Abstract: In one embodiment, a multiple spanning tree (MST) region is defined in a network, where the MST region includes a plurality of network nodes interconnected by links. A MST cluster is defined within the MST region, where the MST cluster includes a plurality of network nodes selected from the plurality of network nodes of the MST region. A network node of the MST cluster generates one or more MST bridge protocol data units (BPDUs) that present the MST cluster as a single logical entity to network nodes of the MST region that are not included in the MST cluster, yet enables per-multiple spanning tree instance (per-MSTI) load balancing of traffic across inter-cluster links that connect network nodes included in the MST cluster and network nodes of the MST region that are not included in the MST cluster.

Abstract: According to one or more embodiments of this disclosure, a network controller in a data center network establishes a translation table for in-band traffic in a data center network, the translation table resolves ambiguous network addresses based on one or more of a virtual network identifier (VNID), a routable tenant address, or a unique loopback address. The network controller device receives packets originating from applications and/or an endpoints operating in a network segment associated with a VNID. The network controller device translates, using the translation table, unique loopback addresses and/or routable tenant addresses associated with the packets into routable tenant addresses and/or unique loopback addresses, respectively.

Abstract: Microsegmentation in a heterogeneous software-defined network can be performed by classifying endpoints associated with a first virtualized environment into respective endpoint groups based on respective attributes, and classifying endpoints associated with a second virtualized environment into respective security groups based on respective attributes. Each respective endpoint group can correspond to a respective security group having the same attribute. Each respective endpoint group and corresponding security group can be associated with a respective policy model defining rules for processing associated traffic. Each of the respective security groups can be used to generate a respective network attribute endpoint group, which can include the network addresses of those endpoints in the respective security group. Each respective network attribute endpoint group can inherit the policy model of the respective endpoint group corresponding to the respective security group.

Abstract: Systems, methods, and computer-readable media for OAM in overlay networks. In response to receiving a packet associated with an OAM operation from a device in an overlay network, the system generates an OAM packet. The system can be coupled with the overlay network and can include a tunnel endpoint interface associated with an underlay address and a virtual interface associated with an overlay address. The overlay address can be an anycast address assigned to the system and another device in the overlay network. Next, the system determines that a destination address associated with the packet is not reachable through the virtual interface, the destination address corresponding to a destination node in the overlay network. The system also determines that the destination address is reachable through the tunnel endpoint interface. The system then provides the underlay address associated with the tunnel endpoint interface as a source address in the OAM packet.

Abstract: An example method for facilitating multiple mobility domains with VLAN translation in a multi-tenant network environment is provided and includes detecting attachment of a first virtual machine on a first port and a second virtual machine on a second port of a network element, the first port and the second port being configured with a first mobility domain and a second mobility domain, respectively, and the first and second virtual machines being configured on a same original VLAN, determining whether the original VLAN falls within a pre-configured VLAN range, translating the original VLAN to a first VLAN on the first port corresponding to the first mobility domain and to a second VLAN on the second port corresponding to the second mobility domain, and segregating traffic on the original VLAN into the first VLAN and the second VLAN according to the respective mobility domains for per-port VLAN significance.

Abstract: Upon receiving a first message, from the second network device, indicating that the second network device is incompatible with one or more virtual local area network (VLAN) pruning techniques, a timer on a first network device is configured to expire after a predetermined period of time. The first network device is configured to maintain a subscription for the second network device to one or more VLANs until the timer expires. The second network device is configured to transmit the first message in response to detecting an upcoming control plane outage at the second device. Prior to the timer expiring, embodiments transmit data assigned to the one or more VLANs to the second network device. Embodiments also periodically receive update messages, from the second network device, identifying one or more VLANs to which the second network device wants to subscribe.

Abstract: In one embodiment, a method includes detecting a change in network topology and broadcasting a transient unconditional unpruning message to multiple nodes in the network. The message is configured to instruct each of the nodes receiving the message to start a phase timer in response to the broadcast message; unprune its operational ports; and, upon expiration of the phase timer, prune its ports in accordance with the results of a pruning protocol.

Abstract: Packet transmission techniques are disclosed herein. An exemplary method includes receiving a packet that identifies an internet protocol (IP) address assigned to more than one destination node; selecting a virtual routing and forwarding table based, at least in part, on a segmentation identification in the packet; identifying a designated destination node in the packet based, at least in part, on the selected virtual routing and forwarding table; and transmitting the packet to the designated destination node.

Abstract: A monitoring session associated with a virtual nickname may be established in a TRILL network. A monitoring station may be connected to an edge switch of the TRILL network specifying the virtual nickname for the monitoring session. The monitoring station is set as a destination for the monitoring session and the virtual nickname is flooded throughout the TRILL network. A source may then be configured to the monitoring session by specifying the virtual nickname of the monitoring session without knowing the destination tied to the monitoring session. Network traffic through the source may then be forwarded to the destination tied to the monitoring session.

Abstract: Presented herein are traffic pruning techniques that define the pruning at the group level. A software defined network (SDN) controller determines first and second endpoint groups (EPGs) of an SDN associated with the SDN controller. The SDN runs on a plurality of networking devices that interconnect a plurality of endpoints that are each attached to one or more host devices. The SDN controller determines a host-EPG mapping for the SDN, as well as a networking device-host mapping for the SDN. The SDN controller then uses the host-EPG mapping, the networking device-host mapping, and one or more group-based policies associated with traffic sent from the first EPG to the second EPG to compute hardware pruning policies defining how to prune multi-destination traffic sent from the first EPG to the second EPG. The hardware pruning policies are then installed in one or more of the networking devices or the host devices.

Abstract: The techniques presented herein use dynamic endpoint group (EPG) binding changes to facilitate cross-tenant resource sharing. A first node of a multi-tenant software defined network determines that an application on a first endpoint has initiated operation and needs temporary access to resources located at a second endpoint. The first and second endpoints are associated with first and second tenants, respectively, that are logically segregated from one another by the software defined network. The first node dynamically changes an initial EPG binding associated with the first endpoint to a second EPG binding that enables the first endpoint to temporarily directly access the resources at the second endpoint. The first node subsequently determines that the application on the first endpoint no longer needs access to the resources located at a second endpoint and, as such, changes the second EPG binding associated with the first endpoint back to the initial EPG binding.

Abstract: A method for programming a MAC address table by a first leaf node in a network comprising a plurality of leaf nodes is provided. Each leaf node comprises one or more Virtual Tunnel End Points (“VTEPs”) and instantiates a plurality of Virtual Routing and Forwarding elements (“VRFs”), with a corresponding Bridge Domain (“BD”) assigned to each VRF. The method includes obtaining information indicating one or more VTEP Affinity Groups (VAGs), each VAG comprising an identification of one VTEP per leaf node, obtaining information indicating assignment of each VRF to one of the VAGs, assigning each VAG to a unique Filtering Identifier (“FID”), thereby generating one or more FIDs, and programming the MAC address table, using FIDs instead of BDs, by populating the MAC address table with a plurality of entries, each entry comprising a unique combination of a FID and a MAC address of a leaf node.

Abstract: Packet transmission techniques are disclosed herein. An exemplary method includes receiving a packet that identifies an internet protocol (IP) address assigned to more than one destination node; selecting a virtual routing and forwarding table based, at least in part, on a segmentation identification in the packet; identifying a designated destination node in the packet based, at least in part, on the selected virtual routing and forwarding table; and transmitting the packet to the designated destination node.

Abstract: In accordance with one example embodiment, there is provided a system configured for virtual local area network (VLAN) blocking on a virtual port channel (vPC) member link to handle discrepant virtual network instance (VNI) to VLAN mappings. In other embodiments, the system can be configured for providing Virtual Switch Interface Discovery Protocol (VDP) and virtual switch enhancements to accommodate discrepant VNI to VLAN mappings. In another example embodiment, an apparatus is provided that includes a processor, and a memory coupled to the processor, where the apparatus is configured such that if a server is connected through a virtual port channel, a VDP is used to notify the server of different VNI to VLAN mappings. In another embodiment, the apparatus can extend a VDP Filter Info Field to carry a set of VLANs mapped to a VNI, keyed by leaf MAC addresses that serve as bridge identifiers.

Abstract: A method for programming a MAC address table by a first leaf node in a network comprising a plurality of leaf nodes is provided. Each leaf node comprises one or more Virtual Tunnel End Points (“VTEPs”) and instantiates a plurality of Virtual Routing and Forwarding elements (“VRFs”), with a corresponding Bridge Domain (“BD”) assigned to each VRF. The method includes obtaining information indicating one or more VTEP Affinity Groups (VAGs), each VAG comprising an identification of one VTEP per leaf node, obtaining information indicating assignment of each VRF to one of the VAGs, assigning each VAG to a unique Filtering Identifier (“FID”), thereby generating one or more FIDs, and programming the MAC address table, using FIDs instead of BDs, by populating the MAC address table with a plurality of entries, each entry comprising a unique combination of a FID and a MAC address of a leaf node.

Abstract: Systems, methods, and computer-readable media for OAM in overlay networks. In response to receiving a packet associated with an OAM operation from a device in an overlay network, the system generates an OAM packet. The system can be coupled with the overlay network and can include a tunnel endpoint interface associated with an underlay address and a virtual interface associated with an overlay address. The overlay address can be an anycast address assigned to the system and another device in the overlay network. Next, the system determines that a destination address associated with the packet is not reachable through the virtual interface, the destination address corresponding to a destination node in the overlay network. The system also determines that the destination address is reachable through the tunnel endpoint interface. The system then provides the underlay address associated with the tunnel endpoint interface as a source address in the OAM packet.

Abstract: According to one or more embodiments of this disclosure, a network controller in a data center network establishes a translation table for in-band traffic in a data center network, the translation table resolves ambiguous network addresses based on one or more of a virtual network identifier (VNID), a routable tenant address, or a unique loopback address. The network controller device receives packets originating from applications and/or an endpoints operating in a network segment associated with a VNID. The network controller device translates, using the translation table, unique loopback addresses and/or routable tenant addresses associated with the packets into routable tenant addresses and/or unique loopback addresses, respectively.

Abstract: Microsegmentation in a heterogeneous software-defined network can be performed by classifying endpoints associated with a first virtualized environment into respective endpoint groups based on respective attributes, and classifying endpoints associated with a second virtualized environment into respective security groups based on respective attributes. Each respective endpoint group can correspond to a respective security group having the same attribute. Each respective endpoint group and corresponding security group can be associated with a respective policy model defining rules for processing associated traffic. Each of the respective security groups can be used to generate a respective network attribute endpoint group, which can include the network addresses of those endpoints in the respective security group. Each respective network attribute endpoint group can inherit the policy model of the respective endpoint group corresponding to the respective security group.

Abstract: In one embodiment, a multiple spanning tree (MST) region is defined in a network, where the MST region includes a plurality of network nodes interconnected by links. A MST cluster is defined within the MST region, where the MST cluster includes a plurality of network nodes selected from the plurality of network nodes of the MST region. A network node of the MST cluster generates one or more MST bridge protocol data units (BPDUs) that present the MST cluster as a single logical entity to network nodes of the MST region that are not included in the MST cluster, yet enables per-multiple spanning tree instance (per-MSTI) load balancing of traffic across inter-cluster links that connect network nodes included in the MST cluster and network nodes of the MST region that are not included in the MST cluster.