Abstract: A method for servicing network traffic in a wide area network (WAN) comprising a plurality of network devices is provided. The method is executed by a network device among the plurality of network devices and comprises: receiving a request to transmit the network traffic to a destination network device where the request specifies that the network traffic is to be serviced by a network service; determining, based on the request and using a service-aware virtual topology (SAVT) routing table, a path through the WAN for reaching the network service and a service instance identifier (ID) of the network service; configuring the network traffic to include a service bit indicating whether service is to be performed and instructions specifying the path for reaching the network service; and transmitting, after configuring the network traffic, the network traffic toward the destination device through the at least one network service.

Abstract: A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.

Abstract: Techniques disclosed herein provide a method for efficiently propagating address resolution reply messages. A first router in a first network receives an address resolution request message from a second router in a second network. The first router generates an entry for the address resolution request message and stores the entry in a pending address resolution requests table. When the first router receives a route advertisement, it extracts a network layer address from the route advertisement and determines whether the pending address resolution requests table includes an entry for the network layer address. If so, the router extracts a link layer address from the route advertisement and generates an address resolution reply message comprising the network layer address and the link layer address. The router then transmits the address resolution reply message to the second router.

Abstract: In response to receiving an ASR message, a VTEP generates a specially modified control plane message advertising the IP-to-MAC binding of the ASR message. The control plane message may be modified to indicate that it is not to be used for MAC learning. The control plane message is advertised over the network. When an intended recipient receives the message, it uses that message just for the IP-to-MAC binding. When an unintended recipient receives the message, it may drop it as invalid.

Abstract: A method for synchronizing a binding process among a group of network devices connected to a server that is multi-homed to the group of network devices in provided. The method is executed by a first network device among the group of network devices and includes: receiving, from the server, network traffic associated with a host executing on the server; configuring, using the network traffic, a binding between the first network device and the host and setting a binding status of the first network device for the host to a first status; and transmitting, in response to the setting and via an out-of-band (OOB) channel to a second network device among the plurality of network devices, first binding instructions for causing the second network device set a binding status of the second network device for the host to a second status different from the first status.

Abstract: A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.

Abstract: A method for supporting virtual machine (VM) mobility between network devices connected to a network includes: selecting a first type of route for interconnecting VMs that are connected to the network devices; and adding a feature of a second type of route to the first type of route to enable the network devices to execute proxy address resolution protocol (ARP) for transmitting network traffic between the VMs without requiring each of the network devices to store a physical address of each of the VMs in respective ones of a network address table.

Abstract: A method for transmitting network traffic across a wide area network (WAN) from a first site to a second site is provided. The method is executed by a first edge network device at the first site that further includes a second edge network device, and the method includes: receiving the network traffic from a client device at the first site; determining, using ipath characteristics and a classification of the network traffic, that the network traffic should be transmitted by the second edge network device to the second site; forwarding in response to the determination, the network traffic to the second edge network device using a local tunnel over a local area network (LAN) of the first site such that the network traffic is transmitted to the second site by the second edge network device.

Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: A method for servicing network traffic in a wide area network (WAN) comprising a plurality of network devices is provided. The method is executed by a network device among the plurality of network devices and comprises: receiving a request to transmit the network traffic to a destination network device where the request specifies that the network traffic is to be serviced by a network service; determining, based on the request and using a service-aware virtual topology (SAVT) routing table, a path through the WAN for reaching the network service and a service instance identifier (ID) of the network service; configuring the network traffic to include a service bit indicating whether service is to be performed and instructions specifying the path for reaching the network service; and transmitting, after configuring the network traffic, the network traffic toward the destination device through the at least one network service.

Abstract: A method for synchronizing a binding process among a group of network devices connected to a server that is multi-homed to the group of network devices in provided. The method is executed by a first network device among the group of network devices and includes: receiving, from the server, network traffic associated with a host executing on the server; configuring, using the network traffic, a binding between the first network device and the host and setting a binding status of the first network device for the host to a first status; and transmitting, in response to the setting and via an out-of-band (OOB) channel to a second network device among the plurality of network devices, first binding instructions for causing the second network device set a binding status of the second network device for the host to a second status different from the first status.

Abstract: Systems and methods are provided herein for a mechanism for faster convergence of network traffic after a network device's link is interrupted by leveraging the withdrawal of the ethernet virtual private network (EVPN) auto discovery (AD) route. This may be accomplished by a first device checking an ethernet segment identifier (ESI) status flag before generating an entry in the first device's forwarding table, where the entry is based on an IP route for a host received by a second network device. In response to receiving a withdrawal of an EVPN AD route from the second device, the first device may update the ESI status flag to indicate that the host on the ethernet segment (ES) is reachable only via the third device and update the entry that was based on the IP route for the host received by the second network device to prevent sending traffic to the host via the second device.

Abstract: A method for generating an application-aware virtual topology (AAVT) routing table for a network device among network devices connected via a wide area network is provided. The method is executed by a network controller connected to the network and includes: receiving, from the network devices, path information of the network devices; generating, using the path information, an underlay graph specifying a path topology of the network device; generating, based on the path topology specified in the underlay graph, the AAVT routing table for the network device where the AAVT routing table includes a set of paths; and transmitting, in response to generating the AAVT routing table, the AAVT routing table to the network device to cause the network device to program the set of paths.

Abstract: Network identifiers are extracted from route advertisements. A table associates virtual network identifiers with provider edge devices. When a virtual network identifier extracted from a route advertisement matches a virtual network identifier in the table, the route advertisement is propagated to the provider edge devices associated with that virtual network identifier in the table. The route advertisement is not propagated to provider edge devices not associated with that virtual network identifier in the table.

Abstract: A system and method for provisionally authenticating a host moving from one router to another router in a network using border gateway protocol (BGP) is disclosed. A host is initially authenticated at a first BGP router, this discovery is advertised to a second BGP router pursuant to BGP with a new extended community indicating successful authentication (or pre-authentication) of the host at the first BGP router. An indication for re-authentication of the host at the second BGP router is then received, which blocks network traffic from the host to the second BGP router. Due to the notification of a previous authentication of the host, the second BGP router begins a provisional authentication session. In response to a successful completion of the provisional authentication session, the host is authorized to transmit network traffic on the second BGP router and subsequently blocked from doing the same at the first BGP router.

Abstract: Systems and methods are provided herein for supporting Spanning Tree Protocol (STP) in networks that use Ethernet Virtual Private Network (EVPN) All-Active (A-A) multihoming. This may be accomplished by a network administrator defining a super root group comprising a plurality of network devices, wherein each network device provides A-A multihoming to a multihomed device. All network devices in the super root group use a common bridge ID when generating BPDU messages for STP. All network devices in the super root group will send BPDU messages comprising the common bridge ID to the multihomed device. Because the BPDU messages comprise a common bridge ID, the multihomed device treats the network devices in the super root group as a single local bridge, thus STP is enabled without causing STP flapping.

Abstract: Embodiments of the disclosure include a method comprising storing a first identifier of a first host device in an Address Resolution Protocol (ARP) cache of a first VXLAN Tunnel Endpoint (VTEP); making a first determination that an age of the first identifier exceeds a defined age threshold; sending, as a result of the first determination, a first request to the first host device to confirm liveness of the first identifier; and removing the first identifier from the ARP cache as a result of failing to receive a first response from the first host device within a defined time period.

Abstract: A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.

Abstract: Network identifiers are extracted from route advertisements. A table associates virtual network identifiers with provider edge devices. When a virtual network identifier extracted from a route advertisement matches a virtual network identifier in the table, the route advertisement is propagated to the provider edge devices associated with that virtual network identifier in the table. The route advertisement is not propagated to provider edge devices not associated with that virtual network identifier in the table.

Abstract: In response to receiving an ASR message, a VTEP generates a specially modified control plane message advertising the IP-to-MAC binding of the ASR message. The control plane message may be modified to indicate that it is not to be used for MAC learning. The control plane message is advertised over the network. When an intended recipient receives the message, it uses that message just for the IP-to-MAC binding. When an unintended recipient receives the message, it may drop it as invalid.