Abstract: Techniques disclosed herein provide a method for efficiently propagating address resolution reply messages. A first router in a first network receives an address resolution request message from a second router in a second network. The first router generates an entry for the address resolution request message and stores the entry in a pending address resolution requests table. When the first router receives a route advertisement, it extracts a network layer address from the route advertisement and determines whether the pending address resolution requests table includes an entry for the network layer address. If so, the router extracts a link layer address from the route advertisement and generates an address resolution reply message comprising the network layer address and the link layer address. The router then transmits the address resolution reply message to the second router.

Abstract: Systems and methods are provided herein for supporting Spanning Tree Protocol (STP) in networks that use Ethernet Virtual Private Network (EVPN) All-Active (A-A) multihoming. This may be accomplished by a network administrator defining a super root group comprising a plurality of network devices, wherein each network device provides A-A multihoming to a multihomed device. All network devices in the super root group use a common bridge ID when generating BPDU messages for STP. All network devices in the super root group will send BPDU messages comprising the common bridge ID to the multihomed device. Because the BPDU messages comprise a common bridge ID, the multihomed device treats the network devices in the super root group as a single local bridge, thus STP is enabled without causing STP flapping.

Abstract: In response to receiving an ASR message, a VTEP generates a specially modified control plane message advertising the IP-to-MAC binding of the ASR message. The control plane message may be modified to indicate that it is not to be used for MAC learning. The control plane message is advertised over the network. When an intended recipient receives the message, it uses that message just for the IP-to-MAC binding. When an unintended recipient receives the message, it may drop it as invalid.

Abstract: In general, embodiments of the invention relate to managing the processing of network data units (NDUs) received by a network device. More specifically, embodiments of the invention relate to minimize the use of a peer link between two multichassis link aggregation group (MLAG) peers to transmit NDUs that are to be routed or bridged by the MLAG peers. The aforementioned minimization of the use of the peer link may be achieved, e.g., using a shared media access control (MAC) address.

Abstract: Systems and methods are provided herein for a mechanism for faster convergence of network traffic after a network device's link is interrupted by leveraging the withdrawal of the ethernet virtual private network (EVPN) auto discovery (AD) route. This may be accomplished by a first device checking an ethernet segment identifier (ESI) status flag before generating an entry in the first device's forwarding table, where the entry is based on an IP route for a host received by a second network device. In response to receiving a withdrawal of an EVPN AD route from the second device, the first device may update the ESI status flag to indicate that the host on the ethernet segment (ES) is reachable only via the third device and update the entry that was based on the IP route for the host received by the second network device to prevent sending traffic to the host via the second device.

Abstract: Techniques disclosed herein provide a method for efficiently propagating address resolution reply messages. A first router in a first network receives an address resolution request message from a second router in a second network. The first router generates an entry for the address resolution request message and stores the entry in a pending address resolution requests table. When the first router receives a route advertisement, it extracts a network layer address from the route advertisement and determines whether the pending address resolution requests table includes an entry for the network layer address. If so, the router extracts a link layer address from the route advertisement and generates an address resolution reply message comprising the network layer address and the link layer address. The router then transmits the address resolution reply message to the second router.

Abstract: A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.

Abstract: A system and method for provisionally authenticating a host moving from one router to another router in a network using border gateway protocol (BGP) is disclosed. A host is initially authenticated at a first BGP router, this discovery is advertised to a second BGP router pursuant to BGP with a new extended community indicating successful authentication (or pre-authentication) of the host at the first BGP router. An indication for re-authentication of the host at the second BGP router is then received, which blocks network traffic from the host to the second BGP router. Due to the notification of a previous authentication of the host, the second BGP router begins a provisional authentication session. In response to a successful completion of the provisional authentication session, the host is authorized to transmit network traffic on the second BGP router and subsequently blocked from doing the same at the first BGP router.

Abstract: Systems and methods for generating a route advertisement including a sequence number associated with a network layer address. An illustrative method includes receiving a first route advertisement advertising a path to a primary device, the first route advertisement including a network layer address, a first link layer address, and a first sequence number associated with the network layer address; receiving a gratuitous address resolution message from a standby device, the gratuitous address resolution message including the network layer address and a second link layer address; generating a second route advertisement advertising a path to the standby device, the second route advertisement including the network layer address, the second link layer address, and a second sequence number associated with the network layer address, wherein the second sequence number is incremented by a predetermined increment value over the first sequence number; and transmitting the second route advertisement.

Abstract: In one embodiment, a method is provided. The method includes determining that a network device should use an underlay multicast group associated with an overlay multicast group for multicast traffic. The underlay multicast group carries multicast traffic for the overlay multicast group. The overlay multicast group is associated with a virtual private network. The method also includes determining an underlay multicast group address for the underlay multicast group. The overlay multicast group is associated with an overlay multicast group address. A first portion of the underlay multicast group address is a function of the overlay multicast group address. The method further includes forwarding one or more multicast packets to one or more multicast receivers via the underlay multicast group using the underlay multicast group address.

Abstract: In response to receiving an ASR message, a VTEP generates a specially modified control plane message advertising the IP-to-MAC binding of the ASR message. The control plane message may be modified to indicate that it is not to be used for MAC learning. The control plane message is advertised over the network. When an intended recipient receives the message, it uses that message just for the IP-to-MAC binding. When an unintended recipient receives the message, it may drop it as invalid.

Abstract: Techniques disclosed herein provide a method for efficiently propagating address resolution reply messages. A first router in a first network receives an address resolution request message from a second router in a second network. The first router generates an entry for the address resolution request message and stores the entry in a pending address resolution requests table. When the first router receives a route advertisement, it extracts a network layer address from the route advertisement and determines whether the pending address resolution requests table includes an entry for the network layer address. If so, the router extracts a link layer address from the route advertisement and generates an address resolution reply message comprising the network layer address and the link layer address. The router then transmits the address resolution reply message to the second router.

Abstract: Systems and methods for generating a route advertisement including a sequence number associated with a network layer address. An illustrative method includes receiving a first route advertisement advertising a path to a primary device, the first route advertisement including a network layer address, a first link layer address, and a first sequence number associated with the network layer address; receiving a gratuitous address resolution message from a standby device, the gratuitous address resolution message including the network layer address and a second link layer address; generating a second route advertisement advertising a path to the standby device, the second route advertisement including the network layer address, the second link layer address, and a second sequence number associated with the network layer address, wherein the second sequence number is incremented by a predetermined increment value over the first sequence number; and transmitting the second route advertisement.

Abstract: Systems and methods for handling an address resolution probe. An illustrative method includes receiving, at a first device on a network, an address resolution message from a second device on the network, determining whether the address resolution message is an address resolution probe message, and in response to determining that the address resolution message is an address resolution probe message, transmitting the address resolution message to a third device on the network regardless of whether a binding for a destination internet protocol (IP) address included in the address resolution message is stored in a bindings table accessible to the first device.

Abstract: Network identifiers are extracted from route advertisements. A table associates virtual network identifiers with provider edge devices. When a virtual network identifier extracted from a route advertisement matches a virtual network identifier in the table, the route advertisement is propagated to the provider edge devices associated with that virtual network identifier in the table. The route advertisement is not propagated to provider edge devices not associated with that virtual network identifier in the table.

Abstract: In one embodiment, a method is provided. The method includes determining that a network device should use an underlay multicast group associated with an overlay multicast group for multicast traffic. The underlay multicast group carries multicast traffic for the overlay multicast group. The overlay multicast group is associated with a virtual private network. The method also includes determining an underlay multicast group address for the underlay multicast group. The overlay multicast group is associated with an overlay multicast group address. A first portion of the underlay multicast group address is a function of the overlay multicast group address. The method further includes forwarding one or more multicast packets to one or more multicast receivers via the underlay multicast group using the underlay multicast group address.

Abstract: Systems and methods for handling an address resolution probe. An illustrative method includes receiving, at a first device on a network, an address resolution message from a second device on the network, determining whether the address resolution message is an address resolution probe message, and in response to determining that the address resolution message is an address resolution probe message, transmitting the address resolution message to a third device on the network regardless of whether a binding for a destination internet protocol (IP) address included in the address resolution message is stored in a bindings table accessible to the first device.

Abstract: In one embodiment, a primary tunnel is established from a head-end node to a destination along a path including one or more protected network elements for which a fast reroute path is available to pass traffic around the one or more network elements in the event of their failure. A first path quality measures path quality prior to failure of the one or more protected network elements. A second path quality measures path quality subsequent to failure of the one or more protected network elements, while the fast reroute path is being used to pass traffic of the primary tunnel. A determination is made whether to reestablish the primary tunnel over a new path that does not include the one or more failed protected network elements, or to continue to utilize the path with the fast reroute path, in response to a difference between the first path quality and the second path quality.

Abstract: In general, embodiments of the invention relate to managing the processing of network data units (NDUs) received by a network device. More specifically, embodiments of the invention relate to minimize the use of a peer link between two multichassis link aggregation group (MLAG) peers to transmit NDUs that are to be routed or bridged by the MLAG peers. The aforementioned minimization of the use of the peer link may be achieved, e.g., using a shared media access control (MAC) address.

Abstract: In one embodiment, a primary tunnel is established from a head-end node to a destination along a path including one or more protected network elements for which a fast reroute path is available to pass traffic around the one or more network elements in the event of their failure. A first path quality measures path quality prior to failure of the one or more protected network elements. A second path quality measures path quality subsequent to failure of the one or more protected network elements, while the fast reroute path is being used to pass traffic of the primary tunnel. A determination is made whether to reestablish the primary tunnel over a new path that does not include the one or more failed protected network elements, or to continue to utilize the path with the fast reroute path, in response to a difference between the first path quality and the second path quality.