Abstract: Systems and methods for enforcing media access control (MAC) learning limits (MLLs) on multi-homed access ports comprise configuring MLL violation actions to be performed by a virtual extensible local area network (VxLAN) tunnel endpoint (VTEP). The VTEP is multi-homed to VTEPs and comprises an Ethernet segment (ES) access port. A BGP EVPN or similar protocol may be used to communicate MLL information across VTEPs participating in the multi-homed ES to keep MACs and MLL violation actions consistent. The violation actions may comprise initiating a shutdown message to shut down an ES. Once an MLL violation associated with a MAC that has been received at the VTEP is detected, the VTEP may enforce the MLL by performing one or more of the configured MLL violation actions and propagate the same to other VTEPs.

Abstract: An aggregated networking device subsystem station move control system includes first and second aggregated networking devices connected via an ICL. The first aggregated networking device receives a MAC address from the second aggregated networking device that was learned on an orphan port that has port security enabled and a station-move-deny configuration, and generates a static MAC address entry in its MAC address table that associates the MAC address with the ICL. The static MAC address entry causes data packets received on non-ICL ports on the first aggregated networking device that include the MAC address to generate a static MAC move violation. The first aggregated networking device also programs rule(s) that, in response to data packets being received on its non-ICL ports that have port security disabled and generating a static MAC move violation, causes the association of the MAC address with that non-ICL port.

Abstract: A set of remote Virtual Extensible LAN (VxLAN) tunnel endpoints (VTEPs) and an ingress VTEP associated different Ethernet Segments (ESs) elect amongst themselves designated forwarder (DF) for forwarding broadcast, unknown-unicast, and multicast traffic (BUM) traffic by triggering an RFC 7432 election mechanism on each of the VTEPs. In embodiments, DF election involves exchanging configuration information, such as Type-4 routes for ESs via Border Gateway Protocol (BGP), without being confined to a particular ES that is local to all VTEPs, i.e., irrespective of local ES and internet identifiers. This allows performing targeted forwarding of BUM traffic to intended VTEPs which avoiding unnecessary ingress replication of BUM traffic in the ingress VTEP, thereby, saving hardware buffer resources and avoiding unnecessary flooding of frames to a set of non-forwarding egress VTEPs, ultimately, reducing the load on the egress VTEP and freeing up packet processing resources.

Abstract: An aggregated networking device subsystem station move control system includes first and second aggregated networking devices connected via an ICL. The first aggregated networking device receives a MAC address from the second aggregated networking device that was learned on an orphan port that has port security enabled and a station-move-deny configuration, and generates a static MAC address entry in its MAC address table that associates the MAC address with the ICL. The static MAC address entry causes data packets received on non-ICL ports on the first aggregated networking device that include the MAC address to generate a static MAC move violation. The first aggregated networking device also programs rule(s) that, in response to data packets being received on its non-ICL ports that have port security disabled and generating a static MAC move violation, causes the association of the MAC address with that non-ICL port.

Abstract: An asymmetric/symmetric IRB migration system includes an aggregated networking device subsystem with a first and second networking device that are both configured to operate according to an asymmetric IRB model. A migration system coupled to the aggregated networking device subsystem retrieves first and second asymmetric IRB attributes from the first and second networking devices, uses the first asymmetric IRB attributes to generate first symmetric IRB attributes for the first networking device, and uses the second asymmetric IRB attributes to generate second symmetric IRB attributes for the second networking device. The migration system then causes data destined for end host device(s) coupled to the aggregated networking device subsystem to be transmitted only to the first networking device, configures the first networking device using the first symmetric IRB attributes, and then configures the second networking device using the second symmetric IRB attributes.

Abstract: An aggregated networking device subsystem station move control system includes first and second aggregated networking devices connected via an ICL. The first aggregated networking device receives a MAC address from the second aggregated networking device that was learned on an orphan port that has port security enabled and a station-move-deny configuration, and generates a static MAC address entry in its MAC address table that associates the MAC address with the ICL. The static MAC address entry causes data packets received on non-ICL ports on the first aggregated networking device that include the MAC address to generate a static MAC move violation. The first aggregated networking device also programs rule(s) that, in response to data packets being received on its non-ICL ports that have port security disabled and generating a static MAC move violation, causes the association of the MAC address with that non-ICL port.

Abstract: An asymmetric/symmetric IRB migration system includes an aggregated networking device subsystem with a first and second networking device that are both configured to operate according to an asymmetric IRB model. A migration system coupled to the aggregated networking device subsystem retrieves first and second asymmetric IRB attributes from the first and second networking devices, uses the first asymmetric IRB attributes to generate first symmetric IRB attributes for the first networking device, and uses the second asymmetric IRB attributes to generate second symmetric IRB attributes for the second networking device. The migration system then causes data destined for end host device(s) coupled to the aggregated networking device subsystem to be transmitted only to the first networking device, configures the first networking device using the first symmetric IRB attributes, and then configures the second networking device using the second symmetric IRB attributes.

Abstract: Systems and methods for enforcing media access control (MAC) learning limits (MLLs) on multi-homed access ports comprise configuring MLL violation actions to be performed by a virtual extensible local area network (VxLAN) tunnel endpoint (VTEP). The VTEP is multi-homed to VTEPs and comprises an Ethernet segment (ES) access port. A BGP EVPN or similar protocol may be used to communicate MLL information across VTEPs participating in the multi-homed ES to keep MACs and MLL violation actions consistent. The violation actions may comprise initiating a shutdown message to shut down an ES. Once an MLL violation associated with a MAC that has been received at the VTEP is detected, the VTEP may enforce the MLL by performing one or more of the configured MLL violation actions and propagate the same to other VTEPs.

Abstract: A set of remote Virtual Extensible LAN (VxLAN) tunnel endpoints (VTEPs) and an ingress VTEP associated different Ethernet Segments (ESs) elect amongst themselves designated forwarder (DF) for forwarding broadcast, unknown-unicast, and multicast traffic (BUM) traffic by triggering an RFC 7432 election mechanism on each of the VTEPs. In embodiments, DF election involves exchanging configuration information, such as Type-4 routes for ESs via Border Gateway Protocol (BGP), without being confined to a particular ES that is local to all VTEPs, i.e., irrespective of local ES and internet identifiers. This allows performing targeted forwarding of BUM traffic to intended VTEPs which avoiding unnecessary ingress replication of BUM traffic in the ingress VTEP, thereby, saving hardware buffer resources and avoiding unnecessary flooding of frames to a set of non-forwarding egress VTEPs, ultimately, reducing the load on the egress VTEP and freeing up packet processing resources.

Abstract: A VXLAN multi-tenant inter-networking device packet forwarding system includes a first aggregated networking device coupled to a first host device and a second aggregated networking device that is coupled to second host devices. The first aggregated networking device receives a data packet from the first host device and, in response, identifies a virtual network associated with the first host device. Based on a first and second portion of a virtual network identifier that identifies the virtual network, the first aggregated networking device generates respective first and second packet forwarding identifiers. The first aggregated networking device then provides the first and second packet forwarding identifiers in the data packet, and forwards the data packet to the second aggregated networking device. The second aggregated networking device may then forward the data packet to one of the second host devices based on the first and second packet forwarding identifiers in the data packet.

Abstract: A VXLAN multi-tenant inter-networking device packet forwarding system includes a first aggregated networking device coupled to a first host device and a second aggregated networking device that is coupled to second host devices. The first aggregated networking device receives a data packet from the first host device and, in response, identifies a virtual network associated with the first host device. Based on a first and second portion of a virtual network identifier that identifies the virtual network, the first aggregated networking device generates respective first and second packet forwarding identifiers. The first aggregated networking device then provides the first and second packet forwarding identifiers in the data packet, and forwards the data packet to the second aggregated networking device. The second aggregated networking device may then forward the data packet to one of the second host devices based on the first and second packet forwarding identifiers in the data packet.

Abstract: A multicast system includes a source device and a plurality of receiver devices connected by switches that are also coupled to a switch controller. The switch controller receives source device information for the source device from its connected first switch, and receives receiver device information for each of the receiver devices from their respective connected second switches. The switch controller uses the source device information and receiver device information to construct a multicast tree that includes switches capable of transmitting multicast communications from the source device to each of the receiver devices. The switch controller then programs at least some of the switches so that a multicast data communication from the source device is segment routed to a third switch, and replicated by the third switch to produce replicated multicast data communications that are each segment routed to at least some of the receiver devices through their respective second switches.

Abstract: A multicast system includes a source device and a plurality of receiver devices connected by switches that are also coupled to a switch controller. The switch controller receives source device information for the source device from its connected first switch, and receives receiver device information for each of the receiver devices from their respective connected second switches. The switch controller uses the source device information and receiver device information to construct a multicast tree that includes switches capable of transmitting multicast communications from the source device to each of the receiver devices. The switch controller then programs at least some of the switches so that a multicast data communication from the source device is segment routed to a third switch, and replicated by the third switch to produce replicated multicast data communications that are each segment routed to at least some of the receiver devices through their respective second switches.