Abstract: In some examples, a method includes accessing an orthogonal network policy set that represents a first intent-based network policy and a second intent-based network policy. The method may also include determining multiple reduced orthogonal network policy sets from the orthogonal network policy set. The multiple reduced orthogonal network policy sets may differ from one another, and each represent the first and second intent-based network policies. The method may further include selecting a particular reduced orthogonal network policy set among the multiple reduced orthogonal network policy sets to implement on a target switching device.

Abstract: Example embodiments disclosed herein relate to determining whether a device exhibits anomalous behavior based on a set of rules, address usage information, and address range information. Address usage information for a device communicating on a data plane of a network implemented using switches is received via a control plane. Address range information for the network is maintained. Whether the device exhibits anomalous behavior is determined based on the set of rules, address usage information, and address range information.

Abstract: In example implementations, a method is provided. The method detects, by a processor, a change in incoming data packet relative to a previously received data packet. In response to the change, group rate limiters are enabled to the incoming data packets for each one of a plurality of different data packet groups. The group rate limiters stop the incoming data packet when the data packet is assigned to one of the plurality of different data packet groups that has reached a respective group rate limiter. A hardware controller is programmed to forward respective data packets in each one of the plurality of different data packet groups.

Abstract: In an example, a method is disclosed for implementing forwarding behavior based on communication activity between an SDN controller and a network device. The method includes generating, for the network device, a first flow table rule to implement first forwarding behavior for a network flow if communication to the SDN controller is active. The first flow table rule comprises match criteria for matching to the network flow, a first timeout value, and a first priority value. The method also includes generating, for the network device, a second flow table rule to implement second forwarding behavior for the network flow if communication to the SDN controller is not active. The second flow table rule comprises match criteria for matching to the network flow, a second timeout value, and a second priority value. The method further includes instructing the network device to implement the first and second flow table rules.

Abstract: In an example, a re-convergence point is determined for a convergence point in a network. A host is currently connected to the convergence point for example to access the network. Authentication information and a policy for the host is sent to the re-convergence point prior to the host connecting to the re-convergence point to access the network.

Abstract: In example implementations, a method is provided. The method detects, by a processor, a change in incoming data packet relative to a previously received data packet. In response to the change, group rate limiters are enabled to the incoming data packets for each one of a plurality of different data packet groups. The group rate limiters stop the incoming data packet when the data packet is assigned to one of the plurality of different data packet groups that has reached a respective group rate limiter. A hardware controller is programmed to forward respective data packets in each one of the plurality of different data packet groups.

Abstract: In an example, a method is disclosed for implementing forwarding behavior based on communication activity between an SDN controller and a network device. The method includes generating, for the network device, a first flow table rule to implement first forwarding behavior for a network flow if communication to the SDN controller is active. The first flow table rule comprises match criteria for matching to the network flow, a first timeout value, and a first priority value. The method also includes generating, for the network device, a second flow table rule to implement second forwarding behavior for the network flow if communication to the SDN controller is not active. The second flow table rule comprises match criteria for matching to the network flow, a second timeout value, and a second priority value. The method further includes instructing the network device to implement the first and second flow table rules.

Abstract: In some examples, a method includes accessing an orthogonal network policy set that represents a first intent-based network policy and a second intent-based network policy. The method may also include determining multiple reduced orthogonal network policy sets from the orthogonal network policy set. The multiple reduced orthogonal network policy sets may differ from one another, and each represent the first and second intent-based network policies. The method may further include selecting a particular reduced orthogonal network policy set among the multiple reduced orthogonal network policy sets to implement on a target switching device.

Abstract: Network service insertion includes determining a tunnel interface corresponding to a service entity to which an incoming packet is to be directed, the tunnel interface being determined based on software defined network (SDN) flow rules. Further, the incoming packet can be encapsulated based on a tunnel configuration corresponding to the tunnel interface to generate an encapsulated packet such that the encapsulated packet includes media access control (MAC) address headers and a virtual local area network (VLAN) tag associated with the incoming packet. The encapsulated packet can be sent to the service entity through the tunnel interface for network service insertion.

Abstract: Example embodiments disclosed herein relate to determining whether a device exhibits anomalous behavior based on a set of rules, address usage information, and address range information. Address usage information for a device communicating on a data plane of a network implemented using switches is received via a control plane. Address range information for the network is maintained. Whether the device exhibits anomalous behavior is determined based on the set of rules, address usage information, and address range information.

Abstract: Example implementations relate to compiling network policies. In an example, a method includes dividing a plurality of network policies into an exclusive policy group and a non-exclusive policy group, compiling the policies in the exclusive policy group into a first plurality of orthogonal policies, compiling the policies in the non-exclusive policy group into at least a second plurality of orthogonal policies, where the compiling of each policy group occurs separately.

Abstract: In an example, a re-convergence point is determined for a convergence point in a network. A host is currently connected to the convergence point for example to access the network. Authentication information and a policy for the host is sent to the re-convergence point prior to the host connecting to the re-convergence point to access the network.

Abstract: Network service insertion includes determining a tunnel interface corresponding to a service entity to which an incoming packet is to be directed, the tunnel interface being determined based on software defined network (SDN) flow rules. Further, the incoming packet can be encapsulated based on a tunnel configuration corresponding to the tunnel interface to generate an encapsulated packet such that the encapsulated packet includes media access control (MAC) address headers and a virtual local area network (VLAN) tag associated with the incoming packet. The encapsulated packet can be sent to the service entity through the tunnel interface for network service insertion.

Abstract: An example system may include a controller to receive traffic of a host from a network device. The controller may include a network access control (NAC) unit and a network unit. The NAC unit may perform NAC authentication of the host. The network unit may indicate to the network device to allow traffic from the host, if the host is authenticated by the NAC unit.

Abstract: A method for multicast routing may include receiving, at a router of a receiving multicast domain, a data packet from a forwarding multicast domain. The method may further include configuring the router to operate as if a multicast forwarding information base entry is directly connected, and configuring the router with a reverse path forwarding override with source discovery such that a path used by multicast traffic is different from a path used for unicast traffic.

Abstract: Examples described herein provide for generating a multicast consumer search request from a request node in the network. The request is then routed to the interconnected nodes and received at a target node having a directly-connected multicast consumer. Identification information associated with the directly-connected multicast consumer is forwarded from the target node back to the request node.

Abstract: A method for multicast routing may include receiving, at a router of a receiving multicast domain, a data packet from a forwarding multicast domain. The method may further include configuring the router to operate as if a multicast forwarding information base entry is directly connected, and configuring the router with a reverse path forwarding override with source discovery such that a path used by multicast traffic is different from a path used for unicast traffic.

Abstract: A method for multicast routing may include receiving, at a router of a receiving multicast domain, a data packet from a forwarding multicast domain. The method may further include configuring the router to operate as if a multicast forwarding information base entry is directly connected, and configuring the router with a reverse path forwarding override with source discovery such that a path used by multicast traffic is different from a path used for unicast traffic.

Abstract: Methods for controlling a Designated Forwarder (DF) election in a multicast network are described herein. The multicast network includes a plurality of multicast network devices, including a first network device and a second network device. A Designated Forwarder is determined. It is determined whether to initiate a Designated Forwarder election based on a comparison of a metric measuring a distance to a Rendezvous Point Address from a first network device and a metric measuring the distance to the Rendezvous Point Address from the second network device.

Abstract: A method for convergence of multicast traffic in response to a topology change. The method includes, in response to a change in a multicast topology, redirecting multicast traffic through a network device of a plurality of network devices in the multicast topology and determining a querier status of the network device. The method also includes flooding the multicast traffic through an interface to the network device to facilitate convergence of the multicast traffic. The interface is a connecting point between the network device and another network device of the plurality of network devices.