Abstract: A method, apparatus and computer program product for scaling hierarchical route reflectors (RRs) using automated Outbound Route Filtering (ORF) is presented. A first route reflector identifies other route reflectors configured as Route reflector clients within a route reflector hierarchy. The first route reflector then builds a common set of route target filters received from the client route reflectors and sends the common set of route target filters to client route reflectors.

Abstract: A system and method for aggregating performance characteristics for core network paths allows computation of message traffic performance over each of the available candidate paths through the core for identifying an optimal core network path. Particular network traffic, or messages, include attributes indicative of performance, such as transport time, delay, jitter, and drop percentage, over individual hops along the candidate path. A diagnostic processor parses these messages to identify the attributes corresponding to performance, and analyzes the resulting parsed routing information to compute an expected performance, such as available bandwidth (e.g. transport rate) over the path. Messages including such attributes may include link state attribute (LSA) messages, diagnostic probe messages specifically targeted to enumerate such attributes, or other network suitable network traffic. In a particular configuration, the messages may be Path Verification Protocol (PVP) messages.

Abstract: A mechanism for ASBRs to identify the originating node, or router, in an LSP conversant autonomous system (AS), such as an MPLS VPN environment, maintains the identity of the originating node and successive nodes in subsequent autonomous systems along the path to the node to be pinged. The identity of the transporting nodes is stored in a stack or other object associated with the ping request (ping), such that the pinged node may employ the stored identity as a set of return path routing information. Successive ASBRs store their identity on the stack, in an ordered manner, along the path to the destination. Upon reaching the destination (ping) node, the destination node employs the identity of the first node on the stack to send the acknowledgment, or ping response. Each successive ASBR, therefore, pops (retrieves) the next node identity from the stack and redirects (sends) the ping response to the retrieved node.

Abstract: A method, apparatus and computer program product for providing secure multipoint Internet Protocol Virtual Private Networks (IPVPNs) is presented. A packet lookup is performed in order to determine a next hop. A VPN label is pushed on the packet, as is an IP tunnel header. Group encryption through the use of DGVPN is further utilized. In such a manner secure connectivity and network partitioning are provided in a single solution.

Abstract: A data communication device (e.g., a router) originates a network configuration message in response to a network topology change or so as to refresh a configuration message. The data communication device encodes a timestamp in the network configuration message. The timestamp indicates a time of originating the network configuration message. Further, the data communication device transmits the network configuration message over the network to other network devices that, in turn, initiate further broadcast of at least a portion of contents of the network configuration message. Based on the timestamp of the network configuration message, the data communication devices receiving the network configuration message identify transmission time value indicating how long the network configuration message takes to be conveyed over the network to the other network devices.

Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication is expanded further into a customer site, as customer devices are able to indicate to a service provider network infrastructure and other customer devices in other customer sites which local destinations require encryption/authentication.

Abstract: Customer edge (CE) to CE device verification checks initiate routes from available CEs as a set of path verification messages, destined for remote CE routes serving a remote VPN. An extended community attribute, included among the attributes of the path verification message, stores the identity of the originating CE router. The path verification message propagates across the network, and transports the identity of the originating CE router because the originator identity is not overwritten by successive routing. Upon receipt by the remote CE, the originator is determinable from the extended community attribute. A further reachability field is also included in the extended community attribute and indicates whether per CE or per prefix is appropriate for the particular route in question. In this manner, CE-CE connectivity checks identify CEs which are reachable from other CEs. Accordingly, such a mechanism allows for route reachability aggregation on a per-CE or per-prefix reachability basis.

Abstract: A path verification protocol (PVP) which enumerates a series of messages sent to a set of nodes, or routers, along a suspected path identifies forwarding plane problems for effecting changes at the control plane level. The messages include a command requesting interrogation of a further remote node for obtaining information about the path between the node receiving the PVP message and the further remote node. The node receiving the PVP message replies with a command response indicative of the outcome of attempts to reach the further remote node. The series of messages collectively covers a set of important routing points along a path from the originator to the recipient. The aggregate command responses to the series of PVP messages is analyzed to identify not only whether the entire path is operational, but also the location and nature of the problem.

Abstract: A method, apparatus and computer program product for providing dynamic routing support for Half-Duplex Virtual Routing and Forwarding (HDVRF) environments. The method, apparatus and computer program function to configure a forwarding Virtual Routing and Forwarding (VRF) table for a router with information to forward incoming packets to a central location within a hub and spoke environment. The method, apparatus and computer program also function to populate a routing Virtual Routing and Forwarding (VRF) table for the router with routing information received from ingress interfaces of the router. The method, apparatus and computer program function further forwards packets received on egress interfaces of the router according to the forwarding VRF table.

Abstract: A first network node maintains separate routing policy information to forward network traffic depending on a direction of the network traffic. Upstream routing policy information at the first node identifies a second node to forward upstream traffic received from at least a first client communicating through the first node. Downstream routing policy information at the first node identifies how to forward downstream network traffic received from another node to the first client. By preventing use of the downstream policy routing information by the first client to route upstream network traffic, the first node is able to forward traffic along a path that the network traffic otherwise would have not traveled. For example, network traffic communicated through the first node can be forced to travel through another network node through which it would have not otherwise have passed if the downstream policy information was available to route the network traffic.