Patents by Inventor Munish Mehta

Munish Mehta has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9825814
    Abstract: Systems, methods, and computer-readable storage media are provided for dynamically setting an end point group for an end point. An endpoint can be assigned a default end point group when added to a network. For example, the default end point group can be a baseline port/security group which is considered an untrusted group. The end point can then be dynamically assigned an end point group based on a set of group selection rules. For example, the group selection rules can identify an end point group based on the MAC address or other attributes. When the end point is added to the network, the MAC address and/or other attributes of the end point can be determined and used to assign an end point group. As another example, an end point group can be assigned based on the amount of traffic or guest operating system.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: November 21, 2017
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Joji Thomas Mekkattuparamban, Vijay Chander, Saurabh Jain, Van Lieu, Badhri Madabusi Vijayaraghavan, Praveen Jain, Munish Mehta, Michael R. Smith, Narender Enduri
  • Patent number: 9787567
    Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, and packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.
    Type: Grant
    Filed: January 30, 2013
    Date of Patent: October 10, 2017
    Assignee: Big Switch Networks, Inc.
    Inventors: Munish Mehta, Robert Edward Adams, Rao Sandeep Hebbani Raghavendra, Srinivasan Ramasubramanian
  • Publication number: 20160352576
    Abstract: Systems, methods, and computer-readable storage media are provided for dynamically setting an end point group for an end point. An endpoint can be assigned a default end point group when added to a network. For example, the default end point group can be a baseline port/security group which is considered an untrusted group. The end point can then be dynamically assigned an end point group based on a set of group selection rules. For example, the group selection rules can identify an end point group based on the MAC address or other attributes. When the end point is added to the network, the MAC address and/or other attributes of the end point can be determined and used to assign an end point group. As another example, an end point group can be assigned based on the amount of traffic or guest operating system.
    Type: Application
    Filed: July 27, 2015
    Publication date: December 1, 2016
    Inventors: Joji Thomas Mekkattuparamban, Vijay Chander, Saurabh Jain, Van Lieu, Badhri Madabusi Vijayaraghavan, Praveen Jain, Munish Mehta, Michael R. Smith, Narender Enduri
  • Patent number: 9331872
    Abstract: In one embodiment, a list of source identifiers is maintained at a virtual switch. These source identifiers are allowed to send packets through the virtual switch to ports in a private virtual local area network (PVLAN). When a packet is received at the virtual switch from a particular source destined for a particular port in the PVLAN, the virtual switch determines whether a particular identifier associated with the particular source matches one of the source identifiers in the list. If that particular source identifier is not on the list, the packet is prevented from being forwarded to the particular port in the PVLAN.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: May 3, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Vishnu Emmadi, Munish Mehta, Saravanakumar Rajendran, Prashant Gandhi
  • Patent number: 9008080
    Abstract: A packet forwarding network may include switches that perform network forwarding operations to forward network traffic between end hosts that are coupled to the packet forwarding network. An analysis network that is controlled by a controller may be coupled to the packet forwarding network. The analysis network and the packet forwarding network may overlap. Switches such as hybrid switches in the overlapping network portions may be controlled by the controller to copy network packets without interfering with the network forwarding operations of the packet forwarding network. The analysis network may include a central portion to which analysis tools are coupled and one or more isolated portions. The controller may control the client switches of the central portion and the isolated portions to establish tunneling paths through the forwarding network.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: April 14, 2015
    Assignee: Big Switch Networks, Inc.
    Inventors: Munish Mehta, Ranganath Rao, Edward R. Swierk
  • Publication number: 20140064150
    Abstract: In one embodiment, a first number of multiple spanning tree instances (MSTIs) are defined within a network. A second number of network segments associated with segmentation identifiers (IDs) are also configured, where the first number of MSTIs is less than the second number of segmentation IDs. Segmentation ID to MSTI mappings are maintained that map each defined segmentation ID of the second number of network segments to one of the first number of MSTIs. A segmentation mapping digest is computed of the segmentation ID to MSTI mappings. Multiple spanning tree (MST) bridge protocol data units (BPDUs) are broadcast that include the digest of the segmentation ID to MSTI mappings.
    Type: Application
    Filed: August 31, 2012
    Publication date: March 6, 2014
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Norman W. Finn, Munish Mehta, Yibin Yang, Chia Alex Tsai
  • Publication number: 20130315252
    Abstract: In one embodiment, a list of source identifiers is maintained at a virtual switch. These source identifiers are allowed to send packets through the virtual switch to ports in a private virtual local area network (PVLAN). When a packet is received at the virtual switch from a particular source destined for a particular port in the PVLAN, the virtual switch determines whether a particular identifier associated with the particular source matches one of the source identifiers in the list. If that particular source identifier is not on the list, the packet is prevented from being forwarded to the particular port in the PVLAN.
    Type: Application
    Filed: May 22, 2012
    Publication date: November 28, 2013
    Applicant: Cisco Technology, Inc.
    Inventors: Vishnu Emmadi, Munish Mehta, Saravanakumar Rajendran, Prashant Gandhi
  • Patent number: 8565123
    Abstract: A system and method runs a multiple spanning tree protocol (MSTP) in a computer network having a very large number of bridge domains. The computer network includes a plurality of intermediate network devices, each having a plurality of ports for forwarding network messages. Within each device, a plurality of bridge domains are defined, each bridge domain is identified by a Virtual Local Area Network (VLAN) Identifier (VID), and one or more device ports. For each port, a separate mapping of VIDs to Multiple Spanning Tree Instances (MSTIs), based on the bridge domains defined at the port, is established. Each mapping is converted to a port-based configuration digest, which is entered into Spanning Tree Protocol (STP) control messages sent from the respective port. Ports receiving STP control messages whose configuration digest values match the configuration digest values computed for the ports are said to be in the same Multiple Spanning Tree region.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: October 22, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Tameen Khan, Ronak Desai, Shekher Bulusu, Francois Edouard Tallet, Norman W. Finn, Munish Mehta
  • Patent number: 8520540
    Abstract: Techniques are provided for receiving one or more packets at a network device in a network. The one or more packets are part of normal network communication traffic. Device specific information associated with the one or more packets is generated that is unique to or available at the network device. One or more duplicate packets corresponding to the one or more packets are generated. The device specific information is encapsulated within the one or more duplicate packets for transmission over the network. The one or more duplicate packets are received at a network analyzer in the network. The device specific information associated with the one or more packets that is unique to the network device is extracted from the one or more duplicate packets and analyzed to determine network metrics for the one or more packets.
    Type: Grant
    Filed: July 30, 2010
    Date of Patent: August 27, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Marco E. Foschiano, Kalyan Kumar Ghosh, Munish Mehta, Suresh Gurajapu
  • Publication number: 20130024553
    Abstract: In one embodiment, a method includes receiving at a network device operating as a relay agent, a Dynamic Host Configuration Protocol (DHCP) request from an end host, inserting a group identifier into the DHCP request and forwarding the DHCP request to a DHCP server, the end host associated with a group identified by the group identifier, receiving a response from the DHCP server, and forwarding the response to the end host. The response includes configuration information for the end host, at least some of the configuration information selected based on the group identifier. An apparatus is also disclosed.
    Type: Application
    Filed: July 18, 2011
    Publication date: January 24, 2013
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Anuraag Mittal, Maithili Narasimha, Munish Mehta, Srinivas Sardar
  • Patent number: 8040897
    Abstract: In one embodiment, bridges in a computer network maintain a per-port mapping table for each of their ports, where each mapping table maps, for each virtual connection (of more than 4K) at a respective port, i) frame encapsulation fields that uniquely identify a particular virtual connection at the respective port to ii) a particular multiple spanning tree (MST) instance. The bridges may then compute a checksum of a particular mapping table for a particular port, and share the checksum with a corresponding port interconnected with the particular port (e.g., of another bridge). Upon determining that the mapping tables at the corresponding ports match in response to the checksums matching, frames may then be forwarded between the ports based on the particular mapping table.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: October 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Norman W. Finn, Munish Mehta, Yibin Yang
  • Patent number: 7940658
    Abstract: A method and network device to generate a remote traffic monitoring session using an automated technique to configure the source and destination devices of the monitoring system is disclosed. The method includes discovering a Layer 3 (L3) source device and an L3 destination device and automatically configuring the devices. The L3 source device passes target traffic that will be monitored via the L3 destination device in a remote traffic monitoring session. The method verifies configurations of the L3 source device and the L3 destination device, and determines remote monitoring capabilities common to the L3 source device and the L3 destination device. The method negotiates relevant parameters for the remote traffic monitoring session and establishes the remote traffic monitoring session between the L3 source device and the L3 destination device.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: May 10, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Marco Foschiano, Munish Mehta, Kalyan Kumar Ghosh
  • Patent number: 7894342
    Abstract: In one embodiment, a bridge in a computer network may execute a spanning tree protocol (STP) for network topology and a registration protocol for traffic control of virtual connections (e.g., EVCs) at the bridge. For any gateway ports of the bridge inter-connected with a provider network, the bridge may generate “fake” received registration protocol join messages for a particular virtual connection at the gateway port. The bridge may then either i) propagate the join messages, in response to the gateway port being in a forwarding state according to the STP, on other forwarding ports of the bridge, or ii) in response to the gateway port not being in a forwarding state, block propagation of the join messages to other ports of the bridge.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: February 22, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Norman W. Finn, Munish Mehta, Yibin Yang
  • Publication number: 20100220737
    Abstract: In one embodiment, bridges in a computer network maintain a per-port mapping table for each of their ports, where each mapping table maps, for each virtual connection (of more than 4K) at a respective port, i) frame encapsulation fields that uniquely identify a particular virtual connection at the respective port to ii) a particular multiple spanning tree (MST) instance. The bridges may then compute a checksum of a particular mapping table for a particular port, and share the checksum with a corresponding port interconnected with the particular port (e.g., of another bridge). Upon determining that the mapping tables at the corresponding ports match in response to the checksums matching, frames may then be forwarded between the ports based on the particular mapping table.
    Type: Application
    Filed: February 27, 2009
    Publication date: September 2, 2010
    Inventors: Norman W. Finn, Munish Mehta, Yibin Yang
  • Publication number: 20100220730
    Abstract: In one embodiment, a bridge in a computer network may execute a spanning tree protocol (STP) for network topology and a registration protocol for traffic control of virtual connections (e.g., EVCs) at the bridge. For any gateway ports of the bridge inter-connected with a provider network, the bridge may generate “fake” received registration protocol join messages for a particular virtual connection at the gateway port. The bridge may then either i) propagate the join messages, in response to the gateway port being in a forwarding state according to the STP, on other forwarding ports of the bridge, or ii) in response to the gateway port not being in a forwarding state, block propagation of the join messages to other ports of the bridge.
    Type: Application
    Filed: February 27, 2009
    Publication date: September 2, 2010
    Applicant: Cisco Technology, Inc.
    Inventors: Norman W. Finn, Munish Mehta, Yibin Yang
  • Publication number: 20100054152
    Abstract: A method and network device to generate a remote traffic monitoring session using an automated technique to configure the source and destination devices of the monitoring system is disclosed. The method includes discovering a Layer 3 (L3) source device and an L3 destination device and automatically configuring the devices. The L3 source device passes target traffic that will be monitored via the L3 destination device in a remote traffic monitoring session. The method verifies configurations of the L3 source device and the L3 destination device, and determines remote monitoring capabilities common to the L3 source device and the L3 destination device. The method negotiates relevant parameters for the remote traffic monitoring session and establishes the remote traffic monitoring session between the L3 source device and the L3 destination device.
    Type: Application
    Filed: September 4, 2008
    Publication date: March 4, 2010
    Applicant: Cisco Technology, Inc.
    Inventors: Marco Foschiano, Munish Mehta, Kalyan Kumar Ghosh
  • Patent number: 7639699
    Abstract: A technique shares a port (e.g., a physical port) among a plurality of virtual bridges on a switch in a computer network. According to the novel technique, two or more virtual bridges are established on the switch, and are each assigned respective sets of Virtual Local Area Networks (VLANs). Each virtual bridge has a virtual interface corresponding to the physical port (a “shared trunk”), the virtual bridges regarding the virtual interfaces as though they were physical ports. Control messages transmitted by the virtual bridges on the virtual interfaces are sent over the physical port and to each other virtual interface of the port (the shared trunk), such as, e.g., by a virtual hub of the shared trunk. Also, control messages received on the physical port are sent over each virtual interface to each virtual bridge (e.g., by the virtual hub).
    Type: Grant
    Filed: August 4, 2006
    Date of Patent: December 29, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Francois Edouard Tallet, Munish Mehta
  • Publication number: 20080031266
    Abstract: A technique shares a port (e.g., a physical port) among a plurality of virtual bridges on a switch in a computer network. According to the novel technique, two or more virtual bridges are established on the switch, and are each assigned respective sets of Virtual Local Area Networks (VLANs). Each virtual bridge has a virtual interface corresponding to the physical port (a “shared trunk”), the virtual bridges regarding the virtual interfaces as though they were physical ports. Control messages transmitted by the virtual bridges on the virtual interfaces are sent over the physical port and to each other virtual interface of the port (the shared trunk), such as, e.g., by a virtual hub of the shared trunk. Also, control messages received on the physical port are sent over each virtual interface to each virtual bridge (e.g., by the virtual hub).
    Type: Application
    Filed: August 4, 2006
    Publication date: February 7, 2008
    Inventors: Francois Edouard Tallet, Munish Mehta
  • Publication number: 20070258390
    Abstract: A system and method runs a multiple spanning tree protocol (MSTP) in a computer network having a very large number of bridge domains. The computer network includes a plurality of intermediate network devices, each having a plurality of ports for forwarding network messages. Within each device, a plurality of bridge domains are defined, each bridge domain is identified by a Virtual Local Area Network (VLAN) Identifier (VID), and one or more device ports. For each port, a separate mapping of VIDs to Multiple Spanning Tree Instances (MSTIs), based on the bridge domains defined at the port, is established. Each mapping is converted to a port-based configuration digest, which is entered into Spanning Tree Protocol (STP) control messages sent from the respective port. Ports receiving STP control messages whose configuration digest values match the configuration digest values computed for the ports are said to be in the same Multiple Spanning Tree region.
    Type: Application
    Filed: May 3, 2006
    Publication date: November 8, 2007
    Inventors: Tameen Khan, Ronak Desai, Shekher Bulusu, Francois Tallet, Norman Finn, Munish Mehta