Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: The system determines a first source MAC associated with a switch. The system updates a MAC address table by mapping the first source MAC to a first tag which indicates a source role corresponding to a network infrastructure. A processor associated with the switch generates a first packet which indicates the first source MAC. The system performs a first search in the MAC address table based on the indicated first source MAC to obtain the first tag, and performs a second search in a policy table based on the first tag for a policy which indicates an action to be applied to the first packet. If the second search is not successful, the system modifies a header of the first packet by adding the first tag. If the second search is successful, the system determines that the indicated action comprises allowing the first packet and transmits the first packet.

Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.

Abstract: A system determines a first set of policies, wherein at least one policy entry for a destination role comprises a source role, a traffic attribute, and an action to be taken for the packet. The system represents the policies as a matrix, wherein a first entry in the matrix indicates the source and destination role, the traffic attribute, and the action of the at least one policy entry. The system replaces, in the first entry, the action with the destination role if the action indicates to allow the packet, and with a null value if the action indicates to deny the packet, to obtain a first data structure with entries indicating, for a respective source role, traffic attributes and corresponding sets of allowed destination roles. The system resolves an overlapping pair comprising a first and a second traffic attribute to obtain a second set of synthesized policies.

Abstract: The system determines a first source MAC associated with a switch. The system updates a MAC address table by mapping the first source MAC to a first tag which indicates a source role corresponding to a network infrastructure. A processor associated with the switch generates a first packet which indicates the first source MAC. The system performs a first search in the MAC address table based on the indicated first source MAC to obtain the first tag, and performs a second search in a policy table based on the first tag for a policy which indicates an action to be applied to the first packet. If the second search is not successful, the system modifies a header of the first packet by adding the first tag. If the second search is successful, the system determines that the indicated action comprises allowing the first packet and transmits the first packet.

Abstract: One aspect of the instant application facilitates a source port-based identification of client role. During operation, the system can receive, at a network device, a network packet from a client device coupled to the network device via a port. The system can in response to determining that the port is a trusted port, apply a global trusted port configuration based on a first mapping table. The global trusted port configuration corresponds to a default client role. The system can in response to determining that a per-port configuration exists in a second mapping table and the client device is coupled to the trusted port, identify the per-port configuration that corresponds to a port-based client role to override the global trusted port configuration; and apply, based on the per-port configuration and a third mapping table, a policy to the subsequent network packets received via the port.

Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.

Abstract: Methods for performing neighbor state management between peers of a Multi-Chassis Link Aggregation Group (MCLAG) are provided. In one method, a first peer of a Multi-Chassis Link Aggregation Group (MCLAG) performs state management for each neighbor entry in a first set of neighbor entries. Similarly, a second peer of the MCLAG connected in parallel with the first peer performs state management for each neighbor entry in a second set of neighbor entries, the second set of neighbor entries containing contain at least one neighbor entry absent from the first set of neighbor entries.

Abstract: Examples disclosed herein relate to monitoring flow activity on a network device. In an example, a neighbor table is maintained on a network device. The neighbor table may include a record of a neighbor network device and a hit bit corresponding to the neighbor network device. The hit bit may be used to represent a flow activity of the neighbor network device. A determination may be made whether a status of the hit bit corresponding to the neighbor network device is inactive. If the status of the hit bit is inactive, a flow entry corresponding to the neighbor network device may be deleted from an ASIC table on the network device.

Abstract: Methods for performing neighbor state management between peers of a Multi-Chassis Link Aggregation Group (MCLAG) are provided. In one method, a first peer of a Multi-Chassis Link Aggregation Group (MCLAG) performs state management for each neighbor entry in a first set of neighbor entries. Similarly, a second peer of the MCLAG connected in parallel with the first peer performs state management for each neighbor entry in a second set of neighbor entries, the second set of neighbor entries containing contain at least one neighbor entry absent from the first set of neighbor entries.

Abstract: Examples disclosed herein relate to monitoring flow activity on a network device. In an example, a neighbor table is maintained on a network device. The neighbor table may include a record of a neighbor network device and a hit bit corresponding to the neighbor network device. The hit bit may be used to represent a flow activity of the neighbor network device. A determination may be made whether a status of the hit bit corresponding to the neighbor network device is inactive. If the status of the hit bit is inactive, a flow entry corresponding to the neighbor network device may be deleted from an ASIC table on the network device.