Abstract: A device transmits, from an overlay service controller associated with an overlay network to an underlay service controller associated with an underlay network and via a semantic structure defined for a service usage API, a request for a service offered by the underlay network. A device may receive, at the overlay service controller, from the underlay service controller and via the service usage API, attachment metadata. A device may map, based on the attachment metadata and via the overlay service controller, an overlay network tunnel to the service in the underlay network to generate an overlay tunnel mapping, wherein the overlay service controller does not have knowledge of details about implementing the service in order to enable the overlay network to consume the service offered by the underlay network. A device may communicate tunneled packets from the overlay network to the underlay network via the overlay tunnel mapping.

Abstract: Present disclosure includes determining, at two or more gateway nodes that each communicate with a plurality of branch nodes and a plurality of resources, dynamically a path between each of the plurality of branch nodes and each of the plurality of resources, wherein the path includes one or more virtual routers; generating, at the two or more gateways, dynamically a path length based upon a number of virtual routers each path traverses; automatically translating the path length to an overlay management protocol route preference for each of the plurality of resources.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A process can include determining affinity information indicative of route preferences between branch routers and gateway routers. A prefix can be determined for a subnet of branch routers located at a same branch location. An affinity position of a first gateway router can be determined based on affinity information of the branch routers in the subnet. A mapping can be determined between a local preference Border Gateway Protocol (BGP) community attribute and the affinity position of the first gateway router, wherein a mapped local preference BGP community attribute and the affinity position are indicative of a same routing preference. The mapped local preference BGP community attribute can be attached to routes from the first gateway router into a cloud service provider. Affinity-based route preferences are indicated to the cloud service provider by redistributing the routes from the first gateway router with the mapped local preference BGP community attribute attached.

Abstract: In one embodiment, a method by a first edge router includes receiving a request control message from a second edge router requesting a first identifier of a first group associated with a first host having a first Internet Protocol (IP) address, determining the first identifier of the first group based on the first IP address, sending a response control message to the second edge router including the first identifier of the first group, receiving a data packet destined to the first host from the second edge router, determining that a second group is a source group and the first group is a destination group of the data packet, applying one or more policies associated with a combination of the source group and the destination group to the data packet, and causing the data packet to be routed to the first host within the first site.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include, performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.

Abstract: A system and method for adaptive encryption for SD-WAN includes identifying an encrypted conversational flow and determining whether a duration of the encrypted conversational flow exceeds a threshold. The method also includes selecting a header-less tunnel for the encrypted conversational flow when the duration is more than the threshold. The method further includes transmitting the encrypted conversational flow to an egress router over the selected header-less tunnel.

Abstract: This disclosure describes methods of operating a leaf node device, such as a switch device, connected to a switch fabric of a network. The leaf node device receives, from another leaf node device via the switch fabric, an indication of a secure route to a host device. In response to receiving the indication of the secure route, the leaf node device creates or updates a routing entry for the host device in a routing information base of the leaf node device and creates or updates an entry for the host device in a Dynamic Host Configuration Protocol (DHCP) snoop database of the leaf node device. The leaf node may thereby communicate with the host device that is attached to the leaf node device as a result of moving from the other leaf node device.

Abstract: A computer network efficiently provides a multicast network flow to a multicast recipient across a multihomed network element. The multihomed network element includes network devices that receive multicast data from a source of a multicast network flow. Each particular network device that received the multicast data publishes a notification indicating that the multicast network flow is available from the particular network device. The computer network receives a subscription to the multicast network flow from a multicast recipient, and determines whether to bridge the multicast data across the multihomed network element based on a multicast configuration of the computer network. The multihomed network element provides the multicast data to the multicast recipient from at least one of the particular network devices that received the multicast data from the source of the multicast network flow.

Abstract: Techniques for ensuring symmetric forwarding between disparate networks. The techniques may include receiving a gateway preference order associated with a route advertised by an edge node, the edge node associated with a first network. The techniques may also include determining, based at least in part on the gateway preference order, that a gateway node is a more preferred gateway for the route than another gateway node, the gateway node configured to facilitate communications between the first network and a second network. In some examples, the techniques may also include converting the gateway preference order into a metric associated with an IP routing protocol that is in use in the second network. In some examples, the route including the metric may be distributed within the second network such that the gateway node is the more preferred gateway for return traffic of the route.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.

Abstract: Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include, performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.

Abstract: A system and method for adaptive encryption for SD-WAN includes identifying an encrypted conversational flow and determining whether a duration of the encrypted conversational flow exceeds a threshold. The method also includes selecting a header-less tunnel for the encrypted conversational flow when the duration is more than the threshold. The method further includes transmitting the encrypted conversational flow to an egress router over the selected header-less tunnel.

Abstract: In one embodiment, a method is performed. A device may include an interface in communication with a network. The device may determine whether an all-active multi-homed ethernet segment (ES) associated with the interface is enabled. On a condition that an all-active multi-homed ES is enabled, the device may determine an ethernet virtual private network (EVPN) designated forwarder (DF) state of the all-active multi-homed ES. If the all-active multi-homed ES is enabled and has an ethernet virtual private network (EVPN) designated forwarder (DF) state, the device may enter a protocol independent multicast (PIM) designated router (DR) state. If an all-active multi-homed ES is enabled and does not have an EVPN DF state, the device may enter a PIM non-DR state.

Abstract: Techniques for ensuring symmetric forwarding between disparate networks. The techniques may include receiving a gateway preference order associated with a route advertised by an edge node, the edge node associated with a first network. The techniques may also include determining, based at least in part on the gateway preference order, that a gateway node is a more preferred gateway for the route than another gateway node, the gateway node configured to facilitate communications between the first network and a second network. In some examples, the techniques may also include converting the gateway preference order into a metric associated with an IP routing protocol that is in use in the second network. In some examples, the route including the metric may be distributed within the second network such that the gateway node is the more preferred gateway for return traffic of the route.

Abstract: This disclosure describes techniques for enabling interoperability between asymmetric and symmetric Integrated Routing and Bridging (IRB) modes. An interfacing component may be configured to receive a first route advertisement from a first edge node in a Layer-2 (L2) fabric. The first route advertisement may correspond to an asymmetric format route, for instance. The interfacing component may be further configured to receive a second route advertisement from a second edge node in a L2/Layer-3 (L3) fabric. The second edge node may be configured for symmetric integrated routing and bridging (IRB). The interfacing component may be configured to re-originate the first route and the second route such that the interfacing component is included as a hop in the resultant routes between the L2 fabric and the L2/L3 fabric.

Abstract: According to some embodiments, a software defined wide area network (SD-WAN) includes a first region and a second region. The first region includes multiple first routing controllers and multiple first SD-WAN edge routers. The second region includes multiple second routing controllers and multiple second SD-WAN edge routers. Each first SD-WAN edge router of the first region is configured to establish Overlay Management Protocol (OMP) peering connections with the plurality of first routing controllers of the first region but to avoid establishing OMP peering connections with the plurality of second routing controllers of the second region. Each second SD-WAN edge router of the second region is configured to establish OMP peering connections with the plurality of second routing controllers of the second region but to avoid establishing OMP peering connections with the plurality of first routing controllers of the first region.

Abstract: A method is performed by a first provider edge (PE) of a redundancy group including provider edges configured with an Ethernet virtual private network (EVPN) segment identifier (EVI) and an Ethernet segment identifier (ESI) and that are multi-homed to a customer edge (CE). The method includes, upon receiving from the CE a join request including a group address for a multicast stream, electing a designated forwarder (DF) for the multicast stream. The electing includes: computing for each PE a respective affinity for the DF as a function of a respective address of the PE, the EVI, and the group address; and determining which PE has a largest affinity. The method further includes, if the first PE has the largest affinity or does not have the largest affinity, configuring the first PE as the designated forwarder or not configuring the first PE as the designated forwarder for the multicast stream, respectively.