Abstract: Techniques for ensuring symmetric forwarding between disparate networks. The techniques may include receiving a gateway preference order associated with a route advertised by an edge node, the edge node associated with a first network. The techniques may also include determining, based at least in part on the gateway preference order, that a gateway node is a more preferred gateway for the route than another gateway node, the gateway node configured to facilitate communications between the first network and a second network. In some examples, the techniques may also include converting the gateway preference order into a metric associated with an IP routing protocol that is in use in the second network. In some examples, the route including the metric may be distributed within the second network such that the gateway node is the more preferred gateway for return traffic of the route.

Abstract: This disclosure describes techniques for enabling interoperability between asymmetric and symmetric Integrated Routing and Bridging (IRB) modes. An interfacing component may be configured to receive a first route advertisement from a first edge node in a Layer-2 (L2) fabric. The first route advertisement may correspond to an asymmetric format route, for instance. The interfacing component may be further configured to receive a second route advertisement from a second edge node in a L2/Layer-3 (L3) fabric. The second edge node may be configured for symmetric integrated routing and bridging (IRB). The interfacing component may be configured to re-originate the first route and the second route such that the interfacing component is included as a hop in the resultant routes between the L2 fabric and the L2/L3 fabric.

Abstract: A method is performed by a first provider edge (PE) of a redundancy group including provider edges configured with an Ethernet virtual private network (EVPN) segment identifier (EVI) and an Ethernet segment identifier (ESI) and that are multi-homed to a customer edge (CE). The method includes, upon receiving from the CE a join request including a group address for a multicast stream, electing a designated forwarder (DF) for the multicast stream. The electing includes: computing for each PE a respective affinity for the DF as a function of a respective address of the PE, the EVI, and the group address; and determining which PE has a largest affinity. The method further includes, if the first PE has the largest affinity or does not have the largest affinity, configuring the first PE as the designated forwarder or not configuring the first PE as the designated forwarder for the multicast stream, respectively.

Abstract: According to some embodiments, a software defined wide area network (SD-WAN) includes a first region and a second region. The first region includes multiple first routing controllers and multiple first SD-WAN edge routers. The second region includes multiple second routing controllers and multiple second SD-WAN edge routers. Each first SD-WAN edge router of the first region is configured to establish Overlay Management Protocol (OMP) peering connections with the plurality of first routing controllers of the first region but to avoid establishing OMP peering connections with the plurality of second routing controllers of the second region. Each second SD-WAN edge router of the second region is configured to establish OMP peering connections with the plurality of second routing controllers of the second region but to avoid establishing OMP peering connections with the plurality of first routing controllers of the first region.

Abstract: A system of one embodiment that provides stateless symmetric forwarding of packets in a computer network. The system includes a memory and a processor. The system is operable to determine a cluster state of a plurality of border routers in a cluster. The system is operable to communicate the cluster state to at least one branch node in the computer network. The system is operable to generate a network level consistent hash based on the cluster state. The system is operable to route a first packet through a first border router of the plurality of border routers in the cluster using the network level consistent hash. After the first packet is sent through a first border router, the system is further operable to route a second packet through the first border router of the plurality of border routers in the cluster using the network level consistent hash.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.

Abstract: A system and method for adaptive encryption for SD-WAN includes identifying an encrypted conversational flow and determining whether a duration of the encrypted conversational flow exceeds a threshold. The method also includes selecting a header-less tunnel for the encrypted conversational flow when the duration is more than the threshold. The method further includes transmitting the encrypted conversational flow to an egress router over the selected header-less tunnel.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.

Abstract: A computer network efficiently provides a multicast network flow to a multicast recipient across a multihomed network element. The multihomed network element includes network devices that receive multicast data from a source of a multicast network flow. Each particular network device that received the multicast data publishes a notification indicating that the multicast network flow is available from the particular network device. The computer network receives a subscription to the multicast network flow from a multicast recipient, and determines whether to bridge the multicast data across the multihomed network element based on a multicast configuration of the computer network. The multihomed network element provides the multicast data to the multicast recipient from at least one of the particular network devices that received the multicast data from the source of the multicast network flow.

Abstract: Systems and methods are provided for receiving bandwidth metrics from a plurality of routers on respective link routes in a network, compiling a link database including the bandwidth metrics of each respective link route in the network, selecting a first designated link path from the link database between a first router and a second router based on an application routing policy, the application routing policy being based on a routing metric, providing a first multiprotocol label switching label based on the first designated link path to the first router of the plurality of routers in the network, and restricting network traffic of the first router to the first designated link path provided in the first multiprotocol label switching label.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: A computer network efficiently provides a multicast network flow to a multicast recipient across a multihomed network element. The multihomed network element includes network devices that receive multicast data from a source of a multicast network flow. Each particular network device that received the multicast data publishes a notification indicating that the multicast network flow is available from the particular network device. The computer network receives a subscription to the multicast network flow from a multicast recipient, and determines whether to bridge the multicast data across the multihomed network element based on a multicast configuration of the computer network. The multihomed network element provides the multicast data to the multicast recipient from at least one of the particular network devices that received the multicast data from the source of the multicast network flow.

Abstract: Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include, performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.

Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: A system and method are disclosed for enabling interoperability between asymmetric and symmetric Integrated Routing and Bridging (IRB) modes. A system is configured to receive a route advertisement, examine the label fields of the route advertisement, and determine whether Layer 2 or Layer 3 information is conveyed. The system is further configured to build a route advertisement to advertise to a second device based on whether Layer 2 or Layer 3 information is conveyed in the first route advertisement.

Abstract: In one embodiment, a method includes receiving a broadcast, unknown-unicast, or multicast (BUM) frame from a connected device, where the BUM frame is associated with a broadcast domain, determining a segment within the broadcast domain associated with the device, adding to the BUM frame a segment identifier that uniquely identifies the segment within the broadcast domain, and causing the BUM frame to be delivered to one or more recipient network apparatuses in a network associated with the broadcast domain, where the segment identifier added to the BUM frame is configured to be used by the one or more recipient network apparatuses to selectively forward the BUM frame to connected devices that are associated with segment identifier.

Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.

Abstract: In one embodiment, a method includes identifying, by a router, a first tenant. The first tenant is associated with a first tenant virtual private network (VPN). The method also includes determining, by the router, a mapping of the first tenant VPN to a first device VPN and generating, by the router, a first label representing the first device VPN. The method further includes adding, by the router, the first label to a first network packet and communicating, by the router, the first network packet with the first label to a controller.