Patents by Inventor Sanjay Kumar Hooda

Sanjay Kumar Hooda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180367328
    Abstract: A method including determining that network traffic being transmitted is unicast or multicast; mapping to which virtual network and locator address each host belongs; generating leaking data for unicast and multicast traffic, wherein the leaking data indicates that a first virtual network leaks traffic to a second virtual network; receiving a request from the second virtual network to receive traffic from a host in the first virtual network; determining, based on the leaking data and the type of traffic being transmitted, if the first virtual network leaks traffic to the second virtual network; if the first virtual network leaks traffic to the second virtual network, determining a locator address for the host in the first virtual network using the mapping data; and transmitting the locator address for the host to the second virtual network to enable traffic leaking from the host to the second virtual network is disclosed.
    Type: Application
    Filed: October 24, 2017
    Publication date: December 20, 2018
    Inventors: Sanjay Kumar Hooda, Prakash C. Jain, Rishabh Parekh, Atri Indiresan, Satish Kondalam, Victor Moreno
  • Publication number: 20180367459
    Abstract: One embodiment of a method includes receiving at a first network node traffic from a second network node; and sending by the first network node to a third network node information identifying the second network node via a Local Area Network (“LAN”) connection between the first and third network nodes. Subsequent to receipt of the information identifying the second network node, the third network node updates a locator table maintained by the third network node to include an entry including the information identifying the second network node received by the third network node from the first network node. Upon receipt by the third network node of a notification that the first network node has failed, the third network node sends an update only to network nodes that have an entry in the locator table indicating that the first network node has failed.
    Type: Application
    Filed: June 18, 2017
    Publication date: December 20, 2018
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Ravishankar Chandrasekaran, Rex Emmanuel Fernando, Sanjay Kumar Hooda, Jesus Arango
  • Publication number: 20180367337
    Abstract: In one embodiment, a method is performed at a first node. The method may include receiving, at a first node, a request from a source host associated with a network to communicate with a destination host. The first node may determine whether the destination host is associated with the network. If the destination host is not associated with the network, the first node may determine an instance identifier (IID) and a proxy egress tunnel router (PETR) locator address used to communicate with the destination host. The first node may send an indicator to an ingress tunnel router (ITR) to encapsulate a packet with the IID and the PETR locator address before sending the packet from the source host to the destination host.
    Type: Application
    Filed: June 16, 2018
    Publication date: December 20, 2018
    Inventors: Prakash Chand Jain, Sanjay Kumar Hooda, Victor M. Moreno, Satish Kumar Kondalam
  • Publication number: 20180351810
    Abstract: A method is described and in some embodiments includes receiving at a network element a transmission control protocol (“TCP”) packet with TCP options set on a link between a controller and a destination node; if the network element comprises a transit node, comparing a bandwidth value indicated in a TCP options field of the received TCP packet with an outgoing link bandwidth of the network element; if the bandwidth value indicated in the TCP options field is greater than the outgoing link bandwidth of the network element, updating the bandwidth value indicated in the TCP options field to be equal to the outgoing link bandwidth of the network element; and forwarding the TCP packet to a next network element. If the bandwidth value indicated in the TCP options field is not greater than the outgoing link bandwidth, the bandwidth value indicated in the TCP options field is not changed.
    Type: Application
    Filed: May 31, 2017
    Publication date: December 6, 2018
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Rex Emmanuel Fernando, Balaji Sundararajan, Sanjay Kumar Hooda
  • Publication number: 20180343227
    Abstract: A Location/Identifier Separation Protocol (LISP) mapping server, including: a network interface for communicating with a LISP-enabled network; a mapping database; a subscription database; and an overlapping subscription publication engine (OSPE) to: receive a first mapping of a first subnetwork to a first routing locator (RLOC); add the first mapping to the mapping database; receive from a first ingress tunnel router (ITR) a subscription request for an endpoint identifier (EID) within the first subnetwork; add to a first subscription entry for the first subnetwork in the subscription database a subscription for the first ITR; receive a second mapping of a second subnetwork to a second RLOC, wherein the second subnetwork overlaps the first subnetwork; add the second mapping to the mapping database; and copy at least part of the first subscription entry to a second subscription entry for the second subnetwork.
    Type: Application
    Filed: May 26, 2017
    Publication date: November 29, 2018
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Jesus Arango, Vina Ermagan, Johnson Leong, Sanjay Kumar Hooda
  • Publication number: 20180270133
    Abstract: Presented herein are techniques for determining the impact a policy change might have on a network. The techniques include receiving configuration information from a plurality of network devices in a network, receiving traffic flow records from the plurality of network devices, receiving an indication of an intent to apply a new policy on the network devices, and based on the configuration information, traffic flow records and the new policy, determining an impact of the new policy on the network devices and traffic flowing through the network.
    Type: Application
    Filed: March 16, 2017
    Publication date: September 20, 2018
    Inventors: Kiran Kumar Yedavalli, Shyamsundar Nandkishor Maniyar, Sanjay Kumar Hooda
  • Publication number: 20180255017
    Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. The policy server receives a first message from a network element connected to the client device. The first message requests an identity-based policy for the client device, and includes a first network address. The policy server receives a second message from an identity server. The second message includes information indicating an identity role and a second network address. The policy server receives a third message from a NAT device. The third message includes a NAT mapping that correlates the first network address with the second network address. After the policy server determines the identity-based policy based on a combination of the first message, the second message, and the third message, the policy server implements the identity-based policy in the network element.
    Type: Application
    Filed: March 2, 2017
    Publication date: September 6, 2018
    Inventors: Sanjay Kumar Hooda, Syam Sundar V Appala, Kaushik Kumar Dam, Vimarsh Puneet
  • Publication number: 20180255002
    Abstract: Group based multicasts may be provided. First, a request may be received. The request may comprise a receiver tag, a request source identifier, and a request multicast group identifier. Next, a source tag corresponding to the request source identifier may be obtained and then it may be determined that a group corresponding to the receiver tag is allowed to access content from a source corresponding to the obtained source tag. In response to determining that the group corresponding to the receiver tag is allowed to access content from the source corresponding to the obtained source tag, content may be received from the source at a multicast group corresponding to the request multicast group identifier. The content may then be forwarded to a receiver corresponding to the request.
    Type: Application
    Filed: March 1, 2017
    Publication date: September 6, 2018
    Applicant: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Kaushik Kumar Dam, Sandesh Kumar Narappa Bheemanakone, Victor M. Moreno, Shivangi Sharma
  • Patent number: 10069762
    Abstract: Group based multicasts may be provided. First, a request may be received. The request may comprise a receiver tag, a request source identifier, and a request multicast group identifier. Next, a source tag corresponding to the request source identifier may be obtained and then it may be determined that a group corresponding to the receiver tag is allowed to access content from a source corresponding to the obtained source tag. In response to determining that the group corresponding to the receiver tag is allowed to access content from the source corresponding to the obtained source tag, content may be received from the source at a multicast group corresponding to the request multicast group identifier. The content may then be forwarded to a receiver corresponding to the request.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: September 4, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Kaushik Kumar Dam, Sandesh Kumar Narappa Bheemanakone, Victor M. Moreno, Shivangi Sharma
  • Publication number: 20180176218
    Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.
    Type: Application
    Filed: December 20, 2016
    Publication date: June 21, 2018
    Inventors: Victor Moreno, Sridhar Subramanian, Sanjay Kumar Hooda
  • Publication number: 20180159957
    Abstract: Aspects of the embodiments are directed to a network element that is configured for receiving, from an access point, a data packet originating from a client, the data packet comprising a packet header that comprises a packet header augmented with context information; decapsulating the packet header to identify the context information; applying a client-specific policy on the packet based, at least in part, on the context information; and forwarding the packet to a next hop in the network. The network element can be part of a network, such as a datacenter fabric architecture.
    Type: Application
    Filed: December 4, 2016
    Publication date: June 7, 2018
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Sanjay Kumar Hooda, Sarath Gorthi Subrahmanya
  • Publication number: 20180091471
    Abstract: Client address based forwarding of dynamic host configuration protocol response packets may be provided. First, a first relay agent on a first network device may receive a first discovery message associated with a first client device. The first discovery message may include a first discovery message identifier field comprising a first identifier corresponding to the first client device. The first client device may be associated with a subnet. Then the first relay agent may register, with a map server, the first identifier with an address of the first network device and add a gateway address corresponding to the first relay agent to the first discovery message. Next, the first relay agent may encapsulate the first discovery message and forward the encapsulated first discovery message over a network to a border device.
    Type: Application
    Filed: September 27, 2016
    Publication date: March 29, 2018
    Inventors: Sanjay Kumar Hooda, Sandesh Kumar Narappa Bheemanakone, Shivangi Sharma, Atri Indiresan, Kaushik Kumar Dam
  • Publication number: 20180077055
    Abstract: A network device may receive a flow having source information corresponding to a first client device and destination information corresponding to a second client device. A tag may then be created by the network device for the flow based upon the source information and the destination information. Next, the network device may encapsulate a packet corresponding to the flow. The packet may be encapsulated with encapsulation information including the created tag. The encapsulated packet may then be routed through a plurality of intermediate network devices in the network. The created tag encapsulated with the packet may identify the packet as being a part of the flow as the packet is routed through the plurality of intermediate network devices.
    Type: Application
    Filed: September 13, 2016
    Publication date: March 15, 2018
    Inventors: Anand Oswal, Muninder Sambi, Sanjay Kumar Hooda
  • Patent number: 9917771
    Abstract: Methods and systems are provided for virtual expansion of a fabric network edge to include edge network devices. For example, unique virtual Internet Protocol (IP) addresses may be assigned to a plurality of L2 switches, wherein the L2 switches are connected to one or more fabric edge devices in a fabric, and wherein the L2 switches are located outside of the fabric. Next, the unique virtual IP addresses may be announced in an underlay of the fabric.
    Type: Grant
    Filed: August 7, 2015
    Date of Patent: March 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Nalinaksh M. Pai, Atri Indiresan
  • Patent number: 9918217
    Abstract: Fast roaming across a network fabric may be provided. A route device may receive location information corresponding to a client device in response to roaming by the client device from a first access point connected to a first network device to a second access point connected to a second network device. The first network device and the second network device may comprise fabric edge nodes on the fabric network. The first network device and the second network device may be ones of a plurality of network devices in the fabric network. On detecting the roaming of the client device, the route device may be updated with the new location, and then the route device may send, to the plurality of network devices in the fabric network, the location information corresponding to the client device.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: March 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Gaurav Dawra, Sudhir Kumar Jain, Atri Indiresan
  • Publication number: 20180069809
    Abstract: An application switch instantiates two application-side network service instances for the same application. Each network service instance is characterized by a common Internet Protocol (IP) address, a common Open Systems Interconnection (OSI) reference model layer 2 (L2) media access control (MAC) address, and a unique (for the application) supplemental L2 identifier. The application switch maintains a mapping between a {client IP address, client port} tuple and a particular instantiated network service instance based at least in part on the supplemental L2 identifier of a particular one of the instantiated first and second network service instances.
    Type: Application
    Filed: September 8, 2016
    Publication date: March 8, 2018
    Inventors: Anand Oswal, Muninder Singh Sambi, Sanjay Kumar Hooda
  • Publication number: 20180034732
    Abstract: A first network device may receive a frame from a first client device that may be destined for a second client device. Then a request may be sent to a network control plane of a network by the first network device in response to receiving the frame. The request may be for information on reachability for the second client device and may comprise an identifier of the second client device and first metadata corresponding to the first client device. The first network device may receive, from the network control plane, in response to sending the request, a policy rule-set for a flow corresponding to the frame and for a location of the second client device. The network control plane may use the identifier of the second client device and the first metadata as keys to lookup the location of the second client device and the policy rule-set.
    Type: Application
    Filed: July 27, 2016
    Publication date: February 1, 2018
    Inventors: Victor M. Moreno, Sanjay Kumar Hooda
  • Publication number: 20170373936
    Abstract: Changes are made to a virtual network for an endpoint based on the authenticated user identity of the endpoint. The system includes a server and a controller associated with a network fabric to which the endpoint is connected. The network fabric includes network elements to carry network traffic for the endpoint. The server authenticates the endpoint associated with a network address and determines a user identity of the endpoint based on the authentication. The server determines a first virtual network associated with the user identity. The controller receives a notification from the server that the network traffic for the endpoint associated with the network address is to be routed over the first virtual network. The controller updates routing information to associate the network address with the first virtual network and sends the updated routing information to the network elements of the network fabric.
    Type: Application
    Filed: June 27, 2016
    Publication date: December 28, 2017
    Inventors: Sanjay Kumar Hooda, Darrin Joseph Miller, Victor Moreno, Mark Montanez, Sridhar Subramanian
  • Patent number: 9838314
    Abstract: In one embodiment, contextual service mobility in an enterprise fabric network environment (e.g., overlay and underlay networks) provides for moving of the location of a service being applied to packets with minimal updates to the mapping database. The mapping database is used to convert addresses of the overlay network to physical network and service addresses. The mapping database provides contextual lookup operations on the same destination address of a packet being forwarded in the overlay network to provide different results. The contextual lookup operations provide for a packet to be forwarded to a service node or its intended destination depending on the current context. In one embodiment, the enterprise fabric network uses Locator/ID Separation Protocol (LISP), a network architecture and set of protocols that uses different overlay and underlay namespaces and a distributed mapping database for converting an overlay address to an underlay address.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: December 5, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Atri Indiresan, Sandesh Kumar B Narappa, Rajesh Arora
  • Publication number: 20170331733
    Abstract: In one embodiment, contextual service mobility in an enterprise fabric network environment (e.g., overlay and underlay networks) provides for moving of the location of a service being applied to packets with minimal updates to the mapping database. The mapping database is used to convert addresses of the overlay network to physical network and service addresses. The mapping database provides contextual lookup operations on the same destination address of a packet being forwarded in the overlay network to provide different results. The contextual lookup operations provide for a packet to be forwarded to a service node or its intended destination depending on the current context. In one embodiment, the enterprise fabric network uses Locator/ID Separation Protocol (LISP), a network architecture and set of protocols that uses different overlay and underlay namespaces and a distributed mapping database for converting an overlay address to an underlay address.
    Type: Application
    Filed: May 16, 2016
    Publication date: November 16, 2017
    Applicant: Cisco Technology, Inc.
    Inventors: Sanjay Kumar Hooda, Atri Indiresan, Sandesh Kumar B Narappa, Rajesh Arora