Abstract: Systems, methods, and non-transitory computer-readable storage media for translating source addresses in an overlay network. An access switch in an overlay network, such as a VXLAN, may receive an encapsulated packet from a tunnel endpoint in the overlay network. The encapsulated packet may originate from a host associated with the tunnel endpoint and be encapsulated at the tunnel endpoint with a first source tunnel endpoint address and a destination tunnel endpoint address. The access switch may replace the first source tunnel endpoint address in the encapsulated packet with a second source tunnel endpoint address of the access switch to yield a translated packet. The access switch may then transmit the translated packet towards the destination tunnel endpoint address.

Abstract: Disclosed herein are methods and related apparatuses for determining statistics descriptive of packets received at a particular location on a network out of a set of packets transmitted on the network, which include transmitting first and second groups of packets on the network, the packets in the first and second groups labeled with first and second labels, respectively (the packets in the second group not in the first group), incrementing first and second packet counters associated with the particular network location in response to packet(s) in the first and second groups, respectively, being received at the network location until all packets in the first and second groups have drained from the network, and using values read from the first and second packet counters to determine a statistic descriptive of the packets received at the particular network location out of those in the first and second groups transmitted on the network.

Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

Abstract: Systems, methods, and non-transitory computer-readable storage media for translating source addresses in an overlay network. An access switch in an overlay network, such as a VXLAN, may receive an encapsulated packet from a tunnel endpoint in the overlay network. The encapsulated packet may originate from a host associated with the tunnel endpoint and be encapsulated at the tunnel endpoint with a first source tunnel endpoint address and a destination tunnel endpoint address. The access switch may replace the first source tunnel endpoint address in the encapsulated packet with a second source tunnel endpoint address of the access switch to yield a translated packet. The access switch may then transmit the translated packet towards the destination tunnel endpoint address.

Abstract: Methods and supporting systems for managing secure communications and establishing authenticated communications between processes of a computer application operating across network domains are provided. Authentication agents operate on servers hosting application processes, wherein each authentication agent has access to policies related to each of the application processes. An authentication agent operating on an originating server intercepts transmissions from an originating application processes and appends a trust profile associated with the originating application process. The transmission is released to a receiving server, where it is intercepted and validated at the receiving server by a second authentication agent on the receiving server.

Abstract: Methods and apparatus for optimizing data center routing in the event of virtual machine (VM) mobility are provided. In one embodiment, a first gateway router, acting as an interface between an Ethernet Virtual Private Network (EVPN) domain and a Locator/ID Separation Protocol (LISP) domain, detects EVPN mobility messages advertised when a VM that has moved connects to a gateway router at a data center. The first gateway router then initiates a LISP mobility event that registers the new location of the moved VM to a LISP mapping system. In another embodiment, the first gateway router may notify a second gateway router, located at another data center from which the VM departed, to clean up the state maintained in that data center. This notification may be made via EVPN or LISP mechanisms. In response, the second gateway router may insert a new sequence into the other data center.

Abstract: Disclosed herein are methods and related apparatuses for determining statistics descriptive of packets received at a particular location on a network out of a set of packets transmitted on the network, which include transmitting first and second groups of packets on the network, the packets in the first and second groups labeled with first and second labels, respectively (the packets in the second group not in the first group), incrementing first and second packet counters associated with the particular network location in response to packet(s) in the first and second groups, respectively, being received at the network location until all packets in the first and second groups have drained from the network, and using values read from the first and second packet counters to determine a statistic descriptive of the packets received at the particular network location out of those in the first and second groups transmitted on the network.

Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

Abstract: Systems, methods, and non-transitory computer-readable storage media for translating source addresses in an overlay network. An access switch in an overlay network, such as a VXLAN, may receive an encapsulated packet from a tunnel endpoint in the overlay network. The encapsulated packet may originate from a host associated with the tunnel endpoint and be encapsulated at the tunnel endpoint with a first source tunnel endpoint address and a destination tunnel endpoint address. The access switch may replace the first source tunnel endpoint address in the encapsulated packet with a second source tunnel endpoint address of the access switch to yield a translated packet. The access switch may then transmit the translated packet towards the destination tunnel endpoint address.

Abstract: Aspects of the embodiments include receiving a packet at a network element of a packet-switched network; identifying a presence of a shared service destination address in a header of the packet; identifying a shared service destination address for the packet based, at least in part, on a destination internet protocol (IP) address stored in a forward information base; and forwarding the packet to the shared service destination address.

Abstract: Aspects of the subject technology relate to solutions for transporting network traffic over an overlay network. A first tunnel endpoint in an overlay network can receive an encapsulated packet from a second tunnel endpoint. The encapsulated packet may have been encapsulated at the second tunnel endpoint based on another packet originating from a source host that is associated with the second tunnel endpoint. The encapsulated packet can include a source host address for the source host and a source tunnel endpoint address for the second tunnel endpoint. The first tunnel endpoint can then update a lookup table based on an association between the source host address and the source tunnel endpoint address.

Abstract: Disclosed are systems, methods, and computer-readable storage media for minimizing the number of entries in network access control lists (ACLs). In some embodiments of the present technology a networking device can receive, from a first computing device, a first data transmission intended for a second computing device, the first data transmission including first transmission data. The networking device can normalize at least a subset of the first transmission data based on a predetermined normalization algorithm, yielding a first normalized data set for the first data transmission. Subsequently, the networking device can identify a first access control list entry from a set of access control list entries based on the first normalized data set, the first access control list entry identifying a first action, and implement the first action in relation to the first data transmission.

Abstract: The subject technology addresses a need for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology provides solutions for extending multipathing to tenant multicast traffic in an overlay network, which enables greater bandwidth utilization for multicast traffic. In some aspects, nodes in the overlay network can be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: Various embodiments of the present disclosure provide methods for randomly mapping entries in a suitable lookup table across multiple switch devices and/or multiple switch chipsets in each of the multiple switch devices by using two or more independent hash functions. In some embodiments, the number of entries in the lookup table is equal to be the least common multiple of all possible M (i.e., a number of switch devices) choosing R values (i.e., a desired redundancy level).

Abstract: Systems, methods, and non-transitory computer-readable storage media for managing routing information in overlay networks. A first tunnel endpoint in an overlay network may receive an encapsulated packet from a second tunnel endpoint. The encapsulated packet may have been encapsulated at the second tunnel endpoint based on another packet originating from a source host that is associated with the second tunnel endpoint. The encapsulated packet can include a source host address for the source host and a source tunnel endpoint address for the second tunnel endpoint. The first tunnel endpoint can then update a lookup table based on an association between the source host address and the source tunnel endpoint address.

Abstract: The subject technology addresses the need in the art for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology addresses the need in the art for extending multipathing to tenant multicast traffic in an IP overlay network, which enables the network to fully utilize available bandwidth for multicast traffic. In some examples, nodes in the overlay network may be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: Various examples of the present disclosure provide methods for unifying various types of end-point identifiers, such as IPv4 (e.g., Internet protocol version 4 represented by a VRF and an IPv4 address), IPv6 (e.g., Internet protocol version 6 represented by a VRF and an IPv6 address) and L2 (e.g., Layer-2 represented by a bridge domain (BD) and a media access control (MAC) address), by mapping end-point identifiers to a uniform space (e.g., a synthetic IPv4 address and a synthetic VRF) and allowing different forms of lookups to be uniformly handled. In some examples, a lookup database residing on a switch device can be sharded into a plurality of lookup table subsets, each of which resides on a different one of multiple switch chipsets (e.g., Tridents) in the switch device.

Abstract: Aspects of the subject disclosure provide methods for avoiding a packet bounce event in a virtual port channel (VPC). A method of the technology can include steps for detecting a link failure event (e.g., between a first network device and a destination node), and receiving a data packet addressed to the destination node. In some implementations, the method can additionally include steps for rewriting encapsulation information of the first data packet. Systems and computer-readable media are also provided.

Abstract: Aspects of the subject disclosure relate to methods for detecting a link failure between the first network device and a destination node, receiving a data packet addressed to the destination node, and rewriting encapsulation information of the first data packet. Subsequent to rewriting the encapsulation information of the first data packet, the first data packet is forwarded to a second network device (e.g., using updated address information in the packet header), wherein the second network device is paired with the first network device in the virtual port channel. In certain aspects, systems and computer readable media are also provided.

Abstract: Methods and apparatus for optimizing data center routing in the event of virtual machine (VM) mobility are provided. In one embodiment, a first gateway router, acting as an interface between an Ethernet Virtual Private Network (EVPN) domain and a Locator/ID Separation Protocol (LISP) domain, detects EVPN mobility messages advertised when a VM that has moved connects to a gateway router at a data center. The first gateway router then initiates a LISP mobility event that registers the new location of the moved VM to a LISP mapping system. In another embodiment, the first gateway router may notify a second gateway router, located at another data center from which the VM departed, to clean up the state maintained in that data center. This notification may be made via EVPN or LISP mechanisms. In response, the second gateway router may insert a new sequence into the other data center.