Abstract: An identity-verification based secure network based on a zero-trust mechanism, is disclosed. The network includes an initiating host (IH), an accepting host (AH), and a software-defined perimeter (SDP) controller. The controller is configured to receive, from the IH, an indication of a source identity, verify a security posture of the source identity based on a stored policy associated with the source identity, and transmit the policy, to the AH, based on the verification. The AH is configured to receive, from the IH, data packets and verify one or more source identities corresponding to each of the received data packets based on a check of each of the one or more source identities against the policy received from the controller. The AH is further configured to transmit one or more of the received data packets, corresponding to the source identity, based on the verification being successful for the source identity.

Abstract: One technique includes receiving, in a first network, a multi-destination packet from a second network, and determining, based on the multi-destination packet, a first multi-destination tree in the first network for forwarding the multi-destination packet. In response to determining that the first multi-destination tree is not rooted on the network device, a second multi-destination tree in the first network is determined, and the multi-destination packet is transmitted using the second multi-destination tree. Another technique includes, upon detecting a first network device joining a network, sending a first indication to a second network device that the first network device is in a state for an amount of time. After the amount of time has elapsed, a second indication that the first network device has exited the state is sent to the second network device. A topology of the network is updated after the first network device has exited the state.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: One technique includes receiving, in a first network, a multi-destination packet from a second network, and determining, based on the multi-destination packet, a first multi-destination tree in the first network for forwarding the multi-destination packet. In response to determining that the first multi-destination tree is not rooted on the network device, a second multi-destination tree in the first network is determined, and the multi-destination packet is transmitted using the second multi-destination tree. Another technique includes, upon detecting a first network device joining a network, sending a first indication to a second network device that the first network device is in a state for an amount of time. After the amount of time has elapsed, a second indication that the first network device has exited the state is sent to the second network device. A topology of the network is updated after the first network device has exited the state.

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: One technique includes receiving, in a first network, a multi-destination packet from a second network, and determining, based on the multi-destination packet, a first multi-destination tree in the first network for forwarding the multi-destination packet. In response to determining that the first multi-destination tree is not rooted on the network device, a second multi-destination tree in the first network is determined, and the multi-destination packet is transmitted using the second multi-destination tree. Another technique includes, upon detecting a first network device joining a network, sending a first indication to a second network device that the first network device is in a state for an amount of time. After the amount of time has elapsed, a second indication that the first network device has exited the state is sent to the second network device. A topology of the network is updated after the first network device has exited the state.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: One technique includes receiving, in a first network, a multi-destination packet from a second network, and determining, based on the multi-destination packet, a first multi-destination tree in the first network for forwarding the multi-destination packet. In response to determining that the first multi-destination tree is not rooted on the network device, a second multi-destination tree in the first network is determined, and the multi-destination packet is transmitted using the second multi-destination tree. Another technique includes, upon detecting a first network device joining a network, sending a first indication to a second network device that the first network device is in a state for an amount of time. After the amount of time has elapsed, a second indication that the first network device has exited the state is sent to the second network device. A topology of the network is updated after the first network device has exited the state.

Abstract: A network device receives multi-destination packets from a first node and forwards at least a first of the multi-destination packets to another network device using a first multi-destination tree with respect to the network device. The network device detects that a link associated with the first multi-destination tree satisfies one or more criteria and, in response to detecting that the link satisfies the one or more criteria, selects a second multi-destination tree with respect to the network device. The network device forwards at least a second of the multi-destination packets to the other network device using the second multi-destination tree.

Abstract: Embodiment provide recovering multicast data traffic during spine reload in software defined networks by identifying interfaces available between spine switches and a public network in a site; identifying Group Internet Protocol-outer (GIPo) addresses that handle multicast communications between endpoints associated together in a bridge domain, wherein the endpoints are connected via leaf switches in communication with the spine switches in a Clos topology; assigning each GIPo address to one virtual interface group (ViG) of a plurality of ViGs to generate GIPo-to-ViG mappings; distributing the GIPo-to-ViG mappings to the spine and leaf switches; assigning each ViG to one Interface as first ViG-to-Interface mappings; distributing the first ViG-to-Interface mappings to the spine and leaf switches and; when a number of available Interfaces changes, re-assigning each ViG to one currently-available Interface as second ViG-to-Interface mappings; and distributing the second ViG-to-Interface mappings to the spine swi

Abstract: Embodiment provide recovering multicast data traffic during spine reload in software defined networks by identifying interfaces available between spine switches and a public network in a site; identifying Group Internet Protocol-outer (GIPo) addresses that handle multicast communications between endpoints associated together in a bridge domain, wherein the endpoints are connected via leaf switches in communication with the spine switches in a Clos topology; assigning each GIPo address to one virtual interface group (ViG) of a plurality of ViGs to generate GIPo-to-ViG mappings; distributing the GIPo-to-ViG mappings to the spine and leaf switches; assigning each ViG to one Interface as first ViG-to-Interface mappings; distributing the first ViG-to-Interface mappings to the spine and leaf switches and; when a number of available Interfaces changes, re-assigning each ViG to one currently-available Interface as second ViG-to-Interface mappings; and distributing the second ViG-to-Interface mappings to the spine swi

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: Bridge domain communication methods and devices are presented for efficiently communicating information in a bridge domain based upon group indications and source indications. Packets with a source and destination indication are received. A bridge domain communication process is performed at the bridge level wherein a packet is selected for forwarding based upon a source and group indication. For example, a determination is made if a particular bridge domain corresponds to the group destination indication in the received packet. The source indication in the packet is compared with a tracked source designation indication. Output ports associated with the tracked source designation indication are identified if the tracked source designation indication matches the received source indication. The communication packet is forwarded on identified ports.

Abstract: In one embodiment, a plurality of network interfaces of a network device that are configured to communicate with other network devices in a first computer network are identified as network-to-network interfaces (NNIs). Also, one or more network interfaces of the network device that are configured to provide access to the first computer network to user devices are identified as user-to-network interfaces (UNIs). One or more NNIs of the plurality of NNIs are selected to forward traffic from the network device to an aggregation device of the first network that couples the first computer network to a second computer network. Also, one or more NNIs of the plurality of NNIs that have not been selected to forward traffic from the device to the aggregation device are designated as network-to-network interface alternates (NNI-ALTs). The one or more NNI-ALTs are treated as UNIs for user data traffic forwarding decisions.

Abstract: In one embodiment, a plurality of network interfaces of a network device that are configured to communicate with other network devices in a first computer network are identified as network-to-network interfaces (NNIs). Also, one or more network interfaces of the network device that are configured to provide access to the first computer network to user devices are identified as user-to-network interfaces (UNIs). One or more NNIs of the plurality of NNIs are selected to forward traffic from the network device to an aggregation device of the first network that couples the first computer network to a io second computer network. Also, one or more NNIs of the plurality of NNIs that have not been selected to forward traffic from the device to the aggregation device are designated as network-to-network interface alternates (NNI-ALTs). The one or more NNI-ALTs are treated as UNIs for user data traffic forwarding decisions.

Abstract: In one embodiment, a network device may have its network interfaces identified as either network-to-network interfaces (NNIs) configured to communicate with other network devices in a first computer network, or user-to-network interfaces (UNIs) configured to provide service to the first computer network for user devices. Based on determining at least one NNI for forwarding upstream traffic to an aggregation device of the first network that connects the first network to a second network, any NNI that is not used for forwarding upstream traffic is deemed a novel “NNI alternate” (NNI-ALT). The forwarding of traffic at the network device may be controlled to provide user isolation between network devices by denying traffic forwarding between UNIs and NNI-ALTs as well as between NNI-ALTs and NNI-ALTs, while permitting traffic forwarding between NNIs and NNI-ALTs.