Abstract: A method and apparatus of a network element that dynamically establishes a first virtual private network (VPN) tunnel is described. In an exemplary embodiment, the network element detects data destined for a first private subnet. In response to the detecting, the network element determines that a next hop for the data does not have an established VPN tunnel that allows access to the first private subnet. The network element further establishes the VPN tunnel and sends the data using the VPN tunnel.

Abstract: A method and apparatus of a network element that hitlessly upgrades a network element operating system of a network element is described. In an exemplary embodiment, the network element hitlessly upgrades the network element operating system by instantiating a second container and starts a second set of processes using a second image of the network element operating system in the second container. In addition, the network element executes a first image of the network element operating system as a first set of processes in a first container. The network element additionally synchronizes state data between the first set of processes and the second set of processes. Furthermore, the network element sets the second set of processes as managing a plurality of hardware tables, and stops the first set of processes within the first container.

Abstract: A method for transmitting packets in a network is provided. The method includes determining that a first packet will be encrypted prior to transmitting the first packet to a network device. The first packet includes a first source address for the first packet. The method also includes generating a routing value based on the first source address. The routing value allows the network device to determine which of a plurality of processing cores will be used to process the first packet. The method further includes encrypting the first packet to generate an encrypted first packet. The method further includes encapsulating the encrypted first packet within a second packet. A payload of the second packet comprises the encrypted first packet and a packet header of the second packet includes the routing value. The method further includes transmitting the second packet to the network device.

Abstract: A method and apparatus of a device that simulates a plurality of network elements is described. In an exemplary embodiment, the device receives network topology information for the plurality of simulated network elements. The device further instantiates a container for each of the plurality of simulated network elements. The device additionally configures a set of processes for each of the plurality of containers, where each of the set of processes simulates at least one of the plurality of simulated network elements. The plurality of set of processes further implements a network topology represented by the network topology information. The device performs a test of the network topology and saves the results of the test.

Abstract: A method and apparatus of a network element that hitlessly upgrades a network element operating system of a network element is described. In an exemplary embodiment, the network element receives a second image for the network element operating system, where a first image of the network element operating system is executing as a first set of processes in a first container and the first set of processes manages the plurality of hardware tables for the network element. The network element further instantiates a second container for the second image. In addition, the network element starts a second set of processes using at least the second image in the second container. The network element additionally synchronizes state data between the first set of processes and the second set of processes. Furthermore, the network element sets the second set of processes as managing the plurality of hardware tables, and stops the first set of processes within the first container.

Abstract: A method and apparatus of a network element that installs a device driver used to manage hardware of the network element is described. In an exemplary embodiment, the network element detects, with a functionality of a network element operating system, the hardware of a data plane of the network element, where at least one component of the network element operating system is executing in a first container as a first set of processes. The network element further determines a device driver for the hardware and installs the device driver in a kernel of the host operating system. The network element additionally manages the data, with the network element operating system, using the device driver.

Abstract: A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the device receives control plane data with a network element operating system, where at least a functionality of the network element operating system is executing in a container of the network element. In addition, the network element includes a data plane with a plurality of hardware tables and the host operating system. Furthermore, the network element processes the control plane data with the network element operating system. The network element additionally updates at least one of the plurality of hardware tables with the process control plane data using the network element operating system.

Abstract: A method and apparatus of a network element that dynamically establishes a first virtual private network (VPN) tunnel is described. In an exemplary embodiment, the network element detects data destined for a first private subnet. In response to the detecting, the network element determines that a next hop for the data does not have an established VPN tunnel that allows access to the first private subnet. The network element further establishes the VPN tunnel and sends the data using the VPN tunnel.

Abstract: Methods and apparatus for providing availability information of a virtual machine to a load balancer are disclosed. The availability information of the virtual machine may be normalized information from performance metrics of the virtual machine and performance metrics of the physical machine on which the virtual machine operates. The normalized availability of a virtual machine is provided by a feedback agent executing on the virtual machine. Alternatively, the normalized availability of a virtual machine is provided by a feedback agent executing on a hypervisor executing multiple virtual machines on a common set of physical computing hardware.

Abstract: At a network element having a plurality of physical links configured to communicate traffic over a network to or from the network element, an uplink group is formed comprising the plurality of physical links, wherein the plurality of physical links comprise a first physical link and a second physical link. A plurality of classes of service are defined comprising a first class of service and a second class of service, wherein the first class of service and second class of service have bandwidth allocations on the first physical link. Traffic congestion is detected on the first physical link that exceeds a predetermined threshold for the first class of service. Traffic associated with one or more virtual machines associated with the first class of service on the first physical link is re-associated to the second physical link until the traffic congestion falls below the predetermined threshold.

Abstract: A method is provided in one example embodiment that includes detecting a migration of a virtual machine from an origination host to a destination host and comparing a first root bridge to a second root bridge to verify data link layer continuity of the virtual network on the destination host. The virtual machine is connected to a virtual network, the first root bridge is associated with the virtual network on the origination host and the second root bridge is associated with the virtual network on the destination host. The method may further include blocking the migration if the first root bridge and the second root bridge are not the same.

Abstract: An example method is provided and may include multicasting a discovery packet in an overlay network, which includes a Layer 2 scheme over a Layer 3 network; and identifying endpoints based on their respective responses to the discovery packet, where the endpoints are coupled across a multicast backbone. In more specific embodiments, the method may include identifying disconnected endpoints in the overlay network based on a lack of responses from the disconnected endpoints.

Abstract: In one example embodiment, an apparatus may include a first virtual machine provided on a first local device of a plurality of local devices, wherein a portion of resources of the first local device are allocated to the first virtual machine. A virtualization software switch may be provided on the first local device, configured to forward or redirect at least some traffic from the first local device to a WAN (Wide Area Network) optimization virtual appliance, the WAN optimization virtual appliance including at least the first virtual machine, a second virtual machine on a second local device of the plurality of local devices, and a distributed WAN optimization application running at least on the first and second virtual machines.

Abstract: Flows of packets are dynamically mapped to resource queues. Flows of packets are received at a network device to be routed from the network device in a network. Each flow comprises packets to be sent from a source to a connection. Data is stored for a queue allocation table that maintains a plurality of buckets to which received packets for a flow are assigned and indicating which of a plurality of resource queues are allocated for respective buckets. For each packet in a flow, a hash function is computed from values in a header of the packet and the packet is assigned to one of the plurality of buckets based on the computed hash function. One of a plurality of resource queues is allocated for each bucket to which packets are assigned based on the computed hash function.

Abstract: At a network element having a plurality of physical links configured to communicate traffic over a network to or from the network element, an uplink group is formed comprising the plurality of physical links, wherein the plurality of physical links comprise a first physical link and a second physical link A plurality of classes of service are defined comprising a first class of service and a second class of service, wherein the first class of service and second class of service have bandwidth allocations on the first physical link. Traffic congestion is detected on the first physical link that exceeds a predetermined threshold for the first class of service. Traffic associated with one or more virtual machines associated with the first class of service on the first physical link is re-associated to the second physical link until the traffic congestion falls below the predetermined threshold.

Abstract: Techniques are provided for improve quality of service on uplinks in a virtualized environment. At a server apparatus having a plurality of physical links configured to communicate traffic over a network to or from the server apparatus, forming an uplink group comprising a plurality of physical links. A first class of service is defined that allocates a first share of available bandwidth on the uplink group, and a second class of service is defined that allocates a second share of available bandwidth on the uplink group. The bandwidth for the first class of service is allocated across the plurality of physical links of the uplink group, and the bandwidth for the second class of service is allocated across the plurality of physical links of the uplink group. Traffic rates are monitored on each of the plurality of physical links to determine if a physical link is congested indicating that a bandwidth deficit exists for a class of service.

Abstract: Techniques are described for identifying destinations in a virtual network by defining virtual entities such as a port profile as the destination for network policies, such as redirect or span to be a logical set of ports (i.e., ports belonging to a port-profile or a port group) where the members of the set of ports may be added/removed dynamically without requiring any changes to the network policy. Further, a network administrator (or other user) may predefine the destinations for a network policy even before some or all of the destinations are active on a given virtualized system. In such cases, the network policies may go into effect when the required entities become available.

Abstract: A method is provided in one example embodiment that includes detecting a migration of a virtual machine from an origination host to a destination host and comparing a first root bridge to a second root bridge to verify data link layer continuity of the virtual network on the destination host. The virtual machine is connected to a virtual network, the first root bridge is associated with the virtual network on the origination host and the second root bridge is associated with the virtual network on the destination host. The method may further include blocking the migration if the first root bridge and the second root bridge are not the same.

Abstract: Flows of packets are dynamically mapped to resource queues. Flows of packets are received at a network device to be routed from the network device in a network. Each flow comprises packets to be sent from a source to a connection. Data is stored for a queue allocation table that maintains a plurality of buckets to which received packets for a flow are assigned and indicating which of a plurality of resource queues are allocated for respective buckets. For each packet in a flow, a hash function is computed from values in a header of the packet and the packet is assigned to one of the plurality of buckets based on the computed hash function. One of a plurality of resource queues is allocated for each bucket to which packets are assigned based on the computed hash function.

Abstract: An example method is provided and may include multicasting a discovery packet in an overlay network, which includes a Layer 2 scheme over a Layer 3 network; and identifying endpoints based on their respective responses to the discovery packet, where the endpoints are coupled across a multicast backbone. In more specific embodiments, the method may include identifying disconnected endpoints in the overlay network based on a lack of responses from the disconnected endpoints.