Abstract: A system for facilitating loop-free traffic forwarding is provided. During operation, the system can operate a switch as a tunnel endpoint for a plurality of tunnels with corresponding remote endpoints. The system can determine a tunnel network identifier (TNI) associated with a respective virtual local area network (VLAN) configured at the switch. The system can then enable the TNI for a first tunnel among the plurality of tunnels for carrying traffic of the VLAN. Here, traffic of the VLAN is only forwarded over the first tunnel. Therefore, the system can prevent the rest of the plurality of tunnels from looping the traffic of the VLAN back to the switch. The system can select a second tunnel as a standby tunnel for the TNI from the rest of the plurality of tunnels. If the first tunnel is unavailable, the system can enable the TNI for the second tunnel for traffic forwarding.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: An apparatus for detecting a loop in a domain comprising a plurality of overlay tunnel fabrics is provided. The apparatus can include an indicator logic block that can insert a predetermined value, which can be unique for the apparatus in the domain, into an egress tunnel header of a packet of a data flow. The header's destination address can correspond to a remote apparatus of an overlay tunnel fabric that includes the apparatus. Tunnel encapsulation can be initiated and terminated within the corresponding overlay tunnel fabric. The indicator logic block can determine, for a respective packet of the data flow from a remote overlay tunnel fabric of the domain, whether the predetermined value is present in an ingress tunnel header. Upon identifying the predetermining value in the ingress tunnel header, a loop logic block of the apparatus can determine that a loop is present in the domain.

Abstract: A member switch of multiple connected switches receives a stack-discovery packet from a first coupled switch and, in response, generates and transmits a stack-discovery-response packet to the first coupled switch to allow the member switch to be discovered. The member switch receives stack-configuration information from a stack-control node and forwards the stack-discovery packet to a second coupled switch to facilitate discovery of the second coupled switch. The first coupled switch, the member switch, and the second coupled switch are coupled to each other according to a predetermined order, thereby facilitating an ordered discovery of the multiple connected switches. In response to receiving, from the stack-control node, a control packet, the member switch reboots based on the received stack-configuration information.

Abstract: A first ingress interface on a switch receives a first control packet for establishing a Transmission Control Protocol (TCP) session and selects a first engine running on a first line card in the switch. A second ingress interface receives a second control packet and selects the same first engine. Data associated with the TCP session received by the first or second ingress interface subsequent to establishing the TCP session is to be forwarded to the first engine. The first ingress interface receives a third control packet and sends, to the selected first engine, a notification indicating the TCP session which is to be tracked. The first or second ingress interface receives a fourth packet with a payload associated with the TCP session and forwards, to the selected first engine, a copy of the fourth packet, thereby facilitating a plurality of engine instances to support application identification.

Abstract: A system for facilitating traffic redirection for a multi-chassis link aggregation group (MCLAG) is provided. During operation, the system can participate in an MCLAG using a first interface of a first switch. The MCLAG can also include a second interface of a second switch. Based on predetermined unavailability for the first switch, the system can determine a sequence of applications for a plurality of traffic forwarding configurations. A respective configuration can facilitate loop prevention for traffic forwarded via the MCLAG. The system can then apply the plurality of configurations to the first switch based on the sequence of applications to redirect unicast traffic from the first switch to the second switch. Here, applying a respective configuration can include programming corresponding switch hardware with the configuration. Subsequently, the system can perform a set of operations on the first switch that triggers the predetermined unavailability.

Abstract: In an example, a switch may receive an authentication request from a host associated with a first wireless access point (WAP) connected to the switch. The switch acts as a VXLAN Tunnel Endpoint (VTEP) in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) based Virtual Extensible Local Area Network (VXLAN). The switch forwards the authentication request to an authentication server and on successful authentication of the host, may associate a role information with the host based on an authentication response from the authentication server. Further, the switch may create a BGP extended community field carrying the role identifier indicative of network policies to be implemented for the host and attach the BGP extended community field with a route advertisement. The switch then sends the route advertisement to another switch. The another switch is configured as a peer VTEP in the VXLAN. The switch and the another switch is configured in a single Virtual Local Area Network (VLAN).

Abstract: In an example, a wired network device receives a first join message originating from a client device associated with a first wireless access point (WAP) connected to another wired network device in a broadcast domain. An entry corresponding to the client device is created in a remote receiver record of the wired network device. In response to the client device transitioning from the first WAP to a second WAP connected to the wired network device, it is determined that the client device is locally connected to the wired network device. Intention of the client device to receive multicast traffic is identified. A second join message directed to the network address of the multicast group and distributed in the broadcast domain. A traffic flow path for the multicast traffic via the wired network device and the second WAP to the client device is configured.

Abstract: Examples disclosed herein relate to performing a software update on a network device forming a MC-LAG. In an example, a software update onto a first network device and a second network device may be downloaded. The first network device and the second network device may form a MC-LAG that may provide a redundant connectivity to a network device in a network. A shutdown of routing protocols on the first network device may be performed. Each of the routing protocols may advertise a maximum metric on the first network device, leading to a recalculation of network routes by the network device. The first network device may be updated with the software update. Until the software update on the first network device is complete, network traffic on the network may be routed through the second network device.

Abstract: A first ingress interface on a switch receives a first control packet for establishing a Transmission Control Protocol (TCP) session and selects a first engine running on a first line card in the switch. A second ingress interface receives a second control packet and selects the same first engine. Data associated with the TCP session received by the first or second ingress interface subsequent to establishing the TCP session is to be forwarded to the first engine. The first ingress interface receives a third control packet and sends, to the selected first engine, a notification indicating the TCP session which is to be tracked. The first or second ingress interface receives a fourth packet with a payload associated with the TCP session and forwards, to the selected first engine, a copy of the fourth packet, thereby facilitating a plurality of engine instances to support application identification.

Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.

Abstract: Examples disclosed herein relate to managing a second ring link failure in a multi-ring Ethernet network. In an example, an inter-connection network node in a multi-ring Ethernet network comprising a major ring and a sub-ring may propagate a signal failure (SF) event, received in response to a second ring link failure in the major ring, to one or more nodes in the sub-ring. In response to receiving the SF event, a Ring Protection Link (RPL) on the sub-ring may be unlocked to allow network traffic through the RPL and avoid loop formation on the multi-ring Ethernet network. The sub-ring may be moved to the ring protection switching state, including performing a filtering database (FDB) flush at every node on the multi-ring Ethernet network whereby all MAC addresses and related port associations for traffic forwarding are cleared from the FDB.

Abstract: An apparatus for detecting a loop in a domain comprising a plurality of overlay tunnel fabrics is provided. The apparatus can include an indicator logic block that can insert a predetermined value, which can be unique for the apparatus in the domain, into an egress tunnel header of a packet of a data flow. The header's destination address can correspond to a remote apparatus of an overlay tunnel fabric that includes the apparatus. Tunnel encapsulation can be initiated and terminated within the corresponding overlay tunnel fabric. The indicator logic block can determine, for a respective packet of the data flow from a remote overlay tunnel fabric of the domain, whether the predetermined value is present in an ingress tunnel header. Upon identifying the predetermining value in the ingress tunnel header, a loop logic block of the apparatus can determine that a loop is present in the domain.

Abstract: A member switch of multiple connected switches receives a stack-discovery packet from a first coupled switch and, in response, generates and transmits a stack-discovery-response packet to the first coupled switch to allow the member switch to be discovered. The member switch receives stack-configuration information from a stack-control node and forwards the stack-discovery packet to a second coupled switch to facilitate discovery of the second coupled switch. The first coupled switch, the member switch, and the second coupled switch are coupled to each other according to a predetermined order, thereby facilitating an ordered discovery of the multiple connected switches. In response to receiving, from the stack-control node, a control packet, the member switch reboots based on the received stack-configuration information.

Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.

Abstract: In an example, a wired network device receives a first join message originating from a client device associated with a first wireless access point (WAP) connected to another wired network device in a broadcast domain. An entry corresponding to the client device is created in a remote receiver record of the wired network device. In response to the client device transitioning from the first WAP to a second WAP connected to the wired network device, it is determined that the client device is locally connected to the wired network device. Intention of the client device to receive multicast traffic is identified. A second join message directed to the network address of the multicast group and distributed in the broadcast domain. A traffic flow path for the multicast traffic via the wired network device and the second WAP to the client device is configured.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: In an example, a failure event is detected in a network, where the failure event is indicative of a network outage in a network device or a peer network device of an MC-LAG. The network device and the peer network device may be configured as a first VTEP in an overlay network. It may be determined that reprovisioning of virtual tunnels in the network device is incomplete. State parameters between the network device and the peer network device is synchronized. The set of virtual tunnels in the network device is provisioned based on the state parameters. After completion of provisioning of the virtual tunnels, an IP address of the first VTEP is published to underlay network devices connecting the first VTEP to a second VTEP over an underlay network. Subsequently, communication links between the MC-LAG and a host device is enabled.

Abstract: A system for redirecting traffic is provided. The system can allow a first switch to participate in a virtual switch in conjunction with a second switch of an overlay tunnel fabric. A path between a respective switch pair of an underlying network of the fabric can be determined based on a routing process. The first and second switches may individually participate in the routing process. Hence, the packets to a tunnel to the virtual switch can be distributed among paths to the first and second switches. The system can determine a trigger condition indicating that packets subsequently received via the tunnel is to be directed to a path to the second switch. The first and second switches can remain in an operational state. The system can then advertise a high cost for a link to the first switch for the routing process in the underlying network.

Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.