Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.

Abstract: An example network orchestrator of a SDN is configured to receive, based on a user input, credentials associated with a traffic flow. Based on the credentials, it is determined whether the traffic flow is received at an ingress overlay network node. Route information and encapsulation information of the traffic flow is extracted from the ingress overlay network node. A first set of underlay network nodes each of which is a potential next hop for the traffic flow is identified. It is determined, based on the encapsulation information, whether the traffic flow is received by one of the first set of underlay network nodes. It is determined whether the traffic flow is received at an egress overlay network node from one of the first. A network trace of the traffic flow is determined based on the determinations of whether the traffic flow is received at the ingress overlay network node, one of the first set of underlay network nodes, and the egress overlay network node.

Abstract: In an example, a wired network device receives a first join message originating from a client device associated with a first wireless access point (WAP) connected to another wired network device in a broadcast domain. An entry corresponding to the client device is created in a remote receiver record of the wired network device. In response to the client device transitioning from the first WAP to a second WAP connected to the wired network device, it is determined that the client device is locally connected to the wired network device. Intention of the client device to receive multicast traffic is identified. A second join message directed to the network address of the multicast group and distributed in the broadcast domain. A traffic flow path for the multicast traffic via the wired network device and the second WAP to the client device is configured.

Abstract: Examples disclosed herein relate to a method comprising receiving a data packet originating from a first device and intended for a second device, wherein the first device and the first access device belong to a first branch of a Wide Area Network (WAN) using a MPLS overlay and the second device belongs to a second branch of the WAN. The method includes encapsulating the data packet in VXLAN including a VXLAN label identifying a role type and transmitting the data packet to a first core device. The method includes determining an MPLS label corresponding to the role type and transmitting the data packet over the MPLS overlay to a second core device belonging to the second branch of the WAN. The method includes translating the MPLS label into the VXLAN label and transmitting the data packet including the VXLAN label to a second access device for an enforcement action.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: In an example, a failure event is detected in a network, where the failure event is indicative of a network outage in a network device or a peer network device of an MC-LAG. The network device and the peer network device may be configured as a first VTEP in an overlay network. It may be determined that reprovisioning of virtual tunnels in the network device is incomplete. State parameters between the network device and the peer network device is synchronized. The set of virtual tunnels in the network device is provisioned based on the state parameters. After completion of provisioning of the virtual tunnels, an IP address of the first VTEP is published to underlay network devices connecting the first VTEP to a second VTEP over an underlay network. Subsequently, communication links between the MC-LAG and a host device is enabled.

Abstract: One aspect provides a method and system for managing address resolution requests in a network. During operation, a gateway of the network advertises a route for sending address resolution requests and determines whether a cached entry corresponding to an address resolution request received via the route exists in a neighbor table. In response to determining that the cached entry exists, the gateway responds to the address resolution request based on the cached entry; in response to determining that the cached entry does not exist, the gateway replicates the address resolution request to edge devices in the network, thereby facilitating discovery of a target host corresponding to the address resolution request.

Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.

Abstract: An example network orchestrator of a SDN is configured to receive, based on a user input, credentials associated with a traffic flow. Based on the credentials, it is determined whether the traffic flow is received at an ingress overlay network node. Route information and encapsulation information of the traffic flow is extracted from the ingress overlay network node. A first set of underlay network nodes each of which is a potential next hop for the traffic flow is identified. It is determined, based on the encapsulation information, whether the traffic flow is received by one of the first set of underlay network nodes. It is determined whether the traffic flow is received at an egress overlay network node from one of the first. A network trace of the traffic flow is determined based on the determinations of whether the traffic flow is received at the ingress overlay network node, one of the first set of underlay network nodes, and the egress overlay network node.

Abstract: Examples disclosed herein relate to a method comprising receiving a data packet originating from a first device and intended for a second device, wherein the first device and the first access device belong to a first branch of a Wide Area Network (WAN) using a MPLS overlay and the second device belongs to a second branch of the WAN. The method includes encapsulating the data packet in VXLAN including a VXLAN label identifying a role type and transmitting the data packet to a first core device. The method includes determining an MPLS label corresponding to the role type and transmitting the data packet over the MPLS overlay to a second core device belonging to the second branch of the WAN. The method includes translating the MPLS label into the VXLAN label and transmitting the data packet including the VXLAN label to a second access device for an enforcement action.

Abstract: A method is implemented by a network device for enabling destination network address translation in a cloud network. The method includes determining that packets having a first public address as a source address and a second public address as a destination address are to be forwarded to a first host that is assigned a first private address and sending a first advertisement message to a gateway indicating that packets having the first public address as a source address and the second public address as a destination address are to be forwarded to a first switch connected to the first host, where the first switch is configured to translate the destination address of those packets from the second public address to the first private address assigned to the first host.

Abstract: An example network orchestrator of a SDN is configured to receive, based on a user input, credentials associated with a traffic flow. Based on the credentials, it is determined whether the traffic flow is received at an ingress overlay network node. Route information and encapsulation information of the traffic flow is extracted from the ingress overlay network node. A first set of underlay network nodes each of which is a potential next hop for the traffic flow is identified. It is determined, based on the encapsulation information, whether the traffic flow is received by one of the first set of underlay network nodes, It is determined whether the traffic flow is received at an egress overlay network node from one of the first. A network trace of the traffic flow is determined based on the determinations of whether the traffic flow is received at the ingress overlay network node, one of the first set of underlay network nodes, and the egress overlay network node.

Abstract: A method and network interface card providing central processor unit efficient storing of data. The NIC receives request for registering a memory address range in the NIC, the request comprising a rewrite protection granularity for the memory address range. When receiving data from a client process, subsequent to registering of said memory address range, said data having an address within the memory address range, the NIC determines whether the rewrite protection granularity of the NIC is reached, when receiving said data. In the event that the rewrite protection granularity is reached, the NIC inactivates the memory address range according to said reached rewrite protection granularity. The auto-inactivated memory address range also provides a rewrite protection of data when storing data. Remote logging or monitoring of data is also enabled, wherein the logging or monitoring may be regarded to become server-less.

Abstract: A data center failure management system and method in a Software Defined Networking (SDN) deployment. In one embodiment, an SDN controller associated with the data center is configured to learn new flows entering the data center and determine which flows require flow stickiness. Responsive to the determination, the SDN controller generates commands to one or more switching nodes and/or one or more border gateway nodes to redirect the sticky flows arriving at the switching nodes via ECMP routes from the gateway nodes or avoid the ECMP routes by the gateway nodes in order to overcome certain failure conditions encountered in the data center, an external network, or both.

Abstract: A method is implemented by a network device for enabling destination network address translation in a cloud network. The method includes determining that packets having a first public address as a source address and a second public address as a destination address are to be forwarded to a first host that is assigned a first private address and sending a first advertisement message to a gateway indicating that packets having the first public address as a source address and the second public address as a destination address are to be forwarded to a first switch connected to the first host, where the first switch is configured to translate the destination address of those packets from the second public address to the first private address assigned to the first host.

Abstract: A data center failure management system and method in a Software Defined Networking (SDN) deployment. In one embodiment, an SDN controller associated with the data center is configured to learn new flows entering the data center and determine which flows require flow stickiness. Responsive to the determination, the SDN controller generates commands to one or more switching nodes and/or one or more border gateway nodes to redirect the sticky flows arriving at the switching nodes via ECMP routes from the gateway nodes or avoid the ECMP routes by the gateway nodes in order to overcome certain failure conditions encountered in the data center, an external network, or both.

Abstract: A data center failure management system and method in a Software Defined Networking (SDN) deployment. In one embodiment, an SDN controller associated with the data center is configured to learn new flows entering the data center and determine which flows require flow stickiness. Responsive to the determination, the SDN controller generates commands to one or more switching nodes and/or one or more border gateway nodes to redirect the sticky flows arriving at the switching nodes via ECMP routes from the gateway nodes or avoid the ECMP routes by the gateway nodes in order to overcome certain failure conditions encountered in the data center, an external network, or both.

Abstract: A data center failure management system and method in a Software Defined Networking (SDN) deployment. In one embodiment, an SDN controller associated with the data center is configured to learn new flows entering the data center and determine which flows require flow stickiness. Responsive to the determination, the SDN controller generates commands to one or more switching nodes and/or one or more border gate-way nodes to redirect the sticky flows arriving at the switching nodes via ECMP routes from the gateway nodes or avoid the ECMP routes by the gateway nodes in order to overcome certain failure conditions encountered in the data center, an external network, or both.

Abstract: Exposing existing database server attributes that are used for load balancing, accounting, log filtering, problem determination, and end user identification as tenant identifiers. An example of such attribute is the values in existing client information fields that are available to applications for passing additional information to the database server via connections. These values are then used by the database server for enhanced operational functions of load balancing, accounting, log filtering, problem determination, and end user identification.

Abstract: A method is performed by a network device acting as a controller in a software defined networking (SDN) network. The method detects control path loops in the SDN network. The method includes receiving a Packet-In message from a switch, where the Packet-In message includes a packet. The method further includes determining a packet identifier associated with the packet, determining a key based on the packet identifier associated with the packet, determining whether an entry associated with the key exists in a loop detection cache, updating a counter value associated with the entry in response to determining that the entry associated with the key exists in the loop detection cache, and determining that the packet is in a control path loop in response to determining that the counter value associated with the entry reaches a threshold value.