Patents by Inventor Vinayak Joshi
Vinayak Joshi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250112855
Abstract: A network management system (NMS) for provisioning and managing an overlay network is provided. During operation, the NMS can determine that a loop associated with a media access control (MAC) address is detected in the network. The NMS can probe a first switch in the loop by instructing the first switch to observe the MAC address for a predetermined period. The NMS can receive a first message indicating a first set of ports of the first switch observing the MAC address. The NMS can probe an upstream switch reachable via each of the first set of ports by instructing the upstream switch to observe the MAC address for the predetermined period. Here, observing the MAC address at an upstream port of the upstream switch causes further upstream probing. Based on probing the switches in the loop, the NMS can determine one or more loop origination points (LOPs) for the loop.
Type: Application
Filed: October 3, 2023
Publication date: April 3, 2025
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan, Balaji Sankaran
-
Patent number: 12126521
Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.
Type: Grant
Filed: August 25, 2021
Date of Patent: October 22, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Rajib Majila, Venkatavaradhan Devarajan, Vinayak Joshi, Ram Iakhan Patel
-
Patent number: 12107754
Abstract: In an example, a switch may receive an authentication request from a host associated with a first wireless access point (WAP) connected to the switch. The switch acts as a VXLAN Tunnel Endpoint (VTEP) in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) based Virtual Extensible Local Area Network (VXLAN). The switch forwards the authentication request to an authentication server and on successful authentication of the host, may associate a role information with the host based on an authentication response from the authentication server. Further, the switch may create a BGP extended community field carrying the role identifier indicative of network policies to be implemented for the host and attach the BGP extended community field with a route advertisement. The switch then sends the route advertisement to another switch. The another switch is configured as a peer VTEP in the VXLAN. The switch and the another switch are configured in a single Virtual Local Area Network (VLAN).
Type: Grant
Filed: April 4, 2022
Date of Patent: October 1, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Venkatavaradhan Devarajan, Vinayak Joshi
-
Patent number: 12107857
Abstract: A system for enforcement of a set of segmentation policies at a gateway switch of a network is provided. Here, the segmentation policies can indicate which other roles are allowed to communicate with a respective role, which can indicate a set of privileges in the network. During operation, the switch can receive a first message associated with a join request for a multicast group from a host. The switch can also receive a second message comprising data from a source of the multicast group. The first and second messages can indicate first and second roles, respectively, of the host and source. Based on the first and second roles and a corresponding segmentation policy, the system can determine whether the host is allowed to receive the data from the source. If not allowed, the system can prevent the second message from being forwarded to the host from the gateway switch.
Type: Grant
Filed: January 30, 2023
Date of Patent: October 1, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Vinayak Joshi, Tathagata Nandy
-
Patent number: 12095656
Abstract: In an example, a failure event is detected in a network, where the failure event is indicative of a network outage in a network device or a peer network device of an MC-LAG. The network device and the peer network device may be configured as a first VTEP in an overlay network. It may be determined that reprovisioning of virtual tunnels in the network device is incomplete. State parameters between the network device and the peer network device are synchronized. The set of virtual tunnels in the network device is provisioned based on the state parameters. After completion of provisioning of the virtual tunnels, an IP address of the first VTEP is published to underlay network devices connecting the first VTEP to a second VTEP over an underlay network. Subsequently, communication links between the MC-LAG and a host device are enabled.
Type: Grant
Filed: August 2, 2021
Date of Patent: September 17, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Saumya Dikshit, Vinayak Joshi, Venkatavaradhan Devarajan
-
Publication number: 20240288298
Abstract: A tank system having a tank container for filling with a fuel and having a sensor assembly for determining a current fuel quantity in the tank container, including a pressure sensor, and an air channel arranged at least in part inside the tank container and pneumatically connected at a first channel end to the pressure sensor, and the air channel is oriented in the direction toward a container bottom of the tank container at an open second channel end opposite the first channel end.
Type: Application
Filed: February 21, 2024
Publication date: August 29, 2024
Inventors: SATHISH THIRUMALAI, VINAYAK JOSHI, DEVIDAS D. SATAVALEKAR, SAURABH MISHRA
-
Publication number: 20240283798
Abstract: Some examples relate to a proxy service on a network device for applying a group based policy (GBP) to network traffic from a client. In an example, a proxy service on a network device is used to intercept a network access request message, pertaining to a client, from an access device. The proxy service forwards the network access request message to an authentication server. The server responds by sending a network access response message to the access device. The proxy service intercepts the network access response message from the authentication server and obtains the role information of the client from the network access response message. In response to receiving network traffic from the client, the proxy service identifies a GBP corresponding to the role information of the client and applies the GBP to the network traffic from the client.
Type: Application
Filed: May 10, 2023
Publication date: August 22, 2024
Inventors: Balaji Sankaran, Venkatavaradhan Devarajan, Vinayak Joshi
-
Publication number: 20240259373
Abstract: A system for enforcement of a set of segmentation policies at a gateway switch of a network is provided. Here, the segmentation policies can indicate which other roles are allowed to communicate with a respective role, which can indicate a set of privileges in the network. During operation, the switch can receive a first message associated with a join request for a multicast group from a host. The switch can also receive a second message comprising data from a source of the multicast group. The first and second messages can indicate first and second roles, respectively, of the host and source. Based on the first and second roles and a corresponding segmentation policy, the system can determine whether the host is allowed to receive the data from the source. If not allowed, the system can prevent the second message from being forwarded to the host from the gateway switch.
Type: Application
Filed: January 30, 2023
Publication date: August 1, 2024
Inventors: Vinayak Joshi, Tathagata Nandy
-
Publication number: 20240259346
Abstract: A system for compacting traffic separation policies in campus networks, the system comprising an access layer switch and a campus border switch. The access layer switch is configured to receive a definition of one or more policies; responsive to receiving a packet, determine whether any of the policies apply to the packet; responsive to determining that none of the policies apply, cause a tag to be inserted into a communication header of the packet and forward the packet; and responsive to determining that one of the policies applies, forward or drop the packet according to the applicable policy and omit the tag. The campus border switch is configured to, responsive to receiving a packet from the access layer switch, determine whether the packet includes the tag, and responsive to determining that the packet includes the tag, apply a traffic separation policy associated with the tag to the packet.
Type: Application
Filed: January 30, 2023
Publication date: August 1, 2024
Inventors: Vinayak Joshi, Venkata Varadhan Devarajan, Rajib Majila, Sathyanarayana Gopal, Hari Anil Kumar
-
Publication number: 20240244000
Abstract: A system for selectively programming the forwarding hardware of a switch is provided. During operation, the system can operate the switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN). The system can determine, using a routing protocol, a set of routes for the VPN. The system can maintain the set of routes in a first data structure in an application space. The set of routes can include a first subset of routes to remote hosts of the VPN and a second subset of routes comprising the rest of the set of routes. The system can program the second subset of routes in the forwarding hardware. Upon receiving a packet for a remote host, the system can determine a route to the remote host from the first set of routes and program the route in the forwarding hardware.
Type: Application
Filed: January 17, 2023
Publication date: July 18, 2024
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila, Vijeesh Erankotte Panayamthatta
-
Publication number: 20240146556
Abstract: In an example, a network switch may receive a join request, for a multicast group indicated by an overlay multicast address, from a remote network switch. The network switch may be coupled to a source host device and the remote network switch may be coupled to a receiver host device of the multicast group. The network switch and the remote network switch may be configured as virtual endpoints in an overlay network deployed over an underlay network. The network switch may map the overlay multicast address to an underlay multicast address and the remote network switch may join the multicast group represented by the underlay multicast address. The network switch may receive multicast traffic for the multicast group from the source host device and encapsulate the multicast traffic with a destination address identical to the underlay multicast address. The network switch may then forward the multicast traffic to the multicast group via the underlay network based on the destination address.
Type: Application
Filed: October 31, 2022
Publication date: May 2, 2024
Inventors: Vinayak Joshi, Tathagata Nandy
-
Patent number: 11888901
Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.
Type: Grant
Filed: August 23, 2021
Date of Patent: January 30, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila, Tathagata Nandy
-
Patent number: 11855803
Abstract: An apparatus for detecting a loop in a domain comprising a plurality of overlay tunnel fabrics is provided. The apparatus can include an indicator logic block that can insert a predetermined value, which can be unique for the apparatus in the domain, into an egress tunnel header of a packet of a data flow. The header's destination address can correspond to a remote apparatus of an overlay tunnel fabric that includes the apparatus. Tunnel encapsulation can be initiated and terminated within the corresponding overlay tunnel fabric. The indicator logic block can determine, for a respective packet of the data flow from a remote overlay tunnel fabric of the domain, whether the predetermined value is present in an ingress tunnel header. Upon identifying the predetermined value in the ingress tunnel header, a loop logic block of the apparatus can determine that a loop is present in the domain.
Type: Grant
Filed: October 8, 2021
Date of Patent: December 26, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan
-
Publication number: 20230318961
Abstract: In an example, a switch may receive an authentication request from a host associated with a first wireless access point (WAP) connected to the switch. The switch acts as a VXLAN Tunnel Endpoint (VTEP) in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) based Virtual Extensible Local Area Network (VXLAN). The switch forwards the authentication request to an authentication server and on successful authentication of the host, may associate a role information with the host based on an authentication response from the authentication server. Further, the switch may create a BGP extended community field carrying the role identifier indicative of network policies to be implemented for the host and attach the BGP extended community field with a route advertisement. The switch then sends the route advertisement to another switch. The another switch is configured as a peer VTEP in the VXLAN. The switch and the another switch are configured in a single Virtual Local Area Network (VLAN).
Type: Application
Filed: April 4, 2022
Publication date: October 5, 2023
Inventors: Venkatavaradhan Devarajan, Vinayak Joshi
-
Patent number: 11743693
Abstract: In an example, a wired network device receives a first join message originating from a client device associated with a first wireless access point (WAP) connected to another wired network device in a broadcast domain. An entry corresponding to the client device is created in a remote receiver record of the wired network device. In response to the client device transitioning from the first WAP to a second WAP connected to the wired network device, it is determined that the client device is locally connected to the wired network device. Intention of the client device to receive multicast traffic is identified. A second join message is directed to the network address of the multicast group and distributed in the broadcast domain. A traffic flow path for the multicast traffic via the wired network device and the second WAP to the client device is configured.
Type: Grant
Filed: July 13, 2021
Date of Patent: August 29, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Vinayak Joshi, Tathagata Nandy, Venkatavaradhan Devarajan, Saumya Dikshit
-
Patent number: 11671282
Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.
Type: Grant
Filed: May 24, 2021
Date of Patent: June 6, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila
-
Patent number: 11646991
Abstract: One aspect provides a method and system for managing address resolution requests in a network. During operation, a gateway of the network advertises a route for sending address resolution requests and determines whether a cached entry corresponding to an address resolution request received via the route exists in a neighbor table. In response to determining that the cached entry exists, the gateway responds to the address resolution request based on the cached entry; in response to determining that the cached entry does not exist, the gateway replicates the address resolution request to edge devices in the network, thereby facilitating discovery of a target host corresponding to the address resolution request.
Type: Grant
Filed: May 28, 2021
Date of Patent: May 9, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Ankit Kumar Sinha, Saumya Dikshit, Vinayak Joshi, Venkatesh Natarajan
-
Publication number: 20230111305
Abstract: An apparatus for detecting a loop in a domain comprising a plurality of overlay tunnel fabrics is provided. The apparatus can include an indicator logic block that can insert a predetermined value, which can be unique for the apparatus in the domain, into an egress tunnel header of a packet of a data flow. The header's destination address can correspond to a remote apparatus of an overlay tunnel fabric that includes the apparatus. Tunnel encapsulation can be initiated and terminated within the corresponding overlay tunnel fabric. The indicator logic block can determine, for a respective packet of the data flow from a remote overlay tunnel fabric of the domain, whether the predetermined value is present in an ingress tunnel header. Upon identifying the predetermined value in the ingress tunnel header, a loop logic block of the apparatus can determine that a loop is present in the domain.
Type: Application
Filed: October 8, 2021
Publication date: April 13, 2023
Inventors: Vinayak Joshi, Venkatavaradhan Devarajan
-
Publication number: 20230089819
Abstract: One aspect of the instant application facilitates a source port-based identification of client role. During operation, the system can receive, at a network device, a network packet from a client device coupled to the network device via a port. The system can in response to determining that the port is a trusted port, apply a global trusted port configuration based on a first mapping table. The global trusted port configuration corresponds to a default client role. The system can in response to determining that a per-port configuration exists in a second mapping table and the client device is coupled to the trusted port, identify the per-port configuration that corresponds to a port-based client role to override the global trusted port configuration; and apply, based on the per-port configuration and a third mapping table, a policy to the subsequent network packets received via the port.
Type: Application
Filed: September 22, 2021
Publication date: March 23, 2023
Inventors: Rajib Majila, Ram lakhan Patel, Vinayak Joshi
-
Publication number: 20230069306
Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.
Type: Application
Filed: August 25, 2021
Publication date: March 2, 2023
Inventors: Rajib Majila, Venkatavaradhan Devarajan, Vinayak Joshi, Ram lakhan Patel