Patent classifications
H04L45/586
High performance software-defined core network
A method comprising instantiating virtual routers (VRs) at each of a set of nodes that form a network. Each VR is coupled to the network and to a tenant of the node. The network comprises virtual links in an overlay network provisioned over an underlay network including servers of a public network. The method comprises configuring at least one VR to include a feedback control system comprising at least one objective function that characterizes the network. The method comprises configuring the VR to receive link state data of a set of virtual links of the virtual links, and control routing of a tenant traffic flow of each tenant according to a best route of the network determined by the at least one objective function using the link state data.
MAC ADDRESS SENDING METHOD, APPARATUS, AND SYSTEM, AND RELATED DEVICE
A media access control (MAC) address sending method, apparatus, and system, and a related device are provided. The method is implemented by a first network device connected to a first virtual machine and a second virtual machine. The first network device obtains a MAC address of the first virtual machine; and when the first virtual machine and the second virtual machine have a same MAC address and are located in different virtual local area networks, sends a route to a second network device, where the route includes route information, and the route information includes the MAC address, first virtual local area network information of the first virtual machine, and second virtual local area network information of the second virtual machine. In this method, information about virtual machines having a same MAC address in different virtual local area networks is aggregated to one route.
SERVICE CHAINING IN FABRIC NETWORKS
Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.
ORCHESTRATION OF TENANT OVERLAY NETWORK CONSTRUCTS
A method for creating overlay networking constructs to establish network connectivity between virtual routers and remote physical gateways is provided. An orchestrator receives a mapping between tenant network identifiers for multiple tenant networks and overlay network identifiers for multiple overlay networks. The orchestrator attaches a virtual router to a parent logical port of an overlay logical switch for connectivity between a physical gateway and the multiple tenant networks. The orchestrator creates multiple child logical ports that are sub-interfaces of the parent logical port. Each child logical port is uniquely identified by a tenant network identifier. The orchestrator connects multiple child logical switches to the multiple child logical ports according to the received mapping. Each child logical switch is uniquely identified by an overlay network identifier. The orchestrator establishes multiple overlay networks based on the child logical switches to tunnel data between the physical gateway and the child logical ports.
VIRTUAL DOMAINS WITHIN A SHARED DEVICE
In one example, a method comprises receiving, by a computing device, configuration data defining: an external virtual domain for a network function, the external virtual domain connected to a public network and managed by a provider for the computing device; a virtual domain for the network function, the virtual domain separate from the external virtual domain, configured with a secure tunnel interface, connected to a customer network, and managed by a customer of the provider for the computing device; forwarding, by the external virtual domain implementing a route-based virtual private network, encrypted network traffic, received from the public network via a secure tunnel, to the secure tunnel interface configured in the virtual domain; decrypting, by the virtual domain, the encrypted network traffic to generate network traffic; and forwarding, by the virtual domain, the network traffic to the customer network.
INTEGRATED SERVICE MESH CONTROL PLANE MANAGEMENT
This disclosure describes an integrated management method to manage a service mesh data plane over a network fabric. The method includes determining at least one service mesh data plane policy for a microservice of a service mesh. The method further includes sending, over the network fabric, the at least one service mesh data plane policy to a virtual router associated with the microservice based at least in part on connectivity information maintained by a network fabric control plane manager of a configuration manager.
Port extender with local switching
A switching system comprises a controlling switch and a plurality of port extenders. One of the port extenders includes: at least one upstream port; multiple downstream ports; and a forwarding engine. A forwarding database is populated with entries indicating associations between i) respective network addresses corresponding to devices coupled to downstream ports, and ii) respective local downstream ports. The forwarding database excludes entries corresponding to network addresses corresponding to devices coupled to the at least one upstream port. The forwarding engine is configured to: for a first packet received via one of the local downstream ports, and having a destination network address in the forwarding database, forward the first packet to a different local downstream port indicated by the forwarding database. For a second packet received via one of the local downstream ports, and having a destination network address not in the forwarding database, forward the second packet to the at least one upstream port.
Intent-based policy generation for virtual networks
Techniques are disclosed for generating intent-based policies and applying the policies to traffic of a computer network. In one example, a policy controller for the computer network receives traffic statistics for traffic flows among a plurality of application workloads executed by a first set of computing devices. The policy controller correlates the traffic statistics into session records for the plurality of application workloads. The policy controller generates, based on the session records for the application workloads, application firewall policies for the application workloads. Each of the application firewall policies defines whether traffic flows between application workloads are to be allowed or denied. The policy controller distributes the application firewall policies to a second set of one or more computing devices for application to traffic flows between instances of the application workloads.