H04L49/354

SECURE DEVICE MANAGEMENT
20220353149 · 2022-11-03

Techniques are described for managing devices using multiple virtual personal area networks (VPANs). A border router can receive a first request to join a network from a first device. The first device may be assigned to a first VPAN, which has an associated first group temporal key (GTK). The first GTK can be distributed to the first device. The border router can also receive a second request to join the network from a second device. The second device may be assigned to a second VPAN, which has an associated second GTK. The second GTK can be distributed to the second device. Because each VPAN has its own GTK, traffic protected under one VPAN's key cannot be validated by members of another VPAN, and rotating a GTK cuts off any device that has not received the new key.
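
Constructed example of the join-and-key-distribution flow above (written for this page, not the patent's or any vendor's code): a border router keeps one GTK per VPAN, hands it to each device it admits, and can rotate it. The router class, the provisioning table, and the use of HMAC-SHA256 as the frame-protection primitive are assumptions; a real 802.15.4-class stack would use an AEAD such as AES-CCM, but the isolation property shown is the same.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a border router that keeps one group temporal key (GTK)
# per virtual personal area network (VPAN). Frames are protected with an HMAC
# under the VPAN's GTK (an assumption for this example; a real PAN stack would
# use an AEAD such as AES-CCM). Shown: a member of one VPAN cannot validate
# another VPAN's traffic, and rotating a GTK cuts off frames under the old key
# for any device that only holds the new one.

TAG_LEN = 32  # HMAC-SHA256 output length


@dataclass
class Vpan:
    name: str
    gtk: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    members: set = field(default_factory=set)


class BorderRouter:
    def __init__(self, assignments):
        # assignments: device id -> VPAN name (hypothetical provisioning table)
        self.assignments = dict(assignments)
        self.vpans = {name: Vpan(name) for name in set(assignments.values())}

    def join(self, device_id):
        """Handle a join request: place the device in its VPAN and return that VPAN's GTK."""
        vpan = self.vpans[self.assignments[device_id]]
        vpan.members.add(device_id)
        return vpan.gtk

    def rotate(self, vpan_name):
        """Rekey one VPAN; frames under the old GTK are rejected by devices holding the new one."""
        self.vpans[vpan_name].gtk = secrets.token_bytes(16)


class Device:
    def __init__(self, device_id):
        self.device_id = device_id
        self.gtk = None

    def join(self, router):
        self.gtk = router.join(self.device_id)

    def protect(self, frame):
        return frame + hmac.new(self.gtk, frame, hashlib.sha256).digest()

    def accept(self, msg):
        """Return the frame if its tag verifies under this device's GTK, else None."""
        frame, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.gtk, frame, hashlib.sha256).digest()
        return frame if hmac.compare_digest(tag, expected) else None


def demo():
    router = BorderRouter({"lamp-1": "lighting", "lamp-2": "lighting",
                           "meter-1": "metering", "lamp-3": "lighting"})
    lamp1, lamp2, meter = Device("lamp-1"), Device("lamp-2"), Device("meter-1")
    for d in (lamp1, lamp2, meter):
        d.join(router)

    msg = lamp1.protect(b"set-level 40")   # constructed sample frame
    same_vpan = lamp2.accept(msg)          # shares the lighting GTK
    other_vpan = meter.accept(msg)         # holds only the metering GTK

    router.rotate("lighting")
    lamp3 = Device("lamp-3")
    lamp3.join(router)                     # receives the rotated GTK
    after_rotate = lamp3.accept(msg)       # frame under the old GTK is rejected
    return {
        "same_vpan": same_vpan,
        "other_vpan": other_vpan,
        "after_rotate": after_rotate,
        "lighting_members": sorted(router.vpans["lighting"].members),
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants here is the last one: after a rotate, devices that joined before the rekey still hold the old GTK, so the router has to redistribute the new key to every existing member (not only to new joiners) or they lose the ability to talk to each other.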

Orchestrating allocation of shared resources in a datacenter

A cluster configuration request to form a hyperconverged computing infrastructure (HCI) cluster in a cloud computing environment is processed. Based on the cluster configuration request and any other cluster specifications, a plurality of bare metal computing nodes of the cloud computing environment are configured to operate as an HCI cluster. First, a tenant-specific secure network overlay is formed on a first set of tenant-specific networking hardware resources. Then, the tenant-specific secure network overlay is used by an orchestrator to provision a second set of tenant-specific networking hardware resources. The second set of tenant-specific networking hardware resources are configured to interconnect node-local storage devices into a shared storage pool having a contiguous address space. Top-of-rack switches are configured to form a network overlay on the first set of tenant-specific networking hardware resources. Then, top-of-rack switches are configured to form a layer-2 subnet on the second set of tenant-specific networking hardware resources.

SYNCHRONIZATION FOR BACKPLANE COMMUNICATION

An industrial system for controlling backplane communication. A cluster manager includes a primary switch linked to a primary control module, and at least one Input/Output (I/O) module includes a secondary switch linked to a secondary control module. A unidirectional communication line links the cluster manager to the I/O module(s) through passive base plates: the cluster manager has a transmission port and a reception port on the line, and each I/O module has a reception port on it. The primary control module generates a pulse on the line via the transmission port. On reception of the pulse, the primary control module creates a primary timestamp from the primary clock of the primary switch, and the secondary control module creates a secondary timestamp from the secondary clock of the secondary switch. The primary control module then sends a message containing the primary timestamp over the same line to the secondary control module; on reception of the message, the secondary control module synchronizes the secondary clock with the primary clock based on the received primary timestamp and its own secondary timestamp.

CONFIGURATION OF A SCALABLE IP NETWORK IMPLEMENTATION OF A SWITCH STACK

A method and system of configuring a stack of switches includes configuring a switch with mapping information based on a user input flow mapping that defines destination port(s) (local destination port(s) and/or remote destination port(s)) for a flow to exit the stack. The mapping information includes any local destination port(s) via which the flow can exit the stack from the switch and an outbound stack port for each of any remote destination port(s) via which the flow can be transmitted from the switch to a downstream switch. The method further includes creating a decapsulation entry having a flow ID for the flow, wherein the flow ID is assigned to the flow and is unique across the stack, and configuring the switch with access to a decapsulation algorithm configured to use the flow ID via the decapsulation entry to decapsulate encapsulated network traffic of the flow received from an upstream switch.
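
Constructed model of the configuration step described above (example code for this page, not the patent's implementation). A stack is modelled as a line of switches joined by stack ports; for each flow the user supplies the destination ports where it exits, and every switch the flow can reach is given its local exit ports, the outbound stack port for downstream exits, and a decapsulation entry keyed by a flow ID drawn from a single stack-wide allocator. The class and field names, the one-directional stack line, and the port names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of switch-stack flow configuration. A flow ID is unique
# across the whole stack because one allocator hands them out; a switch that
# receives an encapsulated packet with no decapsulation entry for its flow ID
# drops it rather than guessing. Names and layout are assumptions.


@dataclass
class Switch:
    name: str
    downstream: Optional["Switch"] = None
    stack_port: str = "stk0"                            # outbound stack port
    local_exits: dict = field(default_factory=dict)     # flow_id -> [local ports]
    remote_exits: dict = field(default_factory=dict)    # flow_id -> stack port
    decap_entries: dict = field(default_factory=dict)   # flow_id -> flow name


class Stack:
    def __init__(self, names):
        self.switches = [Switch(n) for n in names]
        for up, down in zip(self.switches, self.switches[1:]):
            up.downstream = down
        self._next_flow_id = 1   # single stack-wide allocator keeps IDs unique

    def index(self, name):
        return [s.name for s in self.switches].index(name)

    def configure_flow(self, flow, dest_ports):
        """dest_ports: list of (switch name, port). Returns the stack-unique flow ID."""
        fid = self._next_flow_id
        self._next_flow_id += 1
        for i, sw in enumerate(self.switches):
            local = [port for name, port in dest_ports if name == sw.name]
            has_remote = any(self.index(name) > i for name, _ in dest_ports)
            if not local and not has_remote:
                continue              # flow never reaches this switch; install no state
            if local:
                sw.local_exits[fid] = local
            if has_remote:
                sw.remote_exits[fid] = sw.stack_port
            sw.decap_entries[fid] = flow
        return fid

    def forward(self, ingress, fid, payload):
        """Walk an encapsulated packet down the stack; returns the (switch, port) exits."""
        exits = []
        sw = self.switches[self.index(ingress)]
        while sw is not None:
            if fid not in sw.decap_entries:
                break                 # no decapsulation entry: unknown flow ID, dropped
            exits += [(sw.name, p) for p in sw.local_exits.get(fid, [])]
            if fid not in sw.remote_exits:
                break
            sw = sw.downstream        # re-encapsulated out of the stack port
        return exits


if __name__ == "__main__":
    stack = Stack(["sw1", "sw2", "sw3"])
    cam = stack.configure_flow("camera", [("sw1", "p3"), ("sw3", "p7")])
    print(cam, stack.forward("sw1", cam, b"frame"))
```

Keeping the allocator in one place is what makes the "unique across the stack" property hold; if each switch minted its own IDs, two flows could collide at a downstream decapsulation entry and one flow's traffic would exit on the other's ports.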

PACKET PROCESSING METHOD, APPARATUS, AND SYSTEM, AND STORAGE MEDIUM
20230131282 · 2023-04-27

A packet processing method is disclosed. According to the method, a first network device receives a first packet sent by a second network device, where the first packet includes a first group identifier corresponding to a VPN on the second network device, a first source device corresponding to the first packet belongs to the VPN, and the first source device is connected to the second network device. The first network device obtains a second group identifier based on a destination address of the first packet, where the second group identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first packet belongs to the VPN, and the first destination device is connected to the third network device. The first network device processes the first packet based on the first group identifier and the second group identifier.
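
Constructed example for this page (not the patent's code) of the decision the first network device makes: resolve the VPN that the second device's group identifier belongs to, resolve the group identifier for the same VPN on the third device from the destination address, and forward only when both resolve to one VPN. Group identifiers are per-device, so the same VPN carries different identifiers on different devices. The device names, addresses, identifier values, and the per-peer authorisation check are assumptions.

```python
# Constructed tables. Group identifiers are device-local: VPN "blue" is
# 0x101 on pe2, 0x201 on pe3 and 0x301 on pe4.

# (sending device, group id advertised by that device) -> VPN name
PEER_GROUPS = {
    ("pe2", 0x101): "blue",
    ("pe2", 0x102): "red",
    ("pe4", 0x301): "blue",
}

# destination address -> (egress device, VPN, group id of that VPN on the egress device)
DEST_TABLE = {
    "10.1.0.5": ("pe3", "blue", 0x201),
    "10.2.0.7": ("pe3", "red", 0x202),
}


def process_packet(peer, packet):
    """Return ('forward', egress device, second group id) or ('drop', reason).

    peer is the second network device the packet arrived from; packet carries
    the first group identifier and the destination address.
    """
    vpn = PEER_GROUPS.get((peer, packet["group_id"]))
    if vpn is None:
        # the identifier is not one this peer is authorised to use: treat as spoofed
        return ("drop", "unknown group id for peer")
    entry = DEST_TABLE.get(packet["dst"])
    if entry is None:
        return ("drop", "no route")
    egress, dst_vpn, second_group_id = entry
    if dst_vpn != vpn:
        # destination belongs to a different VPN; never bridge across
        return ("drop", "cross-VPN")
    return ("forward", egress, second_group_id)


if __name__ == "__main__":
    print(process_packet("pe2", {"group_id": 0x101, "dst": "10.1.0.5"}))
```

The first lookup is keyed on the sending device as well as the identifier: a group identifier in a packet header is attacker-controlled data, so the first device should only honour identifiers the sending peer actually hosts, not any identifier that happens to exist somewhere in the table.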

Route server mode for dynamic routing between logical and physical networks
11601362 · 2023-03-07

Some embodiments provide a method for configuring a logical router that interfaces with an external network. The method receives a configuration for a logical network that includes a logical router with several interfaces that connect to at least one physical router external to the logical network. The method selects a separate host machine to host a centralized routing component for each of the interfaces. The method selects a particular one of the host machines for operating a dynamic routing protocol control plane that receives routing protocol data from each of the centralized routing components and updates routing tables of each of the centralized routing components.

Layer-2 network extension over layer-3 network using encapsulation

Techniques are disclosed for session-based routing within Open Systems Interconnection (OSI) Model Layer-2 (L2) networks extended over Layer-3 (L3) networks. In one example, L2 networks connect a first client device to a first router and a second client device to a second router. An L3 network connects the first and second routers. The first router receives, from the first client device, a non-session-based L2 frame destined for the second client device. The first router forms an L3 packet comprising an L3 header specifying L3 addresses of the first and second routers and a protocol selected based on an L3 service for the L2 frame, a payload comprising the L2 frame, and metadata comprising a session identifier distinctly identifying the L2 frame, and forwards the L3 packet to the second router. The second router recovers the L2 frame from the payload and forwards the L2 frame to the second client device.
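
Constructed encapsulation format and both router sides of the exchange above, written for this page (not the patent's or any vendor's wire format). The L3 header carries the two routers' addresses and a protocol number chosen for the L3 service, the metadata is a session identifier that distinctly identifies the frame, and the payload is the frame. The field layout, the use of IANA-reserved experimental protocol number 253, and the duplicate-session-identifier replay check on the receiving router are assumptions.

```python
import itertools
import socket
import struct

# Constructed L2-over-L3 encapsulation. Header: src IP, dst IP, protocol,
# 64-bit session id (metadata), payload length; then the raw L2 frame.
# Protocol 253 is IANA-reserved for experimentation; it stands in for the
# protocol the L3 service would select.

PROTO_L2_EXT = 253
HEADER = struct.Struct("!4s4sBQH")   # src IP, dst IP, protocol, session id, payload length
ETH_HDR_LEN = 14                     # dst MAC, src MAC, EtherType


class L2Extender:
    def __init__(self, local_ip, peer_ip):
        self.local = socket.inet_aton(local_ip)
        self.peer = socket.inet_aton(peer_ip)
        self._session_ids = itertools.count(1)
        self.seen = set()            # session ids already decapsulated (replay guard; assumption)

    def encapsulate(self, l2_frame):
        """Wrap a non-session-based L2 frame with an L3 header and a fresh session id."""
        if len(l2_frame) < ETH_HDR_LEN:
            raise ValueError("runt frame")
        sid = next(self._session_ids)
        return HEADER.pack(self.local, self.peer, PROTO_L2_EXT, sid, len(l2_frame)) + l2_frame

    def decapsulate(self, packet):
        """Recover the L2 frame, or return None for anything that must not be forwarded."""
        if len(packet) < HEADER.size:
            return None
        src, dst, proto, sid, length = HEADER.unpack_from(packet)
        if dst != self.local or src != self.peer or proto != PROTO_L2_EXT:
            return None              # not for us, not from our peer, or wrong service
        frame = packet[HEADER.size:]
        if len(frame) != length or length < ETH_HDR_LEN:
            return None              # truncated or padded: length field must match
        if sid in self.seen:
            return None              # duplicate session id: replayed, drop
        self.seen.add(sid)
        return frame


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build a minimal Ethernet II frame from colon-separated MAC strings (sample-data helper)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    r1 = L2Extender("192.0.2.1", "198.51.100.1")      # first router (RFC 5737 test addresses)
    r2 = L2Extender("198.51.100.1", "192.0.2.1")      # second router
    frame = ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, b"hello")
    print(r2.decapsulate(r1.encapsulate(frame)) == frame)
```

The decapsulating router validates addresses, protocol and length before it trusts the payload; an L3 packet arriving from an arbitrary source must not be able to inject frames into the extended L2 segment, and since the carried frame is forwarded as-is, the replay check on the session identifier is the only thing that keeps a captured packet from being re-injected.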

PRIVATE ALLOCATED NETWORKS OVER SHARED COMMUNICATIONS INFRASTRUCTURE
20230118165 · 2023-04-20

Methods and systems for implementing private allocated networks in a virtual infrastructure are presented. One method operation creates virtual switches in one or more hosts in the virtual infrastructure. Each port in the virtual switches is associated with a private allocated network (PAN) from a group of possible PANs. In one embodiment, one or more PANs share the same physical media for data transmission. The intranet traffic within each PAN is not visible to nodes that are not connected to the each PAN. In another operation, the method defines addressing mode tables for the intranet traffic within each PAN. The entries in the addressing mode tables define addressing functions for routing the intranet traffic between the virtual switches, and different types of addressing functions are supported by the virtual switches.