Patent classifications
H04L49/354
NETWORK ISOLATION
One or more techniques and/or systems are provided for network isolation. For example, nodes within a mesh of devices may be configured with routing rules, main routing tables, and alternative routing tables, such as at a layer-3 network layer. The routing rules may specify that packets received from downstream are to be routed upstream to either a gateway or a backhaul device for evaluation as to whether such packets are allowed to be communicated back downstream to destination recipients using main routing tables. An isolation rule may be configured to specify whether to block or allow packets. In an example, the gateway may either block or allow packets based upon whether a source and destination are within a same virtual local area network or are within different virtual local area networks. In this way, selective device isolation may be provided, such as at the layer-3 network layer.
Restricting broadcast and multicast traffic in a wireless network to a VLAN
Traffic broadcast to a VLAN is restricted. To do so, a plurality of stations are associated with a BSSID (basic service set identifier). A first VLAN is configured by sending a first group key to each station from the plurality of stations that is a member of the first VLAN, wherein each VLAN is associated with a unique group key. One or more frames addressed to the first VLAN are received. The one or more frames are encrypted with the first group key to prevent stations without the first group key from being able to decrypt the one or more frames. The one or more encrypted VLAN frames are broadcast to the plurality of stations associated with the BSSID.
Automatic virtual local area network (VLAN) provisioning in data center switches
Techniques are described for automatic provisioning of virtual local area networks (VLANs) on server-facing ports of access switches included in a data center network. Conventionally, VLANs are pre-configured on all server-facing ports of access switches. The techniques described in this disclosure enable automatic provisioning of VLANs on server-facing ports of access switches triggered by traffic received on the ports. The techniques include a feature in a forwarding plane of an access switch that is configured to detect data packets received for an unknown VLAN on a port, and notify a control plane of the access switch of the unknown VLAN on the port. In response to the notification from the forwarding plane, the control plane may authorize and provision the VLAN on the port. The techniques described in this disclosure include hardware-assisted software provisioning of an unknown VLAN on a given port of an access switch.
BIDIRECTIONAL MULTICASTING OVER VIRTUAL PORT CHANNEL
Aspects of the subject technology relate to systems for arbitrating direct forwarder (“DF”) instantiation between VPC peers used to facilitate the transport of bidirectional multicast traffic over a L2/L3 network boundary. In some aspects, arbitration of DF instantiation on a given VPC peer can include determining a first set of metrics for a first VPC switch, determining a second set of metrics for a second VPC switch, and determining, at the first VPC switch, whether to instantiate a designated forwarder (DF) operation based on a comparison of the first set of metrics and the second set of metrics. Methods and machine-readable media are also provided.
VARIABLE TCAM ACTIONS
Described herein are various embodiments of a network element comprising a network port to receive a unit of network data and a data plane coupled to the network port. In one embodiment the data plane includes a ternary content addressable memory (TCAM) module to compare a first set of bits in the unit of network data with a second set of bits in a key associated with a TCAM rule. The second set of bits includes a first subset of bits and a second subset of bits and the TCAM module includes first logic to compare one or more bits in the first set of bits against the second set of bits, and second logic to select an action or a result using bits from either the second subset of bits, from the unit of network data, or from meta data associated with the unit of network data. Other embodiments are also described.
Secure device management
Techniques are described for managing devices using multiple virtual personal area networks (VPANs). A border router can receive a first request to join a network from a first device. The first device may be assigned to a first virtual personal area network (VPAN), which has an associated first group temporal key (GTK). The first GTK can be distributed to the first virtual device. The border router can also receive a second request to join a network from a second device. The second device may be assigned to a second VPAN, which has an associated second GTK. The second GTK can be distributed to the second virtual device.
PROVIDING RECOMMENDATIONS FOR IMPLEMENTING VIRTUAL NETWORKS
Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.
Disambiguating traffic in networking environments with multiple virtual routing and forwarding (VRF) logical routers
The disclosure provides an approach for routing traffic in a network. Embodiments include receiving, by a service router of an edge services gateway (ESG), a packet comprising a virtual network identifier (VNI) and a virtual local area network (VLAN) identifier. Embodiments include sending, by the service router, the packet to a virtual switch of the ESG based on the VNI of the packet. Embodiments include determining, by the virtual switch, a virtual routing and forwarding (VRF) router of the ESG for the packet based on the VLAN identifier. Embodiments include forwarding, by the virtual switch, the packet to the VRF router.