Patent classifications
H04L49/354
TUNNEL-BASED SERVICE INSERTION IN PUBLIC CLOUD ENVIRONMENTS
Example methods and systems are provided for a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; and generating and sending a second encapsulated packet over the tunnel to cause the service path to process the inner packet of the first encapsulated packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet as processed by the service path, sending the processed inner packet, or a fourth encapsulated packet containing it, towards a destination address of the inner packet.
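The four-packet exchange in this abstract is easier to follow as code. The following is an added simulation, not code from the patent or its assignee: the packet model, the rule format, the tunnel naming scheme and the two constructed services (a Telnet deny rule and a source NAT) are all assumptions made here to show the flow. The service path's processing is invoked directly in place of sending the second encapsulated packet over a real tunnel.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed packet model: an encapsulated packet is an outer tunnel header plus an inner packet.
@dataclass(frozen=True)
class Inner:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Encap:
    tunnel: str          # outer header: the tunnel this packet travels on
    inner: Inner

# A service returns the packet it lets through, or None to drop it.
Service = Callable[[Inner], Optional[Inner]]

@dataclass
class ServicePath:
    name: str
    services: List[Service]

    def process(self, pkt: Inner) -> Optional[Inner]:
        for svc in self.services:
            pkt = svc(pkt)
            if pkt is None:
                return None
        return pkt

def match_src(cidr: str) -> Callable[[Inner], bool]:
    net = ip_network(cidr)
    return lambda p: ip_address(p.src) in net

@dataclass
class NetworkDevice:
    """Edge device that owns the tunnels to the service paths and the service insertion rules."""
    rules: List[Tuple[Callable[[Inner], bool], str]]   # ordered (match, service path name)
    paths: Dict[str, ServicePath]                      # service paths reachable from this device
    overlay: Dict[str, str]                            # inner destination -> tunnel to the host that owns it
    tunnels: Dict[str, str] = field(default_factory=dict)  # service path name -> established tunnel id
    trace: List[str] = field(default_factory=list)

    def establish_tunnel(self, path_name: str) -> str:
        if path_name not in self.paths:
            raise KeyError(f"unknown service path {path_name}")
        tunnel_id = f"svc-tun-{len(self.tunnels) + 1}"   # assumed naming scheme
        self.tunnels[path_name] = tunnel_id
        return tunnel_id

    def handle(self, first: Encap):
        """Process a first encapsulated packet; returns what leaves the device (Encap, Inner, or None if dropped)."""
        inner = first.inner                                 # decapsulate
        path_name = next((name for match, name in self.rules if match(inner)), None)
        if path_name is None:                               # no rule: forward without service insertion
            return self.forward(inner)
        if path_name not in self.tunnels:
            raise RuntimeError(f"no tunnel established to service path {path_name}")
        second = Encap(self.tunnels[path_name], inner)      # second encapsulated packet, sent over the service tunnel
        self.trace.append(f"{first.tunnel} -> {second.tunnel} via {path_name}")
        processed = self.paths[path_name].process(second.inner)   # the service path's side of the tunnel
        if processed is None:
            self.trace.append(f"{path_name} dropped {inner.src}->{inner.dst}:{inner.dport}")
            return None
        third = Encap(second.tunnel, processed)             # third encapsulated packet, returned over the same tunnel
        return self.forward(third.inner)

    def forward(self, inner: Inner):
        if inner.dst in self.overlay:                       # destination sits behind another tunnel: fourth encapsulated packet
            return Encap(self.overlay[inner.dst], inner)
        return inner                                        # otherwise the processed inner packet leaves as-is

# Constructed services for the service path: a firewall rule and a source NAT.
PRIVATE = ip_network("10.0.0.0/8")

def deny_telnet(pkt: Inner) -> Optional[Inner]:
    return None if pkt.dport == 23 else pkt

def source_nat(pkt: Inner) -> Inner:
    return Inner("203.0.113.1", pkt.dst, pkt.dport) if ip_address(pkt.src) in PRIVATE else pkt

def build_device() -> NetworkDevice:
    """Constructed topology: traffic from 10.0.1.0/24 is steered through fw-chain; 10.0.2.9 lives behind tun-vm2."""
    dev = NetworkDevice(
        rules=[(match_src("10.0.1.0/24"), "fw-chain")],
        paths={"fw-chain": ServicePath("fw-chain", [deny_telnet, source_nat])},
        overlay={"10.0.2.9": "tun-vm2"},
    )
    dev.establish_tunnel("fw-chain")
    return dev

if __name__ == "__main__":
    dev = build_device()
    print(dev.handle(Encap("tun-vm1", Inner("10.0.1.5", "10.0.2.9", 443))))
    print(dev.handle(Encap("tun-vm1", Inner("10.0.1.5", "10.0.2.9", 23))))
    print(dev.trace)
```

The check worth keeping from this is the one in `handle`: a rule that names a service path with no established tunnel is an error, not a silent bypass of the services, since failing open would let traffic skip the firewall chain.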
Individual Virtual Private Local Area Network Service Conversion to a Different Virtual Private Network Service
In one embodiment, a plurality of virtual private local area network services (VPLSs) are operated among a plurality of packet switching devices, with the plurality of VPLSs including a first VPLS and a different second VPLS. In response to a conversion declaration including a particular Service Instance VLAN ID (I-SID), the first VPLS corresponding to the particular I-SID is converted to a different type of virtual private network (VPN) service, while continuing to operate the different second VPLS which is not related to the particular I-SID. In one embodiment, the different type of VPN service is Provider Backbone Bridging Ethernet VPN (PBB-EVPN). In one embodiment, the conversion declaration is a Border Gateway Protocol (BGP) Network Layer Reachability Information (NLRI) of Route Type 3 Inclusive Multicast Ethernet Tag (IMET) route.
Communication Method and Apparatus
In a communication method, when a terminal device initiates establishment of a session of an Ethernet type, a virtual local area network management function entity in a communications system may determine a virtual local area network identifier of a user group to which the terminal device belongs. In this way, a user plane function entity serving the session of the terminal device may allocate a plurality of virtual ports to the virtual local area network having that identifier and may broadcast an Ethernet broadcast frame of the session on the plurality of virtual ports.
IN-BAND MANAGEMENT INTERFACE WITH USER SPACE DATAPATH
A method of utilizing the same hardware network interface card (NIC) in a gateway of a datacenter to communicate datacenter tenant packet traffic and packet traffic for a set of applications that execute in the user space of the gateway and utilize a network stack in the kernel space of the gateway. The method sends and receives packets for the datacenter tenant packet traffic through a packet datapath in the user space. The method sends incoming packets from the NIC to the set of applications through the datapath in the user space, a user-kernel transport driver connecting the kernel network stack to the datapath in the user space, and the kernel network stack. The method receives outgoing packets at the NIC from the set of applications through the kernel network stack, the user-kernel transport driver, and the datapath in the user space.
Flooding packets on a per-virtual-network basis
Methods and techniques for flooding packets on a per-virtual-network basis are described. Some embodiments provide a system (e.g., a switch) which determines an internal virtual network identifier based on one or more fields in a packet's header. Next, the system performs a forwarding lookup operation based on the internal virtual network identifier. If the forwarding lookup operation succeeds, the system can process and forward the packet accordingly. However, if the forwarding lookup operation fails, the system can determine a set of egress ports based on the internal virtual network identifier. Next, for each egress port in the set of egress ports, the system floods the packet on that port only if the virtual network identifier in the packet's header is associated with the egress port. Flooding packets on a per-virtual-network basis can substantially reduce the amount of resources required to flood the packet when a forwarding lookup operation fails.
DYNAMIC MULTI-DESTINATION TRAFFIC MANAGEMENT IN A DISTRIBUTED TUNNEL ENDPOINT
One embodiment of the present invention provides a switch. The switch includes a storage device, a mapping module, and a packet processor. During operation, the mapping module maintains a first mapping and a second mapping. The first mapping, which can be in the storage device, is between a first service tunnel identifier and a first virtual local area network (VLAN) identifier. The second mapping is between the first VLAN identifier and an indicator, which indicates whether the switch is elected as a designated forwarder of multi-destination traffic for the first service tunnel identifier. If the indicator indicates that the switch is the designated forwarder of multi-destination traffic for the first service tunnel identifier, the packet processor determines an egress port, which corresponds to the first service tunnel, for a packet belonging to multi-destination traffic of the first VLAN.
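The per-virtual-network flooding abstract above and the designated-forwarder mapping in this one describe two halves of the same forwarding decision, so one added example covers both. This is a constructed switch model written for this page, not code from either patent: the VLAN-to-internal-identifier table, the port membership, the tunnel-to-VLAN mapping and the designated-forwarder flags are all assumptions, and the frame format is reduced to the fields the decision needs. It goes slightly beyond the text by mapping two different header VLANs onto one internal identifier, which is what makes the internal identifier (rather than the raw VLAN) the right key for the lookup and the flood.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_multi_destination(mac: str) -> bool:
    # Group bit (least significant bit of the first octet) set means multicast or broadcast.
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass(frozen=True)
class Frame:
    ingress: str                  # port the frame arrived on
    vlan: int                     # 802.1Q VLAN from the header (ignored when the frame arrived via a tunnel)
    src: str
    dst: str
    tunnel: Optional[str] = None  # service tunnel identifier when the frame arrived encapsulated

@dataclass
class Switch:
    vni_of_vlan: Dict[int, int]                  # header VLAN -> internal virtual network identifier
    port_vlans: Dict[str, Set[int]]              # access/trunk port -> VLANs it carries
    tunnel_vlan: Dict[str, Tuple[str, int]]      # service tunnel id -> (tunnel port, local VLAN)   (first mapping)
    designated_forwarder: Dict[str, bool]        # service tunnel id -> elected DF for its multi-destination traffic (second mapping)
    fdb: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (internal vni, MAC) -> port

    def internal_vni(self, f: Frame) -> Optional[int]:
        """Derive the internal identifier from header fields; None means the frame must be dropped."""
        if f.tunnel is not None:
            if f.tunnel not in self.tunnel_vlan:
                return None                      # unknown tunnel
            vlan = self.tunnel_vlan[f.tunnel][1]
        else:
            vlan = f.vlan
            if vlan not in self.port_vlans.get(f.ingress, set()):
                return None                      # VLAN not allowed on the ingress port
        return self.vni_of_vlan.get(vlan)

    def flood_ports(self, vni: int, ingress: str) -> List[str]:
        """Egress set for a flood: only ports associated with this virtual network, and only
        tunnel ports whose traffic this switch is the designated forwarder for."""
        out = [p for p, vlans in self.port_vlans.items()
               if p != ingress and any(self.vni_of_vlan.get(v) == vni for v in vlans)]
        for tid, (tport, vlan) in self.tunnel_vlan.items():
            if tport != ingress and self.vni_of_vlan.get(vlan) == vni \
                    and self.designated_forwarder.get(tid, False):
                out.append(tport)
        return sorted(set(out))

    def forward(self, f: Frame) -> List[str]:
        """Return the list of egress ports for a frame (empty list means dropped)."""
        vni = self.internal_vni(f)
        if vni is None:
            return []
        self.fdb[(vni, f.src)] = f.ingress        # source learning, keyed by the internal identifier
        if not is_multi_destination(f.dst):
            egress = self.fdb.get((vni, f.dst))
            if egress is not None and egress != f.ingress:
                return [egress]                   # lookup succeeded
        return self.flood_ports(vni, f.ingress)   # lookup failed or multi-destination: per-VN flood

def build_switch() -> Switch:
    """Constructed topology: VLANs 10 and 11 are the same virtual network (100); tun-A carries it
    and this switch is its designated forwarder, tun-B carries network 200 and this switch is not."""
    return Switch(
        vni_of_vlan={10: 100, 11: 100, 20: 200},
        port_vlans={"p1": {10, 20}, "p2": {11}, "p3": {20}},
        tunnel_vlan={"tun-A": ("t1", 10), "tun-B": ("t2", 20)},
        designated_forwarder={"tun-A": True, "tun-B": False},
    )

if __name__ == "__main__":
    sw = build_switch()
    print(sw.forward(Frame("p1", 10, "aa:00:00:00:00:01", BROADCAST)))
    print(sw.forward(Frame("p1", 20, "aa:00:00:00:00:01", BROADCAST)))
```

Two checks in `internal_vni` matter for isolation: a frame tagged with a VLAN the ingress port does not carry, and a frame from an unknown tunnel, are dropped before any lookup, so a host cannot inject itself into another virtual network by choosing its own tag.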
PROTECTION SWITCHING SYSTEMS AND METHODS IN A PACKET NETWORK BASED ON SIGNAL DEGRADE
A method of protection switching in a packet network based on signal/service degrade includes monitoring a packet network connection; detecting that the packet network connection has a signal/service degrade, including a condition where the packet network connection is operational but experiencing errors below a threshold (i.e., degraded rather than failed); and, responsive to detection of the signal/service degrade, one or more of notifying nodes in the packet network and performing a protection switch based on the signal/service degrade. The signal/service degrade is detected through one or more of i) determining a Frame Error Rate imputed from one or more of Bit Error Rate, frame events, and frame losses; ii) frame delay measurements; and iii) a combination thereof.
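The abstract lists the inputs (BER, frame events, frame losses, frame delay) and the outcome (notify, switch) but not how a degrade is declared and cleared. The following is an added example written for this page, not the patent's implementation: the thresholds, the hysteresis counts, the assumption of independent bit errors when imputing FER from BER, and the revertive selection policy are all choices made here. It shows the three states a monitored connection moves through and a two-path protection group reacting to them.

```python
from dataclasses import dataclass, field
from typing import List

def fer_from_ber(ber: float, frame_bits: int) -> float:
    """Impute a Frame Error Rate from a Bit Error Rate (assumes independent bit errors)."""
    return 1.0 - (1.0 - ber) ** frame_bits

def fer_from_counts(sent: int, errored: int, lost: int) -> float:
    """FER from counted frame events (errored frames) and frame losses in one window."""
    return (errored + lost) / sent if sent else 0.0

@dataclass
class Thresholds:
    sd_fer: float = 1e-3         # signal degrade when FER reaches this
    sf_fer: float = 1e-1         # signal fail when FER reaches this
    sd_delay_us: float = 5000.0  # signal degrade when frame delay reaches this
    raise_after: int = 3         # consecutive degraded windows before declaring SD
    clear_after: int = 5         # consecutive clean windows before clearing

@dataclass
class ConnectionMonitor:
    th: Thresholds = field(default_factory=Thresholds)
    frame_bits: int = 1500 * 8   # assumed average frame size for the BER -> FER imputation
    state: str = "OK"            # OK | SD | SF
    degraded_windows: int = 0
    clean_windows: int = 0

    def assess(self, sent: int = 0, errored: int = 0, lost: int = 0,
               ber: float = None, delay_us: float = 0.0) -> str:
        """Feed one measurement window; returns the connection state after it."""
        fer = fer_from_counts(sent, errored, lost)
        if ber is not None:
            fer = max(fer, fer_from_ber(ber, self.frame_bits))
        if fer >= self.th.sf_fer:                   # hard failure: declared immediately, no hysteresis
            self.state, self.degraded_windows, self.clean_windows = "SF", 0, 0
            return self.state
        if fer >= self.th.sd_fer or delay_us >= self.th.sd_delay_us:
            self.clean_windows = 0
            self.degraded_windows += 1
            if self.state == "SF":                  # fail condition gone but still degraded
                self.state = "SD"
            elif self.state != "SD" and self.degraded_windows >= self.th.raise_after:
                self.state = "SD"
        else:
            self.degraded_windows = 0
            self.clean_windows += 1
            if self.state != "OK" and self.clean_windows >= self.th.clear_after:
                self.state = "OK"
        return self.state

SEVERITY = {"OK": 0, "SD": 1, "SF": 2}

@dataclass
class ProtectionGroup:
    """1:1 protection: traffic uses the least-degraded path, preferring working on a tie (revertive)."""
    working: ConnectionMonitor
    protection: ConnectionMonitor
    active: str = "working"
    notifications: List[str] = field(default_factory=list)

    def evaluate(self) -> str:
        w, p = SEVERITY[self.working.state], SEVERITY[self.protection.state]
        best = "working" if w <= p else "protection"
        if best != self.active:
            self.notifications.append(
                f"working={self.working.state} protection={self.protection.state}: switching to {best}")
            self.active = best
        return self.active

if __name__ == "__main__":
    pg = ProtectionGroup(ConnectionMonitor(), ConnectionMonitor())
    for _ in range(3):                              # constructed windows: 25 errored frames per 10,000 sent
        pg.working.assess(sent=10000, errored=25)
    print(pg.evaluate(), pg.notifications)
```

The hysteresis is the part to tune in practice: a single noisy window must not flap traffic between paths, but a degrade that persists for seconds should switch before application timeouts fire. The tie rule also prevents a switch onto a protection path that is itself degraded.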
Load balancing among a cluster of firewall security devices
A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among the cluster units of a high-availability (HA) cluster of FSDs. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. An LB table is maintained that associates hash values output by the LB function with the ports of the switching device to which the cluster units are coupled. Network traffic received by the switching device is directed to the appropriate cluster unit based on the LB function and the LB table. The traffic load on each cluster unit is monitored. Responsive to a deviation from a predefined ideal traffic distribution, an attempt is made to improve performance of the HA cluster by dynamically adjusting the LB table to address the deviation.
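Two details decide whether a hash-based table in front of stateful firewalls is safe: both directions of a session must land on the same unit, and an outside sender must not be able to pick 5-tuples that all hash to one unit. The example below is added for this page and is not the patent's LB function: the symmetric keyed hash (BLAKE2b with a secret key), the bucket count, the tolerance and the greedy bucket-move rebalancing are all choices made here. The rebalancer takes per-bucket load measurements as input, so the `<test>`-style check is deterministic.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int, str]   # (src ip, dst ip, sport, dport, proto)

@dataclass
class ClusterLB:
    ports: List[str]                       # switch ports, one per firewall cluster unit
    buckets: int = 64                      # number of hash values the LB function can output
    key: bytes = b"constructed-secret"     # keyed hash: attacker cannot precompute bucket collisions
    table: Dict[int, str] = field(init=False)

    def __post_init__(self):
        # Initial LB table: hash value -> port, round-robin over the cluster units.
        self.table = {h: self.ports[h % len(self.ports)] for h in range(self.buckets)}

    def lb_hash(self, flow: Flow) -> int:
        """Symmetric keyed hash: the reverse direction of a flow gets the same bucket."""
        src, dst, sport, dport, proto = flow
        a, b = sorted([(src, sport), (dst, dport)])
        data = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}".encode()
        digest = hashlib.blake2b(data, digest_size=4, key=self.key).digest()
        return int.from_bytes(digest, "big") % self.buckets

    def dispatch(self, flow: Flow) -> str:
        return self.table[self.lb_hash(flow)]

    def port_loads(self, bucket_load: Dict[int, int]) -> Counter:
        """Aggregate measured per-bucket load (e.g. bytes per window) into per-port load."""
        loads = Counter({p: 0 for p in self.ports})
        for h, n in bucket_load.items():
            loads[self.table[h]] += n
        return loads

    def rebalance(self, bucket_load: Dict[int, int], tolerance: float = 0.1,
                  max_moves: int = 100) -> List[Tuple[int, str, str]]:
        """Move buckets from the most loaded port to the least loaded one until every port is
        within `tolerance` of the ideal (even) share. Returns the (bucket, from, to) moves made."""
        loads = self.port_loads(bucket_load)
        ideal = sum(loads.values()) / len(self.ports)
        moves: List[Tuple[int, str, str]] = []
        while len(moves) < max_moves:
            heavy = max(self.ports, key=lambda p: loads[p])
            light = min(self.ports, key=lambda p: loads[p])
            if loads[heavy] <= ideal * (1 + tolerance):
                break                                    # within the accepted deviation
            gap = loads[heavy] - loads[light]
            candidates = sorted((h for h in bucket_load if self.table[h] == heavy),
                                key=lambda h: (-bucket_load[h], h))
            if not candidates:
                break
            fitting = [h for h in candidates if bucket_load[h] <= gap / 2]
            h = fitting[0] if fitting else candidates[-1]   # largest bucket that fits, else the smallest
            if bucket_load[h] >= gap:
                break                                    # moving it would not lower the maximum
            self.table[h] = light
            loads[heavy] -= bucket_load[h]
            loads[light] += bucket_load[h]
            moves.append((h, heavy, light))
        return moves

if __name__ == "__main__":
    lb = ClusterLB(["p1", "p2"], buckets=8)
    # Constructed measurement: even buckets (on p1) are ten times busier than odd buckets (on p2).
    measured = {0: 100, 2: 100, 4: 100, 6: 100, 1: 10, 3: 10, 5: 10, 7: 10}
    print(lb.port_loads(measured), lb.rebalance(measured), lb.port_loads(measured))
```

A move re-homes every live session in that bucket onto another cluster unit. That is only transparent if the cluster units synchronize session state with each other; on a cluster without session sync, rebalancing should move the smallest buckets it can and run rarely.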
Automatic resolution of virtual network instance to VLAN mapping conflicts in dual-homed deployments in a dynamic fabric automation network architecture
In accordance with one example embodiment, there is provided a system configured for virtual local area network (VLAN) blocking on a virtual port channel (vPC) member link to handle discrepant virtual network instance (VNI) to VLAN mappings. In other embodiments, the system can be configured for providing Virtual Switch Interface Discovery Protocol (VDP) and virtual switch enhancements to accommodate discrepant VNI to VLAN mappings. In another example embodiment, an apparatus is provided that includes a processor, and a memory coupled to the processor, where the apparatus is configured such that, if a server is connected through a virtual port channel, VDP is used to notify the server of the different VNI to VLAN mappings. In another embodiment, the apparatus can extend the VDP Filter Info field to carry the set of VLANs mapped to a VNI, keyed by the leaf MAC addresses that serve as bridge identifiers.
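The abstract names two remedies for a dual-homed server whose two leaves map a VNI to different VLANs. The following added example, written for this page and not taken from the patent, shows the conflict detection, both remedies, and the consistency check a practitioner would run afterwards: that the server ends up seeing exactly one VLAN per VNI across its active member links. The leaf names, MAC addresses and mappings are constructed; the VDP Filter Info encoding is reduced to (bridge identifier, VLAN) pairs rather than the TLV bytes.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Leaf:
    name: str
    mac: str                     # bridge identifier that keys the leaf's entry in VDP Filter Info
    vni_to_vlan: Dict[int, int]

def find_conflicts(a: Leaf, b: Leaf) -> Dict[int, Tuple[int, int]]:
    """VNIs carried by both vPC peers but mapped to different VLANs."""
    shared = sorted(a.vni_to_vlan.keys() & b.vni_to_vlan.keys())
    return {vni: (a.vni_to_vlan[vni], b.vni_to_vlan[vni])
            for vni in shared if a.vni_to_vlan[vni] != b.vni_to_vlan[vni]}

def vlan_blocks(a: Leaf, b: Leaf, primary: str) -> Set[Tuple[str, int]]:
    """Remedy 1: block the conflicting VLAN on the secondary peer's vPC member link,
    so the server only ever sees the primary peer's VLAN for that VNI."""
    if primary not in (a.name, b.name):
        raise ValueError(f"{primary} is not one of the vPC peers")
    secondary = b if primary == a.name else a
    return {(secondary.name, secondary.vni_to_vlan[vni]) for vni in find_conflicts(a, b)}

def vdp_filter_info(a: Leaf, b: Leaf, vni: int) -> List[Tuple[str, int]]:
    """Remedy 2: the per-leaf VLAN for a VNI, keyed by each leaf's bridge MAC, as the
    extended VDP Filter Info would carry it so the server can tag per link."""
    return [(leaf.mac, leaf.vni_to_vlan[vni]) for leaf in (a, b) if vni in leaf.vni_to_vlan]

def vlans_seen_by_server(a: Leaf, b: Leaf, blocks: Set[Tuple[str, int]]) -> Dict[int, Set[int]]:
    """VLAN(s) a dual-homed server observes per VNI across the two member links after blocking."""
    seen: Dict[int, Set[int]] = {}
    for leaf in (a, b):
        for vni, vlan in leaf.vni_to_vlan.items():
            if (leaf.name, vlan) not in blocks:
                seen.setdefault(vni, set()).add(vlan)
    return seen

def consistent(seen: Dict[int, Set[int]]) -> bool:
    """True when every VNI is reachable and resolves to exactly one VLAN."""
    return bool(seen) and all(len(vlans) == 1 for vlans in seen.values())

def build_peers() -> Tuple[Leaf, Leaf]:
    """Constructed vPC pair: both agree on VNI 5000 and 5002, disagree on 5001."""
    a = Leaf("leaf-a", "00:11:22:33:44:0a", {5000: 100, 5001: 200, 5002: 300})
    b = Leaf("leaf-b", "00:11:22:33:44:0b", {5000: 100, 5001: 250, 5002: 300})
    return a, b

if __name__ == "__main__":
    a, b = build_peers()
    print(find_conflicts(a, b))
    blocks = vlan_blocks(a, b, primary="leaf-a")
    print(blocks, consistent(vlans_seen_by_server(a, b, blocks)))
    print(vdp_filter_info(a, b, 5001))
```

Remedy 1 costs the server one active link for the affected VNI; remedy 2 keeps both links but requires the server's virtual switch to honour per-bridge VLAN tags from VDP. The consistency check is the same in either case and is what to alert on if the mappings later drift.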