H04L12/4633

Switch fabric for a data center network having virtual machines
11595232 · 2023-02-28

A fabric for container virtual machines (CVM) has cross fabric spine switches coupled to spine switches, each spine switch coupled to leaf switches, each leaf switch coupled to servers hosting CVM processes. Each of the leaf switches has an uplink port coupled to a spine switch leaf port configured in a mesh. The spine switches have a plurality of uplink ports for coupling to a plurality of cross fabric spine (CFS) ports into a mesh. The cross fabric spine switches keep a CF-NHCIB table of entries containing capabilities, and also a CF-FIB slice table which maintains entries for assignment of CVMs to new spine switches, such as GTID range, MAC range, IP range associated with a spine port and spine address (MAC and/or IP) for transferring packets through the fabric.

Dynamic service chaining and late binding
11595240 · 2023-02-28

A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.

Multi-VPN multi link traffic routing

A system, method, and computer-readable medium for performing a traffic routing operation. The traffic routing operation includes: establishing a plurality of virtual private network (VPN) connections within an information handling system; obtaining a configuration policy for each of the plurality of VPN connections, the configuration policy for each of the plurality of VPN connections comprising an indication of at least one type of supported link of a plurality of links; configuring a plurality of queues for packets being communicated via the plurality of VPN connections, the plurality of queues being greater than the plurality of VPN connections; creating a tunnel indication for each of the plurality of VPN connections; mapping the tunnel indication for each of the plurality of VPN connections to a respective queue of the plurality of queues; and mapping each queue of the plurality of queues to a link of a particular VPN connection.

Anti-spoofing techniques for overlay networks

A network device is configured to receive a first inbound packet from a first server device via a network tunnel, the first inbound packet including an outer header, a virtual private network (VPN) label, an inner header, and a data payload, the inner header including an inner source IP address of a source virtual machine. The processors of the network device are also configured to determine a first tunnel identifier, determine, based on the inner source IP address, a second tunnel identifier associated with a second server device hosting the source virtual machine, compare the second tunnel identifier with the first tunnel identifier to determine whether the tunnel on which the first inbound packet was received is the same as the tunnel used for forwarding traffic to the source virtual machine, and drop the first inbound packet when the second tunnel identifier does not match the first tunnel identifier.

TECHNIQUE FOR DETERMINING WHETHER TO REESTABLISH FAST REROUTED PRIMARY TUNNELS BASED ON BACKUP TUNNEL PATH QUALITY FEEDBACK
20180006932 · 2018-01-04

In one embodiment, a primary tunnel is established from a head-end node to a destination along a path including one or more protected network elements for which a fast reroute path is available to pass traffic around the one or more network elements in the event of their failure. A first path quality measures path quality prior to failure of the one or more protected network elements. A second path quality measures path quality subsequent to failure of the one or more protected network elements, while the fast reroute path is being used to pass traffic of the primary tunnel. A determination is made whether to reestablish the primary tunnel over a new path that does not include the one or more failed protected network elements, or to continue to utilize the path with the fast reroute path, in response to a difference between the first path quality and the second path quality.

METHODS AND SYSTEMS FOR ANCHORING HYPERTEXT TRANSFER PROTOCOL (HTTP) LEVEL SERVICES IN AN INFORMATION CENTRIC NETWORK (ICN)
20180007116 · 2018-01-04

Methods and systems anchor hypertext transfer protocol (HTTP) level communication in an information-centric networking (ICN) network. Both content requests and responses to servers within the ICN network and to servers located outside the ICN network, in an IP network for example, are disclosed. Communication may be between two IP-capable-only devices at the HTTP level, one connected to an ICN network while the other is connected either to an ICN or IP network. The disclosed namespace enables IP-based HTTP communication within the ICN network. An ICN network attachment point (NAP) or border gateway (BGW) may receive an HTTP request packet and encapsulate the received HTTP request packet. The ICN NAP/BGW may then forward the HTTP request packet towards the local ICN network servers. The HTTP request packet may be published to a named content identifier (CID) that may be determined through a hash function of a fully qualified domain name (FQDN). The ICN NAP may receive an HTTP response packet for a subscribed information item, which may be included in a named rCID. The named rCID may be determined through a hash function of a uniform resource locator (URL). Instead of using the hash of a URL and an FQDN directly, a separate scope identifier, which may be a root identifier, may be chosen for HTTP-over-ICN communication for the overall ICN namespace. The scope identifier may include a particular structure for the ICN namespace being built up. Using a root identifier may allow for separating HTTP-over-ICN communication from other ICN communication, for example, for operational or migration reasons. Under the root scope identifier, there may be two sub-scope identifiers, a first sub-scope identifier (I) for communication within the ICN network and a second sub-scope identifier (O) for communication to IP addresses outside the ICN network. The ICN may be based on the PURSUIT publish-subscribe architecture or on the Named Data Networking (NDN) project and the like.

Access Layer-2 Virtual Private Network From Layer-3 Virtual Private Network
20180006842 · 2018-01-04

In an example, a network device may receive an L3VPN packet of which the egress label edge router (LER) is the network device, and acquire an adjacency index of an adjacency entry in an adjacency table according to the destination IP address of the inner IP datagram from the L3VPN packet. The network device may acquire a PW extended index of a PW extended entry in a PW extended table and a private network layer-2 header for the inner IP datagram from the adjacency entry having the adjacency index. By using the private network layer-2 header and the public network label, private network label and public network layer-2 header in the PW extended entry having the PW extended index, the network device may encapsulate the inner IP datagram into an L2VPN packet and forward the L2VPN packet through a physical egress interface in the PW extended entry.

AUTO DISCOVERY AND AUTO SCALING OF SERVICES IN SOFTWARE-DEFINED NETWORK ENVIRONMENT

Techniques are described for automatic discovery of two or more virtual service instances configured to apply a given service to a packet in a software-defined networking (SDN)/network functions virtualization (NFV) environment. Virtual service instances may be deployed as virtual entities hosted on one or more physical devices to offer individual services or chains of services from a service provider. The use of virtual service instances enables automatic scaling of the services on-demand. The techniques of this disclosure enable automatic discovery by a gateway network device of virtual service instances for a given service as load balancing entities. According to the techniques, the gateway network device automatically updates a load balancing group for the given service to include the discovered virtual service instances on which to load balance traffic for the service. In this way, the disclosed techniques provide auto-scaling and auto-discovery of services in an SDN/NFV environment.

System and Method for Tunneling of Management Traffic

A method of tunneling management traffic includes receiving at a managed system a control feature from a proxy-managed system that is connected to the managed system, determining that the proxy-managed system is not visible to a management system, providing the control feature to the management system in response to determining that the proxy-managed system is not visible, receiving a modification to the control feature from the management system, and providing, from the managed system, the modification to the control feature to the proxy-managed system in response to receiving the modification to the control feature from the management system.

Method to provide broadcast/multicast support in public cloud

Techniques and architecture are described for providing broadcast/multicast support using VXLAN in and among private on-premises/cloud networks and public cloud networks by defining peer groups comprising VXLAN tunnel endpoints (VTEPs) within clustered network security devices. For example, a static peer group comprising two or more virtual extensible local area network (VXLAN) tunnel endpoints (VTEPs) is defined. The two or more VTEPs may each comprise a data interface of a network security device. Based at least in part on the static peer group, an overlay network comprising the two or more VTEPs is defined. A network security device discovers available VTEPs within the static peer group. The network security device establishes a mesh network of the available VTEPs.