H04L2012/4629

VXLAN packet encapsulation and policy execution method, and VXLAN device and system
11588665 · 2023-02-21

In a virtual extensible local area network (VXLAN) packet encapsulation and policy execution method, a communications device determines an application identifier that identifies the application type of an Ethernet frame and places that identifier in the VXLAN header. A receiving device can then execute the corresponding policy directly on the basis of the application identifier in the VXLAN header, without parsing the encapsulated packet.
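
The header layout and the receiver-side lookup described above, as an added example that is not part of the patent text. The VXLAN header follows RFC 7348 (flags, 24-bit reserved, 24-bit VNI, 8-bit reserved); placing the application identifier in the first reserved field, the policy table contents, the VTEP addresses and the trusted-VTEP check are all assumptions of this example, since the abstract does not fix them.

```python
import struct

VXLAN_UDP_PORT = 4789   # RFC 7348 destination port
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


def build_vxlan_header(vni: int, app_id: int) -> bytes:
    """Build an 8-byte VXLAN header carrying app_id in the 24-bit reserved field.

    Layout (RFC 7348): flags(8) | reserved(24) | VNI(24) | reserved(8).
    Assumption of this example: the application identifier occupies the
    first 24-bit reserved field.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= app_id < (1 << 24):
        raise ValueError("application identifier must fit in 24 bits")
    return (bytes([VXLAN_FLAG_I])
            + app_id.to_bytes(3, "big")
            + vni.to_bytes(3, "big")
            + b"\x00")


def encapsulate(vni: int, app_id: int, inner_frame: bytes) -> bytes:
    """Sender side: outer VXLAN header followed by the untouched Ethernet frame."""
    return build_vxlan_header(vni, app_id) + inner_frame


def parse_vxlan_header(datagram: bytes):
    """Receiver side: split a VXLAN datagram into (vni, app_id, inner_frame)."""
    if len(datagram) < 8:
        raise ValueError("truncated VXLAN header")
    if not datagram[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    app_id = int.from_bytes(datagram[1:4], "big")
    vni = int.from_bytes(datagram[4:7], "big")
    return vni, app_id, datagram[8:]


# Constructed policy table keyed by (VNI, application identifier).
APP_UNKNOWN, APP_WEB, APP_DB = 0, 1, 2
POLICY = {
    (1000, APP_WEB): "forward",
    (1000, APP_DB): "mirror-to-ids",
    (1000, APP_UNKNOWN): "drop",
}


def execute_policy(src_vtep: str, datagram: bytes, trusted_vteps: dict,
                   policy: dict = POLICY) -> str:
    """Act on the identifier in the outer header alone, never on the inner frame.

    The identifier is only as trustworthy as the VTEP that wrote it, so the
    outer source address is checked against the VTEPs allowed on that VNI
    (trusted_vteps maps VNI -> set of VTEP addresses; this check is an
    addition of the example, not a step taken from the abstract).
    """
    vni, app_id, _inner = parse_vxlan_header(datagram)
    if src_vtep not in trusted_vteps.get(vni, set()):
        return "drop"
    return policy.get((vni, app_id), "drop")
```

A policy miss and an untrusted source both resolve to "drop" here; on a real VTEP the untrusted-source case is usually enforced by the underlay (source-IP filtering of UDP/4789) rather than in the policy engine, but the lookup itself stays a single dictionary access with no inner-packet parsing.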

Virtual network monitoring system, virtual network monitoring apparatus, virtual network monitoring method, and non-transitory computer-readable recording medium

A virtual network monitoring apparatus includes an acquisition unit and a generation unit. The acquisition unit acquires first network information, which is the network information held by a virtual machine control unit functioning as an orchestrator, and second network information, which is the network information held by a virtual machine generated by that control unit about the virtual network to which the virtual machine is connected. The generation unit generates, on the basis of the first and second network information, a traffic filter for the traffic flowing through the virtual network.

Packet Transmission Method and Apparatus, and Device
20220360529 · 2022-11-10

A packet transmission method includes a first virtual extensible local area network tunnel endpoint (VTEP) receiving a first packet from a first host and sending a second packet to a third VTEP based on a first IP address corresponding to the first host, where the second packet is obtained by the first VTEP by encapsulating the first packet, where the first host is multi-homed to a second VTEP and the first VTEP, where the second VTEP is configured to send a packet from the first host to the third VTEP based on a second Internet Protocol (IP) address corresponding to the first host, and where the first IP address is the same as the second IP address.

Method and apparatus for forwarding packet based on integrated flow table
11496393 · 2022-11-08

This application discloses a method and an apparatus for forwarding a packet based on an integrated flow table. The integrated flow table includes a plurality of flow entries, each of which includes a mapping relationship between a match item and an operation set, where the match item includes a plurality of packet header fields. The method includes: obtaining a first packet; extracting a plurality of first packet header fields from a packet header of the first packet; searching the integrated flow table for a target flow entry matching the plurality of first packet header fields, to determine an operation set corresponding to the first packet; performing the operations in the operation set on the first packet, to obtain a second packet corresponding to the first packet; and forwarding the second packet.
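
The single-lookup pipeline described above (extract fields, match one entry, apply its whole operation set), as an added example that is not the patent's own code. The field names, the exact-match-or-wildcard semantics, the operation vocabulary (set, dec_ttl, output, drop), the priority ordering and the constructed frames and entries are all assumptions of this example.

```python
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800


def extract_fields(frame: bytes) -> dict:
    """Extract the header fields an integrated flow entry can match on.

    Ethernet, IPv4 and the TCP/UDP port pair are parsed in one pass; fields
    absent from a frame are simply left out of the dict.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    fields = {"eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":"),
              "eth_type": eth_type}
    if eth_type != ETH_P_IP or len(frame) < 34:
        return fields
    ihl = (frame[14] & 0x0F) * 4
    fields.update({
        "ttl": frame[22],
        "ip_proto": frame[23],
        "ipv4_src": ".".join(str(b) for b in frame[26:30]),
        "ipv4_dst": ".".join(str(b) for b in frame[30:34]),
    })
    l4 = frame[14 + ihl:]
    if fields["ip_proto"] in (6, 17) and len(l4) >= 4:
        fields["l4_src"], fields["l4_dst"] = struct.unpack("!HH", l4[:4])
    return fields


@dataclass
class FlowEntry:
    priority: int
    match: dict   # field -> exact value; a field absent from the dict is a wildcard
    ops: list     # operation set, applied in order


class IntegratedFlowTable:
    """One match over all header fields yields the complete operation set."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.priority, reverse=True)

    def lookup(self, fields: dict):
        for entry in self.entries:
            if all(fields.get(k) == v for k, v in entry.match.items()):
                return entry
        return None

    def forward(self, frame: bytes):
        """Return (output_port, second_packet_fields); port None means dropped."""
        fields = extract_fields(frame)
        entry = self.lookup(fields)
        if entry is None:
            return None, fields          # table miss: drop rather than flood
        out = dict(fields)
        port = None
        for op in entry.ops:
            kind = op[0]
            if kind == "set":
                out[op[1]] = op[2]
            elif kind == "dec_ttl":
                if out.get("ttl", 0) <= 1:
                    return None, out     # TTL exhausted, do not forward
                out["ttl"] -= 1
            elif kind == "output":
                port = op[1]
            elif kind == "drop":
                return None, out
            else:
                raise ValueError(f"unknown operation {kind}")
        return port, out


def make_tcp_frame(src_ip, dst_ip, sport, dport, ttl=64) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    payload = b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, ttl, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed table: a block rule, a routed forward, and an explicit default deny.
TABLE = IntegratedFlowTable([
    FlowEntry(200, {"ip_proto": 6, "l4_dst": 22}, [("drop",)]),
    FlowEntry(100, {"eth_type": ETH_P_IP, "ipv4_dst": "10.0.1.9"},
              [("set", "eth_dst", "0c:0c:0c:0c:0c:0c"), ("dec_ttl",), ("output", 3)]),
    FlowEntry(0, {}, [("drop",)]),
])
```

Because a single entry carries the complete operation set, the priority order decides everything: the SSH block at priority 200 wins over the routed forward at 100 even though both match the same frame, and the all-wildcard entry at priority 0 makes a table miss impossible, so nothing is forwarded by accident.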

Mapping of virtual routing and forwarding (VRF) instances using ethernet virtual private network (EVPN) instances
11575541 · 2023-02-07

Methods, systems, and devices map an arbitrary number of Virtual Routing and Forwarding (VRF) instances to an Ethernet Virtual Private Network (EVPN) instance (EVI) of a leaf and spine network. For example, a spine network device executes a primary EVI to provide an EVPN to a plurality of leaf network devices, each leaf network device executing a secondary EVI to provide a plurality of network virtualization overlays to tenants of the network. The primary EVI is associated with a primary VRF instance, and each secondary EVI of the plurality of secondary EVIs is associated with a secondary VRF instance of a plurality of secondary VRF instances. The spine network device defines mappings between routes within the primary VRF instance and routes within each secondary VRF instance. The spine network device translates, based on the one or more mappings, network traffic between the primary EVI and the plurality of secondary EVIs.

VIRTUAL CIRCUIT-BASED DATA PACKET PROCESSING METHOD AND FORWARDING TABLE ENTRY CONSTRUCTION METHOD
20230031179 · 2023-02-02

Provided is a virtual circuit-based data packet processing method, which includes that: identification information of a next-hop Provider Edge (PE) node of a routing packet and identification information of an Original PE (OPE) node of the routing packet are determined according to the routing packet corresponding to a Virtual Private Network (VPN) service instance; a context virtual circuit is determined, wherein the nodes at the two ends of the context virtual circuit are respectively the current PE node and the OPE node; a virtual circuit label of the context virtual circuit is determined; a final data packet to be forwarded is obtained by attaching the VPN label of the routing packet and the virtual circuit label to an initial data packet of the VPN service instance; and the final data packet is forwarded to the next-hop PE node.

DATA TRANSMISSION METHOD, RELATED DEVICE, AND SYSTEM
20220353232 · 2022-11-03

Example data transmission methods and apparatus are described. In one example method, a data distribution point obtains a first correspondence between a first virtual extensible local area network identifier (VXLAN ID) and an address of a first terminal. The data distribution point receives a first VXLAN packet over a tunnel of a first VXLAN, where the first VXLAN packet includes the first VXLAN ID and first data. The address of the first terminal is determined based on the first VXLAN ID carried in the first VXLAN packet and the first correspondence. The data distribution point then sends the first data to the first terminal based on the address of the first terminal.

ASSIGNING SECURITY GROUP TAG FOR INFRASTRUCTURE TRAFFIC AND PRESERVING SECURITY GROUP TAG IN SNOOPED PACKETS IN DYNAMIC SEGMENTATION
20230093278 · 2023-03-23

The system determines a first source MAC associated with a switch. The system updates a MAC address table by mapping the first source MAC to a first tag which indicates a source role corresponding to a network infrastructure. A processor associated with the switch generates a first packet which indicates the first source MAC. The system performs a first search in the MAC address table based on the indicated first source MAC to obtain the first tag, and performs a second search in a policy table based on the first tag for a policy which indicates an action to be applied to the first packet. If the second search is not successful, the system modifies a header of the first packet by adding the first tag. If the second search is successful, the system determines that the indicated action comprises allowing the first packet and transmits the first packet.
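
The two-table decision described above (MAC address table to obtain the role tag, policy table keyed by the tag, tag inserted into the header only when no local policy exists), as an added example that is not the patent's own code. The tag values, the handling of sources with no MAC-table entry, the treatment of a non-allow policy as a drop, and the preservation of a tag already present in a snooped packet are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed tag values; the abstract only names a tag for the "network infrastructure" role.
TAG_UNKNOWN = 0    # assumption: sources with no MAC-table entry get a distinct tag
TAG_INFRA = 2
TAG_USER = 10


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    payload: bytes
    sgt: Optional[int] = None   # security group tag carried in the header, if any


class SegmentationSwitch:
    def __init__(self, switch_mac: str, policy_table: dict):
        self.mac_table: dict = {}           # source MAC -> tag (role)
        self.policy_table = policy_table    # tag -> "allow" | "deny"
        self.switch_mac = switch_mac.lower()
        # Traffic generated by the switch's own processor is infrastructure traffic.
        self.learn(self.switch_mac, TAG_INFRA)

    def learn(self, mac: str, tag: int) -> None:
        self.mac_table[mac.lower()] = tag

    def generate(self, dst_mac: str, payload: bytes) -> Packet:
        """A packet originated by the switch's processor, e.g. a control-plane hello."""
        return Packet(self.switch_mac, dst_mac, payload)

    def process(self, pkt: Packet):
        """Return (action, packet). Actions: 'transmit', 'transmit-tagged', 'drop'."""
        if pkt.sgt is not None:
            # Snooped packet already tagged upstream: preserve the tag rather than
            # re-deriving it from the MAC table (assumption of this example).
            tag = pkt.sgt
        else:
            # First search: source MAC -> role tag.
            tag = self.mac_table.get(pkt.src_mac.lower(), TAG_UNKNOWN)
        # Second search: tag -> policy action.
        action = self.policy_table.get(tag)
        if action is None:
            # No local policy for this role: add the tag to the header so a
            # downstream enforcement point can decide.
            return "transmit-tagged", Packet(pkt.src_mac, pkt.dst_mac, pkt.payload, sgt=tag)
        if action == "allow":
            return "transmit", pkt
        return "drop", pkt   # assumption: any policy other than allow drops
```

The point of the "not successful" branch is that infrastructure traffic from the switch itself is not silently forwarded untagged: when this switch has no policy for the role, the tag travels with the packet and the next hop still has the information it needs to enforce.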

LABEL BASED POLICY ENFORCEMENT
20220345330 · 2022-10-27

Examples disclosed herein relate to a method comprising receiving, at a first access device, a data packet originating from a first device and intended for a second device, wherein the first device and the first access device belong to a first branch of a Wide Area Network (WAN) using an MPLS overlay and the second device belongs to a second branch of the WAN. The method includes encapsulating the data packet in VXLAN with a VXLAN label identifying a role type and transmitting the data packet to a first core device. The method includes determining an MPLS label corresponding to the role type and transmitting the data packet over the MPLS overlay to a second core device belonging to the second branch of the WAN. The method includes translating the MPLS label back into the VXLAN label and transmitting the data packet, including the VXLAN label, to a second access device for an enforcement action.

Virtual distributed bridging

Virtualization software that includes a VDRB (virtual distributed router/bridge) module for performing L3 routing and/or bridging operations is provided. At least some of the VDRBs are configured as VDBs (virtual distributed bridges) for performing bridging operations between different network segments in a distributed manner. The bridging tasks of a network are partitioned among several VDBs of the network based on MAC addresses. MAC addresses of VMs or other types of network nodes belonging to an overlay logical network are partitioned into several shards, each shard of MAC addresses being assigned to a VDB in the network. Each VDB assigned a shard of MAC addresses performs bridging when it receives a packet bearing a MAC address belonging to its assigned shard. A VDB does not perform bridging on packets that do not carry a MAC address falling within the VDB's shard of MAC addresses.
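
The shard partitioning described above, as an added example that is not the patent's own code. The hash used to map a MAC address to a shard, the choice of which MAC in a frame is the sharding key (the overlay VM's address: the source when a frame leaves the overlay, the destination when it enters), and the constructed addresses are assumptions of this example. Beyond the abstract, the owners() check demonstrates the invariant the scheme depends on: every overlay MAC is bridged by exactly one VDB, in both directions.

```python
import hashlib
from dataclasses import dataclass


def shard_of(mac: str, num_shards: int) -> int:
    """Deterministic shard for a MAC address; every VDB computes the same answer.

    SHA-256 of the 6 raw bytes, reduced modulo the shard count, is an
    assumption of this example; any agreed hash would do.
    """
    key = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    if len(key) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_shards


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    from_overlay: bool   # True: arrived from the overlay logical network; False: from the physical segment


class VDB:
    """A virtual distributed bridge responsible for one shard of MAC addresses."""

    def __init__(self, name: str, shard: int, num_shards: int):
        self.name, self.shard, self.num_shards = name, shard, num_shards
        self.bridged = 0

    @staticmethod
    def overlay_mac(frame: Frame) -> str:
        # The overlay VM's address is the sharding key: source when leaving the
        # overlay, destination when entering it (assumption of this example).
        return frame.src_mac if frame.from_overlay else frame.dst_mac

    def owns(self, frame: Frame) -> bool:
        return shard_of(self.overlay_mac(frame), self.num_shards) == self.shard

    def bridge(self, frame: Frame):
        """Return the egress side ('physical' or 'overlay') if this VDB owns the frame, else None."""
        if not self.owns(frame):
            return None            # another VDB's shard: leave the frame alone
        self.bridged += 1
        return "physical" if frame.from_overlay else "overlay"


def owners(frame: Frame, vdbs) -> list:
    """Names of the VDBs that would bridge this frame; correct partitioning gives exactly one."""
    return [v.name for v in vdbs if v.owns(frame)]
```

Because the shard is a pure function of the overlay MAC, the VDB that bridges a VM's outbound frames is the same one that bridges the replies addressed to it, so MAC learning state for that VM lives in exactly one place.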