H04L2012/4629

SYSTEM AND METHOD FOR IMPLEMENTING EXTENSION OF CUSTOMER LAN AT PROVIDER NETWORK SERVICE POINT

Novel tools and techniques might provide for implementing extension of customer local area networks (“LANs”) and/or implementing isolated service overlays over a network. In some embodiments, a network service point that is located external to a demarcation point at each of a plurality of customer premises might establish a connection between a service provider network and a customer LAN, which has already been established within a customer premises. The system subsequently extends the customer LAN, via this connection, to span between the network service point and the customer premises. Alternatively, or additionally, the system might establish two or more isolated service overlays across the customer LAN between the network service point and the customer premises, each of the two or more isolated service overlays having network traffic that is isolated from network traffic transmitted along another of the two or more isolated service overlays.

Network Node-to-Node Connectivity Verification including Data Path Processing of Packets within a Packet Switching Device

In one embodiment, network node-to-node connectivity verification is performed in a network including data path processing of packets within a packet switching device. In one embodiment, an echo request connectivity test packet, emulating an echo request connectivity test packet received from a first connected network node, is inserted by the packet switching device into its data processing path prior to ingress processing performed for packets received from the first connected network node. A correspondingly received echo reply connectivity test packet is intercepted by the packet switching device during data path egress processing performed for packets to be forwarded to the first connected network node.

METHODS AND DEVICES FOR AUTOMATICALLY REESTABLISHING MEDIA ACCESS CONTROL SECURITY SESSIONS OVER WIDE AREA NETWORKS
20230130016 · 2023-04-27

A first electronic device communicates over a wide area network by establishing a MACSec session with a second electronic device over the wide area network. The MACSec session is thereafter torn down in response to the first electronic device sensing a fault in the MACSec session. Then, one or more keep alive probes are transmitted to the second electronic device over the wide area network. A response to the keep alive probe is thereafter received. The MACSec session may then be automatically reestablished in response to receiving the response to the probe.

System and method for managing virtual local area networks

A method for identifying VLANs associated with a network includes gathering actual network element configuration data from a plurality of network elements in the network, wherein the actual network element configuration data identifies one or more VLANs that at least some of the plurality of network elements are actually allocated to; correlating the actual network element configuration data with administrative VLAN data; and determining one or more VLANs that are not commonly identified in both the actual network element configuration data and the administrative VLAN data. A system includes a network monitoring system operable to gather actual network element configuration data from a plurality of network elements at one or more logical network sites, wherein the actual network element configuration data identifies one or more VLANs that at least some of the plurality of network elements are actually allocated to; and a VLAN services module operable to correlate the actual network element configuration data with administrative VLAN data, and further operable to determine one or more VLANs that are not commonly identified in both the actual network element configuration data and the administrative VLAN data.

Cloud delivered access

Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.

CLOUD-EDGE FORWARDING IN A NETWORK
20230117218 · 2023-04-20

A packet is received via a first network interface of a first network device in an underlay network, the packet having been originated by a first endpoint device and including a first network address indicating a destination of the first packet. The first network device, without analyzing the first network address in the first packet, adds, to the first packet, a second network address corresponding to a cloud edge network device implemented at the cloud edge and information identifying the first network interface via which the first packet was received by the first network device. The first network device transmits the packet, via an overlay network layered over the underlay network, to the cloud edge network device to enable forwarding of the packet to the destination of the packet, based on the first network address included in the packet, by the cloud edge network device.

LOGICAL OVERLAY TUNNEL SELECTION

Example methods and systems for logical overlay tunnel selection are described. One example may involve a first computer system generating and sending probe packets over multiple logical overlay tunnels and configuring routing information associated with a destination based on a comparison between tunnel state information measured using the probe packets and a desired state. In response to detecting an egress packet that is destined for the destination, the first computer system may select a first logical overlay tunnel that satisfies the desired state over a second logical overlay tunnel that does not satisfy the desired state. An encapsulated packet is then generated and sent over the first logical overlay tunnel to reach the destination. The encapsulated packet may include the egress packet and an outer header that is addressed from a first virtual tunnel endpoint (VTEP) on the first computer system to a second VTEP on a second computer system.

METHODS AND SYSTEMS FOR NETWORK SEGMENTATION

Embodiments of a device and method are disclosed. In an embodiment, a method for network segmentation of a network deployed at a customer site involves: establishing a tunnel between a network device of the network deployed at the customer site and a network port of a switch of the network deployed at the customer site; when a wired device is plugged into the network port of the switch, transmitting network traffic between the wired device and the network device through the tunnel; facilitating a security operation regarding the wired device; and, based on a result of the security operation, performing a network segmentation operation regarding the wired device.

Application Information Verification Method, Packet Processing Method, And Apparatuses Thereof
20230113138 · 2023-04-13

An application information verification method is performed by a first apparatus. The first apparatus receives a first packet including application information. The first apparatus verifies integrity of the application information in the first packet. In embodiments of the present disclosure, the first packet includes the application information and first verification information, and the first verification information is for verifying the integrity of the application information. Therefore, after receiving the first packet, the first apparatus may verify the integrity of the application information based on the first verification information.

Multi-account gateway

The following description is directed to configuring gateways in computer networks. For example, a method includes receiving a first request from a client associated with a configurable network. The first request can request associating a set of network addresses assigned to the configurable network to a gateway. A second request can be received from a client associated with the gateway. The second request can request accepting the association of the first request. It can be determined that the set of network addresses do not overlap with a network address space that is accessible using the gateway. Routing information can be generated for the gateway. The generated routing information can be used to configure the gateway for forwarding network packets between the client private network and the configurable network.