H04L12/4675

DATA FORWARDING UNIT BASED ON HANDLE IDENTIFIER

The present invention discloses a data forwarding unit based on a Handle identifier, comprising a dynamic configuration module, a Handle identifier data identification module and a matching-forwarding module. The system of the present invention is applied to network devices such as switches and routers, and supports dynamic configuration of data packet analysis, matching and forwarding rules through data interaction with network systems such as SDN managers, so that the network devices can identify data packets based on the Handle identifier and perform the specified operation on the designated data packets with the Handle identifier according to the rules of dynamic configuration.

PROCESSING TRAFFIC IN A VIRTUALISED ENVIRONMENT
20210111926 · 2021-04-15

Traffic is processed in a virtualised environment comprising: (i) a physical underlay network; (ii) a first overlay network (an overlay of the physical underlay network and associated with a first set of network addresses, IP₁); (iii) a second overlay network (an overlay of the first overlay network and associated with a second set of network addresses, IP₂); and (iv) virtualised applications each having an execution environment and being associated with at least one network address in each of the first and second sets of network addresses, IP₁ and IP₂. In the execution environment of a first virtualised application: (i) traffic communicated from the first virtualised application to the first overlay network is encapsulated; and/or (ii) traffic communicated from the first overlay network to the first virtualised application is decapsulated. Tenant separation processing is performed outside the execution environments of the virtualised applications.

Logical router comprising disaggregated network elements

A logical router includes disaggregated network elements that function as a single router and that are not coupled to a common backplane. The logical router includes spine elements and leaf elements implementing a network fabric with front panel ports being defined by leaf elements. Control plane elements program the spine and leaf units to function as a logical router. The control plane may define operating system interfaces mapped to front panel ports of the leaf elements and referenced by tags associated with packets traversing the logical router. Redundancy and checkpoints may be implemented for a route database implemented by the control plane elements. The logical router may include a standalone fabric and may implement label tables that are used to label packets according to egress port and path through the fabric.

FILTERING ADVERTISING OF ROUTE ADVERTISEMENTS BASED ON VIRTUAL NETWORK IDENTIFIERS

Virtual network identifiers are extracted from route advertisements. A table associates virtual network identifiers with provider edge devices. When a virtual network identifier extracted from a route advertisement matches a virtual network identifier in the table, the route advertisement is propagated to the provider edge devices associated with that virtual network identifier in the table. The route advertisement is not propagated to provider edge devices not associated with that virtual network identifier in the table.

FILTERING ADVERTISING OF ROUTE ADVERTISEMENTS BASED ON VIRTUAL NETWORK IDENTIFIERS
20210119829 · 2021-04-22

Network identifiers are extracted from route advertisements. A table associates virtual network identifiers with provider edge devices. When a virtual network identifier extracted from a route advertisement matches a virtual network identifier in the table, the route advertisement is propagated to the provider edge devices associated with that virtual network identifier in the table. The route advertisement is not propagated to provider edge devices not associated with that virtual network identifier in the table.

VXLAN MULTI-TENANT INTER-NETWORKING DEVICE PACKET FORWARDING SYSTEM

A VXLAN multi-tenant inter-networking device packet forwarding system includes a first aggregated networking device coupled to a first host device and a second aggregated networking device that is coupled to second host devices. The first aggregated networking device receives a data packet from the first host device and, in response, identifies a virtual network associated with the first host device. Based on a first and second portion of a virtual network identifier that identifies the virtual network, the first aggregated networking device generates respective first and second packet forwarding identifiers. The first aggregated networking device then provides the first and second packet forwarding identifiers in the data packet, and forwards the data packet to the second aggregated networking device. The second aggregated networking device may then forward the data packet to one of the second host devices based on the first and second packet forwarding identifiers in the data packet.

Learning a MAC address in VXLAN

A source Medium Access Control (MAC) address is learned upon receiving a data message from a local network, and a learned local MAC address entry is added to a MAC address forwarding table. A source MAC address is not learned upon receiving a data message from a tunnel. When a local MAC address entry in the MAC address forwarding table changes, a synchronization message is sent via each tunnel associated with a Virtual Extensible Local Area Network (VXLAN) in the changed local MAC address entry, and is saved into a database corresponding to the tunnel. Each tunnel corresponds to one database.

Providing location-specific network access to remote services

Techniques are described for providing users with access to computer networks, such as to enable users to create and configure computer networks that are provided by a remote configurable network service for the users' use. Computer networks provided by the configurable network service may be configured to be private computer networks that are accessible only by the users who create them, and may each be created and configured by a client of the configurable network service to be an extension to an existing computer network of the client, such as a private computer network extension to an existing private computer network of the client. In addition, access to remote resource services may be configured and provided from such computer networks in various manners, such as to automatically include access control information to limit access to particular resources to computing nodes at the location of that provided computer network.

PROVIDER EDGE DEVICE AND METHOD IMPLEMENTED THEREON FOR ETHERNET VIRTUAL PRIVATE NETWORK
20210083901 · 2021-03-18

A provider edge (PE) device and a method implemented thereon are disclosed for Ethernet virtual private network (EVPN). According to an embodiment, a first PE device performs a label assignment procedure with a second PE device such that the first and second PE devices share an Ethernet segment identifier (ESI)-excluded label and know a correspondence between the ESI-excluded label and a label combination of an ESI label and a VPN label. The first PE device encapsulates a packet of broadcast, unknown unicast or multicast (BUM) traffic, with the ESI-excluded label instead of the label combination. The first PE device sends the encapsulated packet to the second PE device.

VXLAN packet forwarding method, device, and system

A virtual extensible local area network (VXLAN) packet forwarding method, device, and system, where the method includes setting, by a local VXLAN tunnel end point (VTEP) device based on a priority of a VXLAN tunnel, tunnel states of at least two VXLAN tunnels coupled to the local VTEP device, sending the tunnel states of the VXLAN tunnels to at least two peer VTEP devices, where the at least two VXLAN tunnels are in a one-to-one correspondence with the at least two peer VTEP devices, and separately confirming, by the at least two peer VTEP devices, the received tunnel states of the VXLAN tunnels. A VXLAN tunnel in an active state is in a working state, and a VXLAN tunnel in an inactive state is in a non-working state, thereby improving a redundancy protection capability of a VXLAN network.