Patent classifications
H04L12/4679
Automatic virtual local area network (VLAN) provisioning in data center switches
Techniques are described for automatic provisioning of virtual local area networks (VLANs) on server-facing ports of access switches included in a data center network. Conventionally, VLANs are pre-configured on all server-facing ports of access switches. The techniques described in this disclosure enable automatic provisioning of VLANs on server-facing ports of access switches triggered by traffic received on the ports. The techniques include a feature in a forwarding plane of an access switch that is configured to detect data packets received for an unknown VLAN on a port, and notify a control plane of the access switch of the unknown VLAN on the port. In response to the notification from the forwarding plane, the control plane may authorize and provision the VLAN on the port. The techniques described in this disclosure include hardware-assisted software provisioning of an unknown VLAN on a given port of an access switch.
IDENTIFYING MULTIPLE NODES IN A VIRTUAL NETWORK DEFINED OVER A SET OF PUBLIC CLOUDS TO CONNECT TO AN EXTERNAL SAAS PROVIDER
Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.
Deployment Of Virtual Extensible Local Area Network
According to an example, a Virtual Extensible Local Area Network Tunnel End Point (VTEP) sends a Virtual Extensible Local Area Network (VXLAN) information announcement message carrying the identifiers of VXLAN instances to the neighbor VTEPs and receives VXLAN information announcement messages from the neighbor VTEPs. If a neighbor VTEP is configured with the same VXLAN instance as the present VTEP, the present VTEP sets up a tunnel to the neighbor VTEP and associates the tunnel with the same VXLAN instance.
RESILIENT ACTIVE-ACTIVE DATA LINK LAYER GATEWAY CLUSTER
In an approach for achieving resilience and load balancing control over layer 2 gateways in a cluster, a processor forms a cluster, wherein the cluster includes one or more layer 2 gateways. A processor registers endpoints for a tenant system attached to a virtual network through a bridge network to add to an endpoint database used to associate a destination MAC address with the cluster. A processor distributes flow of data.
EVPN Packet Processing Method, Device, and System
A method includes a first provider edge (PE) device sending, to a second PE device, a media access control (MAC) route learned from a customer edge (CE) device and a virtual local area network (VLAN) identifier, wherein the second PE device generates a MAC forwarding entry based on the MAC route and the VLAN identifier, where the MAC forwarding entry is used to directly forward, using the CE device, a packet whose destination MAC address is the CE device or a MAC address of a terminal device accessing the CE device. An outbound interface identifier included in the MAC forwarding entry is an identifier of an interface connected to the CE device.
Distributed network address translation over network environments
This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.
METHOD FOR CONFIGURING A TUNNEL CONNECTION FOR AN AUTOMATION NETWORK
In a method for configuring a communication between a first computer with an automation engineering software and a second computer which is connected in a proprietary automation network, the first computer is run in a cloud environment. The communication between the first computer and the second computer is carried out by a tunnel protocol for establishing a tunnel connection, and a configuration of the tunnel connection is automatically configured by determining information heuristically.
Associating VXLANS With Tunnels
Via a tunnel configured on a Virtual eXtensible Local Area Network (VXLAN) Tunnel End Point (VTEP), a notification message is received from a peer VTEP over the tunnel. The received notification message contains VXLAN Network Identifiers (VNIs) of VXLANs currently configured on the peer VTEP. For each of VXLANs currently configured on the VTEP, when the same VXLAN as the VXLAN configured on the VTEP exists in the VXLANs indicated by the VNIs contained in the received notification message and when the VXLAN configured on the VTEP has not been associated with the tunnel, the VXLAN configured on the VTEP is associated with the tunnel.
DEVICE BLOCKING TOOL
A device blocking tool includes a user interface, a location engine, a retrieval engine, and an update engine. The user interface receives at least one of a MAC address and an IP address of a device. The location engine communicates a query to an access control server, receives a response, and determines, based on the response, that the device connected to a network through a wired connection. In response to that determination, the location engine determines a switch through which the device connected. The location engine also determines a number identifying a VLAN through which the device connected and determines that the device is an IP telephone. The retrieval engine retrieves an access control list. The update engine disconnects the device from the VLAN and reconnects the device through a second VLAN.
DEVICE BLOCKING TOOL
A wireless device blocking tool includes a user interface, a location engine, a retrieval engine, and an update engine. The user interface receives at least one of a MAC address of a device and an IP address of the device. The location engine communicates a query to an access control server, receives a response from the access control server in response to communicating the query, and determines, based on the response, that the device connected to a network through a wireless connection. The location engine also determines a WLC through which the device connected. The retrieval engine retrieves, from the WLC, an access control list. The update engine disconnects the device from the VLAN and reconnects the device through a second VLAN.