Patent classifications
H04L12/4679
IMPLICIT TRAFFIC ENGINEERING
Briefly, methods and/or apparatuses for implicit traffic engineering, such as for the Internet, are described.
COMMUNICATION METHOD FOR ONE-WAY TRANSMISSION BASED ON VLAN ID AND SWITCH DEVICE USING THE SAME
A communication method and a switch device for one-way transmission based on VLAN ID are provided. The communication method includes: receiving, by a first port of a switch, a first data packet from a first external device; packing the first data packet with a first VLAN ID corresponding to a first path to generate a second data packet; receiving, by a first PLD, the second data packet from a third port of the switch; filtering, by the first PLD, the second data packet according to a first filtering rule; in response to the second data packet being matched with the first filtering rule, overwriting the first VLAN ID by a second VLAN ID corresponding to a second path to generate a third data packet; and transmitting, by the first PLD, the third data packet to a second port of the switch via the second path.
DOWNLINK DATA PRIORITIZATION FOR TIME-SENSITIVE APPLICATIONS
Various embodiments provide methods for Internet Protocol (IP) packet handling. Various embodiments may enable downlink (DL) data prioritization of IP packets for time-sensitive applications, for example by using differentiated services code point (DSCP) indications or type-of-service (TOS) indications in headers of the IP packets to distinguish prioritized IP packets from non-prioritized IP packets. In various embodiments, IP packets that are prioritized IP packets may be sent to another processor of a wireless device using a prioritized traffic handling configuration that has a lower latency than a default traffic handling configuration used for sending non-prioritized IP packets. Various embodiments may further enable uplink (UL) data prioritization of IP packets.
Systems and Methods for Costing In Nodes after Policy Plane Convergence
In one embodiment, a method includes activating a first network apparatus within a network and determining, by the first network apparatus, that a Scalable Group Tag (SGT) Exchange Protocol (SXP) is configured on the first network apparatus. The method also includes costing out the first network apparatus in response to determining that the SXP is configured on the first network apparatus. Costing out the first network apparatus prevents Internet Protocol (IP) traffic from flowing through the first network apparatus. The method further includes receiving, by the first network apparatus, IP-to-SGT bindings from an SXP speaker, receiving an end-of-exchange message from the SXP speaker, and costing in the first network apparatus in response to receiving the end-of-exchange message. Costing in the first network apparatus allows the IP traffic to flow through the first network apparatus.
Packet sending and processing method and apparatus, PE node, and node
Provided are a packet sending method and apparatus, a packet processing method and apparatus, a PE node and a node. The packet sending method includes: receiving a first packet from an AC, processing the first packet to obtain a second packet, the second packet including a first IP, where the first IP includes a second IP or an IP obtained by encrypting part of the bits of the second IP with an intrinsic entropy value of the first packet and the second IP is one of an ESI IP of an ESI corresponding to the AC, an IP obtained by modifying a designated bit of the ESI IP of the ESI corresponding to the AC according to a Root/Leaf attribute of the AC, an IP obtained by replacing part of the bits of the ESI IP of the ESI corresponding to the AC with a VLAN ID value corresponding to the AC, a third IP, or an IP obtained by modifying a designated bit of the third IP according to the Root/Leaf attribute of the AC; and sending the second packet.
Network segment allocation system and method
When a subscriber terminal (100A) connects to the other party vCPE (310B), a communication system (1) determines whether a connection between the other party terminal (100B) and the other party vCPE (310B) and a connection between the subscriber terminal (100A) and the other party vCPE (310B) are to be established through the same network segment based on connection permission conditions of the other party vCPE (310B) and the subscriber terminal (100A), and the other party vCPE (310B) allocates a network segment, which is the same as or different from a network segment allocated to the other party terminal (100B), to the subscriber terminal (100A) according to the determination.
DISTRIBUTED NETWORK ADDRESS TRANSLATION OVER NETWORK ENVIRONMENTS
This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.
MICRO AND MACRO SEGMENTATION IN ENTERPRISE NETWORKS WITHOUT A PER SEGMENT LAYER-3 DOMAIN
Secure network segmentation using logical subnet segments is described. A single network segment or subnet provided by a third party is mapped into multiple layer-3 virtual or logical segments without requiring separate subnets. This mapping is accomplished by using virtual routing functions (VRFs) per logical subnet segment while retaining a single subnet across the segments. The logical subnet segments interact with the single network segment provided by the third party (ISP). The layer-3 VRF instances are created without the need for separate IP subnet pools per layer-3 segment. Each VRF instance for the various logical subnet segments is mapped to an identifier and tag.
SYSTEM AND METHOD FOR MANAGING VIRTUAL LOCAL AREA NETWORKS
A method for identifying VLANs associated with a network includes gathering actual network element configuration data from a plurality of network elements in the network, wherein the actual network element configuration data identifies one or more VLANs that at least some of the plurality of network elements are actually allocated to; correlating the actual network element configuration data with administrative VLAN data; and determining one or more VLANs that are not commonly identified in both the actual network element configuration data and the administrative VLAN data. A system includes a network monitoring system operable to gather actual network element configuration data from a plurality of network elements at one or more logical network sites, wherein the actual network element configuration data identifies one or more VLANs that at least some of the plurality of network elements are actually allocated to; and a VLAN services module operable to correlate the actual network element configuration data with administrative VLAN data, and further operable to determine one or more VLANs that are not commonly identified in both the actual network element configuration data and the administrative VLAN data.
Authentication of passive devices
Some embodiments provide a method, executable by a network device, that receives a first set of commands instructing the network device to allow network traffic to egress out of an authentication port of the network device. The authentication port is configured to belong to a first virtual local area network (VLAN). An unauthenticated device is connected to the authentication port. The method further receives a second set of commands instructing the network device to add ports belonging to the first VLAN to a broadcast domain of a second VLAN. The method also broadcasts an address request to the broadcast domain of the second VLAN. The method further receives, from the unauthenticated device, a response to the address request.