Patent classifications
H04L12/755
Dynamic prefix list for route filtering
In general, techniques are described for a dynamic prefix list for route filtering. In one example, a network device comprises a control unit comprising one or more processors; one or more interface cards coupled to the control unit; a routing protocol process configured to execute on the control unit to exchange, using the interface cards, routing protocol advertisements with a peer network device in accordance with a routing protocol; and a configuration database comprising a routing policy that references a dynamic prefix list comprising one or more prefixes. The routing policy includes at least one action for application to routes for import or export, by the network device via a routing protocol, that match any of the one or more prefixes of the dynamic prefix list. The dynamic prefix list comprises a routing table to store the one or more prefixes, the routing table separate from the configuration database.
Moving target defense with network level changes providing substantially continuous access to applications
Network level Moving Target Defense techniques are provided with substantially continuous access to protected applications. An exemplary method comprises identifying a first application listening to a first port or a first network address; notifying the first application to listen to a second port or a second network address; notifying at least one additional application that the first application is listening to the second port or the second network address; and notifying the first application to unlisten to the first port or the first network address, wherein the first application operates in a substantially continuous manner during a change from listening to one or more of the first port and the first network address and listening to one or more of the second port and the second network address. The first application can be a stateful application having persistent storage.
Per-application split-tunneled proxy
Disclosed are various embodiments for providing split-tunneled network connectivity on a per-application basis. A request to make a connection, such as a transmission control protocol (TCP) or a user datagram protocol (UDP) connection, to a remote host specified by an internet protocol (IP) address in the request is received from a network driver. A hostname lookup table is queried to determine a hostname associated with the IP address for the remote host. A policy is identified based on the hostname associated with the IP address for the remote host. Then, the connection is routed based on the policy.
Link state addition and deletion based on reception of a single message in link state vector routing
Techniques for updating a routing table based on a single message are described. One technique includes receiving at a first network device a node message from a second network device. The node message includes a sequence number and a list of link state(s) originated by the second network device. The first network device determines whether to withdraw one or more link states originated by the second network device and maintained in a routing table of the first network device based on the sequence number and the list of the link state(s) within the node message. The routing table is updated based on the determinations.
TUNNEL-BASED ROUTING CALCULATION IN SOFTWARE-DEFINED NETWORKING (SDN) ENVIRONMENTS
Example methods and network devices for tunnel-based routing calculation are described. One example method may comprise establishing a tunnel between a first tunnel interface and a second tunnel interface; establishing a first session for routing information exchange between a first tunnel endpoint and an underlay network device; and establishing a second session for routing information exchange between the first tunnel interface and the second tunnel interface over the tunnel. In response to receiving first routing information over the first session, the underlay network device may be configured to be a next hop to reach the second tunnel endpoint by updating a routing table to include a first entry. Further, the underlay network device may be retained as the next hop by updating the routing table to include a second entry that overrides second routing information which advertises, over the second session, the second tunnel interface as the next hop.
DISTRIBUTED FAULT TOLERANT SERVICE CHAIN
Some embodiments of the invention provide novel methods for performing services on data messages passing through a network connecting one or more datacenters, such as software defined datacenters (SDDCs). The method of some embodiments uses service containers executing on host computers to perform different chains (e.g., ordered sequences) of services on different data message flows. For a data message of a particular data message flow that is received or generated at a host computer, the method in some embodiments uses a service classifier executing on the host computer to identify a service chain that specifies several services to perform on the data message. For each service in the identified service chain, the service classifier identifies a service container for performing the service. The service classifier then forwards the data message to a service forwarding element to forward the data message through the service containers identified for the identified service chain. The service classifier and service forwarding element are implemented in some embodiments as processes that are defined as hooks in the virtual interface endpoints (e.g., virtual Ethernet ports) of the host computer's operating system (e.g., Linux operating system) over which the service containers execute.
METHOD AND SYSTEM FOR MANAGING NETWORK COMMUNICATIONS
A system that incorporates teachings of the present disclosure may include, for example, avoiding data copy and task switching by processing protocol headers of network PDUs as a serial tape to be processed in order, such as by a single method. Other processing includes reducing stages and simplifying protocol processing and multiplexing during network communications. Address changing in an active network can be implemented by assigning multiple addresses to an entity so that a new address can replace the old address. Peer-to-peer application searching can be performed among networks that can be accessible or non-accessible networks. Anycast sets that include selected and alternative addresses can be utilized to enable immediate or near-immediate alternative route selection on failure or congestion. Other embodiments are disclosed.
SYSTEM, METHOD, AND DEVICE FOR COMMUNICATION BETWEEN NETWORK SEGMENTS
A method of providing a path between bridges of a first network segment. The first network segment is configured using a Spanning Tree Protocol (STP). The method includes providing a second network segment interconnecting first and second bridges of said first network segment. The second network segment is operable to transmit frames adherent to a High-availability Seamless Redundancy (HSR) network control protocol and to discard the STP control data frames. The method also includes modifying at a first Redundancy Box (RedBox) STP control data frames to form modified data frames adherent to the HSR protocol. The method also includes modifying at a second RedBox, the modified data frames to re-form the STP control data frames.
PACKET FORWARDING METHOD AND NODE DEVICE BASED ON BIER-TE, AND STORAGE MEDIUM
Provided are a packet forwarding method based on BIER-TE, a node device and a storage medium. The method includes: acquiring X bit string sub-package structures from a BIER-TE-based message; and forwarding the message according to the X bit string sub-package structures, where X is greater than or equal to 1.
Explicit Backups and Fast Re-Route Mechanisms For Preferred Path Routes in a Network
A method implemented by a network element (NE) in a network comprises: receiving, by the NE, an advertisement comprising preferred path route (PPR) information and backup PPR information, the PPR information describing a PPR between a source and a destination in the network, the backup PPR information describing a backup PPR between the source and the destination, and the PPR information comprising a PPR identifier (PPR-ID) and a plurality of PPR description elements (PPR-PDEs) each representing an element on the PPR; updating, by the NE, a local forwarding database to include the PPR information and the backup PPR information in association with a destination address of the destination; and transmitting, by the NE, a data packet based on the backup PPR information instead of the PPR information in response to an element on the PPR being unavailable due to a failure of an element along the PPR.