Patent classifications
H04L12/465
FILTERING VLAN PACKETS HAVING MALFORMED TPIDS
Malformed VLAN packets can be detected by programming suitable rules in a TCAM in the packet processing pipeline. In some deployments, for example, the TCAM rule(s) can match on the parsed EtherType metadata. More specifically, the match can be based on the EtherType metadata being set to a value equal to known VLAN TPIDs, such as 0x8100, 0x88a8, rather than being set to a standard EtherType.
Loop prevention system
A loop prevention system includes a plurality of networking devices that are coupled together to form a Layer Two (L2) domain and at least a portion of the plurality of networking devices are coupled together in a physical loop configuration. A networking device included in the plurality of networking devices may include at least one L2 domain connection that couples the networking device to at least one of the plurality of networking devices in the L2 domain, and an edge connection that connects the networking device to a computing device that is outside of the L2 domain. The networking device may receive a data frame via the edge connection. The networking device then generates a loop breaker data frame by tagging the data frame with a loop breaker tag and forwards the loop breaker data frame via the at least one L2 domain connection.
HIERARCHICAL DATA TRAFFIC CONTROL IN NETWORK ENVIRONMENTS
Access control systems and methods herein successfully overcome ACL (access control list) group width limitations of existing designs by splitting an ACL group across different units, e.g., to create two ACL groups that each have a relatively smaller width. In one or more embodiments, availability of ACL space is increased by hierarchically splitting an ACL table to fit into two different networked devices and modifying certain fields carrying metadata in packets that are exchanged between the devices, such that one chipset may carry information about the lookup of another. In one or more embodiments, an ACL group for a port extender is created by selectively creating a sub-group with qualifiers that fit within an available group width, and moving the remaining qualifiers to a controlling bridge to achieve the desired functionality/action.
Tunneling with routing for transport network
Methods and computing systems for tunneling in a carrier transport network are described. An Internet Protocol (IP) packet having a destination IP address of a destination cellular site of a cellular cluster is received. A frame is formed with the IP packet placed into a payload portion of the frame. An outer Virtual Local Area Network (VLAN) tag that identifies a network of the cellular cluster to a first carrier network is added to the frame, and an inner VLAN tag that identifies the network of the cellular cluster to a second carrier is added. The first carrier network and the second carrier network are coupled via at least one network-to-network interface. The frame, including the IP packet, is forwarded to a provider edge switch of the first carrier network.
SYSTEMS AND METHODS FOR ESTABLISHING A BACKUP SECURE COMMUNICATION LINK IN AN ELECTRIC POWER DISTRIBUTION SYSTEM
A controller for an electric power distribution system includes processing circuitry and a memory that includes instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to determine that a first switch of the electric power distribution system is a primary switch communicatively coupled to an intelligent electronic device (IED) of the electric power distribution system, determine that a second switch of the electric power distribution system is a backup switch communicatively coupled to the IED, and distribute a first copy of a security association key (SAK) to the first switch and a second copy of the SAK to the second switch in response to determining that the first switch is the primary switch and the second switch is the backup switch, to enable the first switch and the second switch to establish respective media access control security (MACsec) communication links with the IED.
Methods and systems for a secure wireless network for industrial process monitoring and business applications
Aspects of the present disclosure provide techniques for enabling data traffic having security of different Purdue Enterprise Reference Architecture security levels to traverse a common network. Techniques disclosed herein maintain logical separation between the different data traffic types by assigning each to a discrete virtual LAN, and discretely encrypting each data traffic type.
METHOD AND APPARATUS FOR SEARCHING FOR MAINTENANCE END POINT (MEP), AND STORAGE MEDIUM
Provided is a method and apparatus for searching for a Maintenance End Point (MEP), and a storage medium. The method includes that: a chip of the MEP parses an obtained packet; the chip of the MEP determines whether a field of the parsed packet matches a field in a combination of a port and a Virtual Local Area Network (VLAN); and in a case where the field of the parsed packet matches the field in the combination of the port and the VLAN, the chip of the MEP determines that the MEP is found successfully.
Network system, server, switch, and operating method of network system
A network system that includes a first server and a first switch is provided. The first server includes a first virtual machine. The first virtual machine (VM) is configured to provide a first VM packet including a first VM identifier (ID) to the first server. The first server is configured to acquire a tenant identifier corresponding to the first VM according to the first VM identifier, to convert the tenant identifier to first feature data, and to encapsulate the first VM packet to generate and output a first server packet containing the first feature data. The first switch is configured to receive the first server packet, to acquire a service instance identifier (I-SID) according to the first feature data, to acquire a backbone VLAN identifier according to the I-SID, and to encapsulate the first server packet to generate and output a switch packet.
SYSTEMS AND METHODS FOR PROVIDING A GLOBAL VIRTUAL NETWORK (GVN)
Systems and methods for managing a global virtual network connection between an endpoint device and an access point server are disclosed. In one embodiment the network system may include an endpoint device, an access point server, and a control server. The endpoint device and the access point server may be connected with a first tunnel. The access point server and the control server may be connected with a second tunnel.
MULTI-PERIMETER FIREWALL IN THE CLOUD
Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second firewalls may be in communication with each other and exchange threat information.