Patent classifications
H04L61/5084
PROVIDING PERSISTENT EXTERNAL INTERNET PROTOCOL ADDRESS FOR EXTRA-CLUSTER SERVICES
Techniques are presented herein for providing a persistent external Internet Protocol (IP) address for extra-cluster services. One example involves initiating, in a cluster, a first pod with a label that identifies a service. The first pod is configured to provide the service to one or more network entities outside the cluster. The first pod is assigned an IP address configured for communicating outside the cluster. A mapping of the service to the IP address is stored. In response to a determination that the service has been disrupted, a second pod is initiated in the cluster with the label that identifies the service. The second pod is configured to provide the service to the one or more network entities outside the cluster. Based on the mapping and the label that identifies the service, the IP address is assigned to the second pod.
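The label-keyed mapping described in this abstract can be modelled in a few dozen lines. The following is an added illustration, not code from the patent or from any cluster product; the class, method and label names (`ExternalIPController`, `SERVICE_LABEL`, `replace`) are assumptions, and the IP pool is constructed test data. Beyond the abstract's flow, it adds the check a practitioner would want: the replacement pod inherits the mapped IP only after the failed pod has released it, so two live pods can never advertise the same external address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICE_LABEL = "service"   # assumed label key identifying the extra-cluster service


@dataclass
class Pod:
    name: str
    labels: Dict[str, str]
    external_ip: Optional[str] = None
    running: bool = True


class ExternalIPController:
    """Hypothetical controller: one external IP per service label, surviving pod replacement."""

    def __init__(self, ip_pool: List[str]) -> None:
        self._free = list(ip_pool)
        self.mapping: Dict[str, str] = {}   # service label value -> external IP (persistent)
        self.holders: Dict[str, str] = {}   # service label value -> pod currently holding the IP
        self.pods: Dict[str, Pod] = {}

    def start_pod(self, pod: Pod) -> str:
        service = pod.labels.get(SERVICE_LABEL)
        if service is None:
            raise ValueError(f"pod {pod.name} carries no {SERVICE_LABEL!r} label")
        ip = self.mapping.get(service)
        if ip is None:
            if not self._free:
                raise RuntimeError("external IP pool exhausted")
            ip = self._free.pop(0)
            self.mapping[service] = ip           # first pod for this service: record the mapping
        else:
            holder = self.holders.get(service)
            if holder is not None and self.pods[holder].running:
                # Safety check: never let two live pods advertise the same external IP.
                raise RuntimeError(f"{ip} is still held by running pod {holder}")
        pod.external_ip = ip
        self.pods[pod.name] = pod
        self.holders[service] = pod.name
        return ip

    def pod_failed(self, name: str) -> None:
        """Mark a pod as disrupted; the service->IP mapping is kept on purpose."""
        pod = self.pods[name]
        pod.running = False
        pod.external_ip = None

    def replace(self, failed: str, new_name: str) -> str:
        """Start a replacement pod with the same labels; it inherits the mapped IP."""
        old = self.pods[failed]
        if old.running:
            raise RuntimeError(f"pod {failed} has not been marked as disrupted")
        return self.start_pod(Pod(new_name, dict(old.labels)))


def demo() -> tuple:
    """Constructed scenario: web-0 gets an IP, fails, and web-1 inherits the same IP."""
    ctl = ExternalIPController(["203.0.113.10", "203.0.113.11"])  # constructed pool
    first_ip = ctl.start_pod(Pod("web-0", {SERVICE_LABEL: "web"}))
    ctl.pod_failed("web-0")
    second_ip = ctl.replace("web-0", "web-1")
    return first_ip, second_ip, ctl.holders["web"]
```

The point of keeping `mapping` separate from `holders` is that the mapping is the durable record (what external peers and firewall allowlists depend on), while the holder changes on every replacement; a real controller would persist the mapping outside the pod lifecycle.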
Virtual IP support for bare metal cloud infrastructures
Disclosed is an improved approach for managing floating/virtual IP addresses in a virtualization system. Where a bare metal cloud provider does not offer adequate facilities for the broadcast operations that floating IP failover relies on, the approach captures the broadcast packets and, from their contents, generates calls to the cloud provider to make the configuration changes the packets request.
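The abstract does not name the broadcast packet; the added example below assumes it is a gratuitous ARP announcement, which is what VRRP-style failover sends when a node takes over a virtual IP. It is illustration code, not the patent's or any provider's implementation: the `FloatingIPReconciler` class, the `assign_floating_ip` action and the instance identifiers are assumptions, and the frames are constructed inline. The security-relevant part is the gating: because any host on the segment can emit a gratuitous ARP, the translator only acts on VIPs it manages and on MACs it already knows, and it suppresses repeat calls so a flood of announcements does not become a flood of API calls.

```python
import ipaddress
import struct
from typing import Dict, Iterable, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
_ETH = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
_ARP = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_gratuitous_arp(frame: bytes) -> Optional[Dict[str, str]]:
    """Return {'ip', 'mac'} if the frame is a broadcast gratuitous ARP, else None."""
    if len(frame) < _ETH.size + _ARP.size:
        return None
    dst, _src, ethertype = _ETH.unpack_from(frame, 0)
    if dst != BROADCAST or ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = _ARP.unpack_from(frame, _ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # Gratuitous ARP: sender and target protocol addresses are the same.
    if oper not in (ARP_REQUEST, ARP_REPLY) or spa != tpa:
        return None
    return {"ip": str(ipaddress.IPv4Address(spa)), "mac": mac_str(sha)}


def build_gratuitous_arp(mac: bytes, ip: str) -> bytes:
    """Constructed test input: the GARP reply a node sends when it takes over a VIP."""
    spa = ipaddress.IPv4Address(ip).packed
    return _ETH.pack(BROADCAST, mac, ETHERTYPE_ARP) + _ARP.pack(
        1, 0x0800, 6, 4, ARP_REPLY, mac, spa, mac, spa)


class FloatingIPReconciler:
    """Turns observed GARP announcements into provider reassignment calls (returned as dicts)."""

    def __init__(self, allowed_vips: Iterable[str], mac_to_instance: Dict[str, str]) -> None:
        self.allowed_vips = set(allowed_vips)           # VIPs this controller is allowed to move
        self.mac_to_instance = dict(mac_to_instance)    # known node MACs -> provider instance IDs
        self.assigned: Dict[str, str] = {}              # VIP -> instance currently holding it

    def handle_frame(self, frame: bytes) -> Optional[Dict[str, str]]:
        info = parse_gratuitous_arp(frame)
        if info is None:
            return None
        if info["ip"] not in self.allowed_vips:
            return None   # announcement for an address we do not manage
        instance = self.mac_to_instance.get(info["mac"])
        if instance is None:
            return None   # unknown MAC: GARP is unauthenticated, so do not act on it
        if self.assigned.get(info["ip"]) == instance:
            return None   # already in the desired state; keep the provider call idempotent
        self.assigned[info["ip"]] = instance
        return {"action": "assign_floating_ip", "ip": info["ip"], "instance": instance}
```

In a deployment the returned dict would be turned into the provider's actual API request; the reconciler keeps its own view of the current assignment so that it can also be compared against the provider's state on a periodic sweep, which catches announcements that were lost because they were never captured.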
Firewall service insertion across secure fabric preserving security group tags end to end with dual homed firewall
Systems, methods, and computer-readable media for preserving source host context when firewall policies are applied to traffic in an enterprise network fabric. A data packet to a destination host from a source host can be received at a first border node instance in an enterprise network fabric as part of network traffic. The data packet can include a context associated with the source host. Further, the data packet can be sent to a firewall of the enterprise network fabric and can be received at a second border node instance after the firewall applies a firewall policy to the data packet. The data packet can then be selectively encapsulated with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric.
Key distribution method and system, and apparatus
This application provides a key distribution method, apparatus, and system. An identity management server determines, based on AAA authentication information, whether AAA authentication of the terminal has succeeded; if it has, the identity management server sends the terminal's ID to a key management server, which generates a private key for the terminal and returns it to the identity management server. After negotiating a first key with the terminal, the identity management server encrypts the ID and the private key of the terminal under that key and sends the encrypted ID and encrypted private key to the terminal, which decrypts them to obtain its ID and private key. Note that in this flow both the key management server and the identity management server handle the terminal's private key in the clear; the first key protects it only on the path to the terminal. According to the key distribution method, apparatus, and system provided in this application, the communication security of the terminal during ID-based registration and authentication is improved.
Techniques to provide seamless mobility for multiple accesses of an enterprise fabric
In one example, a Network Policy Function (NPF) obtains a first identifier for a User Equipment (UE) based on communications between the UE and a first access network of a system, and an Internet Protocol (IP) address used by the UE to communicate over the first access network. The NPF obtains a second identifier for the UE based on communications between the UE and a second access network of the system. The NPF determines that the UE used the IP address to communicate over the first access network of the system based on a correlation between the first identifier for the UE and the second identifier for the UE. The NPF provides the IP address to the UE, and the UE uses the IP address to communicate over the second access network.
Method for propagating movement event message of network entity
A method for propagating a movement event message of a network entity, including: step 1) each network device maintains a historical forwarding information list, and a network device capable of receiving a movement event message from an external system or device additionally maintains an uplink port information table; step 2) on receiving such a message, that device matches it against the table to obtain a forwarding port and forwarding information, constructs a movement event forwarding message from that information and sends it through the forwarding port; and step 3) each device that receives the forwarded message looks up a matching forwarding port and forwarding information in its list, modifies the message using the forwarding information, and forwards the modified message through that port. The method is able to propagate a movement event message to the network devices responsible for the related data transmission and forwarding.
SUBNET STRETCHING VIA LAYER THREE COMMUNICATIONS
Systems and methods for stretching a subnet that do not require Layer 2 (L2) communications to be handled are provided. A user may gradually migrate VMs or applications instead of migrating an entire subnet at one time, may fail over specific VMs without failing over an entire subnet or renumbering IP addresses, may deploy applications to the cloud without the need to create a VPN, or may enable hybrid network connectivity without modifying routes or (re)configuring edge routers, among other benefits. Each domain over which the subnet is stretched includes a virtual gateway that is associated with the Layer 3 (L3) addresses of the other domains. L3 traffic to destinations within the local domain is routed within that domain; L3 traffic to subnet addresses that reside in another domain is intercepted by the local gateway, passed to the remote gateway of that domain, and forwarded to the destination, all using L3 communications.
METHOD FOR CONFIGURING A COMMUNICATION NETWORK AND NODE IMPLEMENTING SAID CONFIGURATION METHOD
A method for configuring a communication network including a gateway adapted for connecting the communication network to a wide area communication network and connected to a plurality of nodes implementing an access point functionality is described. The nodes are coordinated in a centralised manner by a current master node selected from the plurality of nodes. The current master node obtains a virtual MAC address and an IP address associated with the virtual MAC address, the IP address being reserved for configuring network services. It then configures a virtual network interface from the IP address associated with the virtual MAC address.
Anonymous Identity In Identity Oriented Networks and Protocols
A method of using ephemeral identifiers (IDs) in a network, implemented by a network element (NE), comprises obtaining an ephemeral ID for at least one user equipment (UE) accessible through the NE, wherein the ephemeral ID is a temporary and recyclable ID associated with the UE; transmitting to a mapping server a request to map the ephemeral ID of the UE to a locator of the NE; and establishing a communication session between the UE and a network site using the ephemeral ID.
DEVICE MOBILITY WITH COAP
A method performed in a network connected endpoint device having a first address as its current address. The method comprises receiving Constrained Application Protocol (CoAP) signalling from a network server. The received signalling comprises an Observe request for an information resource of the endpoint device. The resource comprises the current address of the endpoint device stored therein. The method also comprises, in accordance with the received signalling comprising the Observe request, sending CoAP signalling to the network server. The sent signalling comprises information about the current address of the endpoint device stored in the resource. The technique also relates to a method of the network server as well as to the endpoint device and the network server.