Abstract: A firewall manager periodically accesses a set of servers to identify the various services currently active on each server. The firewall manager also periodically accesses a set of firewalls configured to protect those servers to identify various firewall rules implemented by those firewalls. The firewall manager then compares the services data with the rules data to identify any obsolete firewall rules that are (i) defined based on an IP address not currently allocated to any of the servers or (ii) defined based on a port of an active server that is not associated with any service running on server. Such rules are considered obsolete. Upon identifying any obsolete firewall rules, the firewall manager accesses the firewalls associated with those rules and then removes the obsolete rules.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: A firewall manager periodically accesses a set of servers to identify the various services currently active on each server. The firewall manager also periodically accesses a set of firewalls configured to protect those servers to identify various firewall rules implemented by those firewalls. The firewall manager then compares the services data with the rules data to identify any obsolete firewall rules that are (i) defined based on an IP address not currently allocated to any of the servers or (ii) defined based on a port of an active server that is not associated with any service running on server. Such rules are considered obsolete. Upon identifying any obsolete firewall rules, the firewall manager accesses the firewalls associated with those rules and then removes the obsolete rules.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: Techniques for dampening an interface flapping rate between switches in a network environment. An interface of a first switch is designated as being in an active mode in which forwarding activity of the interface is permitted. The interface is determined to exhibit flapping behavior satisfying one or more dampening criteria when in the active mode. An indication is sent to a second switch to isolate the interface. A reply to the indication is received from the second switch. The interface is designated as being in an isolated mode in which health monitoring of the interface is permitted but forwarding activity of the interface is prohibited. The interface is determined to satisfy one or more reinstatement criteria when in the isolated mode. The interface is redesignated as being in the active mode.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: An approach is provided for protecting a network from a unicast flood. If the destination MAC address of a frame is not included in a table of unknown MAC addresses, the MAC address is added to the table and the frame is forwarded to non-blocked spanning tree links to find the MAC address in the network. If the MAC address is included in the table, and if a timer for suppressing forwarding of frames is active, the frame is discarded, or if the timer is inactive, a counter for counting received frames is incremented and compared to a threshold value. If the counter is greater than the threshold value, the timer is activated and the frame is discarded. If the counter is not greater than the threshold value, the frame is forwarded to the non-blocked spanning tree links to find the MAC address in the network.

Abstract: Embodiments of the present invention include methods, systems, and computer program products for packet forwarding. Aspects of the invention include receiving, from a source node, a first network queue in a set of network queues, wherein the first network queue includes one or more minimum network traffic performance requirements. A set of network paths is analyzed to determine a performance level for each network path and identify a first network path and a second network path with a performance level above the one or more minimum performance requirements of the first network queue. A determination is made that the first network path has a higher performance level than the second network path. Based at least in part on determining that the first network path has a higher performance level than the second network path, the first network queue is mapped to the first network path.

Abstract: An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.

Abstract: Embodiments of the present invention include methods, systems, and computer program products for packet forwarding. Aspects of the invention include receiving, from a source node, a first network queue in a set of network queues, wherein the first network queue includes one or more minimum network traffic performance requirements. A set of network paths is analyzed to determine a performance level for each network path and identify a first network path and a second network path with a performance level above the one or more minimum performance requirements of the first network queue. A determination is made that the first network path has a higher performance level than the second network path. Based at least in part on determining that the first network path has a higher performance level than the second network path, the first network queue is mapped to the first network path.

Abstract: Embodiments of the present invention include methods, systems, and computer program products for packet forwarding. Aspects of the invention include receiving, from a source node, a first network queue in a set of network queues, wherein the first network queue includes one or more minimum network traffic performance requirements. A set of network paths is analyzed to determine a performance level for each network path and identify a first network path and a second network path with a performance level above the one or more minimum performance requirements of the first network queue. A determination is made that the first network path has a higher performance level than the second network path. Based at least in part on determining that the first network path has a higher performance level than the second network path, the first network queue is mapped to the first network path.

Abstract: Embodiments of the present invention include methods, systems, and computer program products for packet forwarding. Aspects of the invention include receiving, from a source node, a first network queue in a set of network queues, wherein the first network queue includes one or more minimum network traffic performance requirements. A set of network paths is analyzed to determine a performance level for each network path and identify a first network path and a second network path with a performance level above the one or more minimum performance requirements of the first network queue. A determination is made that the first network path has a higher performance level than the second network path. Based at least in part on determining that the first network path has a higher performance level than the second network path, the first network queue is mapped to the first network path.

Abstract: An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.

Abstract: An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.

Abstract: Techniques for dampening an interface flapping rate between switches in a network environment. An interface of a first switch is designated as being in an active mode in which forwarding activity of the interface is permitted. The interface is determined to exhibit flapping behavior satisfying one or more dampening criteria when in the active mode. An indication is sent to a second switch to isolate the interface. A reply to the indication is received from the second switch. The interface is designated as being in an isolated mode in which health monitoring of the interface is permitted but forwarding activity of the interface is prohibited. The interface is determined to satisfy one or more reinstatement criteria when in the isolated mode. The interface is redesignated as being in the active mode.

Abstract: A method and associated systems of automatic notification of isolation of a first networked device. In response to detecting that it is not being properly managed by a network-management means, the first networked device creates a notification message that identifies the problem and requests proper network management. The device then transmits this message to any other device or networked node that it can communicate with, along with a request that recipients try to forward the message to the network-management means. If a device that receives the message is able to forward the message successfully, the network-management means takes appropriate steps to begin properly managing the first networked device.