Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.

Abstract: A first leaf switch may receive from a first host, a request for a second host that is not known at the first leaf switch. The first host may be within a first End Point Group (EPG) and the second host being within a second EPG. The first EPG and the second EPG may be in a Bridge Domain (BD). Flood in encapsulation may be enabled for the first EPG and for the second EPG. Next, the first leaf switch may flood the request locally in the first EPG and to a spine switch with a VNID of the first EPG. The spine switch may then flood the request to a second leaf switch where the BD is present. The second leaf switch may send a glean request for the second host, receive, in response to sending the glean request, a reply, and learn the second host locally in response to receiving the reply.

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.

Abstract: Embodiments provide for mitigating priority flow control deadlock in stretch topologies by initializing a plurality of queues in a buffer of a leaf switch at a local cluster of a site having a plurality of clusters, wherein each queue of the plurality of queues corresponds to a respective one cluster of the plurality of clusters; receiving a pause command for no-drop traffic on the leaf switch, the pause command including an internal Class-of-Service (iCoS) identifier associated with a particular cluster of the plurality of cluster and a corresponding queue in the plurality of queues; and in response to determining, based on the iCoS identifier, that the pause command was received from a remote spine switch associated with a different cluster than the local cluster: forwarding the pause command to a local spine switch in the local cluster; and implementing the pause command on the corresponding queue in the buffer.

Abstract: Embodiments provide for mitigating priority flow control deadlock in stretch topologies by initializing a plurality of queues in a buffer of a leaf switch at a local cluster of a site having a plurality of clusters, wherein each queue of the plurality of queues corresponds to a respective one cluster of the plurality of clusters; receiving a pause command for no-drop traffic on the leaf switch, the pause command including an internal Class-of-Service (iCoS) identifier associated with a particular cluster of the plurality of cluster and a corresponding queue in the plurality of queues; and in response to determining, based on the iCoS identifier, that the pause command was received from a remote spine switch associated with a different cluster than the local cluster: forwarding the pause command to a local spine switch in the local cluster; and implementing the pause command on the corresponding queue in the buffer.

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.

Abstract: An ingress network device of a network fabric mark packets with source endpoint group information to enable intra-EPG isolation. The ingress network device receives an indication of endpoints associated with an isolated endpoint group that restricts network traffic among members of the isolated endpoint group. The ingress network device receives a packet from a source and detects that the source endpoint belongs to the isolated endpoint group. The ingress network device incorporates source endpoint group information into a header of the packet. The source endpoint group information indicates that the source endpoint belongs to the isolated endpoint group.

Abstract: A system, computer-readable media, and methods for classifying a quality of service for egress packets in a network are disclosed. The method may include receiving a packet and determining an ingress quality of service context for the packet. The method may also include determining an egress quality of service context for the packet. Further, the method may include classifying an egress quality of service for the packet based on the ingress quality of service context and the egress quality of service context. The method may also include rewriting one or more fields in the packet after classifying the egress quality of service and transmitting the packet based on the classified egress quality of service.