Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.

Abstract: In one embodiment, a method includes identifying a problematic event between a first interest point and a second interest point of a network and activating, in response to identifying the problematic event between the first interest point and the second interest point, a first endpoint associated with the first interest point and a second endpoint associated with the second interest point. The method also includes receiving, from the first endpoint and the second endpoint, telemetry data associated with a problematic path between the first interest point and the second interest point. The method further includes determining the problematic path between the first interest point and the second interest point using the telemetry data received from the first endpoint and the second endpoint.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites have different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mapping that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.

Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites have different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mapping that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: This disclosure describes techniques for adaptive disaster recovery of applications running on network devices. The techniques include generating an application template and an application template clone that include application attributes usable to deploy an application stack at an application site. The techniques also include sending the application template clone to a disaster recovery site group to await deployment instructions. In some examples, an observer may determine that a health metric of the application site indicates that a disaster recovery process be triggered. A disaster recovery site of the disaster recovery site group may be selected based at least in part on a performance metric. The application stack may be deployed at the disaster recovery site utilizing the application template clone.

Abstract: In one embodiment, a method includes identifying a problematic event between a first interest point and a second interest point of a network and activating, in response to identifying the problematic event between the first interest point and the second interest point, a first endpoint associated with the first interest point and a second endpoint associated with the second interest point. The method also includes receiving, from the first endpoint and the second endpoint, telemetry data associated with a problematic path between the first interest point and the second interest point. The method further includes determining the problematic path between the first interest point and the second interest point using the telemetry data received from the first endpoint and the second endpoint.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for orchestrating policies across multiple networking domains. The technology can receive, at a provider domain from a consumer domain, a data request; receive, at the provider domain from the consumer domain, at least one access policy for the consumer domain; translate, at the provider domain, the at least one access policy for the consumer domain into at least one translated access policy understood by the provider domain; apply, at the provider domain, the at least one translated access policy understood by the provider domain to the data request; and send, at the provider domain to the consumer domain, a response to the data request.

Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in a one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.

Abstract: Techniques for routing data packets through service chains within and between public cloud networks of multi-cloud fabrics. A router in a network, e.g., a public cloud network, receives data packets from nodes in the network through segments of the network. Based at least in part on (i) a source address of the data packet, (ii) a destination address of the data packet, and (iii) an identity of the segments of the network from which the data packets are received, the router determines a next node in the network to which the data packet is to be forwarded. The router may then forward the data packet through another segment of the network to the next node and then receive the data packet from the next node through the another segment.

Abstract: Presented herein are systems and methods to enable simultaneous interoperability with policy-aware and policy-unaware data center sites. A multi-site orchestrator (MSO) device can be configured to obtain configuration information for each of a plurality of different data center sites. The data center sites may include one or more on-premises sites and one or more off-premises sites, each of which may include one or more policy-aware sites and/or one or more policy-unaware sites. The MSO can selectively use namespace translations to create a unified fabric across the different data center sites, enabling one or more hosts and/or applications at a first of the data center sites to communicate with one or more hosts and/or applications at a second of the data center sites, regardless of the sites' respective configurations.

Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites have different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mapping that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.

Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.

Abstract: A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet.

Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites have different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mapping that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.