Abstract: Techniques for propagating security group tag mapping between external interconnected sites that are not capable of carrying the SGT mappings. A system is disclosed that includes operations of subscribing at a first border of a first site, by a control plane, a first SGT mapping associated with a first data packet at the first site for storing the SGT mapping of the first data packet at the control plane. Then transmitting, the first data packet from the first border of the first site to a second border of the second site without attaching the first SGT mapping with the first data packet. Further, in response to a determination by the control plane that the first data packet has lost the associated first SGT mapping at the second border, identifying the SGT mapping with the first data packet at the second border to be re-associated with the first data packet.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: Techniques for dynamically adapting a router capacity to system needs in a network. The border router may receive a list of summarized prefixes for endpoint devices associated with the router from control-plane nodes. The router may store the list of summarized prefixes in memory of the border router. Once the router receives traffic that is destined for endpoint devices associated with the border router, it may determine that the destination address is included in the summarized prefixes. In some examples, the router may download complete prefixes from the control-plane nodes, and forward the traffic to the destination address indicated by the complete prefixes.

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: Techniques for dynamically adapting a router capacity to system needs in a network. The border router may receive a list of summarized prefixes for endpoint devices associated with the router from control-plane nodes. The router may store the list of summarized prefixes in memory of the border router. Once the router receives traffic that is destined for endpoint devices associated with the border router, it may determine that the destination address is included in the summarized prefixes. In some examples, the router may download complete prefixes from the control-plane nodes, and forward the traffic to the destination address indicated by the complete prefixes.

Abstract: Systems, methods, and computer-readable media for implementing an extranet policy include receiving a request from a source to perform a lookup for a destination address. A lookup for the destination address is performed in a consolidated routing table, the consolidated routing table including a consolidated mapping of address prefixes associated with two or more virtual networks. If the lookup results in a match for the destination address with a matching address prefix, a matching virtual network associated with the matching address prefix is determined. An access policy for the request corresponding to the matching virtual network is obtained, and based on the access policy the request is allowed to access the destination address in the matching virtual network or disallowed. The consolidated routing table can be implemented in a mapping server using a Locator/ID Separation Protocol (LISP).

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: In one illustrative example, network fabric policy data associated with an application, subscriber, and/or device may be received. Mobile network policy data that corresponds to the received network fabric policy data may be selected, based on stored policy mappings between a set of network fabric policy profiles of a fabric network and a set of mobile network policy profiles of a mobile network. A bearer or Quality of Service (QoS) flow of the mobile network may be established in satisfaction of the selected mobile network policy data. In addition, a packet filter of a traffic flow template (TFT) or a packet detection rule (PDR) may be generated and applied in order to direct IP traffic flows associated with the application to the established bearer or QoS flow for communication in the mobile network.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.

Abstract: A method and a router device for managing memory for network overlay routes with fallback route support prioritization may be provided. A network overlay route as a candidate network overlay route may be obtained at a router for storage in a memory. The memory may store a plurality of network overlay routes for forwarding user plane traffic in a network. An assessment for storage of the candidate network overlay route based on a priority level indicator of the candidate network overlay route may be performed. The priority level indicator may be indicative of a fallback route support level of the candidate network overlay route in the router. Based on the assessment, at least one of the following may be performed: adding the candidate network overlay route to the memory and refraining from adding the candidate network overlay route to the memory.

Abstract: Systems, methods, and computer-readable media for implementing an extranet policy include receiving a request from a source to perform a lookup for a destination address. A lookup for the destination address is performed in a consolidated routing table, the consolidated routing table including a consolidated mapping of address prefixes associated with two or more virtual networks. If the lookup results in a match for the destination address with a matching address prefix, a matching virtual network associated with the matching address prefix is determined. An access policy for the request corresponding to the matching virtual network is obtained, and based on the access policy the request is allowed to access the destination address in the matching virtual network or disallowed. The consolidated routing table can be implemented in a mapping server using a Locator/ID Separation Protocol (LISP).

Abstract: In one embodiment, a router includes processors and computer-readable non-transitory storage media coupled to the processors including instructions executable by the processors. The router may store at least one virtual prefix and an associated aggregation threshold. The router may register, with a mapping database of an overlay network, ownership of individual prefixes served by the router. The router may determine an amount of prefixes served by the router that are within an address space of the virtual prefix. The router may register, based on a determination that the amount of prefixes satisfies the aggregation threshold, ownership of the virtual prefix with the mapping database of the overlay network. The registration of the virtual prefix may cause ownership of one or more of the registered individual prefixes served by the router that are within the address space of the virtual prefix to be deregistered.

Abstract: In one illustrative example, network fabric policy data associated with an application, subscriber, and/or device may be received. Mobile network policy data that corresponds to the received network fabric policy data may be selected, based on stored policy mappings between a set of network fabric policy profiles of a fabric network and a set of mobile network policy profiles of a mobile network. A bearer or Quality of Service (QoS) flow of the mobile network may be established in satisfaction of the selected mobile network policy data. In addition, a packet filter of a traffic flow template (TFT) or a packet detection rule (PDR) may be generated and applied in order to direct IP traffic flows associated with the application to the established bearer or QoS flow for communication in the mobile network.

Abstract: In one embodiment, an apparatus of a LISP environment includes one or more processors and computer-readable non-transitory storage media coupled to the one or more processors. The computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including receiving an attestation token from a first component of the LISP environment. The operations also include encoding the attestation token using a LISP message format. The operations further include distributing the encoded attestation token with a LISP signaling message to a third component of the LISP environment.