Patents by Inventor Maurizio Portolani

Maurizio Portolani has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11336694
    Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: May 17, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Gautam Venkataramanan, Umamaheswararao Karyampudi, Murukanandam K. Panchalingam, Ajay K. Modi, Maurizio Portolani
  • Publication number: 20210044622
    Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.
    Type: Application
    Filed: August 5, 2019
    Publication date: February 11, 2021
    Inventors: Gautam Venkataramanan, Umamaheswararao Karyampudi, Murukanandam K. Panchalingam, Ajay K. Modi, Maurizio Portolani
  • Patent number: 9118588
    Abstract: Techniques are provided for managing and optimizing the configuration of network devices. At a management device in a network, a message is received from a new network device via a wireless link or a power line communication link between the management device and the new network device. The new network device is classified as belonging to one of a plurality of network device zones based on evaluating the message. A response message is then sent to the new network device via the wireless link or the power line communication link to ensure secure access to a virtual console-port is provided for the management device and the network devices in the network device zones.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: August 25, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Yves Louis, Patrick Wetterwald, Patrick Grossetete, Maurizio Portolani
  • Patent number: 9100350
    Abstract: There is provided a router for use in a datacenter, the router including a frame receiving module operative to receive a traffic frame and a frame forwarding module operative to forward the traffic frame to a second router in a second datacenter if a Destination Media Access Control (DMAC) address included in the traffic frame is different from all of the following: a Burned in Address of the router; a Burned in Address of at least one server associated with the router; a Media Access Control (MAC) address of one of a Hot Standby Routing Protocol (HSRP) group and a Virtual Router Redundancy Protocol (VRRP) group of the router; and a MAC address of one of a HSRP group and a VRRP group of a subnet hosted by the router.
    Type: Grant
    Filed: September 9, 2013
    Date of Patent: August 4, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Christian Elsen
  • Publication number: 20140181279
    Abstract: Techniques are provided for managing and optimizing the configuration of network devices. At a management device in a network, a message is received from a new network device via a wireless link or a power line communication link between the management device and the new network device. The new network device is classified as belonging to one of a plurality of network device zones based on evaluating the message. A response message is then sent to the new network device via the wireless link or the power line communication link to ensure secure access to a virtual console-port is provided for the management device and the network devices in the network device zones.
    Type: Application
    Filed: December 20, 2012
    Publication date: June 26, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Yves Louis, Patrick Wetterwald, Patrick Grossetete, Maurizio Portolani
  • Patent number: 8665747
    Abstract: A method and apparatus is disclosed for preventing loops on a network topology which includes virtual switches and virtual machines. For example, a virtualization management application may prevent loops from being introduced into a network topology where a virtual machine forwards traffic between any two (or more) virtual network interface cards (vNICs). A method to prevent loops may include receiving a request to create a virtual network interface (vNIC) for a virtual machine (VM) instance on a computing system, and in response to determining that the requested vNIC is to be connected to the same network segment as an existing vNIC of the VM instance, failing the request to generate the requested vNIC.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: March 4, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Christian Elsen, Maurizio Portolani
  • Publication number: 20140016642
    Abstract: There is provided a router for use in a datacenter, the router including a frame receiving module operative to receive a traffic frame and a frame forwarding module operative to forward the traffic frame to a second router in a second datacenter if a Destination Media Access Control (DMAC) address included in the traffic frame is different from all of the following: a Burned in Address of the router; a Burned in Address of at least one server associated with the router; a Media Access Control (MAC) address of one of a Hot Standby Routing Protocol (HSRP) group and a Virtual Router Redundancy Protocol (VRRP) group of the router; and a MAC address of one of a HSRP group and a VRRP group of a subnet hosted by the router.
    Type: Application
    Filed: September 9, 2013
    Publication date: January 16, 2014
    Inventors: Maurizio Portolani, Christian Elsen
  • Patent number: 8532116
    Abstract: There is provided a router for use in a datacenter, the router including a frame receiving module operative to receive a traffic frame and a frame forwarding module operative to forward the traffic frame to a second router in a second datacenter if a Destination Media Access Control (DMAC) address included in the traffic frame is different from all of the following: a Burned in Address of the router; a Burned in Address of at least one server associated with the router; a Media Access Control (MAC) address of one of a Hot Standby Routing Protocol (HSRP) group and a Virtual Router Redundancy Protocol (VRRP) group of the router; and a MAC address of one of a HSRP group and a VRRP group of a subnet hosted by the router.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: September 10, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Christian Elsen
  • Patent number: 8510469
    Abstract: In an embodiment, a packet data switching system comprises content-addressable memory configured to redirect, to a measurement computer, a request to access a server application program hosted at a server computer in response to receiving the request from a client computer; the measurement computer comprises request rewriting logic configured to receive the request via redirection based on the CAM, to record a first time value representing a time of receiving the request, to forward the request to the server application, to receive a response from the server computer to the request, to rewrite a payload of the response by embedding a browser-executable measurement reporting script into the payload, and to forward the rewritten response to the client; performance recording logic configured to receive a second time value from the client based on the client computer executing the measurement reporting script, and to store a performance record with the time values.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: August 13, 2013
    Assignee: Cisco Technology, Inc.
    Inventor: Maurizio Portolani
  • Patent number: 8027354
    Abstract: Techniques are disclosed for virtualized server kernel and virtual networks consolidation. The network consolidation allows a data center to migrate from an infrastructure that uses multiple dedicated gigabit Ethernet Network Adapters to manage system virtualization and migration to an infrastructure using consolidated, redundant, 10 gigabit Ethernet adapters. Different priority classes may be defined for different classes of network traffic such as hypervisor management traffic, inter-host virtual machine migration traffic, virtual machine production traffic, virtualized switching control plane traffic, etc. Further, an enhanced transmission standard may be used to specify a minimum bandwidth guarantee for certain traffic classes. Thus, the hypervisor management and inter-host virtual machine migration traffic may be transmitted even in the presence of congestion.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: September 27, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Christian Elsen
  • Publication number: 20110134793
    Abstract: A method and apparatus is disclosed for preventing loops on a network topology which includes virtual switches and virtual machines. For example, a virtualization management application may prevent loops from being introduced into a network topology where a virtual machine forwards traffic between any two (or more) virtual network interface cards (vNICs). A method to prevent loops may include receiving a request to create a virtual network interface (vNIC) for a virtual machine (VM) instance on a computing system, and in response to determining that the requested vNIC is to be connected to the same network segment as an existing vNIC of the VM instance, failing the request to generate the requested vNIC.
    Type: Application
    Filed: December 3, 2009
    Publication date: June 9, 2011
    Inventors: Christian Elsen, Maurizio Portolani
  • Publication number: 20110055470
    Abstract: In an embodiment, a packet data switching system comprises content-addressable memory configured to redirect, to a measurement computer, a request to access a server application program hosted at a server computer in response to receiving the request from a client computer; the measurement computer comprises request rewriting logic configured to receive the request via redirection based on the CAM, to record a first time value representing a time of receiving the request, to forward the request to the server application, to receive a response from the server computer to the request, to rewrite a payload of the response by embedding a browser-executable measurement reporting script into the payload, and to forward the rewritten response to the client; performance recording logic configured to receive a second time value from the client based on the client computer executing the measurement reporting script, and to store a performance record with the time values.
    Type: Application
    Filed: August 31, 2009
    Publication date: March 3, 2011
    Inventor: Maurizio Portolani
  • Publication number: 20110019676
    Abstract: There is provided a router for use in a datacenter, the router including a frame receiving module operative to receive a traffic frame and a frame forwarding module operative to forward the traffic frame to a second router in a second datacenter if a Destination Media Access Control (DMAC) address included in the traffic frame is different from all of the following: a Burned in Address of the router; a Burned in Address of at least one server associated with the router; a Media Access Control (MAC) address of one of a Hot Standby Routing Protocol (HSRP) group and a Virtual Router Redundancy Protocol (VRRP) group of the router; and a MAC address of one of a HSRP group and a VRRP group of a subnet hosted by the router.
    Type: Application
    Filed: July 21, 2009
    Publication date: January 27, 2011
    Inventors: Maurizio Portolani, Christian Elsen
  • Patent number: 7792113
    Abstract: A method of operating a network is disclosed. The method includes identifying a packet as being subject to a policy and forwarding said packet based on said policy, if said packet is subject to said policy.
    Type: Grant
    Filed: October 21, 2002
    Date of Patent: September 7, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Marco E. Foschiano, Venkateshwar R. Pullela, Justin Q. Chen, Robert C. Benea, Maurizio Portolani
  • Patent number: 7657940
    Abstract: A data center provides secure handling of HTTPS traffic using backend SSL decryption and encryption in combination with a load balancer such as a content switch. The load balancer detects HTTPS traffic and redirects it to an SSL offloading device for decryption and return to the load balancer. The load balancer then uses the clear text traffic for load balancing purposes before it redirects the traffic back to the SSL offloading device for re-encryption. Thereafter, the re-encrypted traffic is sent to the destination servers in the data center. In one embodiment, combining back-end SSL with an intrusion detection system improves security by performing intrusion detection on the decrypted HTTPS traffic.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: February 2, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Mauricio Arregoces, David W. Chang, Nagaraj A. Bagepalli, Stefano Testa
  • Patent number: 7643468
    Abstract: A data-center network architecture. The data-center network architecture incorporates a front end having an aggregation layer exhibiting integrated service-module intelligence. A server farm connects the front end with a storage network. In a specific embodiment, the aggregation layer includes plural interconnected multilayer switches incorporating service-module intelligence implemented via one or more service modules. Plural layer-2 switches communicate with the plural multilayer switches. The server farm includes one or more servers that are dual homed or multihomed with the plural layer-2 switches. The storage network includes plural interconnected multilayer directors and one or more Fibre Channel hosts using Host Bus Adapters (HBAs) that interface one or more data-storage devices to the server farm.
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: January 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mauricio Arregoces, Maurizio Portolani
  • Patent number: 7610375
    Abstract: An intrusion detection system (IDS) is capable of identifying the source of traffic, filtering the traffic to classify it as either safe or suspect and then applying sophisticated detection techniques such as stateful pattern recognition, protocol parsing, heuristic detection or anomaly detection either singularly or in combination based on the traffic type. In a network environment, each traffic source is provided with at least one IDS sensor that is dedicated to monitoring a specific type of traffic such as RPC, HTTP, SMTP, DNS, or others. Traffic from each traffic source is filtered to remove known safe traffic to improve efficiency and increase accuracy by keeping each IDS sensor focused on a specific traffic type.
    Type: Grant
    Filed: March 25, 2005
    Date of Patent: October 27, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Mauricio Arregoces, Timothy W. Stevenson
  • Patent number: 7571470
    Abstract: A one-arm data center topology routes traffic between internal sub-nets and between a sub-net and an outside network through a common chain of services. The data center topology employs layer 4 services on a common chassis or platform to provide routing and firewall services while reducing the number of devices necessary to implement the data center and simplifying configuration. Load balancing is provided by a load balancing device. In the one-arm topology, policy-based routing or client network address translation (client NAT) steers traffic to the load balancer (CSM).
    Type: Grant
    Filed: March 24, 2005
    Date of Patent: August 4, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Mauricio Arregoces, Maurizio Portolani, Christopher M. O'Brien, Stefano Testa
  • Patent number: 7558261
    Abstract: An architecture, arrangement, system, and method for providing service access in a data center are disclosed. In one embodiment, an arrangement can include: an aggregation switch configured to transfer data between a network and an access layer; and service modules coupled to the aggregation switch, where each service module is configured to provide a service for the data when selected. The service modules can include: firewall, load balancer, secure sockets layer (SSL) offloader, intrusion detection system (IDS), and cache, for example. Further, the service selection can be substantially transparent to an associated server.
    Type: Grant
    Filed: May 21, 2005
    Date of Patent: July 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Mauricio Arregoces, Maurizio Portolani
  • Patent number: 7460492
    Abstract: A system and method are provided to prevent the formation of loops in a network. The network device includes a plurality of ports for receiving and forwarding network messages and a spanning tree protocol engine. The spanning tree protocol engine, in one embodiment, implements the Rapid Spanning Tree Protocol (RSTP) to transition the ports among a plurality of port states, including a discarding state, a learning state and a forwarding state. The network device further includes a loop guard engine that is in a communicating relationship with the spanning tree protocol engine and the ports. The loop guard engine monitors the receipt of bridge protocol data units (BPDUs) by the ports. If a given port stops receiving BPDUs, the loop guard engine prevents the spanning tree protocol engine from transitioning the given port to the forwarding state. Instead, the loop guard engine causes the port to transition to a loop-inconsistent state.
    Type: Grant
    Filed: June 12, 2006
    Date of Patent: December 2, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Maurizio Portolani, Shyamasundar S. Kaluve, Marco E. Foschiano
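The hierarchical security policy expansion described in the abstracts of patent 11336694 and publication 20210044622 (a master class per security zone, a bridge domain per subnet, a local EPG per bridge domain and zone that is assigned the master class, and contracts generated for the master class) is shown below as an added worked example. This is editorial example code, not Cisco's implementation: the input model (a `FirstConfig` with subnets, zones and zone-level `ZoneRule` allow rules), the naming scheme for the generated objects, the `(consumer, provider, port)` contract tuple and the `permitted` lookup are all assumptions made for illustration. The point it demonstrates is that the allow rules are attached once, to the master class, and every local EPG in every subnet inherits them, so adding a subnet never requires copying per-subnet rules.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str


@dataclass(frozen=True)
class ZoneRule:
    """Zone-level allow rule: the consumer zone may reach the provider zone on a TCP port."""
    consumer_zone: str
    provider_zone: str
    port: int


@dataclass
class FirstConfig:
    subnets: list
    zones: list
    rules: list


@dataclass
class UpdatedConfig:
    bridge_domains: dict = field(default_factory=dict)  # bridge domain -> cidr
    master_classes: dict = field(default_factory=dict)  # zone -> master class
    local_epgs: dict = field(default_factory=dict)      # local EPG -> master class it is assigned
    contracts: set = field(default_factory=set)         # (consumer master, provider master, port)


def expand(first: FirstConfig) -> UpdatedConfig:
    """Generate the updated configuration from the first configuration."""
    upd = UpdatedConfig()
    # One master class per security zone: policy is attached here, once.
    for zone in first.zones:
        upd.master_classes[zone] = f"master-{zone}"
    # One bridge domain per subnet; inside it, one local EPG per zone that is
    # assigned (inherits) the zone's master class.
    for sn in first.subnets:
        ip_network(sn.cidr)  # reject a malformed prefix before it becomes policy
        bd = f"bd-{sn.name}"
        upd.bridge_domains[bd] = sn.cidr
        for zone in first.zones:
            upd.local_epgs[f"epg-{zone}-{sn.name}"] = upd.master_classes[zone]
    # Contracts are generated for the master classes from the zone-level rules,
    # so they are never repeated per subnet.
    for r in first.rules:
        if r.consumer_zone not in upd.master_classes or r.provider_zone not in upd.master_classes:
            raise ValueError(f"rule references an unknown zone: {r}")
        upd.contracts.add((upd.master_classes[r.consumer_zone],
                           upd.master_classes[r.provider_zone], r.port))
    return upd


def permitted(upd: UpdatedConfig, src_epg: str, dst_epg: str, port: int) -> bool:
    """Resolve both local EPGs to their master classes and look for a contract."""
    return (upd.local_epgs[src_epg], upd.local_epgs[dst_epg], port) in upd.contracts


# Constructed input: two subnets, three zones, two zone-level rules (assumed data).
FIRST = FirstConfig(
    subnets=[Subnet("dc1", "10.1.0.0/24"), Subnet("dc2", "10.2.0.0/24")],
    zones=["web", "app", "db"],
    rules=[ZoneRule("web", "app", 8080), ZoneRule("app", "db", 3306)],
)

if __name__ == "__main__":
    upd = expand(FIRST)
    print(len(upd.bridge_domains), "bridge domains,", len(upd.local_epgs), "local EPGs")
    print(sorted(upd.contracts))
    # web in subnet dc1 reaching app in subnet dc2 is allowed by the zone contract alone
    print(permitted(upd, "epg-web-dc1", "epg-app-dc2", 8080))
```

With two subnets and three zones this yields two bridge domains, six local EPGs and two contracts; the same two contracts would cover any number of additional subnets. Note that a contract is directional (consumer to provider), so `app -> web` on 8080 is denied even though `web -> app` is allowed.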
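The forwarding rule in the abstracts of patents 8532116 and 9100350 and publications 20110019676 and 20140016642 (forward a frame to the router in the second datacenter only if its destination MAC differs from the router's own burned-in address, the burned-in addresses of its servers, and the HSRP/VRRP group MACs the router hosts) is shown below as an added example. It is editorial code, not the patented router's implementation. The class name `DciEdgeRouter`, the frame builder and all addresses are constructed for illustration; the HSRP v1 (`00:00:0c:07:ac:<group>`) and VRRP (`00:00:5e:00:01:<vrid>`) virtual MAC layouts are the standard formats and are assumed here to be what the router treats as its group addresses. The security-relevant effect is that frames for the local first-hop gateway or local servers never cross the datacenter interconnect, which keeps each site's FHRP domain and gateway MACs local.

```python
import struct


def hsrp_v1_vmac(group: int) -> bytes:
    """Standard HSRP v1 virtual MAC for a group number (assumed format)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return bytes([0x00, 0x00, 0x0C, 0x07, 0xAC, group])


def vrrp_vmac(vrid: int) -> bytes:
    """Standard VRRP virtual MAC for a virtual router ID (assumed format)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRRP VRID must be 1-255")
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid])


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting anything else."""
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(o, 16) for o in octets)


def ethernet_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


class DciEdgeRouter:
    """Applies the abstract's rule to decide whether a frame leaves the local datacenter."""

    def __init__(self, bia: bytes, server_bias, hsrp_groups=(), vrrp_ids=()):
        # Every address the local site owns: router BIA, server BIAs, FHRP group MACs.
        self.local_macs = (
            {bia}
            | set(server_bias)
            | {hsrp_v1_vmac(g) for g in hsrp_groups}
            | {vrrp_vmac(v) for v in vrrp_ids}
        )

    def forward_to_remote(self, frame: bytes) -> bool:
        if len(frame) < 14:
            raise ValueError("truncated Ethernet header")
        dmac = frame[:6]
        # Forward only when the destination is none of the locally owned addresses.
        return dmac not in self.local_macs


# Constructed example site: one router, one local server, HSRP group 10, VRRP VRID 5.
ROUTER = DciEdgeRouter(
    bia=mac("00:11:22:33:44:55"),
    server_bias=[mac("00:aa:bb:cc:dd:01")],
    hsrp_groups=[10],
    vrrp_ids=[5],
)

if __name__ == "__main__":
    src = mac("00:aa:bb:cc:dd:01")
    for dst in ("00:00:0c:07:ac:0a", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "ff:ff:ff:ff:ff:ff"):
        print(dst, "->", "remote" if ROUTER.forward_to_remote(ethernet_frame(mac(dst), src)) else "local")
```

Two caveats follow directly from the rule as stated: a frame for an HSRP group the local router does not host (group 11 here) is forwarded, and broadcast or multicast destinations are not in the exclusion list, so the rule alone does not limit flooding across the interconnect.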
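The loop guard behaviour in the abstract of patent 7460492 (a port that stops receiving BPDUs is moved to a loop-inconsistent state instead of being allowed into the forwarding state) is simulated below as an added example. This is editorial code, not the patented engine: the RSTP state machine is reduced to what the comparison needs (a root port walks discarding, learning, forwarding one tick at a time; an alternate port stays discarding while it keeps hearing BPDUs; port roles are fixed by the caller), and the timings, port names and the `simulate` scenario are constructed. Running the same scenario with loop guard off shows why the feature matters: once the information on a non-designated port ages out, plain RSTP treats the silence as "no other bridge on this link" and moves the port toward forwarding, which on a unidirectional link is exactly how a forwarding loop forms.

```python
from enum import Enum


class Role(Enum):
    ROOT = "root"
    ALTERNATE = "alternate"
    DESIGNATED = "designated"


class State(Enum):
    DISCARDING = "discarding"
    LEARNING = "learning"
    FORWARDING = "forwarding"
    LOOP_INCONSISTENT = "loop-inconsistent"


class StpPort:
    """One switch port with a reduced RSTP state machine plus the loop guard check."""

    def __init__(self, name, role, loop_guard, max_age=20.0):
        self.name, self.role, self.loop_guard, self.max_age = name, role, loop_guard, max_age
        self.state = State.DISCARDING
        self.last_bpdu = None  # timestamp of the last BPDU received on this port

    def receive_bpdu(self, now):
        """A BPDU arrived: refresh the age timer and clear a loop-inconsistent state."""
        self.last_bpdu = now
        if self.state is State.LOOP_INCONSISTENT:
            self.state = State.DISCARDING

    def bpdu_aged_out(self, now):
        return self.last_bpdu is not None and now - self.last_bpdu > self.max_age

    def tick(self, now):
        """Run one step of the state machine at time `now`; returns the new state."""
        if self.role in (Role.ROOT, Role.ALTERNATE) and self.bpdu_aged_out(now):
            if self.loop_guard:
                # Loop guard: a non-designated port that stops hearing BPDUs is held in
                # loop-inconsistent state rather than being allowed to forward.
                self.state = State.LOOP_INCONSISTENT
                return self.state
            # Plain RSTP: silence means "no better bridge on this link", so the port
            # becomes designated and heads for forwarding.
            self.role = Role.DESIGNATED
        if self.state is State.LOOP_INCONSISTENT:
            return self.state
        if self.role is Role.ALTERNATE:
            self.state = State.DISCARDING
        elif self.state is State.DISCARDING:
            self.state = State.LEARNING
        elif self.state is State.LEARNING:
            self.state = State.FORWARDING
        return self.state


def simulate(loop_guard, max_age=20.0):
    """Constructed scenario: an alternate port hears a BPDU every 2 s until t=10,
    after which the link goes unidirectional and no more BPDUs arrive."""
    port = StpPort("Gi1/2", Role.ALTERNATE, loop_guard, max_age)
    states = []
    for t in range(0, 60, 2):
        if t <= 10:
            port.receive_bpdu(float(t))
        states.append(port.tick(float(t)))
    return port, states


if __name__ == "__main__":
    for guard in (False, True):
        port, states = simulate(guard)
        print(f"loop guard {'on ' if guard else 'off'}: final state {port.state.value}, "
              f"forwarding ever reached: {State.FORWARDING in states}")
```

Recovery is automatic: as soon as a BPDU is received again, `receive_bpdu` returns the port to discarding and the normal state machine resumes, which is the behaviour a practitioner expects when the unidirectional fault is repaired.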