Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.

Abstract: Techniques for generating and enforcing whitelist security policies in a communication network are disclosed. A first plurality of whitelist policies are consolidated into a second plurality of whitelist policies based on populating a plurality of tables. The populated tables include a first table including pairs of endpoints and associating each pair of endpoints with a service identifier, and a second table associating the service identifiers with the policy identifiers. The second plurality of whitelist policies are programmed into a network device in the communication network, based on at least one of the plurality of tables. Rules governing traffic between the pair of endpoints are enforced, at the network device, using the programmed second plurality of whitelist policies.

Abstract: A network device receives a fragmented packet of an internet protocol (IP) packet. The fragmented packet is subsequently received relative to an initial fragmented packet of the IP packet and includes a first set of tuple information. The network device determines an entry of a hash table associated with the IP packet, based on the first set of tuple information and a fragment identifier (ID) within the fragmented packet. The network device retrieves a second set of tuple information associated with the fragmented packet from the hash table entry, and transmits an indication of the first and second sets of tuple information.

Abstract: The present disclosure provides for application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicates that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site.

Abstract: A network device receives a fragmented packet of an internet protocol (IP) packet. The fragmented packet is subsequently received relative to an initial fragmented packet of the IP packet and includes a first set of tuple information. The network device determines an entry of a hash table associated with the IP packet, based on the first set of tuple information and a fragment identifier (ID) within the fragmented packet. The network device retrieves a second set of tuple information associated with the fragmented packet from the hash table entry, and transmits an indication of the first and second sets of tuple information.

Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.

Abstract: The present disclosure provides for application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicates that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site.