Abstract: Techniques for management of traffic in a network. The techniques provide application awareness in a Network Address Translation (NAT) system. In some examples, a first traffic is received at a first switch in a network from a first application hosted behind the first switch. The first switch identifies a first resource tag associated with the application from the first traffic. Further, the first switch identifies a first rule from the first resource tag indicating that the first traffic is to be routed through an intermediate device that performs network address translation. Moreover, the first switch transmits the traffic to an intermediate device, which perform NAT to translate the source IP address of the first traffic to a second IP address. Finally, the intermediate device sends the traffic to a destination device indicated by the first traffic.

Abstract: An embodiment of the present disclosure is directed a set of data centers and associated controls in which the data centers include network fabric comprises network routing devices configured to route bi-directional traffic symmetrically through insertable service, e.g., via the associated inter-site and intra-site controls, for a given set of policies or contracts using an ASIC or circuit-assisted arithmetic logic, enforcing such policies at the local network devices, to deterministically select the insertable services.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Techniques for management of traffic in a network. The techniques provide application awareness in a Network Address Translation (NAT) system. In some examples, a first traffic is received at a first switch in a network from a first application hosted behind the first switch. The first switch identifies a first resource tag associated with the application from the first traffic. Further, the first switch identifies a first rule from the first resource tag indicating that the first traffic is to be routed through an intermediate device that performs network address translation. Moreover, the first switch transmits the traffic to an intermediate device, which perform NAT to translate the source IP address of the first traffic to a second IP address. Finally, the intermediate device sends the traffic to a destination device indicated by the first traffic.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pods in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable storage media for executing a copy service. A copy service engine can monitoring network data flow in a network, detect packet data containing a contract defining copy parameters for the execution of a copy service, and determine, based on the contract, when the particular data flow hits a particular network node specified in the contract parameters. When the data flow hits the specified node, the copy service engine can execute the copy service which copies the particular data flow, determines one or more endpoints for sending the copied data flow, and deploys the copies to the one or more endpoints.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable storage media for executing a copy service. A copy service engine can monitoring network data flow in a network, detect packet data containing a contract defining copy parameters for the execution of a copy service, and determine, based on the contract, when the particular data flow hits a particular network node specified in the contract parameters. When the data flow hits the specified node, the copy service engine can execute the copy service which copies the particular data flow, determines one or more endpoints for sending the copied data flow, and deploys the copies to the one or more endpoints.