Patents by Inventor Nagaraj Bagepalli

Nagaraj Bagepalli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9461968
    Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.
    Type: Grant
    Filed: February 20, 2015
    Date of Patent: October 4, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Rajesh Kumar Sethuraghavan
  • Patent number: 9438512
    Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a first set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node performs at least one of the service functions in the service path and rewrites the service header with a second set of context headers. The second set of context headers include metadata derived from performing the service function(s) at the network node.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: September 6, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: James Guichard, Paul Quinn, David Ward, Surendra Kumar, Nagaraj A. Bagepalli, Michael R. Smith, Navindra Yadav
  • Patent number: 9407540
    Abstract: An example method for distributed service chaining in a network environment is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, wherein the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain and a location of the packet on the service chain, evaluating a service forwarding table to determine a next service node based on the service path identifier and the location, with a plurality of different forwarding tables distributed across the DVS at a corresponding plurality of virtual Ethernet Modules (VEMs) associated with respective service nodes in the service chain, and forwarding the packet to the next service node, with substantially all services in the service chain provided sequentially to the packet in a single service loop on a service overlay.
    Type: Grant
    Filed: September 6, 2013
    Date of Patent: August 2, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Dileep K. Devireddy, Nagaraj A. Bagepalli, Abhijit Patra
  • Publication number: 20160218956
    Abstract: An example method for service node originated service chains in a network environment is provided and includes receiving a packet at a service node in a network environment that includes a plurality of service nodes and a central classifier, analyzing the packet for a service chain modification or a service chain initiation, classifying the packet at the service node to a new service chain based on the analysis, initiating the new service chain at the service node if the analysis indicates service chain initiation, and modifying an existing service chain for the packet to the new service chain if the analysis indicates service chain modification. In specific embodiments, the analysis includes applying classification logic specific to the service node. In some embodiments, service node attributes and order of service nodes in substantially all service chains configured in the network may be received from a central controller.
    Type: Application
    Filed: April 6, 2016
    Publication date: July 28, 2016
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra, Paul Quinn, James N. Guichard, Hendrikus G.P. Bosch
  • Publication number: 20160188359
    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
    Type: Application
    Filed: March 4, 2016
    Publication date: June 30, 2016
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Murali Anantha
  • Publication number: 20160182385
    Abstract: A method is provided in one example embodiment and includes receiving at a network element a flow offload decision for a first service node that includes a portion of a service chain for processing a flow; recording the flow offload decision against the first service node at the network element; and propagating the flow offload decision backward on a service path to which the flow belongs if the first service node is hosted at the network element. Embodiments may also include propagating the flow offload decision backward on a service path to which the flow belongs if the flow offload decision is a propagated flow offload decision and the network element hosts a second service node that immediately precedes the service node on behalf of which the propagated flow offload decision was received and a flow offload decision has already been received by the network element from the second service node.
    Type: Application
    Filed: February 29, 2016
    Publication date: June 23, 2016
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Dileep K. Devireddy, Abhijit Patra
  • Patent number: 9344337
    Abstract: An example method for service node originated service chains in a network environment is provided and includes receiving a packet at a service node in a network environment that includes a plurality of service nodes and a central classifier, analyzing the packet for a service chain modification or a service chain initiation, classifying the packet at the service node to a new service chain based on the analysis, initiating the new service chain at the service node if the analysis indicates service chain initiation, and modifying an existing service chain for the packet to the new service chain if the analysis indicates service chain modification. In specific embodiments, the analysis includes applying classification logic specific to the service node. In some embodiments, service node attributes and order of service nodes in substantially all service chains configured in the network may be received from a central controller.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: May 17, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra, Paul Quinn, James N. Guichard, Hendrikus G. P. Bosch
  • Patent number: 9313048
    Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: April 12, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Murali Anantha
  • Publication number: 20160099867
    Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.
    Type: Application
    Filed: December 11, 2015
    Publication date: April 7, 2016
    Inventors: James Guichard, Paul Quinn, David Ward, Surendra Kumar, Yavindra Yadav, Michael R. Smith, Nagaraj A. Bagepalli
  • Patent number: 9300585
    Abstract: A method is provided in one example embodiment and includes receiving at a network element a flow offload decision for a first service node that includes a portion of a service chain for processing a flow; recording the flow offload decision against the first service node at the network element; and propagating the flow offload decision backward on a service path to which the flow belongs if the first service node is hosted at the network element. Embodiments may also include propagating the flow offload decision backward on a service path to which the flow belongs if the flow offload decision is a propagated flow offload decision and the network element hosts a second service node that immediately precedes the service node on behalf of which the propagated flow offload decision was received and a flow offload decision has already been received by the network element from the second service node.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: March 29, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Dileep K. Devireddy, Abhijit Patra
  • Publication number: 20160036862
    Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.
    Type: Application
    Filed: June 22, 2015
    Publication date: February 4, 2016
    Inventors: Nagaraj Bagepalli, Prashant Gandhi, Abhijit Patra, Kirti Prabhu, Anant Thakar
  • Patent number: 9246799
    Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: January 26, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: James Guichard, Paul Quinn, David Ward, Surendra Kumar, Navindra Yadav, Michael R. Smith, Nagaraj A. Bagepalli
  • Publication number: 20160006651
    Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a first set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node performs at least one of the service functions in the service path and rewrites the service header with a second set of context headers. The second set of context headers include metadata derived from performing the service function(s) at the network node.
    Type: Application
    Filed: September 11, 2015
    Publication date: January 7, 2016
    Inventors: James Guichard, Paul Quinn, David Ward, Surendra Kumar, Nagaraj A. Bagepalli, Michael R. Smith, Navindra Yadav
  • Patent number: 9223634
    Abstract: A method includes simulating network resources of a portion of a cloud in a simulated cloud within an enterprise network, the cloud being communicable with the enterprise network over a first communication channel, which may be external to the enterprise network. The method can also include simulating network behavior of the first communication channel in a second communication channel within the enterprise network, and validating application performance in the simulated cloud. Simulating network resources includes providing a cloud resources abstraction layer in the enterprise network, and allocating enterprise network resources in the enterprise network to the simulated cloud by the cloud resources abstraction layer. The method further includes adding a virtual network service appliance to the simulated cloud, and determining a change to a network topology of the enterprise network to accommodate the virtual appliance without materially impacting application performance.
    Type: Grant
    Filed: May 2, 2012
    Date of Patent: December 29, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Wei-Shen Chang, Abhijit Patra, Nagaraj A. Bagepalli
  • Publication number: 20150365324
    Abstract: An example method for distributed service chaining is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain. The packet is provided to a virtual Ethernet module (VEM) connected to an agentless service node (SN) providing an edge service such as a server load balancer (SLB). The VEM associates a service path identifier corresponding to the service chain with a local identifier such as a virtual local area network (VLAN). The agentless SN returns the packet to the VEM for forwarding on the VLAN. Because the VLAN corresponds exactly to the service path and service chain, the packet is forwarded directly to the next node in the service chain. This can enable agentless SNs to efficiently provide a service chain for network traffic.
    Type: Application
    Filed: June 16, 2014
    Publication date: December 17, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Abhijit Patra
  • Patent number: 9203784
    Abstract: In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM.
    Type: Grant
    Filed: April 24, 2012
    Date of Patent: December 1, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: David W. Chang, Abhijit Patra, Nagaraj A. Bagepalli, Kyle Mestery
  • Patent number: 9201704
    Abstract: A method includes managing a virtual machine (VM) in a cloud extension, where the VM is part of a distributed virtual switch (DVS) of an enterprise network, abstracting an interface that is transparent to a cloud infrastructure of the cloud extension, and intercepting network traffic from the VM, where the VM can communicate securely with the enterprise network. The cloud extension comprises a nested VM container (NVC) that includes an emulator configured to enable abstracting the interface, and dual transmission control protocol/Internet Protocol stacks for supporting a first routing domain for communication with the cloud extension, and a second routing domain for communication with the enterprise network. The NVC may be agnostic with respect to operating systems running on the VM. The method further includes migrating the VM from the enterprise network to the cloud extension through suitable methods.
    Type: Grant
    Filed: April 5, 2012
    Date of Patent: December 1, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: David Wei-Shen Chang, Abhijit Patra, Nagaraj A. Bagepalli, Murali Anantha, Jason Zhen Zhang
  • Patent number: 9197549
    Abstract: A network switch comprises a load balancer steering mechanism configured to receive a service request received from a load balancer and forward the service request to a first server in a load-balanced server cluster. The service request was initiated by a client and transmitted to the load balancer. The network switch is configured to receive return traffic transmitted by the first server, and to automatically steer the return traffic to the load balancer.
    Type: Grant
    Filed: January 23, 2013
    Date of Patent: November 24, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Surendra M. Kumar, Nagaraj A. Bagepalli, Wei-Chun Chao
  • Patent number: 9178812
    Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a variable set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node interprets a forwarding state and a next-hop network node for the service path from the service header, and determines a service action or associated metadata from the set of context headers.
    Type: Grant
    Filed: June 5, 2013
    Date of Patent: November 3, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: James Guichard, Paul Quinn, David Ward, Surendra Kumar, Nagaraj A. Bagepalli, Michael R. Smith, Navindra Yadav
  • Patent number: 9178828
    Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: November 3, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Surendra M. Kumar, Dileep K. Devireddy, Nagaraj A. Bagepalli, Abhijit Patra, Vina Ermagan, Fabio R. Maino, Victor Manuel Moreno, Paul Quinn