Abstract: An example method for a programmable infrastructure gateway for enabling hybrid cloud services in a network environment is provided and includes receiving an instruction from a hybrid cloud application executing in a private cloud, interpreting the instruction according to a hybrid cloud application programming interface, and executing the interpreted instruction in a public cloud using a cloud adapter. The method is generally executed in the infrastructure gateway including a programmable integration framework allowing generation of various cloud adapters using a cloud adapter software development kit, the cloud adapter being generated and programmed to be compatible with a specific public cloud platform of the public cloud.

Abstract: An example method for service node originated service chains in a network environment is provided and includes receiving a packet at a service node in a network environment that includes a plurality of service nodes and a central classifier, analyzing the packet for a service chain modification or a service chain initiation, classifying the packet at the service node to a new service chain based on the analysis, initiating the new service chain at the service node if the analysis indicates service chain initiation, and modifying an existing service chain for the packet to the new service chain if the analysis indicates service chain modification. In specific embodiments, the analysis includes applying classification logic specific to the service node. Some embodiments, service node attributes and order of service nodes in substantially all service chains configured in the network may be received from a central controller.

Abstract: An example method for workload based service chain insertion in a network environment is provided and includes partitioning a service-path into fragments at a service controller, where the service-path comprises an ordered sequence of services to be provided to a packet associated with a workload in a network. The method also includes determining a location of service nodes providing the services; and provisioning the fragments at interfaces at a distributed virtual switch. The method could further include generating a plurality of service insertion points corresponding to the fragments at a service dispatcher. The service dispatcher can include a plurality of data plane components, and the service insertion points are generated at the data plane components.

Abstract: Presented herein are elastic service chain techniques. In one example, a network element receives data traffic to be processed by a service chain that specifies an ordered sequence of service pools including a first service pool and second service pool, wherein each service pool comprises a plurality of network services. A network service is determined from the first service pool to be applied to the data traffic, and data traffic is forwarded to the network service in the first service pool.

Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.

Abstract: Presented herein are service-function chaining techniques. In one example, a service controller in a network comprising a plurality of service nodes receives one is configured to identify one or more service-functions hosted by each of the service nodes. The service controller defines a service-function chain in terms of service-functions to be applied to traffic in the network and provides information descriptive of the service-function chain to a classifier node.

Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

Abstract: A method is provided in one example embodiment and includes receiving at a network element a flow offload decision for a first service node comprising a portion of a service chain for processing a flow; recording the flow offload decision against the first service node at the network element; and propagating the flow offload decision backward on a service path to which the flow belongs if the first service node is hosted at the network element. Embodiments may also include propagating the flow offload decision backward on a service path to which the flow belongs if the flow offload decision is a propagated flow offload decision and the network element hosts a second service node that immediately precedes the service node on behalf of which the propagated flow offload decision was received and a flow offload decision has already been received by the network element from the second service node.

Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

Abstract: An example method for distributed service chaining in a network environment is provided and includes receiving a packet belonging to a service chain in a distributed virtual switch (DVS) network environment, wherein the packet includes a network service header (NSH) indicating a service path identifier identifying the service chain and a location of the packet on the service chain, evaluating a service forwarding table to determine a next service node based on the service path identifier and the location, with a plurality of different forwarding tables distributed across the DVS at a corresponding plurality of virtual Ethernet Modules (VEMs) associated with respective service nodes in the service chain, and forwarding the packet to the next service node, with substantially all services in the service chain provided sequentially to the packet in a single service loop on a service overlay.

Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a variable set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node interprets a forwarding state and a next-hop network node for the service path from the service header, and determines a service action or associated metadata from the set of context headers.

Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.

Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.

Abstract: An example method for workload based service chain insertion in a network environment is provided and includes partitioning a service-path into fragments at a service controller, where the service-path comprises an ordered sequence of services to be provided to a packet associated with a workload in a network. The method also includes determining a location of service nodes providing the services; and provisioning the fragments at interfaces at a distributed virtual switch. The method could further include generating a plurality of service insertion points corresponding to the fragments at a service dispatcher. The service dispatcher can include a plurality of data plane components, and the service insertion points are generated at the data plane components.

Abstract: A network switch comprises a load balancer steering mechanism configured to receive a service request received from a load balancer and forward the service request to a first server in a load-balanced server cluster. The service request was initiated by a client and transmitted to the load balancer. The network switch is configured to receive return traffic transmitted by the first server, and to automatically steer the return traffic to the load balancer.

Abstract: Techniques are provided to start a virtual service node that is configured to provide network traffic services for one or more virtual machines. The virtual service node has at least one associated service profile comprising identifiers for corresponding service policies for network traffic services. The service policies identified in the at least one associated service profile are retrieved. A virtual machine is started with an associated virtual interface and a port profile is applied to the virtual interface, including information identifying the service profile. Information is provided to the virtual service node that informs the virtual service node of network parameters and assigned service profile of the virtual machine. Network traffic associated with the virtual machine is intercepted and redirected to the virtual service node. A virtual service data path is provided that enables dynamic service binding, virtual machine mobility support, and virtual service node chaining and/or clustering.

Abstract: Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

Abstract: Systems and procedures are presented for communicating multiple data streams through an SSLVPN gateway. One implementation of a method includes receiving a plurality of incoming data streams and load balancing the incoming data streams. The load balancing includes assigning a first set of one or more incoming data streams to a first subprocessor, and responding to the first set of incoming data streams with outgoing data streams that include a first identifier that indicates the first subprocessor. One implementation of a network element includes a plurality of subprocessors and a dispatcher module. The dispatcher module is coupled to the plurality of subprocessors, and is configured to recognize an identifier in a received data stream. The dispatcher module dispatches the received data stream to a corresponding subprocessor of the plurality of processors in response to the identifier in the received data stream.

Abstract: An application network appliance with virtualized services is described herein. According to one embodiment, a packet of a network transaction is received from a client for accessing an application server of a datacenter, where the network element operates as an application services gateway of the datacenter. A context associated with the application server is identified based on the packet, including information that identifies application services to be performed on the packet and resources to be allocated for performing the application services. A context includes information representing a logical instance of physical resources of the network element shared by multiple contexts. One or more application services are performed on the packet using the resources identified by the context. Other methods and apparatuses are also described.

Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.