Abstract: In an embodiment, a computer-implemented method comprises receiving logical model input that specifies a logical topology model of networking elements and/or computing elements for deployment at least partially in a private cloud computing infrastructure and at least partially in a public cloud computing infrastructure; receiving resource input specifying an inventory of computing elements that are available at least partially in the private cloud computing infrastructure and at least partially in the public cloud computing infrastructure; automatically generating an intermediate topology comprising a set of deployment instructions that are capable of execution at least partially in the private cloud computing infrastructure and at least partially in the public cloud computing infrastructure to cause physical realization of a network deployment corresponding to the logical topology model; determining whether the intermediate topology is functionally equivalent to the logical topology model; in response to det

Abstract: Certain aspects of the present disclosure provide a method for managing network operations. The method generally includes selecting an edge cloud of a plurality of edge clouds to be used for performing one or more network operations for at least one endpoint device. In certain aspects, the selection may be based on an indication of at least one of an amount of available resources or capabilities associated with each of the plurality of edge clouds. In certain aspects, the method also includes configuring the edge cloud to perform the one or more network operations based on the selection.

Abstract: A method and apparatus for dynamic integration of a covert namespace are provided. A Software-Defined Networking (SDN) controller is configured to send a request for workload transfer to an endpoint where the endpoint is connected to a virtual switch. The SDN controller determines that a connection between the endpoint and the virtual switch is secure based on a tenant-specific policy associated with the endpoint. A first covert namespace is configured to be connected between the endpoint and the virtual switch to communicate to the endpoint and the virtual switch directly. The operations of the virtual switch are executed using the first covert namespace according to the tenant-specific policy. A workload is caused to be transmitted to the endpoint through the first covert namespace.

Abstract: Certain aspects of the present disclosure provide a method for managing network operations. The method generally includes selecting an edge cloud of a plurality of edge clouds to be used for performing one or more network operations for at least one endpoint device. In certain aspects, the selection may be based on an indication of at least one of an amount of available resources or capabilities associated with each of the plurality of edge clouds. In certain aspects, the method also includes configuring the edge cloud to perform the one or more network operations based on the selection.

Abstract: In an embodiment, a computer-implemented method comprises receiving logical model input that specifies a logical topology model of networking elements and/or computing elements for deployment at least partially in a private cloud computing infrastructure and at least partially in a public cloud computing infrastructure; receiving resource input specifying an inventory of computing elements that are available at least partially in the private cloud computing infrastructure and at least partially in the public cloud computing infrastructure; automatically generating an intermediate topology comprising a set of deployment instructions that are capable of execution at least partially in the private cloud computing infrastructure and at least partially in the public cloud computing infrastructure to cause physical realization of a network deployment corresponding to the logical topology model; determining whether the intermediate topology is functionally equivalent to the logical topology model; in response to det

Abstract: A method and apparatus for dynamic integration of a covert namespace are provided. A Software-Defined Networking (SDN) controller is configured to send a request for workload transfer to an endpoint where the endpoint is connected to a virtual switch. The SDN controller determines that a connection between the endpoint and the virtual switch is secure based on a tenant-specific policy associated with the endpoint. A first covert namespace is configured to be connected between the endpoint and the virtual switch to communicate to the endpoint and the virtual switch directly. The operations of the virtual switch are executed using the first covert namespace according to the tenant-specific policy. A workload is caused to be transmitted to the endpoint through the first covert namespace.

Abstract: Embodiments generally provide techniques for mapping service modules on a network device. Embodiments identify a plurality of service modules, each configured to perform a respective service. A first one of the plurality of service modules is mapped to a first one of a plurality of virtual switches on the network device. Service policy information for a plurality of virtual switches is retrieved. The service policy information is indicative of service requirements for each of the plurality of virtual switches. Upon detecting an occurrence of a predefined event, embodiments determine a second one of the plurality of virtual switches to map the first service module to, based on the service policy information. The first service module is then mapped to the second virtual switch.

Abstract: A method is provided in one example and includes receiving a first packet of a connection between a client and a server. The first packet is tagged with a tag comprising a member id of a service node in a service cluster that includes a plurality of nodes having distinct member ids. The method can also include mapping the member id to the service node in a tag-to-node map; receiving a second packet of the connection, where the second packet is tagged with the tag comprising the member id; determining the service node from the tag-to-node map; and forwarding the second packet to the service node.

Abstract: Embodiments generally provide techniques for mapping service modules on a network device. Embodiments identify a plurality of service modules, each configured to perform a respective service. A first one of the plurality of service modules is mapped to a first one of a plurality of virtual switches on the network device. Service policy information for a plurality of virtual switches is retrieved. The service policy information is indicative of service requirements for each of the plurality of virtual switches. Upon detecting an occurrence of a predefined event, embodiments determine a second one of the plurality of virtual switches to map the first service module to, based on the service policy information. The first service module is then mapped to the second virtual switch.

Abstract: A method is provided in one example and includes receiving a first packet of a connection between a client and a server. The first packet is tagged with a tag comprising a member id of a service node in a service cluster that includes a plurality of nodes having distinct member ids. The method can also include mapping the member id to the service node in a tag-to-node map; receiving a second packet of the connection, where the second packet is tagged with the tag comprising the member id; determining the service node from the tag-to-node map; and forwarding the second packet to the service node.

Abstract: Network devices, computer-readable media, and other embodiments associated with packet inspection are described. Packet inspection may be performed on data packets associated with a session, where a session can include multiple data channels and associated control channels that have been bound together. A session may be associated with an identity. Various policies may be associated with that identity. As packet inspection occurs, it can be determined whether policies are being violated on a per identity basis. If a policy is being violated, then an action may be selectively performed. The action performed may affect a single channel in the session or may affect the whole session. Different identities may have different policies. Example actions include dropping a session, throttling a session, monitoring a session, controlling the number of channels associated with a session, dropping a channel, throttling a channel, monitoring a channel, and other actions.

Abstract: Systems, methods, and other embodiments associated with layer two (L2) encryption for data center interconnectivity are described. One example system includes a receive logic to receive an unencrypted L2 switched frame (UL2SF). The UL2SF may include a payload and an L2 header. The example system may also include an encryption logic to selectively encrypt the UL2SF into an encrypted frame if the UL2SF is to be sent through an L2 virtual private network (L2VPN) requiring encryption. The example system may also include a delivery logic that adds a header to the encrypted frame. The header may include data to identify a decryption function to decrypt the encrypted frame and routing information for the encrypted frame. The delivery logic may also provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.

Abstract: Network devices, computer-readable media, and other embodiments associated with packet inspection are described. Packet inspection may be performed on data packets associated with a session, where a session can include multiple data channels and associated control channels that have been bound together. A session may be associated with an identity. Various policies may be associated with that identity. As packet inspection occurs, it can be determined whether policies are being violated on a per identity basis. If a policy is being violated, then an action may be selectively performed. The action performed may affect a single channel in the session or may affect the whole session. Different identities may have different policies. Example actions include dropping a session, throttling a session, monitoring a session, controlling the number of channels associated with a session, dropping a channel, throttling a channel, monitoring a channel, and other actions.

Abstract: Systems, methods, and other embodiments associated with layer two (L2) encryption for data center interconnectivity are described. One example system includes a receive logic to receive an unencrypted L2 switched frame (UL2SF). The UL2SF may include a payload and an L2 header. The example system may also include an encryption logic to selectively encrypt the UL2SF into an encrypted frame if the UL2SF is to be sent through an L2 virtual private network (L2VPN) requiring encryption. The example system may also include a delivery logic that adds a header to the encrypted frame. The header may include data to identify a decryption function to decrypt the encrypted frame and routing information for the encrypted frame. The delivery logic may also provide the encrypted frame to the L2VPN, where the providing includes selectively sending the encrypted frame as one of, a point to point packet, and a multipoint packet.