Patents by Inventor Umamaheswararao Karyampudi

Umamaheswararao Karyampudi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220123997
    Abstract: Relay functionality may be provided. A network device may receive a response packet and may determine that one of Option-82 and Option-18 information is not present in the received response packet. Next, in response to determining that one of Option-82 and Option-18 information is not present in the received response packet, a database may be queried for information associated with the response packet. Then, based on the information associated with the response packet, the response packet may be sent to a client device associated with the response packet.
    Type: Application
    Filed: October 20, 2020
    Publication date: April 21, 2022
    Applicant: Cisco Technology, Inc.
    Inventors: Vedashree BAGADE, Ajay Kumar MODI, Umamaheswararao KARYAMPUDI, Abhishek GUPTA
  • Patent number: 11303611
    Abstract: Techniques for generating and enforcing whitelist security policies in a communication network are disclosed. A first plurality of whitelist policies are consolidated into a second plurality of whitelist policies based on populating a plurality of tables. The populated tables include a first table including pairs of endpoints and associating each pair of endpoints with a service identifier, and a second table associating the service identifiers with the policy identifiers. The second plurality of whitelist policies are programmed into a network device in the communication network, based on at least one of the plurality of tables. Rules governing traffic between the pair of endpoints are enforced, at the network device, using the programmed second plurality of whitelist policies.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: April 12, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Umamaheswararao Karyampudi, Murukanandam K. Panchalingam, Muralidhar Annabatula, Madhuryamayi Mani, Darpan R. Kathoke, Chong M. Tan, Azeem M. Suleman
  • Patent number: 11303576
    Abstract: A network device receives a fragmented packet of an internet protocol (IP) packet. The fragmented packet is subsequently received relative to an initial fragmented packet of the IP packet and includes a first set of tuple information. The network device determines an entry of a hash table associated with the IP packet, based on the first set of tuple information and a fragment identifier (ID) within the fragmented packet. The network device retrieves a second set of tuple information associated with the fragmented packet from the hash table entry, and transmits an indication of the first and second sets of tuple information.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: April 12, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Ajay K. Modi, Atul Garg, Murukanandam K. Panchalingam, Umamaheswararao Karyampudi, Munish Mehta
  • Patent number: 11277447
    Abstract: A distributed policy proxy system offloads network policy processing from an overloaded network element to policy proxy network elements. A network controller detects that policy resources are overloaded at a network element, and selects a group of policy proxy network elements. The network controller assigns an exclusive range of endpoint groups to each policy proxy network element. Each policy proxy network element is assigned to handle policy processing for its assigned range of endpoint groups. The network controller provides instructions to the policy proxy network elements to enable each policy proxy network element to apply the network policy for its assigned range of endpoint groups. The network controller also provides instructions to the overloaded network element to redirect a packet from the first endpoint group to a first policy proxy network element based on a destination of the packet.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: March 15, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Murukanandam Kamalam Panchalingam, Umamaheswararao Karyampudi, Junyun Li, Muralidhar Annabatula, Ronak K. Desai, Thomas J. Edsall
  • Publication number: 20220046058
    Abstract: Zero-trust dynamic discovery is provided by identifying a plurality of endpoints, including targets and initiators, connected to a software defined network, wherein the targets are provided on the software defined network according to a network addressable memory standard that lacks a native discovery service; grouping the targets into a plurality of target groups and the initiators into a plurality of initiator groups; and in response to receiving a discovery request from a given initiator grouped in a given initiator group of the plurality of initiator groups, returning addressing information for a target group of the plurality of target groups associated with the given initiator group in a security policy configuration for the software defined network.
    Type: Application
    Filed: August 7, 2020
    Publication date: February 10, 2022
    Inventors: Saravanan SAMPATHKUMAR, Ajay K. MODI, Umamaheswararao KARYAMPUDI, Kamal BAKSHI, Yousuf H. KHAN
  • Publication number: 20220021707
    Abstract: A distributed policy proxy system offloads network policy processing from an overloaded network element to policy proxy network elements. A network controller detects that policy resources are overloaded at a network element, and selects a group of policy proxy network elements. The network controller assigns an exclusive range of endpoint groups to each policy proxy network element. Each policy proxy network element is assigned to handle policy processing for its assigned range of endpoint groups. The network controller provides instructions to the policy proxy network elements to enable each policy proxy network element to apply the network policy for its assigned range of endpoint groups. The network controller also provides instructions to the overloaded network element to redirect a packet from the first endpoint group to a first policy proxy network element based on a destination of the packet.
    Type: Application
    Filed: July 17, 2020
    Publication date: January 20, 2022
    Inventors: Murukanandam Kamalam Panchalingam, Umamaheswararao Karyampudi, Junyun Li, Muralidhar Annabatula, Ronak K. Desai, Thomas J. Edsall
  • Publication number: 20220006757
    Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.
    Type: Application
    Filed: September 21, 2021
    Publication date: January 6, 2022
    Inventors: Javed ASGHAR, Sridhar VALLEPALLI, Umamaheswararao KARYAMPUDI, Srinivas KOTAMRAJU
  • Publication number: 20220006758
    Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites having different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mappings that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.
    Type: Application
    Filed: September 15, 2021
    Publication date: January 6, 2022
    Inventors: Sridhar VALLEPALLI, Javed ASGHAR, Umamaheswararao KARYAMPUDI, Saad MALIK, Amitkumar V. PATEL
  • Patent number: 11184325
    Abstract: The present disclosure provides for application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicates that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: November 23, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Murukanandam K. Panchalingam, Umamaheswararao Karyampudi, Muralidhar Annabatula, Darpan R. Kathoke, Junyun Li
  • Patent number: 11178071
    Abstract: Embodiments herein describe using translation mappings and security contracts to establish interconnects and policies between switching fabrics at different sites to create a unified fabric. In one embodiment, a multi-site controller can stretch endpoint groups (EPGs) between the sites so that a host or application in a first site can communicate with a host or application in a second site which is assigned to the same stretched EPG, despite the two sites having different namespaces. Further, the shadow EPGs can be formed to facilitate security contracts between EPGs in different sites. Each site can store namespace translation mappings that enable the site to convert namespace information in packets received from a different site into its own namespace values. As a result, independent bridging and routing segments in the various sites can be interconnected as well as providing application accessibility across different fabrics with independent and private namespaces.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: November 16, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Sridhar Vallepalli, Javed Asghar, Umamaheswararao Karyampudi, Saad Malik, Amitkumar V. Patel
  • Patent number: 11159451
    Abstract: An endpoint group (EPG) can be stretched between the sites so that endpoints at different sites can be assigned to the same stretched EPG. Because the sites can use different bridge domains when establishing the stretched EPGs, the first time a site transmits a packet to an endpoint in a different site, the site learns or discovers a path to the destination endpoint. The site can use BGP to identify the site with the host and use a multicast tunnel to reach the site. A unicast tunnel can be used to transmit future packets to the destination endpoint. Additionally, a stretched EPG can be segmented to form a micro-stretched EPG. Filtering criteria can be used to identify a subset of the endpoints in the stretched EPG that are then assigned to the micro-stretched EPG, which can have different policies than the stretched EPG.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: October 26, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Javed Asghar, Sridhar Vallepalli, Umamaheswararao Karyampudi, Srinivas Kotamraju
  • Patent number: 11025536
    Abstract: A first leaf switch may receive from a first host, a request for a second host that is not known at the first leaf switch. The first host may be within a first End Point Group (EPG) and the second host being within a second EPG. The first EPG and the second EPG may be in a Bridge Domain (BD). Flood in encapsulation may be enabled for the first EPG and for the second EPG. Next, the first leaf switch may flood the request locally in the first EPG and to a spine switch with a VNID of the first EPG. The spine switch may then flood the request to a second leaf switch where the BD is present. The second leaf switch may send a glean request for the second host, receive, in response to sending the glean request, a reply, and learn the second host locally in response to receiving the reply.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: June 1, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Gautam Venkataramanan, Umamaheswararao Karyampudi, Eddie Tan, Ajay Modi
  • Patent number: 11019025
    Abstract: A network device resolves a destination address of an endpoint in an endpoint isolation environment. The network device receives a request for a destination address associated with a destination endpoint. The request originates from an isolated source endpoint. The network device determines whether the destination address is stored on the network device in association with the destination endpoint. Responsive to a determination that the destination address is not stored in association with the destination endpoint, the network device generates a proxy request for the destination address, and sends the proxy request to at least one endpoint attached to the network device. The network device receives a proxy response from the destination endpoint that includes the destination address. The network device stores the destination address in association with the destination endpoint.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: May 25, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Gautam Venkataramanan, Umamaheswararao Karyampudi, Sundher Narayanaswamy
  • Publication number: 20210136124
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Application
    Filed: January 11, 2021
    Publication date: May 6, 2021
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan
  • Publication number: 20210119925
    Abstract: A network device receives a fragmented packet of an internet protocol (IP) packet. The fragmented packet is subsequently received relative to an initial fragmented packet of the IP packet and includes a first set of tuple information. The network device determines an entry of a hash table associated with the IP packet, based on the first set of tuple information and a fragment identifier (ID) within the fragmented packet. The network device retrieves a second set of tuple information associated with the fragmented packet from the hash table entry, and transmits an indication of the first and second sets of tuple information.
    Type: Application
    Filed: October 17, 2019
    Publication date: April 22, 2021
    Inventors: Ajay K. MODI, Atul GARG, Murukanandam K. PANCHALINGAM, Umamaheswararao KARYAMPUDI, Munish MEHTA
  • Publication number: 20210044625
    Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.
    Type: Application
    Filed: October 23, 2020
    Publication date: February 11, 2021
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Pirabhu Raman, Sameer Merchant
  • Publication number: 20210044622
    Abstract: Techniques for hierarchical security policies are disclosed. A first network configuration is received, where the first network configuration includes a plurality of subnets and a plurality of security zones. An updated network configuration is generated based on the first network configuration by generating, for a first security zone of the plurality of security zones, a first master class, and generating, for each respective subnet of the plurality of subnets, a respective bridge domain. For each respective bridge domain, a respective local endpoint group (EPG) corresponding to the first security zone is created, and the first master class is assigned to the respective local EPG. Finally, one or more contracts are generated for the first master class based on the first network configuration.
    Type: Application
    Filed: August 5, 2019
    Publication date: February 11, 2021
    Inventors: Gautam Venkataramanan, Umamaheswararao Karyampudi, Murukanandam K. Panchalingam, Ajay K. Modi, Maurizio Portolani
  • Patent number: 10917436
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: February 9, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan
  • Publication number: 20200389432
    Abstract: The present disclosure provides for application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicates that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site.
    Type: Application
    Filed: June 4, 2019
    Publication date: December 10, 2020
    Inventors: Murukanandam K. PANCHALINGAM, Umamaheswararao KARYAMPUDI, Muralidhar ANNABATULA, Darpan R. KATHOKE, Junyun LI
  • Patent number: 10834010
    Abstract: Embodiments provide for mitigating priority flow control deadlock in stretch topologies by initializing a plurality of queues in a buffer of a leaf switch at a local cluster of a site having a plurality of clusters, wherein each queue of the plurality of queues corresponds to a respective one cluster of the plurality of clusters; receiving a pause command for no-drop traffic on the leaf switch, the pause command including an internal Class-of-Service (iCoS) identifier associated with a particular cluster of the plurality of clusters and a corresponding queue in the plurality of queues; and in response to determining, based on the iCoS identifier, that the pause command was received from a remote spine switch associated with a different cluster than the local cluster: forwarding the pause command to a local spine switch in the local cluster; and implementing the pause command on the corresponding queue in the buffer.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: November 10, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Saravanan Sampathkumar, Ajay K. Modi, Umamaheswararao Karyampudi, Vikas V. Patel, Gautam Venkataramanan