Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: Techniques and architecture are described that utilize switchport protected flags to provide switchport protected functionality across network devices, e.g., switches, routers, etc., in fabric networks. For example, a first port of a first network device of a fabric network receives a packet from a first host destined for a second host. The second host is onboarded to the fabric network via a second port of a second network device. It is determined (i) if a first protected flag associated with the first port of the first network device is set as true and (ii) if a second protected flag associated with the second host is set as true. Based at least in part on (i) the first protected flag associated with the first port being set as true and (ii) the second protected flag being set as true, the first network device drops the packet.

Abstract: This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.

Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: Techniques and architecture are described that utilize switchport protected flags to provide switchport protected functionality across network devices, e.g., switches, routers, etc., in fabric networks. For example, a first port of a first network device of a fabric network receives a packet from a first host destined for a second host. The second host is onboarded to the fabric network via a second port of a second network device. It is determined (i) if a first protected flag associated with the first port of the first network device is set as true and (ii) if a second protected flag associated with the second host is set as true. Based at least in part on (i) the first protected flag associated with the first port being set as true and (ii) the second protected flag being set as true, the first network device drops the packet.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: Methods and devices configure edge nodes of a virtual network overlay to continuously forward data plane traffic flows between client devices of a common subnet over the course of at least some of the edge nodes being EF-configured. TF-configured edge nodes and EF-configured edge nodes both play roles in unilaterally inducing address discovery by sending to client devices address discovery responses that were not prompted by address discovery requests. TF-configured edge nodes then handle ensuing address discovery requests by proxy, and subsequently handle certain traffic flows according to an EF-compatible forwarding mode, while EF-configured edge nodes continue to forward traffic flows by IP routing normally. This averts throughput of data plane traffic over the network overlay being reduced as a side effect of the heterogeneously configured edge nodes, and averts the possibility of client devices broadcasting address discovery protocol requests as a result of remote client devices being unreachable.

Abstract: Techniques and architecture are described that utilize network address translation (NAT) based on a group tag such that legacy and third-party devices may utilize and apply “subnet” based policies, thereby allowing the subnet based policies to be as effective as “group” based policies. In particular, a subnet may be applied to a group tag where the group tag is not understandable outside an access network such as, for example, a fabric network. Thus, when a packet originates from a fabric network utilizing group tags representing source groups of endpoints and is destined for a legacy or a third-party device-based network that does not utilize and/or understand group tags, then the group is converted into a subnet. Since that subnet is different from the source host within the fabric network, network address translation (NAT) is utilized.

Abstract: The present disclosure provides systems, methods and computer-readable media for maintaining network connectivity, in a LISP based network, when one or more network edge nodes lose connectivity to a LISP control plane of the network, using multicast messaging. In one example, a method includes receiving a connection request from a first endpoint to a second endpoint communicatively coupled to a second edge node; determining, by the first edge node, that a connection session to a control plane for locating the second endpoint has failed; querying one or more available edge nodes for locating the second endpoint using a multicast message; locating the second endpoint based on at least one query response received from the one or more available edge nodes, at least one query response including an identifier of the second endpoint; and establishing the connection request between the first endpoint and the second endpoint upon locating the second endpoint.

Abstract: This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.

Abstract: This disclosure describes techniques and mechanisms for providing hybrid cloud services for enterprise fabric. The techniques include enhancing an on-demand protocol (e.g., such as LISP) and allowing simplified security and/or firewall service insertion for datacenter servers providing those services. Accordingly, the techniques described herein provide hybrid cloud services that work in disaggregated, distributed, and consistent way, while avoiding complex datacenter network devices (e.g., such running overlay on TOR), replacing and moving the functionality to on demand protocol enabled servers, which intelligently receive the required mappings as well as registers and publishes the service information to intelligently interact with the network.

Abstract: This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.

Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.

Abstract: This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.

Abstract: The present disclosure provides systems, methods and computer-readable media for maintaining network connectivity, in a LISP based network, when one or more network edge nodes lose connectivity to a LISP control plane of the network, using multicast messaging. In one example, a method includes receiving a connection request from a first endpoint to a second endpoint communicatively coupled to a second edge node; determining, by the first edge node, that a connection session to a control plane for locating the second endpoint has failed; querying one or more available edge nodes for locating the second endpoint using a multicast message; locating the second endpoint based on at least one query response received from the one or more available edge nodes, at least one query response including an identifier of the second endpoint; and establishing the connection request between the first endpoint and the second endpoint upon locating the second endpoint.

Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for orchestrating policies across multiple networking domains. The technology can receive, at a provider domain from a consumer domain, a data request; receive, at the provider domain from the consumer domain, at least one access policy for the consumer domain; translate, at the provider domain, the at least one access policy for the consumer domain into at least one translated access policy understood by the provider domain; apply, at the provider domain, the at least one translated access policy understood by the provider domain to the data request; and send, at the provider domain to the consumer domain, a response to the data request.

Abstract: This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.

Abstract: This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.

Abstract: A system and a method are disclosed for enabling interoperability between data plane learning endpoints and control plane learning endpoints in an overlay network environment. An exemplary method for managing network traffic in the overlay network environment includes receiving network packets in an overlay network from data plane learning endpoints and control plane learning endpoints, wherein the overlay network extends Layer 2 network traffic over a Layer 3 network; operating in a data plane learning mode when a network packet is received from a data plane learning endpoint; and operating in a control plane learning mode when the network packet is received from a control plane learning endpoint. Where the overlay network includes more than one overlay segment, the method further includes operating as an anchor node for routing inter-overlay segment traffic to and from hosts that operate behind the data plane learning endpoints.

Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for orchestrating policies across multiple networking domains. The technology can receive, at a provider domain from a consumer domain, a data request; receive, at the provider domain from the consumer domain, at least one access policy for the consumer domain; translate, at the provider domain, the at least one access policy for the consumer domain into at least one translated access policy understood by the provider domain; apply, at the provider domain, the at least one translated access policy understood by the provider domain to the data request; and send, at the provider domain to the consumer domain, a response to the data request.