H04L47/20

Communication of policy changes in LISP-based software defined networks

Systems, methods, and computer-readable media for communicating policy changes in a Locator/ID Separation Protocol (LISP) based network deployment include receiving, at a first routing device, a first notification from a map server, the first notification indicating a change in a policy for LISP based communication between at least a first endpoint device and at least a second endpoint device, the first endpoint device being connected to a network fabric through the first routing device and the second endpoint device being connected to the network fabric through a second routing device. The first routing device forwards a second notification to the second routing device if one or more entries of a first map cache implemented by the first routing device are affected by the policy change, the second notification indicating a set of one or more endpoints connected to the second routing device that are affected by the policy change.

Service process control method and network device

A service process control method includes selecting, according to an execution policy of at least one service deployed on a network device, M data processors for processing a packet received by the network device, determining a processing sequence for the selected M data processors to process the packet, and invoking the selected M data processors to sequentially process, according to the processing sequence, the packet. An execution sequence for a data processor to process the packet is dynamically generated according to a policy set corresponding to the service.

Intent-based policy generation for virtual networks

Techniques are disclosed for generating intent-based policies and applying the policies to traffic of a computer network. In one example, a policy controller for the computer network receives traffic statistics for traffic flows among a plurality of application workloads executed by a first set of computing devices. The policy controller correlates the traffic statistics into session records for the plurality of application workloads. The policy controller generates, based on the session records for the application workloads, application firewall policies for the application workloads. Each of the application firewall policies defines whether traffic flows between application workloads are to be allowed or denied. The policy controller distributes the application firewall policies to a second set of one or more computing devices for application to traffic flows between instances of the application workloads.

COMMUNICATION TEST DEVICE AND COMMUNICATION TEST METHOD
20230009780 · 2023-01-12

Even when a priority frame and a non-priority frame are provided as communication frames, real-time performance and security of communications are both provided.

A rule verification portion 7 tests a communication frame in accordance with a test rule and determines whether the communication frame is an invalid frame. Verification status hold portions 4 and 5 hold status information that indicates a status of the test by the rule verification portion 7. An interception control portion 8 controls interception of the communication frame based on a determination result of the rule verification portion 7. When an I/F portion 1 receives a fragment of a non-priority frame, the rule verification portion 7 tests the fragment as part of testing the non-priority frame; when it finishes testing the fragment, it suspends the test on the non-priority frame, and when the I/F portion 1 receives the next fragment, it resumes the test on the non-priority frame based on the status information.

METHOD AND APPARATUS FOR FLEXIBLE AND EFFICIENT ANALYTICS IN A NETWORK SWITCH

Embodiments of the present invention relate to a centralized network analytic device that efficiently uses on-chip memory to flexibly perform counting, traffic rate monitoring and flow sampling. The device includes a pool of memory that is shared by all cores and by the packet processing stages of each core. The counting, the monitoring and the sampling are all defined through software, allowing for greater flexibility and efficient analytics in the device. In some embodiments, the device is a network switch.

System and method for managing a network device

In general, embodiments described herein relate to methods and systems for automating the configuration of network devices. More specifically, embodiments of the invention relate to using configuration commands that specify protocol-specified relationships in order to generate granular (or specific) filtering rules (also referred to as rules). The rules are subsequently programmed into the network device.

Unique ID generation for sensors

Systems, methods, and computer-readable media are provided for generating a unique ID for a sensor in a network. Once the sensor is installed on a component of the network, the sensor can send attributes of the sensor to a control server of the network. The attributes of the sensor can include at least one unique identifier of the sensor or the host component of the sensor. The control server can determine a hash value using a one-way hash function and a secret key, send the hash value to the sensor, and designate the hash value as a sensor ID of the sensor. In response to receiving the sensor ID, the sensor can incorporate the sensor ID in subsequent communication messages. Other components of the network can verify the validity of the sensor using a hash of the at least one unique identifier of the sensor and the secret key.