Enforcing micro-segmentation policies for physical and virtual application components in data centers
First Claim
1. A device, comprising:
- one or more processors to:
receive policy information associated with a first application group and a second application group, the first application group including a first set of virtual application components and a first set of physical application components, the second application group including a second set of virtual application components and a second set of physical application components;
generate a logical group of virtual application components, the first set of virtual application components and the second set of virtual application components being included in the logical group of virtual application components based on the first set of virtual application components and the second set of virtual application components being virtual application components;
generate a logical group of physical application components, the first set of physical application components and the second set of physical application components being included in the logical group of physical application components based on the first set of physical application components and the second set of physical application components being physical application components;
receive network topology information associated with a network;
generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information, a virtual application component, of the first set of virtual application components, being connected to the virtual network device;
generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information, a physical application component, of the first set of physical application components, being connected to the physical network device;
provide, to the virtual network device of the network, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the virtual application component, of the first set of virtual application components, and the second set of virtual application components, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the physical application component, of the first set of physical application components, and another physical application component of the second set of physical application components, the second policy being provided to the physical network device based on the physical network device being a physical device type.
Abstract
A device may receive policy information associated with a first application group and a second application group. The device may receive network topology information associated with a network. The device may generate a first policy based on the policy information and the network topology information, and generate a second policy based on the policy information and the network topology information. The device may provide, to the virtual network device, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the first application group and the second application group. The device may provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the first application group and the second application group.
20 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to:
receive policy information associated with a first application group and a second application group;
generate a logical group of virtual application components, a set of virtual application components being included in the logical group of virtual application components based on the set of virtual application components being virtual application components;
generate a logical group of physical application components, a set of physical application components being included in the logical group of physical application components based on the set of physical application components being physical application components;
receive network topology information associated with a network;
generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information;
generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information, the first policy being different than the second policy;
provide, to the virtual network device, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the first application group and the second application group, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the first application group and the second application group, the second policy being provided to the physical network device based on the physical network device being a physical device type.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method, comprising:
receiving, by a device, policy information associated with a set of application groups;
generating, by the device, a logical group of virtual application components, a set of virtual application components being included in the logical group of virtual application components based on the set of virtual application components being virtual application components;
generating, by the device, a logical group of physical application components, a set of physical application components being included in the logical group of physical application components based on the set of physical application components being physical application components;
receiving, by the device, network topology information associated with a network;
generating, by the device, a first policy, to be provided to a set of virtual network devices of the network, based on the policy information, the logical group of virtual application components, and the network topology information;
generating, by the device, a second policy, to be provided to a set of physical network devices of the network, based on the policy information, the logical group of physical application components, and the network topology information;
providing, by the device and to a virtual network device of the set of virtual network devices, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the set of application groups, the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
providing, by the device and to a physical network device of the set of physical network devices, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the set of application groups, the second policy being provided to the physical network device based on the physical network device being a physical device type, the second policy including a set of rules associated with a set of physical application components of the set of application groups, and the second policy not including another set of rules associated with a set of virtual application components of the set of application groups.
Dependent claims: 16, 17, 18, 19, 20.
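The procedure the three independent claims describe (pool components into a virtual logical group and a physical logical group, then compile a separate policy for each network device so that a device of one type only receives rules for components of that type) is shown below as an added worked example. This is illustrative code written for this page, not code from the patent, its assignee, or any product; the classes, function names, the `(source group, destination group, port, action)` policy tuple shape, and the sample application groups, addresses, and topology are all constructed assumptions. The `rules_match_device_type` check is the claim 15 property a defender would want to verify after compilation: no physical-device policy carries a rule that names a virtual component, and vice versa. Note that, exactly as the claims are worded, only same-type flows are compiled; traffic between a virtual and a physical component of two groups would need a policy this example does not generate.

```python
# Added example, not code from the patent: a toy compiler that turns
# application-group policy into per-network-device policies keyed on the
# device type. Every name, class and sample value here is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    kind: str       # "virtual" (VM/container) or "physical" (bare-metal host)
    address: str    # constructed sample IP address


@dataclass(frozen=True)
class ApplicationGroup:
    name: str
    components: Tuple[Component, ...]


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    kind: str                  # "virtual" (e.g. a vSwitch) or "physical" (e.g. a ToR switch)
    attached: Tuple[str, ...]  # names of components connected to this device (topology info)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str


# policy information as assumed here: (source group, destination group, port, action)
PolicyInfo = List[Tuple[str, str, int, str]]


def logical_groups(groups: List[ApplicationGroup]) -> Dict[str, List[Component]]:
    """Build the two logical groups the claims describe: every virtual component
    across all application groups, and every physical one."""
    logical: Dict[str, List[Component]] = {"virtual": [], "physical": []}
    for group in groups:
        for comp in group.components:
            logical[comp.kind].append(comp)
    return logical


def compile_policies(policy: PolicyInfo, groups: List[ApplicationGroup],
                     devices: List[NetworkDevice]) -> Dict[str, List[Rule]]:
    """Generate one policy per network device. A device only receives rules whose
    two endpoints are in the logical group matching its own type, and only for
    flows that touch a component attached to it (the topology information)."""
    by_name = {g.name: g for g in groups}
    comp_by_name = {c.name: c for g in groups for c in g.components}
    logical = logical_groups(groups)
    policies: Dict[str, List[Rule]] = {}
    for dev in devices:
        same_type = set(logical[dev.kind])
        # components attached to this device that are also of the device's type
        local = {comp_by_name[n] for n in dev.attached if n in comp_by_name} & same_type
        rules: List[Rule] = []
        for src_group, dst_group, port, action in policy:
            for src in by_name[src_group].components:
                for dst in by_name[dst_group].components:
                    if src not in same_type or dst not in same_type:
                        continue  # other-type endpoints belong to the other policy
                    if src in local or dst in local:
                        rules.append(Rule(src.address, dst.address, port, action))
        policies[dev.name] = rules
    return policies


def rules_match_device_type(policies: Dict[str, List[Rule]], devices: List[NetworkDevice],
                            groups: List[ApplicationGroup]) -> bool:
    """Post-compilation check: no device carries a rule naming a component of the other type."""
    kind_by_addr = {c.address: c.kind for g in groups for c in g.components}
    dev_kind = {d.name: d.kind for d in devices}
    return all(kind_by_addr[r.src] == dev_kind[dev] and kind_by_addr[r.dst] == dev_kind[dev]
               for dev, rules in policies.items() for r in rules)


# constructed sample input: two application groups, each with one VM and one bare-metal host
GROUPS = [
    ApplicationGroup("web", (Component("web-vm1", "virtual", "10.0.1.10"),
                             Component("web-srv1", "physical", "10.0.2.10"))),
    ApplicationGroup("db", (Component("db-vm1", "virtual", "10.0.1.20"),
                            Component("db-srv1", "physical", "10.0.2.20"))),
]
# constructed topology: one vSwitch hosting both VMs, two ToR switches for the hosts
DEVICES = [
    NetworkDevice("vswitch-1", "virtual", ("web-vm1", "db-vm1")),
    NetworkDevice("tor-1", "physical", ("web-srv1", "db-srv1")),
    NetworkDevice("tor-2", "physical", ("db-srv1",)),
]
POLICY: PolicyInfo = [("web", "db", 5432, "permit")]


def build_sample() -> Dict[str, List[Rule]]:
    """Compile the sample policy against the sample groups and topology."""
    return compile_policies(POLICY, GROUPS, DEVICES)


if __name__ == "__main__":
    for dev, rules in build_sample().items():
        print(dev, [f"{r.src}->{r.dst}:{r.port} {r.action}" for r in rules])
    print("type isolation holds:", rules_match_device_type(build_sample(), DEVICES, GROUPS))
```

Running it gives the vSwitch a single rule between the two VM addresses and each ToR switch the rule between the two host addresses; the virtual policy never mentions 10.0.2.x and the physical policies never mention 10.0.1.x, which is what the type-keyed split is for.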