Patents Assigned to Cisco Technology
-
Patent number: 11929984
Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.
Type: Grant
Filed: May 5, 2021
Date of Patent: March 12, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: David Hanes, Gonzalo Salgueiro, Sebastian Jeuk, Robert Edgar Barton
-
Patent number: 11924240
Abstract: Aspects of the subject technology relate to a system configured to receive a set of network snapshot segments from an output stream of a stream processing service, compile the set of network snapshot segments from the set of messages into a first network snapshot and a second network snapshot, and compare the first network snapshot and the second network snapshot to identify a difference between the first network snapshot and the second network snapshot.
Type: Grant
Filed: November 25, 2020
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Shashi Gandham, Navindra Yadav, Janardhanan Radhakrishnan, Hoang-Nam Nguyen, Umesh Paul Mahindra, Sunil Gupta, Praneeth Vallem, Supreeth Rao, Darshan Shrinath Purandare, Xuan Zou, Joseph Daniel Beshay, Jothi Prakash Prabakaran
-
Patent number: 11923937
Abstract: Spurious beamforming in high density environments can be reduced via transmitting a first signal from a first Access Point (AP) to a first endpoint associated with the first AP via a first beamforming arrangement; in response to identifying that the first beamforming arrangement is pollutive to a second endpoint associated with a second AP: deprecating the first beamforming arrangement; and transmitting a second signal from the first AP to the first endpoint via a second beamforming arrangement, different from the first beamforming arrangement.
Type: Grant
Filed: May 27, 2021
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Jerome Henry, Robert E. Barton, Matthew A. Silverman, Pooya Monajemi
-
Patent number: 11924046
Abstract: This disclosure describes techniques and mechanisms for a central management plane to automatically create and assign system identifiers to network devices, thereby creating a global network hierarchy within a network. The techniques enable the use of a system identifier to be automatically generated and assigned, as well as configuration and network policies to be automatically generated based on the system identifier. Accordingly, the techniques enable automation of regional connectivity and policy application, a simplified manner of troubleshooting/debugging of any connectivity issues, and a simplified, aggregated view of statistics and analytics related to problems at site, sub-region, and region levels.
Type: Grant
Filed: December 5, 2022
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Bhairav Dutia, Ankur Bhargava, Satish Mahadevan, Srinivas Yalamanchanli, Ziad Sarieddine, Nikolai Pitaev
-
Patent number: 11924108
Abstract: In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router, and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and including each of one or more next-hop nodes of the router represented as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing per its routing information base.
Type: Grant
Filed: July 27, 2023
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Ijsbrand Wijnands, Neale David Raymond Ranns, David Delano Ward, David Richard Barach
-
Patent number: 11924100
Abstract: Techniques for using global virtual network instance (VNI) labels in a multi-domain network to route network data with a multi-tenant network overlay are described herein. A routing device provisioned in a network domain of the multi-domain network may register with a service discovery system of the network domain for use of network configuration data to establish routes through the multi-domain network with network nodes. Each network domain of the multi-domain network may include an application programming interface (API) server for processing API requests to make changes to configurations of a network domain. A border gateway protocol (BGP) large community may be utilized to encode global VNI labels, network addresses, local next hop nodes, and/or additional network information and sent to routing devices provisioned in separate network domains. A service chain may be signaled by global VNI labels to route network traffic through various services prior to reaching a destination endpoint.
Type: Grant
Filed: September 27, 2021
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Jon Langemak, Christopher Blair Murray, Kyle Andrew Donald Mestery
-
Patent number: 11924090
Abstract: In one embodiment, a service chain data packet is instrumented as it is communicated among network nodes in a network providing service-level and/or networking operations visibility. The service chain data packet includes a particular header identifying a service group defining one or more service functions, and is a data packet and not a probe packet. A network node adds networking and/or service-layer operations data to the particular service chain data packet, such as, but not limited to, in the particular header. Such networking operations data includes a performance metric or attribute related to the transport of the particular service chain packet in the network. Such service-layer operations data includes a performance metric or attribute related to the service-level processing of the particular service chain data packet in the network.
Type: Grant
Filed: December 28, 2022
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Clarence Filsfils, Zafar Ali, Syed Kamran Raza, Ahmed Bashandy, Nagendra Kumar Nainar, Carlos M. Pignataro, Jaganbabu Rajamanickam, Rakesh Gandhi, Bhupendra Yadav, Faisal Iqbal
-
Patent number: 11922216
Abstract: Techniques and mechanisms for managing workloads in compute clusters comprising compute nodes by managing the workloads at the resource level of the compute clusters. For example, virtual service contexts (VSCs) may be defined where the VSCs represent service classes. Policies may be defined with respect to each service class. These service classes are dynamically constructed based on business needs. Hence there is a natural requirement for a user to construct and rebalance the compute resources for these service classes dynamically. The policies may be related to resources of the compute clusters for executing workload units in the compute clusters. Resources of the compute clusters may be allocated to each service class. Each workload unit may be assigned to one of the service classes based on the service context or type of workload unit. The workload units may then be executed by the compute clusters using the resources in accordance with the policies.
Type: Grant
Filed: October 22, 2020
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Akshya Kumar Singh, Sri Goli, Amitkumar Patel, Ravi Nag Chamarthy
-
Patent number: 11921562
Abstract: Power supply efficiency may be provided. First, a total power supply capacity may be determined comprising a sum of a plurality of supply capacities respectively corresponding to a plurality of power supplies serving a plurality of components. Next, a load value corresponding to the plurality of components may be determined. A number of the plurality of power supplies may then be powered down. The number of power supplies powered down may comprise a value that may cause a remaining number of the plurality of power supplies serving the plurality of components to operate within an efficiency range.
Type: Grant
Filed: January 26, 2023
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Torsha Das, Jay Yoo, Tuchih Tsai, Kabiraj Sethi
-
Patent number: 11924083
Abstract: This disclosure describes techniques for enabling interoperability between asymmetric and symmetric Integrated Routing and Bridging (IRB) modes. An interfacing component may be configured to receive a first route advertisement from a first edge node in a Layer-2 (L2) fabric. The first route advertisement may correspond to an asymmetric format route, for instance. The interfacing component may be further configured to receive a second route advertisement from a second edge node in a L2/Layer-3 (L3) fabric. The second edge node may be configured for symmetric integrated routing and bridging (IRB). The interfacing component may be configured to re-originate the first route and the second route such that the interfacing component is included as a hop in the resultant routes between the L2 fabric and the L2/L3 fabric.
Type: Grant
Filed: June 9, 2021
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Samir Thoria, Neeraj Malhotra, Lukas Krattiger, Ali Sajassi, Rajesh Sharma, Kesavan Thiruvenkatasamy, Aparna Pattekar
-
Patent number: 11924223
Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.
Type: Grant
Filed: April 25, 2022
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Shwetha Subray Bhandari, Eric Voit, Frank Brockners, Carlos M. Pignataro, Nagendra Kumar Nainar
-
Patent number: 11924043
Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.
Type: Grant
Filed: November 2, 2021
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
-
Patent number: 11924160
Abstract: Techniques for management of traffic in a network. The techniques provide application awareness in a Network Address Translation (NAT) system. In some examples, a first traffic is received at a first switch in a network from a first application hosted behind the first switch. The first switch identifies a first resource tag associated with the application from the first traffic. Further, the first switch identifies a first rule from the first resource tag indicating that the first traffic is to be routed through an intermediate device that performs network address translation. Moreover, the first switch transmits the traffic to an intermediate device, which performs NAT to translate the source IP address of the first traffic to a second IP address. Finally, the intermediate device sends the traffic to a destination device indicated by the first traffic.
Type: Grant
Filed: February 22, 2022
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Sudhakar Chunduru, Junyun Li, Ajay Kumar Modi
-
Patent number: 11924107
Abstract: Techniques for orchestrating workloads based on policy to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that a utilization of a network path between a first workload and a second workload is greater than a relative utilization of other network paths between the first workload and other workloads. The techniques may also include determining that reducing the network path would optimize communications between the first workload and the second workload without adversely affecting communications between the first workload and the other workloads. The techniques may also include causing at least one of a redeployment or a network path re-routing to reduce the networking proximity between the first workload and the second workload.
Type: Grant
Filed: October 4, 2021
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Vincent E. Parla, Kyle Andrew Donald Mestery
-
Patent number: 11924119
Abstract: Techniques and architecture are described that utilize switchport protected flags to provide switchport protected functionality across network devices, e.g., switches, routers, etc., in fabric networks. For example, a first port of a first network device of a fabric network receives a packet from a first host destined for a second host. The second host is onboarded to the fabric network via a second port of a second network device. It is determined (i) if a first protected flag associated with the first port of the first network device is set as true and (ii) if a second protected flag associated with the second host is set as true. Based at least in part on (i) the first protected flag associated with the first port being set as true and (ii) the second protected flag being set as true, the first network device drops the packet.
Type: Grant
Filed: May 20, 2022
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Sanjay Kumar Hooda, Victor Manuel Moreno, Prakash C. Jain
-
Patent number: 11924072
Abstract: Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.
Type: Grant
Filed: January 29, 2021
Date of Patent: March 5, 2024
Assignee: Cisco Technology, Inc.
Inventors: Navindra Yadav, Abhishek Ranjan Singh, Anubhav Gupta, Shashidhar Gandham, Jackson Ngoc Ki Pang, Shih-Chun Chang, Hai Trong Vu
-
Patent number: 11921323
Abstract: A photonic Y-splitter includes a substrate, first optical waveguides disposed in the substrate on a first layer, the first optical waveguides may be flared at a first end and inverse tapered toward a second end and may be substantially mirror images of one another, and a second optical waveguide disposed in the substrate on a second layer, above the first layer, the second optical waveguide being centered over the first optical waveguides and longitudinally arranged between the first end and the second end.
Type: Grant
Filed: July 28, 2021
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventor: Jean-Luc Joseph Tambasco
-
Patent number: 11923678
Abstract: Presented herein are techniques for power fault management that operates without power-source-side switching. A power transmitter is configured to provide power to a current loop, and a power receiver is configured to receive the power from the current loop. The power receiver is configured to, on a periodic basis, disconnect from the current loop to stop pulling power from the current loop for a period of time to enable a safety check to be performed by the power transmitter. The power transmitter is configured to monitor current on the current loop, determine whether the current level on the current loop passes the safety check within a predetermined time interval since a determination that the current level was not within a safe range, and control connectivity of the power to the current loop based on whether the safety check has or has not passed within the predetermined time interval.
Type: Grant
Filed: December 27, 2021
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Jason DeWayne Potterf, Chad M. Jones, Joel Richard Goergen
-
Patent number: 11924857
Abstract: In one embodiment, a method comprises first causing, by a controller device, wireless access points (APs) to allocate first non-interfering wireless channels for a prescribed reliable data service for wireless client devices in a WLAN; second causing the wireless APs to allocate a second shared channel having a bandwidth that is greater than the corresponding bandwidth of any of the first non-interfering wireless channels; allocating for each wireless client device a corresponding location service interval on the second shared channel for transmission of at least a corresponding identifiable wireless data unit for locating the corresponding wireless client device between two or more of the wireless APs; and determining a location of at least one of the wireless client devices based on reception of at least the corresponding wireless data unit between the one wireless client device and the two or more wireless APs during the corresponding location service interval.
Type: Grant
Filed: November 9, 2022
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Matthew Aaron Silverman, Ardalan Alizadeh, Pooya Monajemi, Jerome Henry
-
Patent number: 11924096
Abstract: According to one or more embodiments of the disclosure, a device of a virtual overlay for a Layer-2 mesh obtains a frame sent by a source toward a destination via the Layer-2 mesh. The device makes a classification of the frame. The device modifies, based on the classification, the frame to include a header associated with the virtual overlay and to include a trailer that comprises a sequence number of the frame, an identifier for a source of the frame, and a flow identifier. The device sends the frame modified by the device into the virtual overlay toward the destination, wherein the frame is replicated along different paths in the virtual overlay. The node in the virtual overlay performs deduplication with respect to two or more copies of the frame based on the trailer.
Type: Grant
Filed: July 15, 2022
Date of Patent: March 5, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventor: Albert Mitchell