Abstract: The present disclosure relates to methods, systems, and non-transitory computer readable media for discovering policy scopes within an enterprise network and managing network policies for discovered policy scopes. In one aspect, a method includes identifying one or more communities of devices in an enterprise network; defining, from the one or more communities of devices, policy scopes in the enterprise network; generating a hierarchical representation of the policy scopes; identifying, based on the hierarchical representation of the policy scopes, one or more policies governing traffic flow between devices associated with each of the policy scopes; and managing application of the one or more policies at the devices.

Abstract: Systems and methods provide for optimizing utilization of an Address Translation Cache (ATC). A network interface controller (NIC) can write information reserving one or more cache lines in a first level of the ATC to a second level of the ATC. The NIC can receive a request for a direct memory access (DMA) to an untranslated address in memory of a host computing system. The NIC can determine that the untranslated address is not cached in the first level of the ATC. The NIC can identify a selected cache line in the first level of the ATC to evict using the request and the second level of the ATC. The NIC can receive a translated address for the untranslated address. The NIC can cache the untranslated address in the selected cache line. The NIC can perform the DMA using the translated address.

Abstract: A method by a wireless network device in a wireless data network comprises: joining a non-storing mode destination-oriented directed acyclic graph (DODAG) in response to receiving a multicast DODAG information object (DIO) message originated by a root device; generating and transmitting a unicast destination advertisement (DAO) message destined for the root device and indicating the wireless network device has joined the DODAG; advertising as a subroot of a subDAG in the DODAG, based on outputting a second message specifying subDAG information identifying the subDAG; receiving a second unicast DAO message generated by a child network device in the subDAG and addressed to the wireless network device, the second unicast DAO message indicating the child network device has joined the subDAG; and generating and sending a third unicast DAO message to the root device specifying the child network device is reachable via the wireless network device.

Abstract: This disclosure describes techniques for authentication related to verification of identity for network access. The techniques may include sending a challenge associated with authentication to a network to a mobile device. In response to sending the challenge, the techniques may include receiving a challenge response from the mobile device. The challenge response may include biometric credential information associated with a user of the mobile device. The challenge response may also include an indication of an authorization assertion associated with the authentication to the network. In some examples, the techniques may include tailoring access to the network for the mobile device based on the biometric credential information.

Abstract: A method includes instructing, by a WiFi access node, a first device to communicate using an uplink frequency band with a first uplink power. The method also includes instructing, by the WiFi access node, a second device to communicate using the uplink frequency band with a second uplink power different from the first uplink power.

Abstract: Embodiments provide for an optical modulator, comprising: a lower guide, comprising: a lower hub, made of monocrystalline silicon; and a lower ridge, made of monocrystalline silicon that extends in a first direction from the lower hub; an upper guide, including: an upper hub; and an upper ridge, made of monocrystalline silicon that extends in a second direction, opposite of the first direction, from the upper hub and is aligned with the lower ridge; and a gate oxide layer separating the lower ridge from the upper ridge and defining a waveguide region with the lower guide and the upper guide.

Abstract: Techniques and architecture are described for determining an identity of a client device and utilizing security policies associated with the client device provided by a device identity entity. For example, a tag associated with security policies is created for use in enforcing the security policies by a security policy enforcement entity associated with a cloud network. The techniques and architecture also allow for identification of a particular user on a client device that may be shared by multiple users based at least in part on the user accessing an application. Also, the techniques and architecture described herein provide a generic and agnostic approach to enforcing security policies for users and/or client devices.

Abstract: Seamless client roaming for Multi-Link Device (MLD) clients may be provided. First, a Traffic Identifier (TID)-to-link map may be established by an Upper Service Access Point (U-SAP) of a multi-AP MLD entity that assigns subsets of TIDs to at least two links of the entity. For example, a client device logically associates with the U-SAP, while the client device physically connects to a first and second AP of the entity on a respective first and second link, where the first and second AP include first and second Lower Service Access Points (L-SAPs) and are non-collocated. Next, using the map, data received at the U-SAP is directed over one of the two links for transmission to the client device. Further, frame aggregation and block acknowledgment functions may be performed by one of the first or second L-SAP based on whether data transmission is over the first or second link.

Abstract: This disclosure describes techniques for providing virtual resources (e.g., containers, virtual machines, etc.) of a clustered application with information regarding a cluster of physical servers on which the distributed clustered application is running. A virtual resource that supports the clustered application is executed on a physical server of the cluster of physical servers. The virtual resource may receive an indication of a database instance (or other application) running on a particular physical server of the cluster of physical servers that is nearest the physical server. The database instance may be included in a group of database instances that are maintaining a common data set on respective physical servers of the group of physical servers. The virtual resource may then access the database instance on the particular physical server based at least in part on the database instance running on the particular server that is nearest the physical server.

Abstract: In one embodiment, a network assurance service that monitors a network maps time series of values of key performance indicator (KPIs) measured from the network to lists of unique values from the time series. The service sets a target alarm rate for anomaly detection alarms raised by the network assurance service. The service uses an optimization function to identify a set of thresholds for the KPIs. The optimization function is based on: a comparison between the target alarm rate and a fraction of network issues flagged by the service as outliers, KPI thresholds selected based on the lists of unique values from the time series, and a number of thresholds that the KPIs must cross for the service to raise an alarm. The service raises an anomaly detection alarm for the monitored network based on the identified set of thresholds for the KPIs.

Abstract: This disclosure describes lifecycle management (LCM) techniques for improving high availability (HA) and scalability in a virtual network. The techniques include empowering virtual network function managers (VNFMs) to provide LCM to other VNFMs in the virtual network. For example, a VNFM instance in the virtual network may autonomously update and/or improve the virtual network design, such as by deploying additional VNFM instances. A VNFM network may be able to self-organize, such as by designating a primary cluster and/or autonomously holding an election. A VNFM instance may also heal and/or redeploy another VNFM instance. The present virtual network LCM techniques may allow a virtual network to be self-sustaining while providing HA.

Abstract: Systems and methods are described herein for logging system events within an electronic machine using an event log structured as a collection of tree-like cause and effect graphs. An event to be logged may be received. A new event node may be created within the event log for the received event. One or more existing event nodes within the event log may be identified as having possibly caused the received event. One or more causal links may be created within the event log between the new event node and the one or more identified existing event nodes. The new event node may be stored as an unattached root node in response to not identifying an existing event node that may have caused the received event.

Abstract: Embodiments of the present disclosure are directed to protocol state transition and/or resource state transition tracker configured to monitor, e.g., via filters, for certain protocol state transitions/changes or host hardware resource transitions/changes when a host processor in the control plane that performs such monitoring functions is unavailable or overloaded. The filters, in some embodiments, are pre-computed/computed by the host processor and transmitted to the protocol state transition and/or resource state transition tracker. The protocol state transition and/or resource state transition tracker may be used to implement a fast upgrade operation as well as load sharing and or load balancing operation with control plane associated components.

Abstract: In one embodiment, a device obtains performance data regarding failures of a tunnel in a network. The device generates a failure profile for the tunnel by applying machine learning to the performance data regarding the failures of the tunnel. The device determines, based on the failure profile for the tunnel, whether the tunnel exhibits failure flapping behavior. The device adjusts one or more Bidirectional Forwarding Detection (BFD) probing timers used to detect failures of the tunnel, based on the determination as to whether the tunnel exhibits failure flapping behavior.

Abstract: Aspects include a pluggable optical device and related optical system. The pluggable optical device comprises a housing, a printed circuit board (PCB) within the housing, and one or more blind mate optical connectors attached to the PCB along a first end of the PCB. The pluggable optical device further comprises one or more electrical contacts of the PCB near the first end, one or more external optical connectors arranged near a second end of the PCB opposite the first end, and one or more optical components attached to the PCB and included in optical paths extending between the one or more external optical connectors and the one or more blind mate optical connectors.

Abstract: In one embodiment, a service associates a plurality of descriptive tags with a node in a network, based on an inspection of packets sent by the node that is performed by one or more sensors deployed to the network. The service identifies, based on the plurality of descriptive tags, data to be extracted from traffic of the node by an edge device located at an edge of the network. The service determines, based on the plurality of descriptive tags, an external destination to which the data should be sent by the edge device after extraction. The service sends a data pipeline configuration to the edge device, wherein the data pipeline configuration causes the edge device to extract the data from the traffic sent by the node and to send the data to the external destination.

Abstract: Embodiments herein describe assigning different linearity operating points of a front end of a radio to groups of user devices when transmitting data using OFDMA. That is, when transmitting a PPDU to a first group of user devices, an access point (AP) may set the front end of the radio to a lower linearity operating point than when transmitting a PPDU to a second group of user devices. Using a higher linearity operating point can increase the data rate used to transmit the PPDU—e.g., the AP can use a higher modulation coding scheme (MCS). This can reduce the time the PPDUs have to wait in a queue before being transmitted.

Abstract: Techniques for utilizing a communication system that provides access to a representation of a virtual environment to participants. The communication system may establish connections between personal communication bridge(s) associated with participant(s) interacting within a virtual proximity radius of one another's virtual indicator in the virtual environment. The communication system may cause conversation data to be sent each personal communication bridge associated with a participant that is within the virtual proximity radius of the sender, and cause conversation data to be received via the personal communication bridge of a participant that is within the virtual proximity radius of the sender. The communication system may also analyze data associated with the participant profile(s) and transcribed conversation data from the communication bridges(s) to recommend potential conversations of interest to participant(s).

Abstract: In one embodiment, a method is performed. A device may include an interface in communication with a network. The device may determine whether an all-active multi-homed ethernet segment (ES) associated with the interface is enabled. On a condition that an all-active multi-homed ES is enabled, the device may determine an ethernet virtual private network (EVPN) designated forwarder (DF) state of the all-active multi-homed ES. If the all-active multi-homed ES is enabled and has an ethernet virtual private network (EVPN) designated forwarder (DF) state, the device may enter a protocol independent multicast (PIM) designated router (DR) state. If an all-active multi-homed ES is enabled and does not have an EVPN DF state, the device may enter a PIM non-DR state.

Abstract: A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes is shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.