Abstract: Wireless access points detect neighboring wireless access points in different subnets. Upon connecting with a wireless client, a wireless access point determines predictive roaming information for the wireless client. Predictive roaming information identifies the wireless client; its home network subnet; and includes connection information associated with the wireless client. The wireless access point forwards the predictive roaming information associated with a wireless client to neighboring wireless access points while the wireless client is still connected with the wireless access point. Neighboring wireless access points store received predictive roaming information. Upon connecting with a wireless client, a neighboring wireless access point determines if the wireless client matches the stored predictive roaming information.

Abstract: Techniques for implementing traffic deduplication in a visibility network are provided. According to one embodiment, a packet broker of the visibility network can receive a control or data packet replicated from a core network. The packet broker can then apply a first stage deduplication process in which the packet broker attempts to deduplicate the control or data packet based on one or more interfaces of the core network from which the control or data packet originated, and apply a second stage deduplication process in which the packet broker attempts to deduplicate the control or data packet based on the content (e.g., payload) of the control or data packet.

Abstract: A plug-in network device is disclosed. The plug-in network device can be used in association with a network management system and an infrastructure network device. The plug-in network device includes two antenna arrays, one of which is up-facing and one of which is front-facing. The plug-in network device can achieve wireless communication with the infrastructure network device via the up-facing antenna array and provide network services to wireless stations through the front-facing antenna array. The network management system can manage both the infrastructure network device and the plug-in network device.

Abstract: Authenticating a client device coupled to an authenticator network device for a network. A service request is received from the client device at the authenticator network device. User credentials, including a user ID, a user key, and a nonce for a user are received at the authenticator network device. A token is generated using the received user credentials. The service request is modified to include the token and a user ID parameter that is the user ID to generate a modified service request. The modified service request is used to provide single sign-on access to a service that is the subject of the service request.

Abstract: A security event that is associated with one or more communication devices is detected. For example, the security event may be an unexpected change in data being sent from a communication device outside an enterprise. In response to detecting the security event, a Virtual Service Network (VSN) is created that isolates one or more communication devices that may pose a security risk. A corrective action to mitigate the security event is then implemented. For example, the corrective action may be to dynamically instantiate a firewall on the VSN that blocks the transfer of data from the communication device outside the enterprise. This allows an administrator to review the security event and take further action if necessary. Because the VSN with the firewall is created dynamically, the network remains secure while the security event is investigated.

Abstract: Methods and apparatus are described for implementing service discovery protocols on subnetted zero configuration networks. A process for managing service advertisement across a plurality of subnets may comprise: collecting service advertisements on a local network level by designated network devices; sending listings of services from each of the designated devices to a master network device; sending a table of services for the plurality of subnets from the master device to all of the designated devices on the plurality of subnets; creating by each of the designated network devices for the corresponding subnet a service discovery proxy table listing the service advertisements on the subnets of the plurality of subnets beyond the subnet corresponding to the designated device; and periodically transmitting by each of the designated devices on the corresponding subnets service advertisements for the services of the corresponding service discovery proxy table.

Abstract: Techniques and systems for performing a network activity within a network. The technique includes assigning one or a plurality of network devices subnets with network devices for performing network activities. Network devices within the assigned network device subnets can be assigned to act as a primary network device and a backup network device. The primary network device can perform the network activity. The backup network devices can monitor the primary network device and continue performing the network activities if the primary network device fails or is rogue.

Abstract: A method and apparatus for automated mirroring is presented. A network device running as a Fabric Attach (FA) server configured to mirror traffic to a Remote Switch Port Analyzer (RSPAN) Virtual Local Area Network (VLAN), issues an FA Type Length Value (TLV) on its uplink to the FA server. The TLV includes a request to associate said RSPAN VLAN with a Service Identifier (I-SID) used to carry mirror traffic in a network. The network device sends the mirrored traffic on the RSPAN VLAN on its uplink to the FA server. The network device signals the I-SID into the network, and detects receive interest in the I-SID. The network device delivers the mirrored traffic to devices that expressed a receive interest in the mirrored traffic.

Abstract: A method and system for selecting a route in a wireless network for the transmission of a data packet between wireless nodes in the network using a modified link-state routing algorithm. A subset of nodes called portal nodes within the network are elected to do the broadcasting for the entire network. A wireless node identifies a unicast route back to its root portal node, and sends a link-state register message to this portal node. These link-state register messages received by each portal node are aggregated by them and are broadcast to each of the wireless nodes for storage. When a data packet is thereafter received by a wireless node from a neighboring node, it detects if the data packet satisfies one of a plurality of predetermined conditions and rebroadcasts the data packet to neighboring wireless nodes if none of the conditions is satisfied.

Abstract: Implementing auto attach for a shortest path bridging (SPB) network comprises determining, on an access point, that an auto attach device communicating in a SPB network is enabled for auto attach, and an advertisement is transmitted to a mobile station. The access point acts a proxy between the mobile station and the auto-attach device by communicably coupling the auto attach device and the mobile station via the access point. A virtual local area network (VLAN) identification and service instance identifier (I-SID) is received from the mobile station, when is then transmitted to the auto-attach device. A VLAN (independent of any static VLAN associated with the WLAN) is created off of the VLAN identification and an indication that the I-SID and the VLAN have been accepted. Data communications are then provided between the mobile station and the auto attach device via the VLAN and the access point.

Abstract: A technique for improving wireless communication characteristics involving matching transmitter antenna patterns to receiver antenna patterns. In a specific implementation, the transmitter antenna pattern adapts to changing parameters, such as when a smartphone is initially held in a first orientation and is later held in a second orientation. Because the transmitter antenna pattern matches receiver antenna patterns, signal quality between stations improves. In some implementations, antennas are organized and mounted to maximize spatial diversity to cause peak gains in different directions.

Abstract: Systems and methods for steering clients based on network service access characteristics. Systems can include a network service access characteristics specific network device client steering system and a network service access characteristics specific radio client steering system. Methods can include steering clients to network devices in accessing network services based on network service access characteristics and steering clients to radios in accessing network services based on network service access characteristics.

Abstract: Techniques for exchanging control and configuration information in a network visibility system are provided. In one embodiment, a control plane component of the network visibility system can receive one or more first messages from a data plane component of the network visibility system, where the one or more first messages define one or more forwarding resources available on the data plane component. The control plane component can further retrieve configuration information stored on the control plane component that comprises one or more network prefixes to be monitored by the network visibility system, and can determine one or more mappings between the network prefixes and the forwarding resources. Upon determining the one or more mappings, the control plane component can generate one or more packet forwarding rules based on the mappings.

Abstract: Airtime usage may be used as a factor in controlling network traffic flow to and from client devices via a wireless network interface. Received packets or other data are assigned to a quality of service profile. Additionally, a cost value for communicating the received data is determined at least in part based on an actual or estimated airtime usage for the received packet. The cost value is used to allocate wireless network airtime to data. The allocation of wireless network airtime may be varied dynamically based on operating conditions. The cost value may be based on factors including the airtime used to communicate data; whether the data is a retransmission; and wireless network overhead. The cost value of data may also be different depending on whether the data is being sent from a client device or to a client device.

Abstract: A unique pre-shared key plug-in is installed on a Chromebook device. Identification data associated with the Chromebook device is received, from the unique pre-shared key plug-in through a Chromebook client management system API. A unique pre-shared key is assigned to the Chromebook device using the identification data. The unique pre-shared key is sent to the Chromebook device. The Chromebook device is configured to seamlessly authenticate for a wireless network using the unique pre-shared key.

Abstract: Disclosed herein are system, method, and computer program product embodiments for analyzing a network. An embodiment operates by a third-party component deriving network data based on a received data packet from a network component configured to perform a network function. The third-party component orders a transaction including second network data from a distributed ledger. The third-party component determines that the first and second network data meet or exceed a condition of a smart contract comprising the condition and an associated network action related to the network function. The third-party component sends the condition of the smart contract and the first and second network data to another third-party component. The third-party component receives a validation that the first and second network data meet or exceed the first condition of the first smart contract and performing the first network action on the network.

Abstract: Disclosed herein are system, method, and computer program product embodiments for representing a forwarding information base (FIB) in a database. An embodiment operates by organizing forwarding entries of the FIB in a trie data structure. The embodiment determines that a first routing prefix of a first forwarding entry in the trie data structure is a less specific routing prefix than a second routing prefix in a second forwarding entry in the trie data structure based on the first forwarding entry being a parent of the second forwarding entry. The embodiment determines that a first next hop of the first routing prefix is equal to a second next hop of the second routing prefix. The embodiment removes the second forwarding entry from the trie data structure. The embodiment then inserts the first forwarding entry into the database based on a prefix length of the first routing prefix.

Abstract: Techniques for managing IoT devices through multi-protocol infrastructure network devices are disclosed. A system utilizing such techniques can include a multi-protocol infrastructure network device and a WAN based IoT device management system and various network device based engines. A method utilizing such techniques can include management according to WAN based IoT device policies and LAN based IoT device policies.

Abstract: Aspects of the present disclosure enable a router controller to maintain a default rules table indicating allocation of internet protocol (IP) addresses (of general packet radio service (GPRS) tunneling protocol (GTP) packets) to respective output ports. In an embodiment, the router controller receives information indicating the respective tunnel endpoint IP addresses of a control session and a data session. The router controller is configured to determine whether such IP addresses of the control session and the data session(s) are allocated to the same output port. In response to the IP addresses of the control session and the data session not being allocated to the same output port, the router controller is configured to generate a dynamic rule to forward packets of both the control session and the data session to the same output port.

Abstract: Systems and methods for performing network-side Simultaneous Authentication of Equals (SAE) to allow an end user device to access a network. A passphrase is assigned to an end user device for use in authenticating the end user device for a network using SAE. An identification of the end user device is determined during an authentication process. The passphrase assigned to the end user device is determined at a network side using the identification of the end user device. A shared secret is generated using the passphrase. Whether the end user device has generated the shared secret is determined by comparing network side and user side confirmation values. The end user device is authenticated for the network, if it is determined that the end user device has generated the shared secret.