Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.

Abstract: The present disclosure is directed to managing industrial internet of things end points and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations comprising: identifying a first end point using a protocol associated with the first end point, determining a classification for the identified first end point based on one or more attributes of the first end point, identifying one or more related end points having the classification in common with the first end point, segmenting the first end point with the identified one or more related end points, and applying one or more policies to the segmented first end point and the one or more related end points.

Abstract: Systems and methods are provided for receiving, at a network device, a first set of rules from a security controller of an enterprise network, the first set of rules being different from a second set of rules provided to a firewall by the security controller, implementing, at the network device, the first set of rules received from the security controller, generating, at the network device, a first log including metadata based on the first set of rules, the first log being generated on a per flow basis, notifying, at the network device, a NetFlow of the first log including the metadata of the first set of rules, and providing, from the network device, the first log to a cloud-log store by the NetFlow of the network device, the cloud-log store receiving the first log from the network device and a second log from the firewall.

Abstract: Systems, methods, and computer-readable media for an integrated Wi-Fi Access Point and cellular network Radio Unit (RU) include a communication system interfacing with a wired network for communicating Wi-Fi traffic and cellular network traffic, the communication system integrating a Wi-Fi Access Point (AP) with a cellular network Radio Unit (RU). The Wi-Fi traffic and cellular network traffic can be processed in the communication system. The communication system can interface with at least one programmable Radio Frequency (RF) front end configured for wireless communication over one or more frequency bands for Wi-Fi traffic and one or more frequency bands for cellular network traffic (e.g., 5G, LTE, Wi-Fi).

Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: The present disclosure is directed to seamless mobility between Wi-Fi technologies and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that perform operations including detecting a client device having 802.11ax and 802.11ay Wi-Fi capability, identifying a 802.11ax access point associated with a first data path, wherein the first data path is configured to transmit traffic to and from the client device, identifying a 802.11ay access point associated with a second data path, wherein the second data path is configured to transmit the traffic to and from the client device, and wherein the 802.11ay access point is non-colocated with the 802.11ax access point, and establishing a mobility anchor point through which the traffic is switched, wherein a determination is made in the mobility anchor point as to whether the traffic will be transmitted via the 802.11ax access point through the first data path or via the 802.

Abstract: The present disclosure is directed to managing industrial internet of things end points and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations comprising: identifying a first end point using a protocol associated with the first end point, determining a classification for the identified first end point based on one or more attributes of the first end point, identifying one or more related end points having the classification in common with the first end point, segmenting the first end point with the identified one or more related end points, and applying one or more policies to the segmented first end point and the one or more related end points.

Abstract: Certain embodiments disclose systems and methods for creating a user private network (UPN) based on 11ay technology. Methods of the present disclosure include creating a personal basic service set (PBSS) having a service device and one or more flay devices, the service device configured to wirelessly communicate with the one or more flay devices in the PBSS, creating a UPN having an access point located in communicative proximity with the service device, and associating at least one 11ay device of the one or more 11ay devices with the UPN, wherein the at least one flay device is configured to establish a wireless connection with the one or more flay devices using the service device when within a coverage area of the PBSS, and to establish a wireless connection with the one or more flay devices using the access point when outside the coverage area of the PBSS.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: Systems, methods, and computer-readable media for an integrated Wi-Fi Access Point and cellular network Radio Unit (RU) include a communication system interfacing with a wired network for communicating Wi-Fi traffic and cellular network traffic, the communication system integrating a Wi-Fi Access Point (AP) with a cellular network Radio Unit (RU). The Wi-Fi traffic and cellular network traffic can be processed in the communication system. The communication system can interface with at least one programmable Radio Frequency (RF) front end configured for wireless communication over one or more frequency bands for Wi-Fi traffic and one or more frequency bands for cellular network traffic (e.g., 5G, LTE, Wi-Fi).

Abstract: Secure network segmentation using logical subnet segments is described. A single network segment or subnet provided by a third party is mapped into multiple layer-3 virtual or logical segments without requiring separate subnets. This mapping is accomplished by using virtual routing functions (VRFs) per logical subnet segment while retaining a single subnet across the segments. The logical subnet segments interact with the single network segment provided by the third party (ISP). The layer-3 VRF instances are created without the need for separate IP subnet pools per layer-3 segment. Each VRF instance for the various logical subnet segments is mapped to an identifier and tag.

Abstract: A method includes generating, at a server, an event policy for controlling one or more wireless beacon devices in a network; detecting an event in the network; determining whether the event matches the event policy; when the event matches the event policy, generating programming information for configuring the one or more wireless beacon devices; and forwarding the programming information via one or more wireless access points to the one or more wireless beacon devices for configuring the one or more wireless beacon devices based on the programming information.

Abstract: Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.

Abstract: Techniques for providing flow meta data exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow meta data exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.

Abstract: A mapping system, under administrative control of a Wide Area Network (WAN) controller, can track each host, authorized to access a plurality of Local Area Networks (LANs), in one or more mapping databases including a first network address representing an identifier and a second network addressing representing a locator for each host. The mapping system can receive a request for resolution of a first identifier of a host not presently connected to the network. The mapping system can determine the mapping databases exclude a mapping for the first identifier. The mapping system can update the mapping databases with a first mapping including the first identifier and a first locator corresponding to a honeypot network device. The mapping system can transmit, to one or more LANs of the plurality of LANs, routing information to route traffic destined for the first identifier to the honeypot network device.

Abstract: Certain embodiments disclose systems and methods for creating a user private network (UPN) based on 11ay technology. Methods of the present disclosure include creating a personal basic service set (PBSS) having a service device and one or more 11ay devices, the service device configured to wirelessly communicate with the one or more 11ay devices in the PBSS, creating a UPN having an access point located in communicative proximity with the service device, and associating at least one 11ay device of the one or more 11ay devices with the UPN, wherein the at least one 11ay device is configured to establish a wireless connection with the one or more 11ay devices using the service device when within a coverage area of the PBSS, and to establish a wireless connection with the one or more 11ay devices using the access point when outside the coverage area of the PBSS.