Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: Techniques are described to provide open access in a neutral host environment. In one example, a method includes obtaining, by a mobility management node of a neutral host network, a network connectivity request from a user equipment, wherein the network connectivity request comprises an indication of a preferred service provider to which the user equipment is to be connected; determining, by the mobility management node, that the preferred service provider provides non-subscription-based network connectivity for the neutral host network; based on determining that the preferred service provider provides non-subscription-based network connectivity for the neutral host network, establishing secure communications for the user equipment, wherein the secure communications are established for the user equipment without authenticating an identity of user equipment; and providing network connectivity between the user equipment and the preferred service provider upon establishing the secure communications.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: Systems, methods, and computer-readable media for providing cross-domain policy enforcement. In some examples, transit VRFs for a destination network domain and a source network domain are created. Route advertisements for nodes coupled to source VRFs in the source network domain are created that include identifications of the source VRFs. The route advertisements can be transmitted from a source transit VRF in the source network domain to a destination transit VRF in the destination network domain. The route advertisements can then be filtered at the destination transit VRF based on a cross-domain policy using the identifications of the source VRFs to export routes to destination VRFs in the destination network domain according to the cross-domain policy.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: A method includes generating, at a server, an event policy for controlling one or more wireless beacon devices in a network; detecting an event in the network; determining whether the event matches the event policy; when the event matches the event policy, generating programming information for configuring the one or more wireless beacon devices; and forwarding the programming information via one or more wireless access points to the one or more wireless beacon devices for configuring the one or more wireless beacon devices based on the programming information.

Abstract: In one example, a server obtains, from a device having an embedded Subscriber Identification Module (eSIM), a unique identifier of the eSIM. The server validates the device based on the unique identifier of the eSIM. The server provides, to the device, a unique credential for a profile of the eSIM. The profile of the eSIM corresponds to a network of an enterprise. The server provides, to a credential database, the unique credential for the profile of the eSIM. The credential database including the unique credential for the profile of the eSIM indicates that the device is permitted to access the network of the enterprise.

Abstract: Various implementations disclosed herein provide a method for authenticating users to an enterprise network using closed subscriber groups. The method includes determining whether the client device is associated with a subscriber group that corresponds to the enterprise network. The method further includes granting the client device access to the enterprise network in response to determining that the client device is associated with the subscriber group that corresponds to the enterprise network.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: A mapping system, under administrative control of a Wide Area Network (WAN) controller, can track each host, authorized to access a plurality of Local Area Networks (LANs), in one or more mapping databases including a first network address representing an identifier and a second network addressing representing a locator for each host. The mapping system can receive a request for resolution of a first identifier of a host not presently connected to the network. The mapping system can determine the mapping databases exclude a mapping for the first identifier. The mapping system can update the mapping databases with a first mapping including the first identifier and a first locator corresponding to a honeypot network device. The mapping system can transmit, to one or more LANs of the plurality of LANs, routing information to route traffic destined for the first identifier to the honeypot network device.

Abstract: Systems and methods provide for end-to-end identity-aware routing across multiple administrative domains. A first ingress edge device of a second overlay network can receive a first encapsulated packet from a first egress edge device of a first overlay network. The first ingress edge device can de-encapsulate the first encapsulated packet to obtain an original packet and a user or group identifier. The first ingress edge device can apply a user or group policy matching the user or group identifier to determine a next hop for the original packet. The first ingress edge device can encapsulate the original packet and the user or group identifier to generate a second encapsulated packet. The first ingress edge device can forward the second encapsulated packet to the next hop.

Abstract: A network device may receive a flow having source information corresponding to a first client device and destination information corresponding to a second client device. A tag may then be created by the network device for the flow based upon the source information and the destination information. Next, the network device may encapsulate a packet corresponding to the flow. The packet may be encapsulated with encapsulation information including the created tag. The encapsulated packet may then be routed through a plurality of intermediate network devices in the network. The created tag encapsulated with the packet may identify the packet as being a part of the flow as the packet is routed through the plurality of intermediate network devices.

Abstract: An application switch instantiates two application-side network service instances for the same application. Each network service instance is characterized by a common Internet Protocol (IP) address, a common Open Systems Interconnection (OSI) reference model layer 2 (L2) media access control (MAC) address, and a unique (for the application) supplemental L2 identifier. The application switch maintains a mapping between a {client IP address, client port} tuple and a particular instantiated network service instance based at least in part on the supplemental L2 identifier of a particular one of the instantiated first and second network service instances.

Abstract: In one embodiment, a method for the prioritized transmission of messages includes monitoring a network link of a mobile device to determine performance characteristics of the network link, establishing a network association between the mobile device and a routing network node, receiving a connection request from an application that is directed to a connection between the mobile device and a destination server, determining a relative priority of the connection, mapping the connection to a stream of the network association that is associated with the relative priority of the connection and identifies the destination server, and transmitting messages for the stream to the routing network node interlaced with messages of other streams of the network association based on the performance characteristics of the network link and the relative priority associated with the stream in comparison to relative priorities associated with the other streams of the network association.

Abstract: A method is provided in one example embodiment and includes receiving a dynamic host configuration protocol (DHCP) discovery signal at a wireless network element from a customer premise equipment; requesting that a data session be established at a gateway; receiving an Internet protocol (IP) address; and communicating the IP address to the customer premise equipment.

Abstract: In one embodiment, a device in a network determines one or more network metrics regarding operation of the network. The device determines one or more policy constraints regarding the routing of network traffic through a virtual service platform (VSP). The device generates a VSP usage policy based on the one or more network metrics and on the one or more policy constraints. The VSP usage policy is operable to cause traffic in the network to be routed through a particular VSP that is selected based on the VSP usage policy. The device causes the VSP usage policy to be implemented in the network.