Abstract: Techniques for virtualizing tenant transport interfaces configured to implement per-tenant network routing attribute differentiation in each tenant overlay of a multisite wide area network (WAN) and share the virtual transport interfaces between multi-tenant edge (MTE) devices providing transport services to tenant devices based on a defined tenant tier model. A Software-Defined Networking (SDN) controller may receive a physical transport interface and/or a device type associated with a tenant device. The SDN controller may determine a virtual transport interface for the tenant device based on a tier associated with the tenant. MTE device(s) may utilize the physical transport interface to establish sessions with other MTE device(s) in the WAN. The virtual transport interface may be utilized by MTE devices to implement and/or enforce network routing attributes when forwarding network traffic associated with the tenant via the sessions established between the MTE devices through the WAN.

Abstract: Techniques for virtualizing tenant transport interfaces configured to implement per-tenant network routing attribute differentiation in each tenant overlay of a multisite wide area network (WAN) and share the virtual transport interfaces between multi-tenant edge (MTE) devices providing transport services to tenant devices based on a defined tenant tier model. A Software-Defined Networking (SDN) controller may receive a physical transport interface and/or a device type associated with a tenant device. The SDN controller may determine a virtual transport interface for the tenant device based on a tier associated with the tenant. MTE device(s) may utilize the physical transport interface to establish sessions with other MTE device(s) in the WAN. The virtual transport interface may be utilized by MTE devices to implement and/or enforce network routing attributes when forwarding network traffic associated with the tenant via the sessions established between the MTE devices through the WAN.

Abstract: Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.

Abstract: This disclosure describes techniques and mechanisms for improving security within SDWAN fabric and utilizing telemetry data from non-enterprise providers to remediate compromised SDWAN site(s) and/or user(s). The techniques may implement an integration of non-enterprise application(s) and API(s) with an enterprise network, thereby enabling the enterprise network to identify compromised endpoint(s), identify user(s), group(s), site(s) that are impacted, and take a corrective action (by the enterprise network and/or the non-enterprise application(s) or API(s)) on the enterprise fabric.

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: This disclosure describes techniques and mechanisms for disclosure describes techniques and mechanisms for a central management plane to automatically create and assign system identifiers to network devices, thereby creating a global network hierarchy within a network. The techniques enable the use of a system identifier to be automatically generated and assigned, as well as configuration and network policies to be automatically generated based on the system identifier. Accordingly, the techniques enable automation of regional connectivity and policy application, a simplified manner of troubleshooting/debugging of any connectivity issues, and a simplified, aggregated view of statistic and analytics related to problems at site, sub-region, and region levels.

Abstract: Techniques are described for routing traffic through an interconnect cloud gateway based on cloud traffic routing indicators. The interconnect cloud gateway can advertise the cloud traffic routing indicators, which can include cloud indicators and transport gateway indicators. The cloud indicators can include cloud tags utilized to route cloud traffic. The transport gateway indicators can include transport gateway flags utilized to identify private networks utilized to route the cloud traffic. The cloud traffic can routed during normal private network operation through private networks, which can be dynamically replaced by public networks due to occurrences of failures preventing the data traffic from being routed through the private networks and to cloud networks.

Abstract: Techniques and architecture are described for a pull model for obtaining and implementing config changes on network devices are described herein. A user submits intent configuration to the network controller that needs to be delivered to several network sites. The network controller generates a config file. The network controller sends a pull notification message to all network devices that need to retrieve the config file. This pull notification message only contains a corresponding transaction ID for each network device and a location for the network device to use to pull the config file. The network devices may utilize a HTTP REST API exposed by the network controller to obtain the config file from the network controller. The network devices may utilize a REST API exposed by the network controller to reply with statuses of the configuration transaction. The techniques and architecture may be applied to multi-tenant network devices.

Abstract: This disclosure describes techniques and mechanisms for disclosure describes techniques and mechanisms for a central management plane to automatically create and assign system identifiers to network devices, thereby creating a global network hierarchy within a network. The techniques enable the use of a system identifier to be automatically generated and assigned, as well as configuration and network policies to be automatically generated based on the system identifier. Accordingly, the techniques enable automation of regional connectivity and policy application, a simplified manner of troubleshooting/debugging of any connectivity issues, and a simplified, aggregated view of statistic and analytics related to problems at site, sub-region, and region levels.

Abstract: A method of creating a connection between a controller and plurality of edge devices may include reading, by a data plane development kit (DPDK) of the controller, a plurality of packets having a common destination port from the plurality of edge devices, and demuxing, by the DPDK, a number of frames of the plurality of packets based on a hash of the plurality of packets, the hash altering the common destination port of the plurality of packets with a corresponding number of sham destination ports. The method may also include, with a TUNTAP interface, injecting the plurality of packets into a network kernel, and with the network kernel, delivering the plurality of packets to a respective one of a plurality of daemon instances.

Abstract: Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.

Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at a least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.

Abstract: Techniques for sharing the probing of software-as-a-service clouds among a cluster of routers are described herein. The techniques may include establishing a first path between a cluster of routers and an application infrastructure. Establishing a second path between the cluster of routers and the application infrastructure. Designating a first router in the cluster of routers to send probes over the first path to the application infrastructure. Designating a second router in the cluster of routers to send probes over the second path to the application infrastructure. Distributing, by the first router and to the cluster of routers, first routing performance data indicating a performance of the first path when communicating with the application infrastructure over the first path, distributing, by the second router and to the cluster of routers, second routing performance data indicating a performance of the second path when communicating with the application infrastructure over the second path.

Abstract: The present technology is directed to controlling and managing resources both in Software-Defined Cloud Interconnect (SDCI) providers and cloud service providers via a single network controller and further connecting virtual networks in a branch site to virtual networks in the cloud service providers. A network controller can establish a network gateway in an SDCI provider, establish a cross-connectivity between the network gateway in the SDCI provider and one or more clouds, group one or more virtual networks in the one or more clouds and one or more virtual networks in a branch site into a tag, and establish a connection between the one or more virtual networks in the one or more clouds and the one or more virtual networks in the branch site using the tag.

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: Systems, methods, and computer-readable media for creating service chains for inter-cloud traffic. In some examples, a system receives domain name system (DNS) queries associated with cloud domains and collects DNS information associated the cloud domains. The system spoofs DNS entries defining a subset of IPs for each cloud domain. Based on the spoofed DNS entries, the system creates IP-to-domain mappings associating each cloud domain with a respective IP from the subset of IPs. Based on the IP-to-domain mappings, the system programs different service chains for traffic between a private network and respective cloud domains. The system routes, through the respective service chain, traffic having a source associated with the private network and a destination matching the IP in the respective IP-to-domain mapping.

Abstract: According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.

Abstract: According to some embodiments, a method includes receiving, from a graphical user interface, an indication that a user has purchased licenses associated with a CNF. The method further includes sending, to a second computing system of a CNF, first instructions regarding the licenses purchased by the user. The method further includes receiving an indication that the user wishes to deploy a particular router in the CNF with a particular data connection and retrieving, from the second computing system of the CNF, a list of licenses previously purchased by the user. The method further includes automatically determining, from the list of licenses, appropriate licenses for the particular router that the user wishes to deploy in the CNF. The method further includes sending second instructions that are operable to deploy the particular router in the CNF with the particular data connection and apply the determined licenses to the deployed particular router.

Abstract: The present technology discloses methods, systems, and non-transitory computer-readable storage media for establishing a redundant path connection. An example method can include configuring a software-defined wide-area network (SDWAN) tunnel between an on-premises router and a plurality of SDWAN routers; configuring a virtual layer 2 connection between the plurality of SDWAN routers and handoff locations for a virtual cloud resource (VCR) associated with at least one VCR tag, wherein a software-defined cloud infrastructure (SDCI) underlay associated with at least one SDCI provider connects to a cloud service provider (CSP) at the handoff locations; configuring a VCR connection between at least one VCR associated with the VCR tag and the handoff locations for the at least one VCR; configuring a border gateway protocol (BGP) session between the plurality of SDWAN routers and the handoff locations; and validating the SDWAN tunnel, the virtual layer 2 connection, the VCR connection, and the BGP session.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.