Patents by Inventor Balaji Sundararajan
Balaji Sundararajan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12273267
Abstract: Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.
Type: Grant
Filed: March 14, 2024
Date of Patent: April 8, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Ramakumara Kariyappa, Nithin Bangalore Raju, Bhairav Dutia, Vivek Agarwal, Satish Mahadevan, Ankur Bhargava
-
Publication number: 20250106228
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Application
Filed: December 6, 2024
Publication date: March 27, 2025
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
-
Patent number: 12255758
Abstract: The present technology pertains to receiving a tag associating at least one routing domain in an on-premises site with at least one virtual network in a cloud environment associated with a cloud service provider. The present technology also pertains to the automation of populating route and propagation tables with the cloud service provider.
Type: Grant
Filed: March 20, 2024
Date of Patent: March 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Madhuri Kolli, Giorgio Valentini, Venkatraman Venkatapathy, Avinash Ashok Kumar Chiganmi, Vivek Agarwal
-
Patent number: 12255797
Abstract: Techniques for sharing the probing of software-as-a-service clouds among a cluster of routers are described herein. The techniques may include establishing a first path between a cluster of routers and an application infrastructure. Establishing a second path between the cluster of routers and the application infrastructure. Designating a first router in the cluster of routers to send probes over the first path to the application infrastructure. Designating a second router in the cluster of routers to send probes over the second path to the application infrastructure. Distributing, by the first router and to the cluster of routers, first routing performance data indicating a performance of the first path when communicating with the application infrastructure over the first path, distributing, by the second router and to the cluster of routers, second routing performance data indicating a performance of the second path when communicating with the application infrastructure over the second path.
Type: Grant
Filed: July 18, 2022
Date of Patent: March 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Vivek Agarwal, Jegan Kumar Somi Ramasamy Subramanian, Gokul Krishnan, Giorgio Valentini, Venkatraman Venkatapathy
-
Publication number: 20250071061
Abstract: Systems and methods are provided for re-balancing and healing of an SD-WAN in an unbalanced state and/or experiencing one or more failure states. In response to a request to connect to a new controller resulting from OMP load shedding from a first controller, the system can identify other controllers capable of handling the load requirements of the edge router. The system can incorporate the controller group preference of the edge router and select a second controller based on the identified other controllers and within the preferred controller group. If not possible, the system can temporarily assign the edge router to non-preferred controller groups and move them back to controllers in the preferred controller group once it becomes viable. The system further enhances OMP graceful restart (GR) logic to incorporate the load shedding effect and avoid unnecessary route retention that GR entails.
Type: Application
Filed: August 25, 2023
Publication date: February 27, 2025
Inventors: Satish Kumar Mahadevan, Sheikh M Qumruzzaman, Ravi Kiran Chintallapudi, Prosenjit Sarkar, Sourav Sen, Balaji Sundararajan, Rahul P Hardikar
-
Publication number: 20250071060
Abstract: Software-Defined Wide Area Networks (SD-WAN) generally do not support network segmentation. The concepts disclosed herein connect IPSec SD-WAN fabric to a Virtual Routing and Forwarding (VRF) router and make use of a Software Defined Cloud Interconnect (SDCI) Router to route traffic from IPSec SD-WAN to various cloud services from the SDCI Router in the fabric. The concepts disclosed herein also provide for tunnel multiplexing that takes incoming and outgoing traffic and maps VPNs to any service VRF associated with the cloud based services.
Type: Application
Filed: January 10, 2024
Publication date: February 27, 2025
Inventors: Steven Wood, Balaji Sundararajan, Laxmikantha Reddy Ponnuru, Avinash Shah, Pritam Baruah, Venkatesh Nataraj, Ganesh Devendrachar
-
Patent number: 12238006
Abstract: Systems and methods are provided for re-balancing and healing of an SD-WAN in an unbalanced state and/or experiencing one or more failure states. In response to a request to connect to a new controller resulting from OMP load shedding from a first controller, the system can identify other controllers capable of handling the load requirements of the edge router. The system can incorporate the controller group preference of the edge router and select a second controller based on the identified other controllers and within the preferred controller group. If not possible, the system can temporarily assign the edge router to non-preferred controller groups and move them back to controllers in the preferred controller group once it becomes viable. The system further enhances OMP graceful restart (GR) logic to incorporate the load shedding effect and avoid unnecessary route retention that GR entails.
Type: Grant
Filed: August 25, 2023
Date of Patent: February 25, 2025
Assignee: Cisco Technology, Inc.
Inventors: Satish Kumar Mahadevan, Sheikh M Qumruzzaman, Ravi Kiran Chintallapudi, Prosenjit Sarkar, Sourav Sen, Balaji Sundararajan, Rahul P Hardikar
-
Publication number: 20250062986
Abstract: This disclosure describes techniques for improving routing policy awareness in a network. The method includes detecting, by a controller, an application initiated for use at an edge node of a network. Then, generating, by an analytics engine coupled to the controller, analytical data of traffic flow at the edge node of the network wherein the traffic flow is in accordance with a routing policy for routing traffic associated with the application. Further, routing of the traffic through a path from one or more paths configured at the edge node that is in accordance with at least a Service Level Agreement (SLA) for traffic flow. Also, in response to an SLA violation during routing of the traffic, causing an action, by the controller, of routing traffic flow through another path that is in accordance with at least the SLA for traffic flow based on analytical data received of the traffic flow.
Type: Application
Filed: November 1, 2023
Publication date: February 20, 2025
Inventors: Syed Arslan Ahmed, Raj Venkatesan, Ashish Sood, Balaji Sundararajan, Mahalakshmi Rajaram, Yogesh Mittal, Ankur Bhargava
-
Patent number: 12231444
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
Type: Grant
Filed: January 17, 2024
Date of Patent: February 18, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
-
Patent number: 12225051
Abstract: Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.
Type: Grant
Filed: July 28, 2022
Date of Patent: February 11, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Vishnuprasad Raghavan, Kannan Kumar, Ramana Babu Polamarasetti, Mahalakshmi Rajaram
-
Patent number: 12218779
Abstract: The present technology pertains to receiving a tag associating at least one routing domain in an on-premises site with at least one virtual network in a cloud environment associated with a cloud service provider. The present technology also pertains to the automation of populating route and propagation tables with the cloud service provider.
Type: Grant
Filed: May 24, 2024
Date of Patent: February 4, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Madhuri Kolli, Giorgio Valentini, Venkatraman Venkatapathy, Avinash Ashok Kumar Chiganmi, Vivek Agarwal
-
Publication number: 20250039089
Abstract: Techniques for automatically providing per tenant weighted DCMP over shared transport interfaces and automated flow has load balancing are described. The techniques may include onboarding, by an SD-WAN controller, the tenant with a resource profile to a first multi-tenant edge device, where the resource profile defines a traffic allowance per transport interface for the tenant on the first multi-tenant edge device. The SD-WAN controller receives, from the first multi-tenant edge device, information including a first weight per transport interface of the first multi-tenant edge device for the tenant. The SD-WAN controller transmits the information to a second multi-tenant device. The SD-WAN controller receives, from the second multi-tenant edge device, information including a second weight per transport interface of the second multi-tenant edge device, and transmits the information to the first multi-tenant edge device.
Type: Application
Filed: July 17, 2024
Publication date: January 30, 2025
Inventors: Ganesh Devendrachar, Ajeet Pal Singh Gill, Balaji Sundararajan, Srilatha Tangirala, Satish Varadarajula, Satyajit Das
-
Publication number: 20250030638
Abstract: According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.
Type: Application
Filed: October 7, 2024
Publication date: January 23, 2025
Inventors: Balaji Sundararajan, Srilatha Tangirala, Ajeet Pal Singh Gill, Vivek Agarwal, Nithin Bangalore Raju
-
Publication number: 20250030743
Abstract: Methods and systems are described herein for dynamically applying a security policy based on one or more tag attributes. The method comprises receiving, at a network controller, information about an instance of a cloud workload instantiated at a cloud provider. The cloud workload is associated with a tag attribute. The method further comprises querying the cloud provider for at least one IP address associated with the tag attribute and learning the at least one IP address associated with the tag attribute, including the IP address for the instance of the cloud workload. The method further comprises associating a security policy with the at least one IP address associated with the tag attribute and propagating the security policy to at least one edge router for implementation.
Type: Application
Filed: July 21, 2023
Publication date: January 23, 2025
Inventors: Balaji Sundararajan, Kannan Kumar, Madhu Somu, Ramakumara Kariyappa, Kushal A Patel, Vishnuprasad Raghavan, Deepthi Tammireddy
-
Publication number: 20250030737
Abstract: Techniques for automatically integrating SD-WAN constructs to security policies are described. The techniques may include defining, by a security cloud provider, a security policy for an entity, the entity represented by a VPN security policy label and the security policy absent source and destination CIDR IP addresses. The security cloud provider notifies an SD-WAN controller of the security policy. The SD-WAN controller maps the VPN security policy label to an IP address pool and a VPN ID. The SD-WAN controller generates an enhanced security policy by automatically adding source and destination CIDR IP addresses to the security policy. The SD-WAN controller deploys the enhanced security policy to an SD-WAN branch router and generates a VPN segment between the SD-WAN branch router and the security cloud provider to establish a common secure internet gateway tunnel for the IP address pool.
Type: Application
Filed: July 20, 2023
Publication date: January 23, 2025
Inventors: Srilatha Tangirala, Venkatesh Nataraj, Ambika Basappa Chandrappa, Kartik Katti, Sasi Veera, Balaji Sundararajan
-
Patent number: 12199942
Abstract: A process can include determining a plurality of Network Address Translation (NAT) routes associated with respective edge routers included in a same virtual private network (VPN) for communicating with a software-defined wide area network (SDWAN). A process can include identifying a first subset of the plurality of NAT routes as mapped to a first public NAT address included in a NAT pool associated with the VPN. A process can include tagging each NAT route of the first subset with a tag value indicative of a preferred router for receiving return traffic of the respective NAT route. A process can include routing traffic on a respective NAT route of the plurality of NAT routes based on applying, at an SDWAN controller, a corresponding control policy matching the tag value of the respective NAT route.
Type: Grant
Filed: October 11, 2023
Date of Patent: January 14, 2025
Assignee: Cisco Technology, Inc.
Inventors: Balaji Sundararajan, Ajeet Pal Singh Gill, Sampath Sthothra Bhasham, Satish Kumar Mahadevan, Madhusudan V. Gindi, Tahir Ali
-
Patent number: 12192179
Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.
Type: Grant
Filed: August 4, 2022
Date of Patent: January 7, 2025
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Balaji Sundararajan, Venkatesh Gota B R, Sireesha Yeruva, Chandramouli Balasubramanian, Anand Oswal
-
Publication number: 20250007951
Abstract: Techniques for extending application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture. The techniques may include receiving, from a client device, traffic that is to be sent over a network to an application and determining a security score associated with the traffic. The security score may be based on a security posture associated with the client device, a security level associated with a connectivity network used by the client device, and the like. The techniques may also include determining, based at least in part on the security score and based at least in part on an application-aware routing policy, a path for sending the traffic to the application.
Type: Application
Filed: June 28, 2023
Publication date: January 2, 2025
Inventors: Prab Radhakrishnan, Balaji Sundararajan, Ram Dular Singh, Vishnuprasad Raghavan
-
Publication number: 20240430124
Abstract: The present disclosure is directed to managing industrial internet of things end points and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations comprising: identifying a first end point using a protocol associated with the first end point, determining a classification for the identified first end point based on one or more attributes of the first end point, identifying one or more related end points having the classification in common with the first end point, segmenting the first end point with the identified one or more related end points, and applying one or more policies to the segmented first end point and the one or more related end points.
Type: Application
Filed: September 9, 2024
Publication date: December 26, 2024
Inventors: Balaji Sundararajan, Vivek Agarwal, Anand Oswal, Chethan Channappa, Subhash Kodnad, Jeevan Sharma
-
Patent number: 12160370
Abstract: Route exchange in a plurality of network controller appliances on a per-tenant basis is disclosed. In one aspect, a method includes receiving, from a network management system and at a first network controller appliance, a designation of at least two tenants to be hosted on the first network controller appliance, the first network controller appliance being one of a plurality of network controller appliances in a SD-WAN; sending, from the first network controller appliance to other network controller appliances of the plurality of network controller appliances, a tenant list query message to obtain a corresponding tenant list of each of the other network controller appliances; and receiving a corresponding response from each of the other network controller appliances indicating the corresponding tenant list of each of the other network controller appliances, the corresponding response being used to update the tenant list on the first network controller appliance.
Type: Grant
Filed: February 9, 2023
Date of Patent: December 3, 2024
Assignee: Cisco Technology, Inc.
Inventors: Srilatha Tangirala, Nithin Bangalore Raju, Ananya Raval, Prabahar Radhakrishnan, Vivek Agarwal, Balaji Sundararajan