Abstract: The present disclosure provides systems and methods for securing a computer workload. The method may comprise: receiving a workload; embedding a secure agent into the workload, wherein the secure agent comprises (i) a shim layer located between an application libraries layer of the workload and an operating system service layer and (ii) a security policy repository; and implementing security policies based at least in part on application programming interface (API) calls intercepted by the shim layer.

Abstract: Described herein are techniques for resolving overlapping IP addresses for subnets assigned to uplink interfaces of a network switching device. As an example, a network switching device may determine that an IP address range of a first assigned subnet to a first uplink interface overlaps an IP address range of a second assigned subnet to a second uplink interface. The network switching device may generate a first map between the first assigned subnet and a first intermediate subnet, and generate a second map between the second assigned subnet and a second intermediate subnet, wherein an IP address range of the first intermediate subnet and an IP address range of the second intermediate subnet are non-overlapping.

Abstract: Described herein are techniques for resolving overlapping IP addresses for subnets assigned to uplink interfaces of a network switching device. As an example, a network switching device may determine that an IP address range of a first assigned subnet to a first uplink interface overlaps an IP address range of a second assigned subnet to a second uplink interface. The network switching device may generate a first map between the first assigned subnet and a first intermediate subnet, and generate a second map between the second assigned subnet and a second intermediate subnet, wherein an IP address range of the first intermediate subnet and an IP address range of the second intermediate subnet are non-overlapping.

Abstract: Some examples relate to determining routing decisions on a network device in a SD-WAN. In an example, a network device in a SD-WAN comprising a plurality of network nodes may receive respective routing information from a respective routing agent present on each node of the plurality of network nodes. The network device may determine an overlay network topology among the plurality of network nodes. Based on the overlay network topology and the respective routing information received from the respective routing agent, the network device may determine a respective routing decision for each node. The network device may distribute the respective routing decision to corresponding network node in the SD-WAN.

Abstract: In one embodiment, a method includes receiving a packet at a network device in communication with a plurality of client nodes, the packet identifying a first client node, performing a look up in a table stored at the network device to locate policies associated with the first client node, the table including an entry for each of the client nodes, each entry having a plurality of policies associated with the client node, applying the policies associated with the first client node at a forwarding engine at the network device, and forwarding the packet from the network device. An apparatus is also disclosed.

Abstract: A first data set is derived from a second data set. The first data set is stored in a database of derived data sets. The second data set is updated without updating the first data set, such that the first data set and the second data are inconsistent. The first data set is deleted or updated during batch processing of the database of the derived data sets.

Abstract: In one embodiment, a method includes receiving a packet from a source wireless device at a second switch, the source wireless device previously associated with a first switch and roamed to and associated with the second switch, wherein a point of presence for the source wireless device is maintained at the first switch, inserting into the packet a direction indicator, and forwarding the packet from the second switch to the first switch, the direction indicator identifying the packet as being transmitted towards the point of presence for the source wireless device to prevent a forwarding loop. An apparatus is also disclosed.

Abstract: A first data set is derived from a second data set. The first data set is stored in a database of derived data sets. The second data set is updated without updating the first data set, such that the first data set and the second data are inconsistent. The first data set is deleted or updated during batch processing of the database of the derived data sets.

Abstract: Techniques are provided to enable a support for guest access of devices in a network. At a controller apparatus in a first mobility sub-domain of a network comprising a plurality of mobility sub-domains, a request message containing a request for guest network access for a device is received from a first access switch in the first mobility sub-domain. The controller apparatus forwards the request message to a guest controller. At a tunneling endpoint apparatus in the first mobility sub-domain, a tunnel is established to the guest controller to carry traffic between the device and the guest controller. Traffic for the device passes in a tunnel between the first access switch and the tunneling endpoint apparatus in the first mobility sub-domain, through the tunneling endpoint apparatus in the first mobility sub-domain and in the tunnel between the routing apparatus in the first mobility sub-domain and the guest controller.

Abstract: A method and apparatus for handoff of a wireless client from a first network device to a second network device in a wired network are disclosed. In one embodiment, the method includes receiving data from a new wireless client at the second network device and transmitting a request for a route update for the new wireless client to the wired network. Prior to network convergence for the route update, data traffic for the new wireless client is received from the first network device and forwarded to the new wireless client. Context information for the new wireless client is transmitted from the second network device to other network devices in a proximity group of the second network device.

Abstract: Techniques are provided for seamless integration of wired and wireless functionality packet forwarding in network. A plurality of access switches are provided in each of a plurality of mobility sub-domains that are part of a mobility domain of a network. Each access switch serves one or more Internet Protocol (IP) subnets, each comprising a plurality of IP addresses. An access switch obtains an IP address for a wireless device according to the one or more IP subnets that the access switch serves. The access switch sends an association advertisement message to indicate the IP address of the wireless device and to enable other access switches and routers to compute a path to the wireless device. When a wireless device obtains an IP address, it can keep the same IP address as it roams in the mobility domain.

Abstract: Techniques are provided to enable support of roaming wireless devices in a network such that the wireless devices can keep their Internet Protocol (IP) addresses as they roam across mobility sub-domains. Traffic for a wireless device that roams is tunneled back to the access switch that serves the IP subnet which includes an IP address for the wireless device. Traffic is tunneled back to that access switch for the wireless device when the wireless device roams to another access switch which does not serve the IP subnet for the wireless device in the same mobility sub-domain and when the wireless device roams to a different mobility sub-domain, in which case the traffic is tunneled between tunneling endpoints in the respective mobility sub-domains.

Abstract: Techniques are provided to support roaming of wireless devices in a network such that the wireless devices can keep their Internet Protocol (IP) addresses as they roam within and across mobility sub-domains. When a wireless device roams from one access switch to another access switch, a tunneling endpoint apparatus in the wireless device's home mobility sub-domain is configured to serve as the point of presence for the roamed wireless device. Traffic for the roamed wireless device is tunneled from the access switch where the wireless device has roamed (where it is currently attached) to the tunneling endpoint apparatus. When the wireless device roams across mobility sub-domains, then traffic is tunneled from the access switch where the wireless device is currently attached to the tunneling endpoint apparatus in that mobility sub-domain (called a “foreign” mobility sub-domain) to the tunneling endpoint apparatus in the wireless device's home mobility sub-domain.

Abstract: A system and method for a hierarchical distributed control architecture to support roaming wireless client devices. Access switches serve one or more Internet Protocol (IP) subnets that include plural IP addresses. The access switches are arranged in switch peer groups and store information about other access switches in that switch peer group and about locations of wireless client devices that are associated with any access switch in the switch peer group. The access switches are further grouped into a corresponding mobility sub-domain each including plural switch peer groups. Plural controller devices control access switches in a corresponding mobility sub-domain. Each controller device stores information about the access switches and about locations of wireless client devices within its mobility sub-domain. A central controller device communicates with the controller devices for the respective mobility sub-domains.

Abstract: In one embodiment, a method includes receiving a packet from a source wireless device at a second switch, the source wireless device previously associated with a first switch and roamed to and associated with the second switch, wherein a point of presence for the source wireless device is maintained at the first switch, inserting into the packet a direction indicator, and forwarding the packet from the second switch to the first switch, the direction indicator identifying the packet as being transmitted towards the point of presence for the source wireless device to prevent a forwarding loop. An apparatus is also disclosed.

Abstract: In one embodiment, a method for processing encrypted wireless station data at a network device includes receiving from an access point, one or more frames comprising wireless station data fragmented into a plurality of encrypted protocol data units. The frames are configured to identify the encrypted protocol units associated with the wireless station data. The method further includes decrypting the encrypted protocol data units and forwarding the wireless station data. An apparatus for processing encrypted wireless station data, a method for transmitting encrypted multicast data for a wireless client, and a method for processing encrypted wireless station data at an access point are also disclosed.

Abstract: In one embodiment, a method includes receiving a packet at a network device in communication with a plurality of client nodes, the packet identifying a first client node, performing a look up in a table stored at the network device to locate policies associated with the first client node, the table including an entry for each of the client nodes, each entry having a plurality of policies associated with the client node, applying the policies associated with the first client node at a forwarding engine at the network device, and forwarding the packet from the network device. An apparatus is also disclosed.

Abstract: Techniques are provided to enable a support for guest access of devices in a network. At a controller apparatus in a first mobility sub-domain of a network comprising a plurality of mobility sub-domains, a request message containing a request for guest network access for a device is received from a first access switch in the first mobility sub-domain. The controller apparatus forwards the request message to a guest controller. At a tunneling endpoint apparatus in the first mobility sub-domain, a tunnel is established to the guest controller to carry traffic between the device and the guest controller. Traffic for the device passes in a tunnel between the first access switch and the tunneling endpoint apparatus in the first mobility sub-domain, through the tunneling endpoint apparatus in the first mobility sub-domain and in the tunnel between the routing apparatus in the first mobility sub-domain and the guest controller.

Abstract: A system and method are provided for a hierarchical distributed control architecture to support roaming of wireless client devices. A plurality of access switches are provided and configured to serve one or more Internet Protocol (IP) subnets that comprises a plurality of IP addresses. The plurality of access switches are arranged in switch peer groups such that each access switch within a given switch peer group is configured to store information about other access switches in that switch peer group and about locations of wireless client devices that are associated with any wireless access point on any access switch in the switch peer group. The plurality of access switches are further grouped into a corresponding one of a plurality of mobility sub-domains each comprising a plurality of switch peer groups. A plurality of controller devices are provided, each configured to control access switches in a corresponding mobility sub-domain.

Abstract: Techniques are provided to enable support of roaming wireless devices in a network such that the wireless devices can keep their Internet Protocol (IP) addresses as they roam across mobility sub-domains. Traffic for a wireless device that roams is tunneled back to the access switch that serves the IP subnet which includes an IP address for the wireless device. Traffic is tunneled back to that access switch for the wireless device when the wireless device roams to another access switch which does not serve the IP subnet for the wireless device in the same mobility sub-domain and when the wireless device roams to a different mobility sub-domain, in which case the traffic is tunneled between tunneling endpoints in the respective mobility sub-domains.