Abstract: A particular fat tree network node stores default routing information indicating that the particular fat tree network node can reach a plurality of parent fat tree network nodes of the particular fat tree network node. The particular fat tree network node obtains, from a first parent fat tree network node of the plurality of parent fat tree network nodes, a negative disaggregation advertisement indicating that the first parent fat tree network node cannot reach a specific destination. The particular fat tree network node determines whether the first parent fat tree network node is the only parent fat tree network node of the plurality of parent fat tree network nodes that cannot reach the specific destination. If so, the particular fat tree network node installs supplemental routing information indicating that every parent fat tree network node except the first parent fat tree network node can reach the specific destination.

Abstract: In one embodiment, an elimination point device in a network obtains a master secret from a network controller. The elimination point device assesses, using the master secret, whether an incoming packet received by the elimination point device from a redundant path between the elimination point device and a replication point device in the network includes a valid message integrity check (MIC). The elimination point device determines whether the incoming packet was injected maliciously into the redundant path, based on the assessment of the incoming packet. The elimination point device initiates performance of a mitigation action in the network, when the elimination point device determines that the incoming packet was injected maliciously into the redundant path.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: In one embodiment, a supervisory device in a network assigns different access points in the network to different access point groupings. Each of the different access point groupings uses a different network path to communicate with a given endpoint in the network. The supervisory device selects at least one of the access points in each of the different access point groupings for mapping to a virtual access point (VAP) for a node in the network as part of a VAP mapping. The supervisory device instructs the selected access points to form a VAP for the node. The node treats the access points in the VAP mapping as a single access point for purposes of communicating with the network.

Abstract: In one embodiment, a device in a network determines whether a destination address of a packet received by the device is within a neighbor discovery (ND) cache of the device. The device determines whether the destination address is not in a set of addresses used to generate an address lookup array or possibly in the set of addresses used to generate the address lookup array, in response to determining that the destination address of the packet is not within the ND cache. The device performs address resolution for the destination address of the packet, in response to determining that the destination address of the packet is possibly in the set of addresses used to generate the address lookup array.

Abstract: In one embodiment, a supervisory device in a network forms a virtual access point (VAP) for a node in the network whereby a plurality of access points (APs) in the network are mapped to the VAP as part of a VAP mapping. The node treats the APs in the VAP mapping as a single AP for purposes of communicating with the network. The supervisory device determines a data traffic management strategy for the node based on traffic associated with the node. The supervisory device instructs the APs in the VAP mapping to implement the data traffic management strategy for the node.

Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

Abstract: In one illustrative example, one or more controllers may be configured to perform a path selection procedure for selecting a connection path for multi-hop device-to-device (D2D) communications. Identifiers of candidate D2D device pairings from D2D peer discovery performed by a plurality of UEs served in a plurality of base stations and link quality data associated with each candidate D2D device pairings are obtained. D2D network topology map data including a plurality of link-state relationships are generated based on the identifiers of candidate D2D device pairings. A plurality of connection paths of UEs are computed based on the generated link-state relationships and the link quality data, where each computed connection path includes UEs indicated as required nodes and at least one UE indicated as a candidate relay node. An optimal connection path that satisfies a latency parameter is selected from the plurality of computed connection paths (e.g. based on a shortest path first or SPF algorithm).

Abstract: In one embodiment, a device in a network receives a plurality of packets from one or more neighbors of the device. Each of the packets has a scheduled delivery time interval according to a deterministic communication schedule. The device determines an amount of clock drift for each of the one or more neighbors of the device by comparing arrival times of the received packets to their scheduled delivery time intervals according to the deterministic communication schedule. The device calculates a clock adjustment based on the amount of clock drift for each of the one or more neighbors. The device adjusts a clock of the device using the calculated clock adjustment.

Abstract: In one embodiment, a cloud-based service instructs one or more networking devices in a local area network (LAN) to form a virtual network overlay in the LAN that redirects traffic associated with a particular node in the LAN to a first isolation application instance hosted by the service. The first isolation application instance receives the redirected traffic associated with the particular node. The first isolation application instance determines a routing path for the traffic that comprises one or more other isolation application instances hosted by the cloud-based service. The first isolation application instance tags the traffic to indicate the determined routing path. The first isolation application forwards the tagged traffic to a second isolation application instance along the determined routing path.

Abstract: In one embodiment, a cloud-based service instructs one or more networking devices in a local area network (LAN) to form a virtual network overlay in the LAN that redirects traffic associated with a particular node in the LAN to the service. The service receives multicast or broadcast traffic sent by the particular node in the LAN and redirected to the service via the virtual network overlay. The service identifies a group of nodes in the network that are to receive the traffic sent by the particular node, based in part by profiling the traffic associated with the particular node. The service sends the traffic sent by the particular node to at least one networking device in the LAN with an indication of the identified group of nodes in the network that are to receive the traffic sent by the particular node. The at least one networking device forwards the traffic sent by the particular node to the nodes in the identified group.

Abstract: In one embodiment, a device in a network receives a notification from a neighbor of the device indicative of a child node of the device requesting a parent change from the device to the neighbor. The device updates an existing routing path from the device to the child node to be routed through the neighbor, in response to receiving the notification from the neighbor. The device receives an instruction to remove the updated routing path from the device to the child node through the neighbor. The device removes the updated routing path from the device to the child node, in response to receiving the instruction to remove the updated routing path.

Abstract: In one embodiment, a supervisory device in a network receives a help request from a first node in the network indicative of a problem in the network detected by the first node. The supervisory device identifies a second node in the network that is hosting a repair walker agent able to address the detected problem. The supervisory device determines a network path via which the second node is to send repair walker agent to the first node. The supervisory device instructs the second node to send the repair walker agent to the first node via the determined path.

Abstract: In one embodiment, a supervisory device in a network receives from a plurality of access points (APs) in the network data regarding a network availability request broadcast by a node seeking to access the network and received by the APs in the plurality. The supervisory device uniquely associates the node with a virtual access point (VAP) for the node and forms a VAP mapping between the VAP for the node and a set of the APs in the plurality selected based on the received data regarding the network availability request. One of the APs in the mapping is designated as a primary access point for the node. The supervisory device instructs the primary AP to send a network availability response to the node that includes information for the VAP. The node uses the information for the VAP to access the network via the set of APs in the VAP mapping.

Abstract: In one embodiment, a networking device in a local area network (LAN) establishes a virtual network overlay in the LAN to redirect traffic associated with a particular node in the LAN to a server for analysis. The networking device receives an indication from the server that at least a portion of the traffic associated with the particular node is trusted for local sending within the LAN and adjusts the virtual network overlay to locally send the trusted portion of the traffic associated with the particular node to one or more other nodes in the LAN without redirection to the server. The networking device collects characteristic information regarding the trusted portion of the traffic sent locally within the LAN via the adjusted virtual network overlay and sends the collected characteristic information to the server for analysis.

Abstract: In one embodiment, a first actuator in a network of sensors and actuators executes a walker agent configured to adjust an actuation setting of the first actuator. The actuation setting controls an area of coverage of the first actuator when actuated. The executing agent on the first actuator receives one or more sensor measurements from one or more of the sensors that are in communication range of the first actuator. The executing agent also controls, based on the received one or more sensor measurements, the area of coverage of the first actuator by adjusting its actuation setting, in an attempt to optimize coverage of the sensors in the network by the areas of coverage of the actuators. The first actuator unloads the executing walker agent after adjusting the actuation setting of the first actuator and propagates the agent to another one of the actuators in the network for execution.

Abstract: In one illustrative example, one or more controllers may be configured to perform a path selection procedure for selecting a connection path for multi-hop device-to-device (D2D) communications. Identifiers of candidate D2D device pairings from D2D peer discovery performed by a plurality of UEs served in a plurality of base stations and link quality data associated with each candidate D2D device pairings are obtained. D2D network topology map data including a plurality of link-state relationships are generated based on the identifiers of candidate D2D device pairings. A plurality of connection paths of UEs are computed based on the generated link-state relationships and the link quality data, where each computed connection path includes UEs indicated as required nodes and at least one UE indicated as a candidate relay node. An optimal connection path that satisfies a latency parameter is selected from the plurality of computed connection paths (e.g. based on a shortest path first or SPF algorithm).

Abstract: Theft detection in data center networks may be provided. First, a first leaf switch may create an entry in a first distributed secure cache in response to an endpoint appearing on the first leaf switch. The entry may correspond to the endpoint and may be marked as having a tentative state. Then a request message may be sent to a plurality of leaf switches. The request message may comprise data identifying the endpoint. Next, a reply message may be received in response to the request message from a second leaf switch within the plurality of leaf switches. The tentative state may then be removed from the entry in response to the reply message indicating that the endpoint is valid.

Abstract: In one embodiment, a virtual firewall is installed on a port of a device that communicates across a zone boundary within an industrial network. The virtual firewall is then configured based on operation of the industrial network, such that the port may then communicate via the firewall to a remote virtual firewall of a remote port of a remote device across the zone boundary.

Abstract: In one embodiment, a supervisory device in a network receives from a plurality of access points (APs) in the network data regarding a network availability request broadcast by a node seeking to access the network and received by the APs in the plurality. The supervisory device uniquely associates the node with a virtual access point (VAP) for the node and forms a VAP mapping between the VAP for the node and a set of the APs in the plurality selected based on the received data regarding the network availability request. One of the APs in the mapping is designated as a primary access point for the node. The supervisory device instructs the primary AP to send a network availability response to the node that includes information for the VAP. The node uses the information for the VAP to access the network via the set of APs in the VAP mapping.