Abstract: Systems, methods, and computer-readable media for migrating to and maintaining a white-list network security model. Network traffic identified from permit-all access logs can be analyzed to determine whether it should be white-listed, and if so, a specific permit-access, without logging, policy is generated for the identified network traffic. The addition of specific permit-access policies is repeated on permit-all access logs, at which point, permit-all access policy is converted into deny-all access. In some examples, a system or method can obtain hit counts, from both hardware (eg: TCAM) and software tables, for the specific permit-access policy to determine existence of identified network traffic over a period of time. After analyzing hit counts, the specific permit-access policy can either continue to exist or be removed to maintain a white-list network security model.

Abstract: Systems, methods, and computer-readable media for performing semantic analysis to identify shadowing events. One or more models of network intents, based at least in part on a priority-ordered listing of rules representing network intents, is received. Each rule comprises a Boolean function of one or more packet characteristics and network fabric conditions, and a corresponding network action. For each given rule of the priority-ordered listing of rules, partial and complete shadowing events are detected based on semantic analysis. The semantic analysis comprises calculating an inverse set that comprises the inverse of the set comprising all rules with a higher or equal priority to the given rule, and then calculating a shadowing parameter that comprises the intersection between the inverse set and the given rule. If the shadowing parameter is equal to zero, a complete shadowing event is detected.

Abstract: A method includes detecting a data flow and an associated originating interface on a network, determining a first link over which to forward the data flow, transmitting the data flow over the determined link, receiving a return data flow and moving a forward direction of the return data flow to a new path if the return data flow arrived via a link other than the first link, wherein all packets following a first packet on the flow are forwarded on the same path as the first packet.

Abstract: A method includes generating at a multi-tenant controller on a network a common shared secret for establishing a link between a first site and a second site, transmitting the shared secret to each of the first site and the second site over a secured channel, assigning a wall clock based start and end validity period for the shared secret, sending the shared secret with a future validity to allow secure link communication to continue if one or more elements in both sites cannot communicate with the multi-tenant controller and using a separate shared secret per link per VXWAN.

Abstract: A method includes detecting at a device on a network an application having an anchor domain, marking the application with a traffic source having an entry point domain that accessed the application and a time of detection and designating network flows from the traffic source within a predetermined time from the time of detection as belonging to the application.

Abstract: A method includes receiving information describing an addition of a first site comprising at least one application to an existing network wherein the information is selected from the group consisting of type of site, planned connectivity to the site and planned policies for the site and estimating an impact on the operation of the at least one application and associated network traffic using statistical analysis of monitored data collected from a second site similar to the first site.

Abstract: A method includes deploying in series a plurality of configurable devices in a network configured to communicate with one another via a protocol for exchanging state information wherein at least one of the plurality of configurable devices is in an active state and at least one of the plurality of devices is in a standby state, detecting, by the at least one of the plurality of configurable devices in a standby state, a failure of a configurable device in an active state via a protocol and switching the at least one configurable device in a standby state to an active state.

Abstract: A method includes receiving at a branch device an assigned first hub device and an assigned second hub device associated with a data center, establishing a VPN data tunnel to the assigned first and second hub devices, designating the first hub device as a primary device, designating the second hub device as a secondary device and switching traffic destined for the primary device to the secondary device based, at least in part, on a cost of a link.

Abstract: A method includes executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service, mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE, instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE, receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers and transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP.

Abstract: A method includes issuing a tuned request on a specified active link having an ingress shaper and an egress shaper to a server utilizing a link capacity to an extent in both a forward path and a return path, determining a link capacity for the active link, monitoring the active link and dropping any traffic traveling via the active link when a limit of at least one of the ingress shaper and the egress shaper is exceeded.

Abstract: A method includes allocating an identifier to each of a plurality of policies each comprising a network-isolation identifier associated with a VXWAN directive and transmitting each of the plurality of policies to one or more devices in a network.

Abstract: A method includes determining a network requirement for at least one application, dynamically determining a link suitable for data transmission in accordance with a policy based at least in part on a current network condition to meet the network requirement and routing one or more application network data flows associated with the at least one application over the link.

Abstract: A method includes generating at a multi-tenant controller on a network a common shared secret for establishing a link between a first site and a second site, transmitting the shared secret to each of the first site and the second site over a secured channel, assigning a wall clock based start and end validity period for the shared secret, sending the shared secret with a future validity to allow secure link communication to continue if one or more elements in both sites cannot communicate with the multi-tenant controller and using a separate shared secret per link per VXWAN.

Abstract: A method includes receiving at a branch device an assigned first hub device and an assigned second hub device associated with a data center, establishing a VPN data tunnel to the assigned first and second hub devices, designating the first hub device as a primary device, designating the second hub device as a secondary device and switching traffic destined for the primary device to the secondary device based, at least in part, on a cost of a link.

Abstract: A method includes receiving from a networked spoke device information describing network flows to and from an application, analyzing the information to characterize the application in at least one dimension selected from the group consisting of bi-directional bandwidth usage, network response times, application response times, a number of idle and active application sessions and a maximum number of concurrent application sessions and transmitting the dimensions to at least one networked spoke device as traffic profile information.

Abstract: A method includes deploying in series a plurality of configurable devices in a network configured to communicate with one another via a protocol for exchanging state information wherein at least one of the plurality of configurable devices is in an active state and at least one of the plurality of devices is in a standby state, detecting, by the at least one of the plurality of configurable devices in a standby state, a failure of a configurable device in an active state via a protocol and switching the at least one configurable device in a standby state to an active state.

Abstract: A method includes detecting at a device on a network an application having an anchor domain, marking the application with a traffic source having an entry point domain that accessed the application and a time of detection and designating network flows from the traffic source within a predetermined time from the time of detection as belonging to the application.

Abstract: A method includes detecting a data flow and an associated originating interface on a network, determining a first link over which to forward the data flow, transmitting the data flow over the determined link, receiving a return data flow and moving a forward direction of the return data flow to a new path if the return data flow arrived via a link other than the first link, wherein all packets following a first packet on the flow are forwarded on the same path as the first packet.

Abstract: A method includes issuing a tuned request on a specified active link having an ingress shaper and an egress shaper to a server utilizing a link capacity to an extent in both a forward path and a return path, determining a link capacity for the active link, monitoring the active link and dropping any traffic traveling via the active link when a limit of at least one of the ingress shaper and the egress shaper is exceeded.

Abstract: A method includes executing at a controller a horizontally scalable service Identity Definitions Manager (IDM) Service, mapping active directory (AD) domains to WAN network elements DNS ROLE and LDAP ROLE, instructing a plurality of network elements associated with a tenant to discover a plurality of AD domains and AD servers in an enterprise using the DNS ROLE, receiving from the plurality of network elements running DNS ROLE information indicative of changes to network attributes selected from the group consisting of AD domains, additions and subtractions of AD servers and changes in an IP address of AD servers and transmitting the received AD domains and AD servers to a tenant administrator and requesting credentials to communicate with added AD servers using LDAP.