Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller assigns the access points to access point groups. The controller generates communication schedules for the access points such that each access point in an access point group is on a common channel and only one of neighboring directional transmitters of access points in that group is able to transmit at any given time. The controller sends the communication schedules to the access points forming the overhead mesh of access points in the area.

Abstract: In one embodiment, a client device enters an area having an overhead mesh of access points, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The client device obtains an area-dependent communication schedule for the overhead mesh that is exclusive or partially-exclusive to the client device for the area. The client device sends, during an arbitrary timeslot of the area-dependent communication schedule, a pull request. The client device receives, from a particular access point in the overhead mesh, a packet in response to the pull request.

Abstract: In one embodiment, a controller identifies access points forming an overhead mesh of access points in an area, each access point comprising one or more directional transmitters each configured to transmit a beam cone in a substantially downward direction towards a floor of the area. The controller determines coverage areas on the floor of the area for the one or more directional transmitters of the access points in the overhead mesh. The controller generates, based on the coverage areas, alternating communication schedules for the access points such that a client device at any given location on the floor of the area is within range of a plurality of receiving access points in the overhead mesh and at least one transmitting access point in the overhead mesh at a certain point in time. The controller sends the communication schedules to the access points.

Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration the user can be required to re-authenticate.

Abstract: A particular fat tree network node stores default routing information indicating that the particular fat tree network node can reach a plurality of parent fat tree network nodes of the particular fat tree network node. The particular fat tree network node obtains, from a first parent fat tree network node of the plurality of parent fat tree network nodes, a negative disaggregation advertisement indicating that the first parent fat tree network node cannot reach a specific destination. The particular fat tree network node determines whether the first parent fat tree network node is the only parent fat tree network node of the plurality of parent fat tree network nodes that cannot reach the specific destination. If so, the particular fat tree network node installs supplemental routing information indicating that every parent fat tree network node except the first parent fat tree network node can reach the specific destination.

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: A method includes receiving, at a first edge node, an Internet Protocol (IP) multicast address of a first silent host node. The method further includes receiving, at a second edge node, an IP multicast address of a second silent host node. The IP multicast address of the first silent host node is equal to the IP multicast address of the second silent host node. The method further includes storing the IP multicast address of the first and second silent host node in a shared entry of a routing table. The method further includes receiving, at a third edge node, a packet from a third host node and determining that a destination address of the packet corresponds to the IP multicast address stored in the shared entry of the routing table. The method further includes sending the packet to both the first host node and the second host node.

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a random IP address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a random IP address that cannot be used to identify the endpoint device or service. The client device may then communicate data packets to the server using the random IP address as the destination address, and a gateway that works in conjunction with DNS can convert the random IP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: Techniques for identifying nodes in a data center fabric that are affected by a failure in the fabric, and selectively sending disaggregation advertisements to the nodes affected by the failure. The techniques include a process where a component monitors the network fabric to identify communication paths between leaf nodes, and determines what leaf nodes would be affected by a failure in those communication paths. The component may detect a failure in the network and determine which communication paths, and thus which leaf nodes, are affected by the failure and send disaggregation advertisements to the affected leaf nodes. In some examples, ingress leaf nodes send data through the fabric that indicate egress nodes for the communication paths. Intermediate nodes along may receive the data from the leaf nodes to identify communication paths, and the notify only affected nodes upon detecting a failure in the network.

Abstract: In one embodiment, a method comprises causing, by a network controller device, a first access point (AP) device to initiate a reverse sounding operation comprising wireles sly requesting a mobile constrained network device to transmit a null data packet (NDP) at a first transmission interval, wirelessly receiving the NDP at the first transmission interval, and generating a reception report describing reception of the NDP and including beamforming information; causing, by the network controller device, a second AP device to generate a corresponding reception report describing a corresponding wireless detection of the NDP at the first transmission interval; and causing, by the network controller device, the mobile constrained network device to connect to a selected one of the first AP device or the second AP device for an identified data flow based on the respective reception reports from the first and second AP devices.

Abstract: In one embodiment, a supervisory device in a network notifies, via an access point of the network, a node as to an ability of the network to support virtual access points. The supervisory device receives, in response to notifying the node, information from the node regarding characteristics of the node. The supervisory device selects, based on the characteristics of the node, a plurality of access points in the network to form a virtual access point with which the node may communicate. The supervisory device configures the plurality of access points to function as the virtual access point, wherein the node communicates with the network via the virtual access point.

Abstract: In one embodiment, a method comprises: determining, by a network switching device, whether the network switching device is configured as one of multiple leaf network switching devices, one of multiple Top-of-Fabric (ToF) switching devices, or one of multiple intermediate switching devices in a switched data network having a leaf-spine switching architecture; if configured as a leaf switching device, limiting flooding of an advertisement only to a subset of the intermediate switching devices in response to detecting a mobile destination is reachable; if configured as an intermediate switching device, flooding the advertisement, received from any one of the leaf network switching devices, to connected ToF switching devices without installing any routing information specified within the advertisement; if configured as a ToF switching device, installing from the flooded advertisement the routing information and tunneling a data packet, destined for the mobile destination, to the leaf switching device having trans

Abstract: Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.

Abstract: In one embodiment, a device identifies a path of travel of a mobile system. The device subdivides the path of travel into a plurality of zones. The device generates time-slotted channel hopping schedules for the plurality of zones, each time-slotted channel hopping schedule having an associated zone among the plurality of zones. The device causes the mobile system to communicate wirelessly with networking infrastructure located along the path of travel, in accordance with a particular one of the time-slotted channel hopping schedules while the mobile system is located in its associated zone.

Abstract: Techniques for identifying nodes in a data center fabric that are affected by a failure in the fabric, and selectively sending disaggregation advertisements to the nodes affected by the failure. The techniques include a process where a component monitors the network fabric to identify communication paths between leaf nodes, and determines what leaf nodes would be affected by a failure in those communication paths. The component may detect a failure in the network and determine which communication paths, and thus which leaf nodes, are affected by the failure and send disaggregation advertisements to the affected leaf nodes. In some examples, ingress leaf nodes send data through the fabric that indicate egress nodes for the communication paths. Intermediate nodes along may receive the data from the leaf nodes to identify communication paths, and the notify only affected nodes upon detecting a failure in the network.

Abstract: A method by a wireless network device in a wireless data network comprises: joining a non-storing mode destination-oriented directed acyclic graph (DODAG) in response to receiving a multicast DODAG information object (DIO) message originated by a root device; generating and transmitting a unicast destination advertisement (DAO) message destined for the root device and indicating the wireless network device has joined the DODAG; advertising as a subroot of a subDAG in the DODAG, based on outputting a second message specifying subDAG information identifying the subDAG; receiving a second unicast DAO message generated by a child network device in the subDAG and addressed to the wireless network device, the second unicast DAO message indicating the child network device has joined the subDAG; and generating and sending a third unicast DAO message to the root device specifying the child network device is reachable via the wireless network device.

Abstract: In one embodiment, a mobile system scans wireless channels for any upcoming access points using a dedicated monitor radio of the mobile system. The mobile system identifies a particular wireless channel in use by an upcoming access point. The mobile system notifies a second radio of the mobile system of the particular wireless channel. The mobile system performs a handoff between a current access point and the upcoming access point in part by switching the second radio of the mobile system to the particular wireless channel of the upcoming access point.

Abstract: Connectors for a networking device may be provided. A networking device may comprise a first plurality of switch bars each comprising a first switch type arranged parallel to one another, a second plurality of switch bars each comprising a second switch type arranged parallel to one another, and a third plurality of switch bars each comprising a third switch type arranged parallel to one another. The first plurality of switch bars, the second plurality of switch bars, and the third plurality of switch bars may be arranged orthogonally. A first one of the first plurality of switch bars may be connected to a first one of the second plurality of switch bars via a retractable mechanical connector mechanism.

Abstract: This disclosure describes techniques for authenticating a user device for a session. For instance, an authentication entity may authenticate a user device using single sign-on authentication and/or multi-factor authentication. The authentication entity may then determine a duration for which the user device is authenticated for the session. For example, the authentication entity may receive information representing a state of an environment of the user device. The authentication entity may then use the information to identify one or more transitions associated with the environment between the session and a previous session. Using the one or more transitions, the authentication entity may determine the duration for the session by increasing or decreasing a previous duration associated with the previous session.

Abstract: In one embodiment, a supervisory device in a network forms a virtual access point (VAP) for a node in the network. A set of access points (APs) in the network are mapped to the VAP as part of a VAP mapping and the node treats the APs in the VAP mapping as a single AP for purposes of communicating with the network. The supervisory device receives measurements from the APs in the VAP mapping regarding communications associated with the node. The supervisory device identifies a movement of the node based on the received measurements from the APs in the VAP mapping. The supervisory device adjusts the set of APs in the VAP mapping based on the identified movement of the node.