Patents by Inventor Sanjay Kumar Hooda

Sanjay Kumar Hooda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10771390
    Abstract: One embodiment of a method includes receiving at a first network node traffic from a second network node; and sending by the first network node to a third network node information identifying the second network node via a Local Area Network (“LAN”) connection between the first and third network nodes. Subsequent to receipt of the information identifying the second network node, the third network node updates a locator table maintained by the third network node to include an entry including the information identifying the second network node received by the third network node from the first network node. Upon receipt by the third network node of a notification that the first network node has failed, the third network node sends an update only to network nodes that have an entry in the locator table indicating that the first network node has failed.
    Type: Grant
    Filed: June 18, 2017
    Date of Patent: September 8, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Ravishankar Chandrasekaran, Rex Emmanuel Fernando, Sanjay Kumar Hooda, Jesus Arango
  • Publication number: 20200267147
    Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.
    Type: Application
    Filed: May 6, 2020
    Publication date: August 20, 2020
    Inventors: Victor Moreno, Sridhar Subramanian, Sanjay Kumar Hooda
  • Patent number: 10749799
    Abstract: In accordance with various embodiments, a method is performed including receiving, at a first node associated with a first instance identifier, a packet from a first host addressed to a second host. The method includes sending, from the first node to the second node, the packet. The method includes receiving, from the second node, a solicit map-request for the second host including the first instance identifier of the first node and the second instance identifier of the second node for the second host. The method includes sending, in response to receiving the solicit map-request for the second host, a map-request for the second host. The method includes receiving, in response to sending the map-request for the second host, a map-reply indicating a third node associated with the second instance identifier. The method includes sending, from the first node to the third node, the packet.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: August 18, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Prakash Chand Jain, Sanjay Kumar Hooda, Victor M. Moreno
  • Publication number: 20200228404
    Abstract: Systems, methods, and computer-readable storage media are provided for provisioning a common subnet across a number of subscribers and their respective virtual networks using dynamically generated network policies that provide isolation between the subscribers. The dynamic generation of the network policies is performed when a host (e.g. client) is detected (via a switch) as the host joins the computing network via virtual networks. This ability to configure a common subnet for all the subscriber virtual networks allows these subscribers to more easily access external shared services coming from a headquarter site while keeping the separation and segmentation of multiple subscriber virtual networks within a single subnet. This allows the Enterprise fabric to be more simple and convenient to deploy without making security compromises.
    Type: Application
    Filed: March 28, 2019
    Publication date: July 16, 2020
    Inventors: Sanjay Kumar Hooda, Muninder Singh Sambi, Victor Moreno, Prakash C. Jain, Tarunesh Ahuja, Satish Kondalam
  • Publication number: 20200204483
    Abstract: In one embodiment, a method is performed at a node in a multi-site enterprise fabric. The method includes obtaining map entries from a fabric control plane of the multi-site enterprise fabric, where the map entries are associated with identifiers of endpoints in external networks, site and virtual network identifiers of sites in the multi-site enterprise fabric, location identifiers of border nodes, and characteristics of the border nodes. The method further includes receiving a request from a source to connect to an external endpoint. After deriving an external endpoint identifier and source parameters, the method additionally includes establishing at least one connection between the source and the external endpoint via border node(s) that are selected from the map entries based at least in part on the source parameters, the external endpoint identifier, and characteristics of the border node(s) with their site and virtual network identifier(s) along the at least one connection.
    Type: Application
    Filed: December 21, 2018
    Publication date: June 25, 2020
    Inventors: Prakash Chand Jain, Sanjay Kumar Hooda, Victor M. Moreno, Satish Kumar Kondalam
  • Publication number: 20200177503
    Abstract: Systems and methods provide for end-to-end identity-aware routing across multiple administrative domains. A first ingress edge device of a second overlay network can receive a first encapsulated packet from a first egress edge device of a first overlay network. The first ingress edge device can de-encapsulate the first encapsulated packet to obtain an original packet and a user or group identifier. The first ingress edge device can apply a user or group policy matching the user or group identifier to determine a next hop for the original packet. The first ingress edge device can encapsulate the original packet and the user or group identifier to generate a second encapsulated packet. The first ingress edge device can forward the second encapsulated packet to the next hop.
    Type: Application
    Filed: August 8, 2019
    Publication date: June 4, 2020
    Inventors: Sanjay Kumar Hooda, Anand Oswal, Nehal Bhau, Anil Edathara, Munish Mehta
  • Publication number: 20200177447
    Abstract: In one embodiment, a method is performed at a controller of a fabric that is connected to a first seed device in the fabric. The method includes obtaining a connectivity graph of the fabric including the first seed device. The method further includes causing the first seed device to send a first request to a first neighboring device in the connectivity graph via a first interface of the first seed device connectable to the first neighboring device. The method also includes assigning fabric component properties to devices in the fabric based at least in part on a first message from the first seed device, where the first seed device generates the first message based at least in part on a first response from the first neighboring device received via the first interface. The method additionally includes converting the first neighboring device to a second seed device in the fabric.
    Type: Application
    Filed: November 29, 2018
    Publication date: June 4, 2020
    Inventors: Sanjay Kumar Hooda, Atri Indiresan, Jerish Sam David, Anand Pulicat Gopalakrishnan
  • Publication number: 20200177629
    Abstract: A mapping system, under administrative control of a Wide Area Network (WAN) controller, can track each host, authorized to access a plurality of Local Area Networks (LANs), in one or more mapping databases including a first network address representing an identifier and a second network address representing a locator for each host. The mapping system can receive a request for resolution of a first identifier of a host not presently connected to the network. The mapping system can determine the mapping databases exclude a mapping for the first identifier. The mapping system can update the mapping databases with a first mapping including the first identifier and a first locator corresponding to a honeypot network device. The mapping system can transmit, to one or more LANs of the plurality of LANs, routing information to route traffic destined for the first identifier to the honeypot network device.
    Type: Application
    Filed: August 8, 2019
    Publication date: June 4, 2020
    Inventors: Sanjay Kumar Hooda, Anand Oswal, Nehal Bhau, Victor Moreno
  • Patent number: 10673737
    Abstract: Multi-VRF universal device Internet Protocol (IP) address for fabric edge devices may be provided. This address may be used to send and receive packets in a connectivity message for all VRFs on a fabric edge device. First, a request packet may be created by a first network device in response to receiving a connectivity message. The request packet may have a source address corresponding to an address of the first network device and a destination address corresponding to an address of a first client device. Next, the first network device may encapsulate the request packet. The first network device may then forward the encapsulated request packet to a second network device associated with the first client device.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Atri Indiresan, Roberto Kobo, Sanjay Kumar Hooda, Akshay Sunil Dorwat
  • Patent number: 10673850
    Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Victor Moreno, Sridhar Subramanian, Sanjay Kumar Hooda
  • Publication number: 20200162337
    Abstract: Systems and methods provide for algorithmic problem identification and resolution in fabric networks by software defined operation, administration, and maintenance.
    Type: Application
    Filed: April 2, 2019
    Publication date: May 21, 2020
    Inventors: Prakash C. Jain, Sanjay Kumar Hooda
  • Publication number: 20200162467
    Abstract: Present technology is directed to a system and method for implementing an offline scheme to automatically and efficiently transform a set of conventional IP-based Access Control Entries in a supplied configuration into compressed form that can then be represented as Object-Group based Access Control Entries. The compression is performed on contiguous blocks of the supplied Access Control List having a common prescribed filtering access. The compression is performed by iteratively selecting a data field with mismatching data values across the ACEs and merging the data values into a corresponding data field of the output ACE. The common values of other data fields are then imported to the corresponding data fields of the output ACE. The process is repeated in an iterative manner by assigning a different data field as the selected data field for each iteration round.
    Type: Application
    Filed: March 28, 2019
    Publication date: May 21, 2020
    Inventors: Parag M. Panse, Brian Russell Kean, Sanjay Kumar Hooda
  • Patent number: 10652047
    Abstract: In one embodiment, a method is performed at a first node. The method may include receiving, at a first node, a request from a source host associated with a network to communicate with a destination host. The first node may determine whether the destination host is associated with the network. If the destination host is not associated with the network, the first node may determine an instance identifier (IID) and a proxy egress tunnel router (PETR) locator address used to communicate with the destination host. The first node may send an indicator to an ingress tunnel router (ITR) to encapsulate a packet with the IID and the PETR locator address before sending the packet from the source host to the destination host.
    Type: Grant
    Filed: June 16, 2018
    Date of Patent: May 12, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Prakash Chand Jain, Sanjay Kumar Hooda, Victor M. Moreno, Satish Kumar Kondalam
  • Publication number: 20200136862
    Abstract: In one example, a router is configured to process communications according to a tunneling protocol to provide network overlay tunnels to facilitate virtual private networks (VPNs) for hosts, and to process communications associated with an external network with use of a provider virtualization routing and forwarding (VRF) instance. With use of a subscription function, the router receives an initial set of extranet VPN prefixes associated with the network overlays for storage in association with the provider VRF, as well as regularly receives publications of updates to extranet VPN prefixes associated with the network overlays. With use of a route obtaining function, the router, in response to receiving a communication associated with one of the stored extranet VPN prefixes at the provider VRF, sends to a communications management server a message indicating a request for a host-to-router mapping and receives from the communications management server a reply including the host-to-router mapping.
    Type: Application
    Filed: October 29, 2018
    Publication date: April 30, 2020
    Inventors: Prakash Chand JAIN, Sanjay Kumar HOODA, Victor M. MORENO, Satish Kumar KONDALAM
  • Patent number: 10637734
    Abstract: A method is described that includes receiving at a network element a transmission control protocol (“TCP”) packet with TCP options set on a link between a controller and a destination node. If the network element comprises a transit node, the method includes comparing a bandwidth value indicated in a TCP options field of the received TCP packet with an outgoing link bandwidth of the network element. If the bandwidth value indicated in the TCP options field is greater than the outgoing link bandwidth of the network element, the method includes updating the bandwidth value in the TCP options field to be equal to the outgoing link bandwidth of the network element, and forwarding the packet to a next network element. If the bandwidth value indicated in the TCP options field is not greater than the outgoing link bandwidth, the bandwidth value in the TCP options field is not changed.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: April 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Rex Emmanuel Fernando, Balaji Sundararajan, Sanjay Kumar Hooda
  • Publication number: 20200120062
    Abstract: A Location/Identifier Separation Protocol (LISP) mapping server, including: a network interface for communicating with a LISP-enabled network; a mapping database; a subscription database; and an overlapping subscription publication engine (OSPE) to: receive a first mapping of a first subnetwork to a first routing locator (RLOC); add the first mapping to the mapping database; receive from a first ingress tunnel router (ITR) a subscription request for an endpoint identifier (EID) within the first subnetwork; add to a first subscription entry for the first subnetwork in the subscription database a subscription for the first ITR; receive a second mapping of a second subnetwork to a second RLOC, wherein the second subnetwork overlaps the first subnetwork; add the second mapping to the mapping database; and copy at least part of the first subscription entry to a second subscription entry for the second subnetwork.
    Type: Application
    Filed: December 16, 2019
    Publication date: April 16, 2020
    Inventors: Jesus Arango, Vina Ermagan, Johnson Leong, Sanjay Kumar Hooda
  • Patent number: 10609081
    Abstract: In one example embodiment, a network appliance is configured to process packets in a network. The network appliance obtains a mapping of a domain name to a security group tag having associated therewith one or more security policies. The network appliance receives a network packet having an Internet Protocol address. The network appliance determines a particular domain name associated with the Internet Protocol address of the packet. Based on the mapping of the domain name to the security group tag and the particular domain name, the network appliance determines whether the network packet is associated with the security group tag. The network appliance applies the one or more security policies to the network packet based on the security group tag when the particular domain name of the network packet matches the domain name.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: March 31, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Syam Sundar V Appala, Shyamsundar Nandkishor Maniyar, Sanjay Kumar Hooda, Kiran Kumar Yedavalli
  • Patent number: 10560421
    Abstract: A Location/Identifier Separation Protocol (LISP) mapping server, including: a network interface for communicating with a LISP-enabled network; a mapping database; a subscription database; and an overlapping subscription publication engine (OSPE) to: receive a first mapping of a first subnetwork to a first routing locator (RLOC); add the first mapping to the mapping database; receive from a first ingress tunnel router (ITR) a subscription request for an endpoint identifier (EID) within the first subnetwork; add to a first subscription entry for the first subnetwork in the subscription database a subscription for the first ITR; receive a second mapping of a second subnetwork to a second RLOC, wherein the second subnetwork overlaps the first subnetwork; add the second mapping to the mapping database; and copy at least part of the first subscription entry to a second subscription entry for the second subnetwork.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: February 11, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Jesus Arango, Vina Ermagan, Johnson Leong, Sanjay Kumar Hooda
  • Patent number: 10547467
    Abstract: A method including determining that network traffic being transmitted is unicast or multicast; mapping to which virtual network and locator address each host belongs; generating leaking data for unicast and multicast traffic, wherein the leaking data indicates that a first virtual network leaks traffic to a second virtual network; receiving a request from the second virtual network to receive traffic from a host in the first virtual network; determining, based on the leaking data and the type of traffic being transmitted, if the first virtual network leaks traffic to the second virtual network; if the first virtual network leaks traffic to the second virtual network, determining a locator address for the host in the first virtual network using the mapping data; and transmitting the locator address for the host to the second virtual network to enable traffic leaking from the host to the second virtual network is disclosed.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: January 28, 2020
    Assignee: Cisco Technology
    Inventors: Sanjay Kumar Hooda, Prakash C. Jain, Rishabh Parekh, Atri Indiresan, Satish Kondalam, Victor Moreno
  • Patent number: 10516544
    Abstract: A Location/Identifier Separation Protocol (LISP) mapping server, including: a network interface for communicating with a LISP-enabled network; a mapping database; an extranet policy table; and a shared subnetwork mapping engine (SSME), including at least a hardware platform, configured to: receive a map request from a first endpoint serviced by a first xTR, the first endpoint on a first subnetwork, the map request for a second endpoint; determine that the second endpoint is not a member of the first subnetwork; query the extranet policy table to identify a second subnetwork that the first subnetwork subscribes to, and to determine that the second endpoint is a member of the second subnetwork; and provide to the first subnetwork a routing locator (RLOC) of an xTR servicing the second endpoint.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: December 24, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Victor Manuel Moreno, Shyam Kapadia, Sanjay Kumar Hooda