Abstract: A method for routing is disclosed. The method comprises provisioning an endpoint in a network with a reactive path selection policy; monitoring, by the endpoint, current conditions relating to various paths available to said end point for the transmission of traffic; and selectively applying, by the endpoint, at least a portion of the reactive path selection policy based on the current conditions of the available paths.

Abstract: Methods for establishing a stateless extranet in a secure communication network include transmitting a consumer NHOP to a provider CPE from a consumer CPE in a control plane. The consumer NHOP is associated with at least one attribute of an NHOP, including an encryption key available with the consumer CPE, to establish a secure communication tunnel in a data plane. The consumer CPE receives a service definition over the control plane associated with a service available with the provider CPE. A service anchor point is created based on an identifier of the service definition. A network address translation (NAT) IP request is transmitted to the provider CPE. The consumer CPE receives a NAT IP from the provider CPE in response to the NAT IP request. The NAT IP is associated with the service anchor point of the consumer CPE. A stateless service is thereby instantiated on the consumer CPE.

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

Abstract: A method for routing is disclosed. The method comprises provisioning an endpoint in a network with a reactive path selection policy; monitoring, by the endpoint, current conditions relating to various paths available to said end point for the transmission of traffic; and selectively applying, by the endpoint, at least a portion of the reactive path selection policy based on the current conditions of the available paths.

Abstract: Embodiments of a method of communicating a packet by a network address translation (NAT) enabled router, are described. In an embodiment, the method includes receiving a return packet to be communicated to a destination. The destination is associated with a first source address in the context of a forward packet. The method further includes determining a return path to transmit the return packet to the destination based on security association data. The security association data is pre-recorded in a routing table of the NAT enabled router when the forward packet is received, prior to receiving the return packet, over a forward path established between the NAT enabled router and an enterprise node. The security association data uniquely identifies the forward path as the return path.

Abstract: In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

Abstract: In one embodiment, a method includes detecting a request to route traffic to a service associated with an application. The method also includes identifying an application identifier associated with the application and selecting, using the application identifier, a label from a plurality of labels included in a routing table. The label includes one or more routes. The method further includes routing the traffic to the service associated with the application using the label.

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.

Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.

Abstract: A method for operating a network is provided. The method comprises segmenting the network into a plurality of virtual private networks, wherein each virtual private network runs on an underlying physical network; and wherein each virtual private network represents a particular context; and configuring at least some nodes within the network to send and receive traffic based on context.

Abstract: A method may include receiving a domain name system (DNS) query at a network device, where the DNS query may be associated with a traffic flow identified for rerouting through an alternative path utilizing an alternative network device instead of a default path. The method may also include rewriting the DNS query such that the DNS query is routed through the alternative network device along the alternative path and to a DNS server associated with the alternative path. The method may additionally include receiving a DNS response from the DNS server, where a resource identified in the DNS response may be based on the DNS query coming through the alternative network device.

Abstract: A method for routing is disclosed. The method comprises provisioning an endpoint in a network with a reactive path selection policy; monitoring, by the endpoint, current conditions relating to various paths available to said end point for the transmission of traffic; and selectively applying, by the endpoint, at least a portion of the reactive path selection policy based on the current conditions of the available paths.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.