Abstract: In one embodiment, a method by a first edge router includes receiving a request control message from a second edge router requesting a first identifier of a first group associated with a first host having a first Internet Protocol (IP) address, determining the first identifier of the first group based on the first IP address, sending a response control message to the second edge router including the first identifier of the first group, receiving a data packet destined to the first host from the second edge router, determining that a second group is a source group and the first group is a destination group of the data packet, applying one or more policies associated with a combination of the source group and the destination group to the data packet, and causing the data packet to be routed to the first host within the first site.

Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: A magnetic nanofluid that includes magnetic transition metal ferrite nanoparticles, ferroelectric nanoparticles, and a carrier fluid, and a method of changing the temperature of an object (e.g., heating or cooling) using the magnetic nanofluid. The magnetic transition metal ferrite nanoparticles and ferroelectric nanoparticles can be present as a composite comprising both types of nanoparticles. The use of the magnetic nanofluid is associated with an increase in the Nusselt number in the presence of a magnetic field.

Abstract: A magnetic nanofluid that includes magnetic transition metal ferrite nanoparticles, ferroelectric nanoparticles, and a carrier fluid, and a method of changing the temperature of an object (e.g., heating or cooling) using the magnetic nanofluid. The magnetic transition metal ferrite nanoparticles and ferroelectric nanoparticles can be present as a composite comprising both types of nanoparticles. The use of the magnetic nanofluid is associated with an increase in the Nusselt number in the presence of a magnetic field.

Abstract: A magnetic nanofluid that includes magnetic transition metal ferrite nanoparticles, ferroelectric nanoparticles, and a carrier fluid, and a method of changing the temperature of an object (e.g., heating or cooling) using the magnetic nanofluid. The magnetic transition metal ferrite nanoparticles and ferroelectric nanoparticles can be present as a composite comprising both types of nanoparticles. The use of the magnetic nanofluid is associated with an increase in the Nusselt number in the presence of a magnetic field.

Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: Network controls for application access secured by transport layer security (TLS) using single sign on (SSO) flow may be provided. An application access request for authenticating a user may be received in response to the user requesting an access to an application. User credentials associated with the user may be validated. In response to validating the user credentials, user attributes associated with the user may be determined. Network controls for a user session associated with the application access request may be determined based on the user attributes. The application access request may be redirected to a plain text user session. The plain text user session may comprise the network controls for the user session.

Abstract: A plurality of policies to be enforced in a network environment via a plurality of devices are determined. A topology of the plurality of devices within the network environment is also determined. For each policy of the plurality of policies, a device of the plurality of devices is selected as the location at which to enforce the policy of the plurality of policies. Selecting the device for each policy of the plurality of policies includes correlating the policy of the plurality of policies with another of the plurality of policies and correlating the policy of the plurality of policies with the topology.

Abstract: Network controls for application access secured by transport layer security (TLS) using single sign on (SSO) flow may be provided. An application access request for authenticating a user may be received in response to the user requesting an access to an application. User credentials associated with the user may be validated. In response to validating the user credentials, user attributes associated with the user may be determined. Network controls for a user session associated with the application access request may be determined based on the user attributes. The application access request may be redirected to a plain text user session. The plain text user session may comprise the network controls for the user session.

Abstract: This technology enables normalized lookup and forwarding for diverse virtual private networks in multi-site network fabric deployments. A source device on a first Layer 2 site transmits a frame to a destination device on the same subnet, but on a second Layer 2 site. The frame is encapsulated and routed to a fabric border node. The fabric border node matches the source subnet to the destination subnet and transmits an address request protocol (“ARP”). In response to not receiving a reply to the ARP, the fabric border node transmits a map request to a Layer 3 transit fabric control plane node. The control plane node extracts a destination identifier from the map request and determines that the destination identifier is a Layer 2 identifier. The control plane node transmits a map reply to the fabric border node, where the frame is re-encapsulated and forwarded to the destination device.

Abstract: This technology enables normalized lookup and forwarding for diverse virtual private networks in multi-site network fabric deployments. A source device on a first Layer 2 site transmits a frame to a destination device on the same subnet, but on a second Layer 2 site. The frame is encapsulated and routed to a fabric border node. The fabric border node matches the source subnet to the destination subnet and transmits an address request protocol (“ARP”). In response to not receiving a reply to the ARP, the fabric border node transmits a map request to a Layer 3 transit fabric control plane node. The control plane node extracts a destination identifier from the map request and determines that the destination identifier is a Layer 2 identifier. The control plane node transmits a map reply to the fabric border node, where the frame is re-encapsulated and forwarded to the destination device.

Abstract: A machine-readable code rendering device may include an electronic paper display and a machine-readable code rendering module that dynamically renders machine-readable codes on the electronic paper display. The electronic paper display may be configured so that the machine-readable codes are read by a light-based code reader off of the electronic paper display.

Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

Abstract: In one example, a network element in a first network receives a network packet including a first security group identifier. The network element identifies the first security group identifier, determines that the first security group identifier is hierarchically correlated with a second security group identifier, and inserts the second security group identifier into the network packet. The network element forwards the network packet including the second security group identifier.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. A network element connected to the client device obtains an authentication message including a first network address from the client device. The network element provides the authentication device to an identity server via a Network Address Translation (NAT) device, which translates the first network address to a second network address. The network element also provides a first message including the first network address to the policy server to request an identity-based policy for network communications of the client device. The network element implements the identity-based policy authorized by the policy server.

Abstract: Systems, methods, and computer-readable media for providing cross-domain policy enforcement. In some examples, transit VRFs for a destination network domain and a source network domain are created. Route advertisements for nodes coupled to source VRFs in the source network domain are created that include identifications of the source VRFs. The route advertisements can be transmitted from a source transit VRF in the source network domain to a destination transit VRF in the destination network domain. The route advertisements can then be filtered at the destination transit VRF based on a cross-domain policy using the identifications of the source VRFs to export routes to destination VRFs in the destination network domain according to the cross-domain policy.

Abstract: In one example embodiment, a network appliance is configured to process packets in a network. The network appliance obtains a mapping of a domain name to a security group tag having associated therewith one or more security policies. The network appliance receives a network packet having an Internet Protocol address. The network appliance determines a particular domain name associated with the Internet Protocol address of the packet. Based on the mapping of the domain name to the security group tag and the particular domain name, the network appliance determines whether the network packet is associated with the security group tag. The network appliance applies the one or more security policies to the network packet based on the security group tag when the particular domain name of the network packet matches the domain name.

Abstract: A device obtains access to an application resource from a remote application server based on an authenticated device identifier. The device sends a request to access the application resource provided by the remote application server. The device receives a first message from the remote application server directing the device to send an authentication message to a device identity server. The authentication message requests an authenticated device identity for the device. The device attaches metadata associated with the device to the authentication message and sends the authentication message with the attached metadata to the device identity server. The device receives the authenticated device identity from the device identity server and sends the authenticated device identity to the remote application. The device obtains access to the application resource from the remote application server based on the authenticated device identity.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. A network element connected to the client device obtains an authentication message including a first network address from the client device. The network element provides the authentication device to an identity server via a Network Address Translation (NAT) device, which translates the first network address to a second network address. The network element also provides a first message including the first network address to the policy server to request an identity-based policy for network communications of the client device. The network element implements the identity-based policy authorized by the policy server.