Patent classifications
H04L61/5014
Customer control of their mobile assets
Systems, methods, and devices for secure and configurable control of user equipment (UE) devices associated with enterprise accounts are disclosed herein. Each enterprise account is associated with a plurality of UE devices, which may access networked assets associated with the enterprise. In order to manage UE device access to enterprise assets and to other networks via an internet connection through a wireless telecommunications network, data associated with different enterprise accounts is virtually separated at the edge routers and maintained as separate data streams to distinct virtual environments associated with the enterprise accounts at one or more asset hosting servers. The virtual environments on the asset hosting servers further facilitate enterprise-specific control of mobile assets, such as enforcing security policies relating to access, connections, filtering, or encryption.
POLICY DRIVEN ZERO TOUCH PROVISIONING OF NETWORK DEVICES
A policy driven zero touch provisioning (ZTP) system implements techniques for policy driven ZTP of network devices. One or more ZTP policies, configurations and/or boot images associated with one or more network devices are stored in a database. Upon execution of a boot sequence, a network device automatically sends a DHCP request including network device identification information to the policy driven ZTP system. The policy driven ZTP system identifies a matching ZTP policy having conditions that match the network device identification information. The ZTP system generates a DHCP response including IP leasing information, boot configuration information by which a boot configuration may be automatically obtained, and/or boot image information by which a boot image may be automatically obtained, as defined by the matching ZTP policy. The techniques allow ZTP policies to be defined with device-level granularity for boot configurations and/or boot images.
NETWORK FABRIC DEPLOYMENT SYSTEM
A network fabric deployment system includes a fabric deployment management system that is coupled to a DHCP server. The fabric deployment management system generates a cloud-based network fabric that is based on a network fabric topology file and that includes a plurality of cloud-based networking devices, each of which is assigned a physical networking device identifier that identifies a corresponding physical networking device. The fabric deployment management system configures and validates each of the plurality of cloud-based networking devices, which causes each physical networking device identifier to be mapped to an IP address at the DHCP server. It then retrieves a deployment image file from each of the plurality of cloud-based networking devices that have been configured and validated, and stores each of the deployment image files in a database in association with the physical networking device identifier, such that the corresponding physical networking device boots from that deployment image file.
Controlling access to external networks by an air-gapped endpoint
A method and system for controlling access to external networks by an air-gapped endpoint is provided. The method includes providing, on the air-gapped endpoint, a plurality of isolated security zones by instantiating a plurality of corresponding virtual machines using a hypervisor; selecting one security zone of the plurality of isolated security zones; and tunneling traffic from the selected security zone to a designated network location, wherein the tunneling is through a virtual private network (VPN).
Systems and methods for providing multi-tenant dynamic host configuration protocol services
Systems and methods described herein provide a high availability DHCP server capable of serving multiple tenants in a data center. The DHCP server may use a different logical DHCP server instance for each tenant, and may be implemented as one process without the use of namespaces. A DHCP server is executed on a gateway virtual machine (VM) that is capable of hosting a plurality of logical DHCP servers. For each tenant in a data center, a logical network and a corresponding logical DHCP server instance are implemented. The DHCP server may service requests for DHCP services from VMs via their physical host by determining the tenant that the VM originates from and leasing a DHCP resource from that tenant's corresponding logical DHCP server instance.
Computer Implemented Method And Distributed Computing Infrastructure For Automated Plug And Play Configuration
Various embodiments of the teachings herein include a computer-implemented method for automated configuration of a joining computing device into a computing system. The method may include: using a device management service to listen for messages from joining devices; connecting via secure shell and factory default credentials to a discovered device; configuring the joining device based on device descriptions, including: downloading a description from the joining device; creating new security certificates which enable secure communication; closing the default ssh services and triggering a reboot; reading the description from the joining device; using the description to identify the set of connectors required for the container runtime environment to be deployed; and receiving into and executing containerized software in a deployed container runtime environment on the joining computing device.
Network validation with dynamic tunneling
Systems and methods for provisioning and validating a network are disclosed. One method can comprise providing a first communication tunnel between a network access point and a first tunnel endpoint. Availability of the first tunnel endpoint can be determined. If the first tunnel endpoint is determined to be available, network traffic can be routed to the first tunnel endpoint. If the first tunnel endpoint is determined to be unavailable, a second communication tunnel between the network access point and a second tunnel endpoint can be provided.