Abstract: A cluster data replication system includes a plurality of network elements and controllers. The controllers form a cluster that is able to elect one of the controllers as a master controller with the others being follower controllers. The elected controller updates, responsive to being elected the master controller, state information in a system database of the elected controller to indicate that the elected one of the controllers is the master controller. The master controller includes one or more objects that are enabled in reaction to the state information, and which coordinate replication of changes to the data, system database, and state information from the master to the follower controllers. Each follower controller includes one or more objects able to, in reaction to the state information, disable initiation of the replication of changes to the data, system database and state information by the one or more objects in each follower controller.

Abstract: A computer-implemented method for generating a ternary content addressable memory (TCAM) profile includes obtaining an access control list (ACL) configuration and generating the TCAM profile by parsing the ACL configuration. Based upon the parsing, one or more configuration features are identified, each of the features based upon a context and direction of packet flow identified in the configuration. The context includes an interface type and a routing configuration type. Based upon identifying each of the one or more configuration features, a corresponding feature is generated in the TCAM profile. At least one qualifier and at least one action associated with the respective feature is identified and associated with the feature in the TCAM profile.

Abstract: Techniques described herein provide for fast updating of a forwarding table in a single active multihoming configuration. A first network device that is not connected to an ethernet segment (ES), receives a plurality of ethernet segment (ES) routes (e.g., EVPN type-4 routes) from a plurality of network devices that are connected to a host via the ES. When connectivity is lost to the on a designated forwarded for the ES, t the first network device performed a designated forwarding election algorithm based on the plurality of the received ES routes, to identify that a second network device of the plurality of network devices is designated as a new forwarding device. The first network device modifies an entry in a forwarding table to indicate that the host is now reachable via the second network device.

Abstract: In general, the disclosure relates to a method for forwarding a packet through a multi-tier network by establishing a routing protocol session with network devices in the multi-tier network, obtaining routing protocol information from network devices of the multi-tier network, determining a group using the routing protocol information, generating an ordered group listing using network device identifiers (NDIs) for the network devices in the group, and programming a network device hardware of a network device of the set of network devices of the multi-tier network using the ordered group listing. The group includes a set of the network devices of the multi-tier network.

Abstract: Provisioning a set of tunnel endpoint aliases for a tunnel endpoint. A request is sent from the first tunnel endpoint to the second tunnel endpoint over a control plane of a network to provision the set of tunnel endpoint aliases. The second tunnel endpoint generates the set of tunnel endpoints and sends a response including the set of tunnel endpoint aliases to the first tunnel endpoint over the control plane. The first tunnel endpoint sends network traffic over the network tunnel that includes a tunnel endpoint alias of the set of tunnel endpoint aliases received.

Abstract: The automatic classification of network devices in a network. Specifically, the disclosure entails the designation of network device roles to network devices, as well as the clustering of network devices into logical groups. The association of network devices with network device roles and logical groups may be contingent on the connections between the network devices and a set of network device classification heuristics.

Abstract: Techniques are provided for facilitating network devices to obtain configuration updates from a central configuration repository. Configuration update information is received regarding a configuration update in a configuration repository. A data tree is updated based on the configuration update information. An identifier unique to the update is generated. A determination is performed that network device properties of a network device correspond to a set of network device properties indicated for the configuration update information. A notification indicating the availability of the configuration update is sent over one or more networks to the network device.

Abstract: In some implementations, a method is provided. The method includes determining a plurality of field sets and a plurality of field set groups. Each field set of the plurality of field sets comprises one or more packet characteristics. Each field set group of the plurality of field set groups comprises one or more field sets from the plurality of field sets. Each field set group is associated with one or more packet classifier rules. The method also includes determining a set of encoded labels for the plurality of field sets based on a set of rule costs and intersections between field set groups. Each encoded label of the set of encoded labels is associated with a respective field set of the plurality of field sets. The method further includes generating a plurality of entries in a memory based on the set of encoded labels. At least one entry comprises an encoded label from the set of encoded labels and at least a portion of a packet classifier rule.

Abstract: Some embodiments provide a method, executable by a first network device, that receives a set of commands to create a custom routing table. The set of commands specifies that the custom routing table be configured to resolve next hops for routing protocol paths using routes determined by a subset of a set of protocols used by a predefined routing table of the first network device to determine next hops for routing protocol paths. Based on the set of commands, the method further generates the custom routing table. The method also receives a routing protocol path from a second network device. The method further uses one of the custom routing table and the predefined routing table to resolve a next hop for the routing protocol path.

Abstract: Some embodiments provide techniques for optimized programming of forwarding data in network device hardware. An operating system executing on the network device receives information associated with a network topology of a network(s) to which the network device belongs. Based on this information, the operating system can generate various data structures that facilitate the routing and forwarding of data through the network device. Based on the generated data structures, the operating system may then program hardware resources in the network device in order to implement routing and forwarding operations stored in the data structures. During generation of the data structures, the operating system may perform some operations to optimize the programing of the hardware resources in a manner that reduces the amount of hardware resources that would otherwise be used without such optimizations.

Abstract: Verifying a hardware license and controlling hardware features includes receiving a first part of a license payload and a license signature covering the license payload from a CPU, the license signature being generated using a private encryption key; receiving a second part of the license payload from a memory, the CPU being unable to modify the second part of the license payload; generating a hash using the first part and the second part of the license payload; and verifying the license signature using the hash and a public encryption key associated with the private encryption key. When the verifying is successful, communicating with circuitry to enable functionality of the circuitry specified in the license payload.

Abstract: A method and system for the post-adjustment (i.e., offline) of event timestamps to implement virtual time synchronization amongst detection node clocks. In existing methodologies with the goal of clock synchronization, clocks (and timestamps generated therefrom) are disciplined or adjusted at the recordation time of the events on a detection node (e.g., a switch/router, an Internet-of-Things (IoT) device, a wireless sensor, etc.). However, there is no particular reason for these clocks or timestamps to be accurate during the recordation time, but rather, should be accurate at their use or interpretation time. Further, through these recordation time adjustments, clock drifts and timing errors may be gradually introduced, leading to runaway inaccuracies. The disclosed method and system intentionally avoids the disciplining of clocks at event recordation times on the detection node and, instead, adjusts timestamps during interpretation times, to overcome the aforementioned issues.

Abstract: A distributed wireless gateway comprises several switches. Each switch is coupled to a respective set of wireless access points. When a given switch receives a packet from one of its wireless access points, it creates a mapping between that access point and the host that sent the packet to the access point. The given switch advertises to other switches in the distributed wireless gateway reachability information that maps that host to the switch, enabling the other switches to identify the given switch as the next hop when they receive a packet destined for that host.

Abstract: A central controller in a data network can maintain a set of access control list (ACL) rules that represent traffic and data policies of the data network. The controller can autonomously propagate the set of ACL rules to switches in the data network. Each switch that receives the set of ACL rules can selectively install rules from the set based on criteria such as whether or not a given rule in the set is close to the source and device class.

Abstract: Techniques disclosed herein provide a method and systems for installing routes by a route reflect (RR) device when the tunnel RIB of the RR device does not include any tunnel labels definitions. The unicast routing information base (RIB) of route reflector (RR) device is configured to include a next hop associated with a first network device. When the RR device receives a route from the first network device that comprises a tunnel label for reaching the second network device, the RR device resolves the next hop of the received route using the unicast RIB of the RR device. In response to the resolving, the RR device forwards the route to a third network device (e.g., identified by an export route target of the RR device).

Abstract: Techniques described herein relate to a method for computation of network flooding topologies. A flooding topology may refer to a subset of a network which can be utilized by a network device to limit the flooding of link state updates. The flooding topology may be determined by an area leader (i.e., a designated network device) of the network. Computation of the flooding topology may entail the iterative incorporation (or absorption) of nodes and edges of a first connected graph, representing network devices and interconnections of a network topology of the network, into a second connected graph representing the flooding topology.

Abstract: A network device, method, and non-transitory computer readable medium storing computer readable program code, for the post-deployment updating of network device management switch configurations. Particularly, in overcoming limitations imposed by the current state of technology, embodiments disclosed herein enable and implement multiple-master, single-slave interactions amongst network device hardware and using communication protocols otherwise designed to support single-master, single- or multiple-slave(s) configurations. Further, through said multiple-master, single-slave interactions, embodiments disclosed herein facilitate the in-the-field modification of management switch configurations across scenarios following and/or during deployment of network devices in networks.

Abstract: Embodiments of a method for redirecting, by a network device, a host to a captive portal are disclosed. The method includes receiving an incoming frame originating from the host. The incoming frame has a payload specifying information associated with an external server. A user of the host has not been authenticated by the captive portal at a time when the incoming frame is received by the network device. The network device matches at least a portion of the incoming frame to a custom redirect rule of a unified access control list (ACL) implemented by the network device. In response to the matching, the network device forwards the incoming frame towards an internal redirection server executing on the network device. The network device receives a redirection frame from the internal redirection server. The payload of the redirection frame is generated by the internal redirection server using at least a portion of the incoming frame. The redirection frame is transmitted towards the host.

Abstract: A method for processing routes by a network device connected to a network includes: generating a programmable route based on a route programming request associated with a route between the network device and a request origin device; storing the programmable route in a temporary route storage in the network device; and upon receiving a data packet associated with the programmable route, permitting installation of the programmable route in a network device hardware of the network device.

Abstract: A method for synchronizing a binding process among a group of network devices connected to a server that is multi-homed to the group of network devices in provided. The method is executed by a first network device among the group of network devices and includes: receiving, from the server, network traffic associated with a host executing on the server; configuring, using the network traffic, a binding between the first network device and the host and setting a binding status of the first network device for the host to a first status; and transmitting, in response to the setting and via an out-of-band (OOB) channel to a second network device among the plurality of network devices, first binding instructions for causing the second network device set a binding status of the second network device for the host to a second status different from the first status.