Abstract: In some implementations, a network device may establish a secure connection between the network device and another network device based on a first set of keys generated by the network device, wherein the first set of keys are generated based on a first connectivity association key (CAK) and the secure connection is established based on a media access control security (MACsec) protocol. The network device may transmit a message to the other network device, wherein the message includes an indication of a second CAK. The network device may communicate data via the secure connection based on a second set of keys, wherein the second set of keys are generated based on the second CAK.

Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.

Abstract: In one example, a network management system (NMS) device manages a plurality of network devices. The device includes a memory configured to store data representing a data model for a plurality of network devices managed by the NMS, and one or more processors configured to retrieve data representing the data model, construct a GraphQL model having a plurality of nodes, each of the nodes corresponding to one of the network devices according to the data model store data representing properties of the network devices associated with corresponding nodes of the GraphQL model according to the data model, receive a GraphQL query including data representing at least one query property, determine which of the nodes has a property matching the at least one query property, and return data identifying which of the network devices corresponds to the nodes having the property matching the at least one query property.

Abstract: Disclosed are embodiments for automatically resolving faults in a complex network system. Some embodiments monitor one or more of system operational parameter values and message exchanges between network components. A machine learning model detects a fault in the complex network system, and an action is selected based on a cause of the fault. After the action is applied to the complex network system, additional monitoring is performed to either determine the fault has been resolved or additional actions are to be applied to further resolve the fault.

Abstract: Methods and apparatus for automatically identifying and correcting faults relating to poor communications service in a wireless system, e.g., in real time, are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. Access points (APs), which have been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures messages, store captured messages, and in collaboration with network monitoring apparatus which can be in an AP or external thereto, use message sequences to determine a remedial action to be automatically taken when poor service is likely as may be predicted based on the detected message sequence between a UE and one or more APs.

Abstract: Techniques are disclosed for managing a network. In one example, a device configuration manager is configured to generate, in accordance with a device management protocol, a configuration change request representing a transaction having a first sub-transaction specifying a first configuration change for a network device of the network and a second sub-transaction specifying a second configuration change for the same network device. The device configuration manager is further configured to output the configuration change request to the network device and receive a reply message from the network device. The reply message includes a first response element specifying whether the first configuration change is successfully committed at the network device and a second response element specifying whether the second configuration change is successfully committed at the network device.

Abstract: A device receives information identifying a specific host threat to a network, where the information includes a list of network addresses associated with the specific host threat. The device identifies network elements, of the network, associated with the specific host threat to the network, and determines a network control system associated with the identified network elements. The device determines a policy enforcement group of network elements, of the identified network elements, that maps to the list of network addresses associated with the specific host threat, where the network control system is associated with the policy enforcement group of network elements. The device determines a threat policy action to enforce for the specific host threat, and causes, via the network control system, the threat policy action to be enforced by the policy enforcement group of network elements.

Abstract: In an example, a method comprises executing, by an access network user plane function (ANUP) for a mobile network, an access network protocol to implement a connection with a user equipment (UE); implementing, by the ANUP, based on session data received from a control plane function of a mobile core network for the mobile network, an interface with a data network; and routing or switching, by the ANUP, packets between the connection with the UE and the interface with the data network.

Abstract: A test fixture, for a heatsink, may include a probe assembly with a thermocouple probe configured to removably contact a bottom surface of a pedestal of the heatsink, and measure a surface temperature of the heatsink. The test fixture may include an insulator housing configured to house the probe assembly and a heater block, and to insulate the probe assembly from the heater block. The heater block may be provided within the insulator housing and may be configured to provide heat to the heatsink via the bottom surface of the pedestal of the heatsink. The test fixture may include a mounting block connected to the insulator housing and configured to connect to the heatsink.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.

Abstract: The network management system (NMS) assesses behavior data such as Ethernet error, speed flapping, cold restart, and/or cloud disconnect collected from a respective one of access points (APs) or other wired client-side devices at an edge of a wired network, and determines whether features of the behavior data are indicative of a bad cable issue at a particular port of a particular network device of the wired network to which the respective AP is connected via a cable. The particular network device may be a third-party network device from which the NMS does not receive behavior data. In the case of a bad cable issue being detected, the NMS outputs a bad cable notification including identification information of the particular port and the particular network device. The NMS enables client-side only, behavior-based bad cable detection at network devices that avoids network traffic disruptions caused by conventional cable tests.

Abstract: A network device may be configured to identify a first configuration data structure included in the network device and may be configured to obtain a data package associated with an ISSU procedure that includes a second configuration data structure. The network device may be configured to identify, based on the first configuration data structure and the second configuration data structure, one or more configuration functionalities of the network device that are to not be active during performance of the ISSU procedure. The network device may be configured to cause the one or more configuration functionalities of the network device to be deactivated and to thereafter cause the ISSU procedure to be performed. The network device may be configured to cause, after causing the ISSU procedure to be performed, the one or more configuration functionalities of the network device to be activated.

Abstract: In general, the disclosure describes techniques for measuring edge-based quality of experience (QoE) metrics. For instance, a network device may construct a topological representation of a network, including indications of nodes and links connecting the nodes within the network. For each of the links, the network device may select a node device of the two node devices connected by the respective link to measure one or more QoE metrics for the respective link, with the non-selected node device not measuring the QoE metrics. In response to selecting the selected node device, the network device may receive a set of one or more QoE metrics for the respective link for data flows flowing from the selected node device to the non-selected node device. The network device may store the QoE metrics and determine counter QoE metrics for data flows flowing from the non-selected node device to the selected node device.

Abstract: An example method comprises determining, by an edge services controller, based on a respective predicted resource utilization value for each of a plurality of servers, a corresponding server weight for each of the plurality of servers; the plurality of servers comprising respective network interface cards (NICs), wherein each NIC of the plurality of NICs comprises an embedded switch and a processing unit coupled to the embedded switch; determining, by the edge services controller, based on a respective predicted resource utilization value for each of a plurality of services, a corresponding application weight for each of the plurality of services; and scheduling, by the edge services controller, based on the respective server weight for a server of the plurality of servers and the respective application weight for the service, a service of the plurality of services on the server.

Abstract: In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.

Abstract: A device may receive a first telemetry data entry associated with an attribute and store a record associated with the first telemetry data entry, wherein the record identifies a first context value associated with the attribute. The device may log a first timestamp of the first telemetry data entry in a lookup table, wherein the lookup table includes a mapping of the attribute to the first context value and to the first timestamp. The device may receive a second telemetry data entry associated with the attribute and may determine, from the mapping, that the second telemetry data entry is associated with a second context value that is different from the first context value. The device may determine whether a second timestamp, of the second telemetry data entry, is before the first timestamp. The device may perform an action based on whether the second timestamp is before the first timestamp.

Abstract: In some implementations, a first endpoint device may assign a first metric to a first Internet Protocol security (IPsec) tunnel and a second metric to a second IPsec tunnel. The first IPsec tunnel may be a first communication channel for transmitting data between the first endpoint device and a second endpoint device, and the second IPsec tunnel may be a second communication channel for transmitting the data between the first endpoint device and the second endpoint device. The first endpoint device may select, based on the first metric and the second metric, the first IPsec tunnel or the second IPsec tunnel as a selected IPsec tunnel for transmitting the data toward the second endpoint device. The first endpoint device may transmit the data toward the second endpoint device via the selected IPsec tunnel.

Abstract: A network management system (NMS) is described that provides a granular troubleshooting workflow at an application session level using an application session-specific topology from a client device to a cloud-based application server. During an application session of a cloud-based application, a client device running the application exchanges data through one or more access point (AP) devices, one or more switches at a wired network edge, and one or more network nodes, e.g., switches, routers, and/or gateway devices, to reach a cloud-based application server. For a particular application session, the NMS generates a topology based on network data received from a subset of network devices, e.g., client devices, AP devices, switches, routers, and/or gateways, that were involved in the particular application session over a duration of the particular application session. In this way, the NMS enables backward-looking troubleshooting of the particular application session.

Abstract: A disclosed Thermal Test Vehicle (TTV) for simulating the thermal characteristics of a certain integrated circuit may include (1) a substrate that serves as both (A) an electrical insulator that resists electrical energy and (B) a thermal conductor that conducts thermal energy and (2) one or more resistive elements coupled to the substrate, wherein the resistive elements extend across a majority of at least one dimension of the substrate. Various other apparatuses, systems, and methods are also disclosed.

Abstract: The disclosure describes techniques that enable detection of memory leaks of software executing on devices within a computer network. An example network device includes memory and processing circuitry. The processing circuitry monitors a usage of the memory by a software component operating within the network device. The processing circuitry periodically determines a memory growth pattern score for the software component based on the usage of the memory. The processing circuitry also predicts whether the user-level process is experiencing a memory leak based on the memory growth pattern score. The processing circuitry applies confirmation criteria to current memory usage of the software component to confirm that the software component is experiencing the memory leak. When the software component is experiencing the memory leak, the processing circuitry generates an alert.