Abstract: Network devices are securely provisioned through authenticated ZTP servers. In some approaches, a storage device local to the network device includes information for connecting with and authenticating a local or remote ZTP server. This information may include a root of trust to use when connecting with a designated ZTP server. The ZTP server may be identified using either a dynamic host configuration protocol (DHCP) server or a network address specified in the local memory storage. In an approach, the local memory storage is a removable USB flash memory device inserted into the network device when the device is booted up. In another approach, the ZTP authentication information is stored within memory integrated within the network device. Once a ZTP server is connected to the network device, a secure connection may be established such as a secure transport layer session (TLS) utilizing the root of trust.

Abstract: A packet forwarding network may include spine and leaf switches that forward network traffic between end hosts. The packet forwarding network may be implemented on multiple network racks in a rack-based system. A controller may control the underlying spine and leaf switches to form on-premise virtual private cloud (VPC) resources. In particular, the controller may form enterprise VPC (EVPC) tenants, each having a virtual router that performs routing between different segments within the corresponding EVPC tenant. The different segments may separately include web, application, and database servers, as end hosts. The controller may form a system VPC tenant having a virtual system router that performs routing between different EVPC tenants. A segment in an internal VPC tenant formed by the controller and/or an external VPC tenant formed by the controller may provide external network access for one or more of the EVPC tenants.

Abstract: Incoming packets in a switch are associated with one or more group identifiers based on content contained in the incoming packets. Rules for processing the corresponding outgoing packets are identified based at least on the group identifiers associated with the incoming packets. Actions associated with matched rules are applied to the outgoing packets.

Abstract: A method and system for processing network traffic is disclosed. The method includes receiving one or more service policies from a control plane service. For each of service policies, a value pattern is generated using at least one of a source group data item and a destination group data item, and a pattern mask is generated on subset of bit locations in the value pattern. The method includes updating a lookup table to incorporate each of the one or more service policies that entails allocating memory for consolidating a new entry in a portion of the lookup table designated for control plane policies. The new entry includes a binding relating the value pattern and the pattern mask to a lookup table result, and the lookup table result specifies a traffic flow instruction and a priority level included in a service policy of the one or more service policies.

Abstract: In some embodiments, a method receives a first acknowledgement message that acknowledges receipt of a first packet and determines whether the first acknowledgement message is a duplicate of a previous acknowledgement message that was sent previous to the first acknowledgement message. When the first acknowledgement message is the duplicate of the previous acknowledgement message, the method detects when a second acknowledge message is received that acknowledges receipt of a second packet. Then, the method determines that the second acknowledgement message is not the duplicate of the previous acknowledgement message and measures a metric based on the detecting of the first acknowledgement message and the second acknowledgement message.

Abstract: Egress mirroring packets to a CPU includes processing ingress packets in a forwarding pipeline; egressing one or more packets from the forwarding pipeline to a first physical port of the switch; mirroring the one or more packets on the first physical port to a second physical port of the switch; recirculating the one or more packets on the second physical port to the forwarding pipeline, wherein the one or more packets on the second physical port become ingress packets on the second physical port and processing the recirculated one or more packets in the forwarding pipeline includes identifying packets that ingress on the second physical port; and sending the identified packets to a central processing unit (CPU) in the switch.

Abstract: Techniques disclosed herein provide a method for configuring a network in DCI environment. An EVPN session is established between a first gateway device of a first network, and a second gateway device of a second network that are linked by L2 DCI link. An ESI is allocated for that EVPN session. A label is created for every combination of the ESI and media access control virtual routing and forwarding table (MAC VRF) that is locally configured at the first gateway device. An EVPN path is received for a host in the first network that is associated with MAC VRF. The path in imported the first MAC VRF by the first gateway device and exported via the inter-DCI EVPN session. The second gateway device identifies a label for MAC and re-exports it in local EVPN session with the identified label.

Abstract: A network device includes a first agent programmed to provide a functionality of the network device. The network device also includes a message bus, distinct from the first agent, that identifies an update associated with the first agent, the update includes differential state information based, at least in part, on a state of the first agent, the state of the first agent is stored in a data structure exclusively managed by the first agent; in response to identifying the update: identifies a second agent that is subscribed to the first agent; and performs an action set to provide the second agent with access to the update.

Abstract: Systems and methods for implementing polymorphic allocators in an operating system are disclosed. An illustrative method includes a method of allocating memory space in a memory by creating a first allocator. In response to receiving a first request to allocate memory space in the memory for a data buffer instance using the first allocator, the method allocates one or more pages of a first region in the memory by populating one or more entries of an allocator table. The one or more entries of the allocator table correspond to the one or more pages of the first region. The entries of the allocator table are indexed by page indexes corresponding to page addresses identifying the pages of the first region in the memory. Each of the populated entries of the allocator table includes a specific allocator identifier identifying a corresponding allocator to that entry.

Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.

Abstract: In general, the embodiments relate to systems and methods for receiving and processing network traffic data units (NTDUs) by one or more edge devices in order to generate a global ordering of NTDU. The methods include receiving, at an aggregator, a first set of locally ordered NTDUs from a first edge device, receiving, at the aggregator, a second set of locally ordered NTDUs from a second edge device, generating a globally ordered sequence of NTDUs using the first set of locally ordered NTDUs and the second set of locally ordered NTDUs; and transmitting the globally ordered sequence of NTDUs to a destination.

Abstract: In general, embodiments described herein relate to methods and systems for reorganizing processing information hierarchies to remove duplicative and/or redundant portions of a processing information hierarchy such that they, for example, require fewer resources of the network devices on which they are stored.

Abstract: Techniques described herein provide for expediting routing convergence in EVPN with multihomed ethernet segment when one of the redundant devices loses connection to the ethernet segment. When a first redundant device receives EVPN auto discovery (AD) route advertising an ethernet segment from a second redundant device, it creates an entry for a forwarding table. The entry has, for an advertised MAC address, a local identifier of the ethernet segment (marked as active next hop) and the identifier of the second network device (marked as backup next hop). When a packet for that MAC address is received, the first redundant device routes the data using data from the entry. In particular, the first redundant device uses the local identifier of the ethernet segment as next hop when the ethernet segment link is active; and uses the identifier of the second network device as next hop when the ethernet segment is down.

Abstract: A method and system for processing network traffic data units (NTDUs) is disclosed. The method includes establishing a virtual tunnel between a wireless access point (WAP) and a network device. A NTDU is received by the WAP from a client device, and the virtual tunnel is identified upon which to transmit the NTDU based on a header of the NTDU according to a policy. The policy maps a portion of the header to a plurality of available virtual tunnels. The NTDU is transmitted, via the virtual tunnel, to the network device.

Abstract: Processing an ingress packet in a packet pipeline to determine a forwarding rule includes identifying a matching rule in each forwarding table in the pipeline. Prefix lengths of the respective matching rules are compared. The matching rule with the greatest prefix length serves as the basis for forwarding an egress packet.

Abstract: A method and apparatus of a network element that processes a packet in the network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element receives a packet, with a packet switch unit, wherein the packet was received by the network element on an ingress interface. The network element further determines if the packet is to be stored in an external queue. In addition, the network element identifies the external queue for the packet based on one or more characteristics of the packet. The network element additionally forwards the packet to a packet storage unit, wherein the packet storage unit includes storage for the external queue. Furthermore, the network element receives the packet from the packet storage unit and forwards the packet to an egress interface corresponding to the external queue.

Abstract: Systems and methods for creating a new entry in a hierarchical state data structure with object entries is disclosed. The method includes allocating a shared memory buffer for a new entry in a shared memory. A request to create the new entry for a child object in a hierarchical state data structure in the shared memory is received. The new entry is to span at least one shared memory buffer uniquely identifiable in a location of the shared memory. The child object is a logical representation of a state of a system. In response to a request for an allocation of a shared memory buffer within a region of the shared memory for the new entry, a location identifier corresponding to a location of a parent entry holding a parent object to the child object in the hierarchical state data structure of an allocated region is received. The child object is created in the shared memory buffer for the new entry, and the new entry is available for concurrent access by one or more readers of the shared memory.

Abstract: Methods, computer readable mediums, and systems for securing network traffic data. The method of securing network traffic data may include obtaining a network traffic data unit, that includes: a payload; forwarding information, that includes: a first forwarding portion; and a second forwarding portion that indicates a network tunnel; encryption type information; and encryption location information; analyzing a first segment of the first forwarding portion to obtain a first forwarding location; modifying the network traffic data unit, based on the encryption type information and the encryption location information, to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit to the first forwarding location.

Abstract: Some embodiments provide a method, executable by a network device, that receives a packet from a network at a first port of the network device. The method further sends the packet to a second port of the network device. The second port includes an interface and a loopback function implemented at an egress of the interface. The loopback function is configured to transmit the packet back to the network device through the interface. The interface is configured to truncate the packet upon receiving the packet from the loopback function. Upon receiving the truncated packet from the interface of the second port, the method also forwards the truncated packet to a device through a third port of the network device that is coupled to the device.

Abstract: A method for initializing the border gateway protocol (BGP) on network devices. The method includes initializing a plurality of BGP convergence variables corresponding to a plurality of BGP sessions with a plurality of peer network devices. The first network device initializes the plurality of BGP sessions with the plurality of peer network devices, and receives from each of the plurality of peer network devices, route updates and a plurality of markers. The BGP convergence variables are updated and it is determined that first network device has received all the route updates. The duration of the BGP session is less than a C_TIMEOUT value for that peer network device, exceeds an I_P_TIMEOUT value, where the C_TIMEOUT value is greater than the I_P_TIMEOUT value. The first network device updates a routing information base (RIB) using the route updates and updates a forwarding information base (FIB) using the updated RIB.