Abstract: ECMP forwarding includes identifying and selecting an ECMP group of equal cost paths to a destination using destination information contained in a received packet. A member from the selected ECMP group is selected based on the ingress port on which the packet was received. The received packet is forwarded on the port that can reach the next hop associated with the selected member.
Abstract: Advertising a Selective Provider Multicast Service Interface Auto-Discovery (S-PMSI-AD) route to advertise encapsulation of a multicast group is triggered by receiving multicast traffic for that group from a host device behind the provider edge (PE) device. Multicast traffic received from behind remote PEs will not trigger an S-PMSI-AD route. Address Resolution Protocol (ARP) is used to determine whether a host is behind a PE or not behind a PE.
Abstract: A method of allocating programmable memory in a network device includes receiving a set of desired features for the network device, and determining a plurality of constraints associated with the set of desired features. The plurality of constraints are converted into a plurality of Boolean representations of the constraints, and a feasibility is evaluated for the desired features based on the plurality of constraints.
Type:
Grant
Filed:
March 25, 2022
Date of Patent:
October 8, 2024
Assignee:
Arista Networks, Inc.
Inventors:
Maxime Daniel Lorrillere, Suhas Raghunath Joshi
Abstract: A distributed wireless gateway comprises several switches. Each switch is coupled to a respective set of wireless access points. When a given switch receives a packet from one of its wireless access points, it creates a mapping between that access point and the host that sent the packet to the access point. The given switch advertises to other switches in the distributed wireless gateway reachability information that maps that host to the switch, enabling the other switches to identify the given switch as the next hop when they receive a packet destined for that host.
Type:
Grant
Filed:
April 25, 2023
Date of Patent:
September 17, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Mitchell Ryan Jameson, Chandrashekhar Appanna
Abstract: In general, in one aspect, embodiments relate to a network device for forwarding packets as part of a network comprising an adjacent device connected to the network device via a link. The network device includes a switching system for directing the packets between ports of the network device, wherein a port of the ports is operably connected to the adjacent device via the link, and a switching system manager programmed to: identify a failure of the link, in response to identifying the failure of the link, perform a multi-tiered next hop failover of the switching system based on the failure of the link to obtain an updated switching system that does not forward the packets using the failed link, and forward a portion of the packets using the updated switching system.
Abstract: A command line interface in a network device provides for specifying Virtual Local Area Network (VLAN) tag manipulations using range mappings to avoid error-prone repetitive configuration. A flexible VLAN tag range mapping is described, where the original and transformed ranges can be specified for both inner and outer positions, as long as the number of tags on either side of the transformation is the same.
Type:
Grant
Filed:
November 2, 2021
Date of Patent:
September 10, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Nicholas Tan, Wade Carpenter, Kartik Chandran, Adam James Sweeney, Chandrashekhar Appanna, Christoph Schwarz, Victor Wen
Abstract: An automated framework provides security monitoring and analysis in a network by autonomously detecting actual and potential threats to the network. In response to detection of a threat, the framework instantiates a Situation to provide directed monitoring of the threat. The Situation invokes specific skills based on the state of the Situation to monitor network traffic for activity specific to the threat that instantiated the Situation. As data is collected, additional skills may be invoked based on the additional data to collect new data, and previously invoked skills may be terminated depending on the additional data to avoid collecting information that is no longer relevant.
Type:
Grant
Filed:
June 9, 2021
Date of Patent:
August 20, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Keith Amidon, David Pearson, Jeff Polakow, Matthew Park, Gary Golomb
Abstract: A method for managing optical transceivers includes obtaining laser measurements for a laser operating in an optical transceiver in a network device, obtaining a failure profile for the laser, making a first determination that the laser measurements match the failure profile, and based on the first determination, initiating a remediation action for the optical transceiver.
Abstract: A method for managing streams includes obtaining, by a state processing module in a coordination point, a notification for a standing query, and in response to the notification: identifying a storage location in the coordination point associated with a stream of the standing query, initiating a subscription to the standing query using the storage location, reserving a data buffer for the standing query, replicating, based on the standing query, data of the data stream using the storage location, updating the data buffer using the replicated data or a reference to the replicated data to obtain an updated data buffer, and servicing the standing query using the updated data buffer.
Abstract: In a virtual extensible local area network (VxLAN) that includes a deployment of aggregation VxLAN tunnel endpoints (VTEPs) and access point (AP) VTEPs, packet processing by the aggregation VTEPs includes distinguishing between Type 1 VTEPs and Type 2 VTEPs. When the source of an ingress packet and the next hop destination are both Type 1 VTEPs, the ingress packet is dropped.
Type:
Grant
Filed:
March 9, 2021
Date of Patent:
August 6, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Mitchell Ryan Jameson, Chandrashekhar Appanna, Kaushik Kumar Ram
Abstract: Embodiments of the present disclosure include systems and methods for updating packet processing rules of network devices. A request to update a first set of rules stored in the memory with a second set of rules is received. Upon determining the update from the first set of rules to the second set of rules satisfies a defined condition, the first set of rules in the memory is updated with the second set of rules. Upon determining the update from the first set of rules to the second set of rules does not satisfy the defined condition, the update from the first set of rules to the second set of rules is decomposed into a first set of operations and a second set of operations and the first set of rules in the memory are updated with the second set of rules.
Type:
Grant
Filed:
October 26, 2021
Date of Patent:
August 6, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Michael Chen, Peter Delevoryas, Eswaran Baskaran
Abstract: In general, embodiments relate to a network device, including network device hardware including a processor; and memory comprising instructions which, when executed by the processor, perform a method for creating segment mapping in a network. The method includes entering a fallback mode in response to detecting a fallback scenario, determining, based on the fallback mode, a segment identification (ID) for a client device of the network, wherein the segment ID identifies a segment of the network including a client device, obtaining an Internet Protocol (IP) address to segment ID mapping, wherein the client device is associated with the IP address, and processing at least one packet from the client device using the IP address to segment ID mapping.
Abstract: In general, the disclosure relates to a method for creating segment mapping in a network, by a network device. The method includes receiving a segment identification (ID) for a client device of the network from an authentication system. The segment ID identifies a segment of the network including the client device and the network device wherein the segment ID is associated with a media access control (MAC) address of the client device. The network device or a network management system (NMS) determines an internet protocol (IP) address of the client device and the network device creates an IP address to segment ID mapping for the client device using the IP address. The IP address to segment ID mapping is provided to the NMS for distribution to remaining network devices of the network. At least one packet of the client device is processed using the IP address to segment ID mapping.
Abstract: A method for transmitting network traffic across a wide area network (WAN) from a first site to a second site is provided. The method is executed by a first edge network device at the first site that further includes a second edge network device, and the method includes: receiving the network traffic from a client device at the first site; determining, using ipath characteristics and a classification of the network traffic, that the network traffic should be transmitted by the second edge network device to the second site; forwarding, in response to the determination, the network traffic to the second edge network device using a local tunnel over a local area network (LAN) of the first site such that the network traffic is transmitted to the second site by the second edge network device.
Abstract: A network device includes a forwarding information base (FIB). The FIB includes a first number of entries and a default entry. The network device includes a routing information base that includes a second number of entries. The network device includes a FIB entry optimizer that ranks a first portion of the second number of entries based on access information of the first number of entries; ranks a second portion of the second number of entries based on access information of the default entry; and updates at least one entry of the FIB based on the ranks of the first portion of the second number of entries and the ranks of the second portion of the second number of entries. The first number of entries is less than the second number of entries.
Abstract: Embodiments of the present disclosure include techniques for interlocking border gateway protocol and multi-chassis link aggregation group processes for network devices. A first process for configuring a link aggregation group with a second network device is performed. Whether an option to use a media access control (MAC) address shared with the second network device is active is determined. Upon determining that the option to use the MAC address shared with the second network device is active, a second process for configuring the first network device to transmit inter-subnet connectivity information using the shared MAC address is performed.
Abstract: A network address translation (NAT) device may receive a network packet having a network address for translation. The NAT device may determine whether a translation for the network address exists on the NAT device. The NAT device may forward the network packet to a peer NAT device based on a criterion.
Abstract: A routing policy includes policy directives and policy functions. Execution of the routing policy includes invoking a policy function at a point of application in a policy directive. Execution of the invoked policy function can include making any number of nested function calls. When an EXIT statement is encountered in a nested policy function, execution of the policy function terminates and execution of the routing policy continues immediately with the policy directive following the point of application, irrespective of how deeply nested in the invocation hierarchy the policy function is.
Type:
Grant
Filed:
October 25, 2022
Date of Patent:
June 18, 2024
Assignee:
ARISTA NETWORKS, INC.
Inventors:
Oscar Harry Frasier, David Cronin, Keon Matthew Vafai, Matthieu Loriol, Sharad Birmiwal
Abstract: In general, embodiments relate to a method, for managing a network, that includes determining an occurrence of an operational issue on a network device of the network, based on the determining, executing an encoding phase and a causal feature identification phase on a feature database, wherein the feature database is associated with the operational issue, identifying a plurality of potential root causes using the encoding phase and the causal feature identification phase, and performing an action based on the plurality of potential root causes.