Abstract: In one embodiment, a device obtains, from a plurality of routers in a network, a set of routing patches that collectively specify a first set of paths in the network, a second set of paths in the network, and time periods during which traffic is to be rerouted from one of the first set of paths to one of the second set of paths in the network. The device identifies overlapping path segments of the second set of paths in the network. The device makes, based in part on the overlapping path segments, a prediction that two or more of the set of routing patches will cause congestion along paths with overlapping path segments. The device adjusts, based on the prediction, the set of routing patches, to avoid causing the congestion.

Abstract: Various implementations disclosed herein enable malleable routing for data packets. For example, in various implementations, a method of routing a type of data packets is performed by a device. In some implementations, the device includes a non-transitory memory and one or more processors coupled with the non-transitory memory. In some implementations, the method includes determining a routing criterion to transmit a set of data packets across a network. In some implementations, the method includes identifying network nodes and communication links in the network that satisfy the routing criterion. In some implementations, the method includes determining a route for the set of data packets through the network nodes and the communication links that satisfy the routing criterion. In some implementations, the method includes configuring the network nodes that are on the route with configuration information that allows the set of data packets to propagate along the route.

Abstract: Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.

Abstract: Various implementations disclosed herein enable malleable routing for data packets. For example, in various implementations, a method of routing a type of data packets is performed by a device. In some implementations, the device includes a non-transitory memory and one or more processors coupled with the non-transitory memory. In some implementations, the method includes determining a routing criterion to transmit a set of data packets across a network. In some implementations, the method includes identifying network nodes and communication links in the network that satisfy the routing criterion. In some implementations, the method includes determining a route for the set of data packets through the network nodes and the communication links that satisfy the routing criterion. In some implementations, the method includes configuring the network nodes that are on the route with configuration information that allows the set of data packets to propagate along the route.

Abstract: Techniques for utilizing Software-Defined Field-Area Network (SD-FAN) controllers to receive a geographic location and transmission power of individual nodes and generate a geographic location topology of a Field-Area Network (FAN) to provide nodes with location-aware route paths for data transmission. One or more SD-FAN controller(s) may maintain a geographic location database to store the geographic location and transmission power of the individual nodes. Each node may utilize a Destination Address Object to advertise its geographic location and transmission power to the SD-FAN controller. The SD-FAN controller(s) may utilize the geographic location table to generate the geographic location topology of the FAN and determine a location-aware route path for optimized data transmission between nodes in the FAN.

Abstract: Aspects described herein include a mode multiplexer comprising a first optical waveguide extending between a first port and a second port. A first input mode of an optical signal entering the first port is propagated through the first optical waveguide to the second port. The mode multiplexer further comprises a second optical waveguide configured to evanescently couple with a coupling section of the first optical waveguide. A second input mode of the optical signal entering the first port is propagated through the second optical waveguide to a third port. The first optical waveguide further defines a filtering section between the coupling section and the second port, the filtering section configured to filter the second input mode.

Abstract: Embodiments for adaptive inline modulation tuning for optical interfaces is described. The inline modulation tuning is provided by optical nodes, where the optical nodes exchange optical modulation information and node ability information between optical devices in a node pair. An optimal modulation scheme for the node pair is selected based on modulation abilities of each node and associated transceiver, as well as a link quality and performance observed for the optical link.

Abstract: This disclosure describes techniques for managing path counts at a router. The techniques include monitoring available storage space at a router for storing per prefix routes. In an instance where the available storage space at the router may be inadequate to support continued, stable network operations, the techniques include reducing an amount of per prefix routes that are advertised to the router. The techniques may also include withdrawing previously advertised per prefix routes from the router. As such, path count management concepts may help prevent overload of storage space at a router.

Abstract: Parallel Redundancy Protocol (PRP) using non-overlapping Resource Unit (RU) groupings may be provided. A first computing device may associate to a first Access Point (AP) at a virtual Media Access Control (MAC) address. Next, the first computing device may associate to a second AP at the virtual MAC address. Then data from a data frame may be replicated to a first one or more RUs in a channel. The first one or more RUs may be assigned to the first AP. Data from the data frame may then be replicated to a second one or more RUs in the channel. The second one or more RUs may be assigned to the second AP and may not overlap the first one or more RUs.

Abstract: Out-of-link channel sounding using an out-of-band channel sounding link for multi-link devices (MLDs) in a wireless network may be provided. An Access Point (AP) may establish a first Wireless Communication Link (WCL) with a Multi-link Device (MLD). The AP may also establish a second WCL with the MLD. After establishing the first WCL, the AP may transmit a sounding trigger to the MLD on the first WCL. After transmission of the sounding trigger to the MLD on the first WCL, AP may transmit a Channel State Information (CSI) inquiry to the MLD on the second WCL. AP may receive a channel state quantification from the MLD on the second WCL in response to the CSI inquiry.

Abstract: Techniques and mechanisms for providing integrity verified paths using only integrity validated pods of nodes. A network service mesh (NSM) associated with a first pod may locally generate a nonce and provide the nonce to the first pod, where the request includes a request for an attestation token. Using the nonce, the first pod may generate the attestation token and reply back to the NSM. The NSM may generate a second request for an attestation token and forward it to a NSE pod, where the request includes a second locally generated nonce generated by the NSM. The NSE pod may generate the second attestation token using the second nonce and reply back to the NSM. The NSM may then have the attestation tokens verified or validated by a certificate authority (CA) server. The NSM may thus instantiate an integrity verified path between the first pod and the NSE pod.

Abstract: This disclosure describes techniques for providing a network diagnostic system with on-premise node processing and cloud node processing to optimize bandwidth usage and decrease memory footprint. The on-premise node may receive streaming telemetry from connected network devices and encode to the telemetry data into filtered data objects. The on-premise node may determine whether the state of a network device has changed to determine to push the filtered data object to a cloud node for further diagnostic analysis. The cloud node may include a gateway and a pool of proxy servers, wherein each proxy server is designated to perform diagnostic analysis on a single product type.

Abstract: Techniques for selective association and denial of association are provided. Association requests from a first device and a second device are received at an access point. A first media access control (MAC) address of the first device is determined, and a second MAC address of the second device is determined. A first role of the first device and a second role of the second device are each identified, based on a predefined mapping between MAC addresses and roles. Upon determining that the first device is associated with the first role, a unicast response is returned to the first device, where the unicast response includes an association disallowed frame. Additionally, upon determining that the second device is associated with the second role, a unicast response is returned to the second device, where the unicast response allows the second device to associate with the access point.

Abstract: An integrated circuit (IC) package having multiple ICs is provided. The IC package includes a printed circuit board (PCB) having a cutout region and a substrate disposed above the PCB. The substrate includes a first cavity on a first surface of the substrate. The IC package also includes a first IC disposed on a second surface of the substrate and in the cutout region of the PCB, The IC package further includes a second IC disposed above the substrate, and a first device disposed on the second IC and in the first cavity on the first surface of the substrate.

Abstract: Techniques for monitoring Voice-over-IP (VoIP) network services over the Internet are disclosed. In some embodiments, a system, process, and/or computer program product for monitoring and/or troubleshooting VoIP network services over the Internet includes performing VoIP call initiation testing using a source agent and a target agent; performing synthetic VoIP call quality testing using the source agent and the target agent over the Internet; and generating a report based on the VoIP call initiation testing and the synthetic VoIP call quality testing over the Internet.

Abstract: In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.

Abstract: Customized feature vectors are used to train a machine learning algorithm to automatically identify a network component where a network fault has occurred. A database comprising network components and associated network faults is analyzed to select a set of network components associated with the largest quantity of network faults. Customized features associated with the network faults are identified and selected for use in a feature vector as input to a machine learning algorithm. The features are selected based upon analysis of consistency checks, component configuration limits, and network wide configurations.

Abstract: Techniques for policy-based connection provisioning using Domain Name System (DNS) requests are described herein. The techniques may include receiving policy data associated with one or more headend nodes that manage connections to computing resources. Additionally, the techniques may include receiving a DNS request from a client device to establish a connection between the client device and a first headend node of the one or more headend nodes. The DNS request may include an attribute associated with the client device. A provisioning service may determine that the connection should be established between the client device and the first headend node based at least in part on evaluating the attribute with respect to the policy data. Additionally, the techniques may include sending an internet protocol (IP) address, which is associated with the first headend node, to the client device to facilitate establishment of the connection.

Abstract: Aspects described herein include an optical apparatus comprising a plurality of light-carrying media, a wavelength division multiplexing (WDM) device optically coupled with the plurality of light-carrying media, and a lens arranged between the WDM device and a multicore optical fiber. An arrangement of the plurality of light carrying media and the WDM device are selected to align each of the plurality of light-carrying media with a respective optical core of the multicore optical fiber.

Abstract: In various embodiments, a device classification service makes a determination that an endpoint device in a network is eligible for expedited device classification based on a policy. The device classification service obtains, after making the determination that the endpoint device in the network is eligible for expedited device classification, telemetry data regarding the endpoint device generated by actively probing the endpoint device. The device classification service determines whether the telemetry data regarding the endpoint device matches any existing device classification rules. The device classification service generates, based on the telemetry data, a device classification rule that assigns a device type to the endpoint device, when the telemetry data does not match any existing device classification rules.