Abstract: A device receives border gateway protocol (BGP) data associated with links provided in a segment routing network. The segment routing network includes a first autonomous system (AS) with first network devices interconnected by a first portion of the links, a second AS with second network devices interconnected by a second portion of the links, and an inter-AS link provided between one of the first network devices and one of the second network devices. The device filters prefixes of the BGP data to identify BGP data associated with the inter-AS link, where the BGP data associated with the inter-AS link includes data identifying state information associated with the inter-AS link. The device determines an operational state of the inter-AS link based on the BGP data associated with the inter-AS link, and performs one or more actions based on the operational state of the inter-AS link.

Abstract: Techniques are disclosed for session-based routing of multipoint Open Systems Interconnection (OSI) Model Layer-2 (L2) frames of an L2 network extended over Layer-3 (L3) networks. In one example, L2 networks connect a source device to an ingress router and receiver devices to egress routers. An L3 network connects the ingress and egress routers. The ingress router receives, from the source device, a multipoint L2 frame destined for the receiver devices. The ingress router forms, for each egress router that is connected to at least one multipoint receiver device, a unicast L3 packet for the L2 frame and forwards the unicast L3 packet to the egress router. Each egress router generates, in response to receiving the unicast L3 packet, the multipoint L2 frame and forwards, to the receiver devices, the multipoint L2 frame.

Abstract: A network device may communicate with another network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the network device and the other network device. The network device may determine that the other network device is unavailable. The network device may cause, based on determining that the other network device is unavailable, an MKA state of the network device to be placed in a paused state. The network device may receive, after causing the MKA state of the network device to be placed in the paused state, a packet from the other network device via the MKA communication link. The network device may determine, based on the packet, that the MKA session has not ended. The network device may continue, based on the MKA session having not ended, the MKA session by reactivating the MKA state.

Abstract: A first packet forwarding plane (PFE) of a network device may receive a packet and may perform a first lookup for the packet. The first PFE may provide the packet to a service plane based on the first lookup. The service plane may apply a service to the packet and may provide the packet to the first PFE. The first PFE may perform a second lookup. The first PFE may provide the packet to a second PFE of the network device based on the second lookup and may store flow information associated with the packet and second PFE information in a table. The network device may provide the flow information and the second PFE information from the table to the service plane to cause the service plane to send subsequent packets directly to the second PFE thereby saving fabric, memory, and processing bandwidth and improving overall network performance.

Abstract: This disclosure describes a network management system (NMS) configured to determine a particular network device of a plurality of network devices based on a first user input in a conversational assistant. The one or more processors are further configured to identify a set of actionable insights for the particular network device based on network data received from the plurality of network devices and determine a set of views of a dashboard based at least on the set of actionable insights, wherein each view of the set of views displays a portion of the network data received from the plurality of network devices. The one or more processors are further configured to select a view of the set of views of the dashboard based on a second user input in the conversational assistant and cause the dashboard to display the selected view.

Abstract: This disclosure describes a system including a plurality of access point (AP) devices configured to provide a wireless network at a site; and a network management system (NMS) including a memory storing client-side data collected by a plurality of client devices associated with the wireless network and storing location data associated with each of the plurality of client devices generated by a location engine in response to location requests issued by each of the plurality of client devices, and one or more processors coupled to the memory and configured to determine, based on at least one of the client-side data and the location data, one or more location metrics associated with the location requests issued by the plurality of client devices.

Abstract: Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.

Abstract: In general, techniques are described for a creating a virtual network router within a software defined network (SDN) architecture. A network controller for the SDN architecture system may include processing circuitry that is configured to execute a configuration node and a control node. The configuration node may process a request by which to create a virtual network router (VNR), where the virtual network router may cause the network controller to interconnect a first virtual network (VN) and a second VN. The VNR may represent a logical abstraction of one or more policies that cause import and/or export of routing information between the first VN and the second VN. The control node configures the first VN and the second VN according to the one or more policies to enable the import and/or the export of routing information between the first VN and the second VN via the VNR.

Abstract: In general, techniques are described for retrieving operational command response text from network devices. A collector network device comprising an interface and a processor may be configured to perform the techniques. The interface may receive, via a messaging bus between the network management system and a webserver, a first command to request management data stored by a managed network device, and send, in response to the first command, a second command to direct the managed network device to output the management data. The interface may also receive, from the managed network device, the management data. The processor may generate, from the management data, a plurality of partial responses that each includes a portion of the management data, where the interface may next send, via the messaging bus and to the webserver, each of the plurality of partial responses as a separate message.

Abstract: The same prefix segment identifier (SID) may be configured and/or used for either (A) more than one prefix within an interior gateway protocol (IGP) domain, or (B) one prefix with more than one path computation algorithm within the IGP domain by: (a) receiving, by a node in the IGP domain, an IGP advertisement including both (1) a prefix SID and a segment routing global block (SRGB) slice identifier; (b) determining whether or not the SRGB slice identified by the SRGB slice identifier is provisioned on the node; and (c) responsive to a determination that the SRGB slice identified by the SRGB slice identifier is not provisioned on the node, not processing the prefix SID included in the received IGP advertisement, and otherwise responsive to a determination that the SRGB slice identified by the SRGB slice identifier is provisioned on the node, (1) processing the prefix SID and SRGB slice to generate a unique, per SRGB slice, MPLS label for the prefix, and (2) updating a label forwarding information base (LFIB)

Abstract: A computing system includes a storage device and processing circuitry having access to the storage device. The processing circuitry is configured to receive a sequence of channel state information (CSI) samples, and calculate, based on the sequence of CSI samples, frequency domain information including a set of frequency domain values for each frequency band of a plurality of frequency bands. The processing circuitry is further configured to select a set of frequency bands of the plurality of frequency bands; and calculate, based on the set of frequency domain values for each frequency band of the set of frequency bands, a set of similarity values. Additionally, the processing circuitry is configured to determine, based on the set of similarity values, information indicative of one or more characteristics of a space between a first computing device and a second computing device, and perform an action based on the information.

Abstract: A network management system (NMS) is configured to control roaming in a wireless network using a variable mobility threshold. For a first wireless device associated with a current location, the NMS obtains at least one performance metric of a first wireless signal received by the first wireless device at the current location from a first AP of a plurality of APs, compares the at least one parameter of the first wireless signal to at least one performance metric of a second wireless signal received by at least one other wireless device at the current location from a second AP of the plurality of APs, and triggers a roaming operation of the first wireless device from the first AP to the second AP if the comparison satisfies a mobility threshold that varies based on the at least one performance metric of the first wireless signal.

Abstract: Disclosed embodiments utilize a layer three and/or layer four protocol to collect physical layer properties along a multi-hop network path between a source node and a destination node. The use of a layer three or layer four protocol provides an ability to span multiple links or networks between the source node and destination node, while also collecting the physical layer properties. Once physical layer properties along a network path can be understood, decisions relating to the configuration of the network path and/or whether to communicate via the network path are improved.

Abstract: A device may receive license data identifying device licenses and organization licenses associated with an organization of users of a multi-tenant system, and may identify, in the license data, entitlements for licenses associated with the organization. The device may combine the entitlements to generate combined entitlements, and may determine an entitlement count of the combined entitlements. The device may add quantities of new entitlements to the entitlement count, and may identify, in the license data, roles of the users and capabilities associated with each of the roles. The device may map the entitlements and the capabilities to generate a mapping, and may authorize a particular user based on the mapping. The device may process usage of the entitlements, with a machine learning model, to predict future usage of the entitlements, and may determine entitlement recommendations based on the future usage. The device may provide the entitlement recommendations for display.

Abstract: BIER architecture currently does not support anycast, in that each BIER Forwarding Router (BFR) has its own unique BFR-prefix and BFR-ID. BIER signaling protocols also check if there are duplicate BFR-IDs advertised. Anycast support with BIER is described. The description updates (e.g., relaxes and/or removes some requirements of) RFC 8279, RFC 8401, and RFC 8444.

Abstract: A first provider edge device may receive device information from a second provider edge device included in an Ethernet virtual private network (EVPN). The device information may identify a media access control (MAC) address and may indicate that the device is connected to the second provider edge device. The first provider edge device may receive data transmitted by the device and may determine, based on information included in the data, that the device has moved from the second provider edge device to the first provider edge device. The first provider edge device may generate a data packet including mobility information indicating that the device has moved to the first provider edge device. The first provider edge device may transmit, via a data plane of the EVPN, the data packet to the second provider edge device to permit the second provider edge device to update routing information for the device.

Abstract: The present invention addresses the need for improved virtualized cloud infrastructure policy implementation and management in order allow real-time monitoring and optimization of virtualized resources. It provides systems and methods for real-time cloud infrastructure policy implementation and management that include a plurality of host devices, a plurality of real-time probe agents associated with the plurality of host devices operating on each of the plurality of host devices, and a policy engine communicatively coupled to the plurality of host devices and containing a policy associated with an application program deployed in at least one of the plurality of host devices. The policy engine is programmed to monitor in real time changes in deployment of the application program across the plurality of host devices and to push the policy to the real-time probe agent operating on each host device on which the application program is deployed.

Abstract: A method includes receiving, by a network management system, network data from a plurality of network devices configured to provide a network at a site; receiving, by the processing circuitry, user impact data from a plurality of client devices that access the network at the site; determining, based on the network data, a pattern of one or more network events occurring over time; correlating in time the pattern of the one or more network events to an adverse user impact event indicated by the user impact data received from the plurality of client devices; and determining, in response to the correlating, an instance of overwhelming network traffic having an adverse user impact. In some examples, the network data includes network traffic impact data, such as a number of packets dropped at a switch port due to congestion.

Abstract: A plurality of switches may be arranged according to a spine and leaf topology in which each spine switch is connected to all leaf switches. A leaf switch includes a memory configured to store a plurality of policies, each of the plurality of policies being associated with a respective source identifier value and a respective destination address; a network interface communicatively coupled to one of the spine switches; and a processor implemented in circuitry and configured to: receive a packet from the spine switch via the network interface, the packet being encapsulated with a Virtual Extensible Local Area Network (VXLAN) header; extract a source identifier value from the VXLAN header; determine a destination address for the packet; determine a policy of the plurality of policies to apply to the packet according to the source identifier value and the destination address; and apply the policy to the packet.

Abstract: In one example, a method includes obtaining, by a policy controller for a virtualization infrastructure, a first profile for a first group of one or more elements, the first profile comprising a first ruleset having one or more alarms; obtaining, by the policy controller, a second profile for a second group of one or more elements, the second profile comprising a second ruleset having one or more alarms; receiving, by the policy controller, configuration data configuring an element of the virtualization infrastructure as a member of the first group of one or more elements and as a member of the second group of one or more elements; generating, by the policy controller based on the configuration data, a profile for the element comprising the first ruleset and the second ruleset; and outputting, by the policy controller to a computing device, the profile for the element.