Abstract: Techniques are disclosed for providing automatic policy configuration for packet flows. For example, a computing device comprises a virtual node and one or more virtual execution elements coupled to the virtual node. The computing device may also comprise one or more processors configured to: receive a packet originating from an application workload hosted on the one or more virtual execution elements and destined for a remote destination device; determine the packet is part of a new packet flow; in response, configure, by a kernel of the computing device and without sending the packet to a user space of the computing device, a policy for a forward packet flow for the new packet flow; configure, by the kernel, a policy for a reverse packet flow associated with the forward packet flow; and send the packet toward the remote destination device in accordance with the policy for the forward packet flow.

Abstract: A power supply assembly includes an input module that includes one or more captive screws, one or more first power supply connection components, and one or more first input feed connection components; and a power supply unit that includes one or more captive screw connection switches, one or more second power supply connection components, and one or more second input feed connection components. The input module is to physically and electrically connect to the power supply unit; the one or more captive screws are to physically engage, respectively, the one or more captive screw connection switches; the one or more first power supply connection components are to physically and electrically connect to, respectively, the one or more second power supply connection components; and the one or more first input feed connection components are to physically and electrically connect to, respectively, the one or more second input feed connection components.

Abstract: A virtual port group abstraction can facilitate automated configuration of devices in a data center. For example, a data center administrator can define a virtual port group to include a set of logical and physical interfaces for devices allocated to a particular department or other group within a company. An administrator for the department can then utilize a user interface to perform actions with respect to the virtual port group. The actions can include configuration actions, modeling actions and/or deployment actions. An action received by a network management controller such as a Software-Defined Networking (SDN) controller can be converted into the appropriate actions for the relevant logical and physical interfaces that are configured to be part of the virtual port group.

Abstract: An example first network device includes a control unit configured to execute at least one application and a forwarding unit. The forwarding unit includes an interface configured to receive packets, at least one packet processor operably coupled to a memory, and a forwarding path, wherein at least a portion of the forwarding path is stored in the memory and is executable by the at least one packet processor. The forwarding unit is configured to receive an advertisement originated by a second network device in a network, wherein the advertisement specifies a second micro segment identifier (SID), and store, in a destination lookup table, a route entry comprising a first micro SID associated with the first network device and the second micro SID.

Abstract: A virtual network device may identify a cloud provider associated with the virtual network device, and may provide a request for public network addresses and private network addresses associated with the cloud provider. The virtual network device may receive the public network addresses and the private network addresses from the cloud provider based on the request, and may generate a translation table that maps the public network addresses and the private network addresses. The virtual network device may utilize the translation table to establish a secure communication between an endpoint device and a server device, where the secure communication is associated with at least one packet that requires an inner payload network address change.

Abstract: A disclosed apparatus may include (1) a heat-emitting component, (2) a heatsink that includes a designated area thermally coupled to the heat-emitting component, (3) a plurality of springs that apply forces that support the thermal coupling between the designated area of the heatsink and the heat-emitting component, and (4) a pressure plate that concentrates the forces applied by the springs toward the designated area of the heatsink. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In general, techniques are described for deploying a logically-related group of one or more containers (“pod”) that supports the Data Plane Development Kit (DPDK) to support fast path packet communication on a data channel between a virtual router and the pod. In an example, a computing device comprises a virtual router comprising processing circuitry and configured to implement, in a computing infrastructure that includes the computing device, a virtual network to enable communications among virtual network endpoints connected via the virtual network. The computing devices comprises a pod comprising a containerized application, wherein the virtual router and the pod are configured to create a Unix domain socket using a file system resource that is accessible by the pod and by the virtual router and is not accessible by any other pods deployed to the computing device.

Abstract: In general, this disclosure describes techniques for providing a hybrid data plane that can include a kernel-based data plane and a Data Plane Development Kit (DPDK)-based data plane. An example system includes a DPDK-based virtual router configured to send and receive packets via a physical network interface, and a kernel network stack configured to perform tunneling processing for packets destined to a containerized application and received by the DPDK-based virtual router via the physical interface.

Abstract: An example network analysis system includes a memory storing telemetry data received from a plurality of network devices, the plurality of network devices includes extract entity information and connectivity information from the received telemetry data, wherein the entity information represents one or more network devices of the plurality of network devices and the connectivity information represents network connections between one or more devices of the plurality of network devices; and store the connectivity information and entity information as a network topology graph in a graph database, wherein the entity information is stored as nodes of the network topology graph and the connectivity information is stored as edges of network topology graph, and wherein the network topology graph represents an organization level topology of the organization network.

Abstract: An example method includes receiving, by a software-defined networking in a wide area network (SD-WAN) system having a first WAN link and a second WAN link for an SD-WAN service, WAN link characterization data for the first WAN link over a time period; determining, by the SD-WAN system based on processing the WAN link characterization data for the first WAN link using a machine learning model trained with historical WAN link characterization data for one or more WAN links, an indicator of a predicted performance metric of the first WAN link at a future time; and reassigning, by the SD-WAN system based on the indicator, an application from the first WAN link to the second WAN link.

Abstract: In some implementations, a network device may establish a secure connection between the network device and another network device based on a first set of keys generated by the network device, wherein the first set of keys are generated based on a first connectivity association key (CAK) and the secure connection is established based on a media access control security (MACsec) protocol. The network device may transmit a message to the other network device, wherein the message includes an indication of a second CAK. The network device may communicate data via the secure connection based on a second set of keys, wherein the second set of keys are generated based on the second CAK.

Abstract: In one example, a network management system (NMS) device manages a plurality of network devices. The device includes a memory configured to store data representing a data model for a plurality of network devices managed by the NMS, and one or more processors configured to retrieve data representing the data model, construct a GraphQL model having a plurality of nodes, each of the nodes corresponding to one of the network devices according to the data model store data representing properties of the network devices associated with corresponding nodes of the GraphQL model according to the data model, receive a GraphQL query including data representing at least one query property, determine which of the nodes has a property matching the at least one query property, and return data identifying which of the network devices corresponds to the nodes having the property matching the at least one query property.

Abstract: Disclosed are embodiments for automatically resolving faults in a complex network system. Some embodiments monitor one or more of system operational parameter values and message exchanges between network components. A machine learning model detects a fault in the complex network system, and an action is selected based on a cause of the fault. After the action is applied to the complex network system, additional monitoring is performed to either determine the fault has been resolved or additional actions are to be applied to further resolve the fault.

Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.

Abstract: Methods and apparatus for automatically identifying and correcting faults relating to poor communications service in a wireless system, e.g., in real time, are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. Access points (APs), which have been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures messages, store captured messages, and in collaboration with network monitoring apparatus which can be in an AP or external thereto, use message sequences to determine a remedial action to be automatically taken when poor service is likely as may be predicted based on the detected message sequence between a UE and one or more APs.

Abstract: Techniques are disclosed for managing a network. In one example, a device configuration manager is configured to generate, in accordance with a device management protocol, a configuration change request representing a transaction having a first sub-transaction specifying a first configuration change for a network device of the network and a second sub-transaction specifying a second configuration change for the same network device. The device configuration manager is further configured to output the configuration change request to the network device and receive a reply message from the network device. The reply message includes a first response element specifying whether the first configuration change is successfully committed at the network device and a second response element specifying whether the second configuration change is successfully committed at the network device.

Abstract: A device receives information identifying a specific host threat to a network, where the information includes a list of network addresses associated with the specific host threat. The device identifies network elements, of the network, associated with the specific host threat to the network, and determines a network control system associated with the identified network elements. The device determines a policy enforcement group of network elements, of the identified network elements, that maps to the list of network addresses associated with the specific host threat, where the network control system is associated with the policy enforcement group of network elements. The device determines a threat policy action to enforce for the specific host threat, and causes, via the network control system, the threat policy action to be enforced by the policy enforcement group of network elements.

Abstract: In an example, a method comprises executing, by an access network user plane function (ANUP) for a mobile network, an access network protocol to implement a connection with a user equipment (UE); implementing, by the ANUP, based on session data received from a control plane function of a mobile core network for the mobile network, an interface with a data network; and routing or switching, by the ANUP, packets between the connection with the UE and the interface with the data network.

Abstract: A test fixture, for a heatsink, may include a probe assembly with a thermocouple probe configured to removably contact a bottom surface of a pedestal of the heatsink, and measure a surface temperature of the heatsink. The test fixture may include an insulator housing configured to house the probe assembly and a heater block, and to insulate the probe assembly from the heater block. The heater block may be provided within the insulator housing and may be configured to provide heat to the heatsink via the bottom surface of the pedestal of the heatsink. The test fixture may include a mounting block connected to the insulator housing and configured to connect to the heatsink.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.