Abstract: In general, various aspects of the techniques are described in this disclosure for distributed label assignment for labeled routes. In one example, a method includes obtaining, by a first thread of a plurality of execution threads for at least one routing protocol process executing on processing circuitry of a network device, an allocation of first labels drawn from a label space for a network service; adding, by the first thread, the first labels to a first local label pool for the first thread; generating, by the first thread, after obtaining the allocation of the first labels, a labeled route comprising a route for the network service and a label assigned by the first thread from the first local label pool; and outputting, by the network device, the labeled route.

Abstract: Embodiments of the invention describe apparatuses, optical systems, and methods for utilizing a dynamically reconfigurable optical transmitter. A laser array outputs a plurality of laser signals (which may further be modulated based on electrical signals), each of the plurality of laser signals having a wavelength, wherein the wavelength of each of the plurality of laser signals is tunable based on other electrical signals. An optical router receives the plurality of (modulated) laser signals at input ports and outputs the plurality of received (modulated) laser signals to one or more output ports based on the tuned wavelength of each of the plurality of received laser signals. This reconfigurable transmitter enables dynamic bandwidth allocation for multiple destinations via the tuning of the laser wavelengths.

Abstract: A ring node N belonging to a resilient MPLS ring (RMR) provisions and/or configures clockwise (CW) and anti-clockwise (AC) paths on the RMR by: (a) configuring two ring node segment identifiers (Ring-SIDs) on the ring node, wherein a first of the two Ring-SIDs (CW-Ring-SID) is to reach N in a clockwise direction on the ring and a second of the two Ring-SIDs (AC-Ring-SID) is to reach N in an anti-clockwise direction on the ring, and wherein the CW-Ring-SID and AC-Ring-SID are unique within a source packet routing in networking (SPRING) domain including the ring; (b) generating a message including the ring node's CW-Ring-SID and AC-Ring-SID; and (c) advertising the message, via an interior gateway protocol, for receipt by other ring nodes belonging to the ring such that (1) a clockwise multipoint-to-point path (CWP) is defined such that every other one of the ring nodes belonging to the ring can be an ingress for the CWP and such that only the node is an egress for the CWP, and (2) an anti-clockwise multipoint-

Abstract: A network device may receive packets, wherein the network device includes a first routing component, a second routing component, a first forwarding component, a second forwarding component, and a physical interface card concentrator with multiple physical interface cards. The first routing component may provide, to the physical interface card concentrator, a signal indicating that the second forwarding component is to be an active forwarding component. The physical interface card concentrator may cause, based on the signal, a data path for the multiple physical interface cards to be switched from the first forwarding component to the second forwarding component. The first routing component may provide the packets to the second forwarding component. The second forwarding component may provide the packets to the multiple physical interface cards via the data path. The multiple physical interface cards may forward the packets toward destinations associated with the packets.

Abstract: An example network device determines to assign a number of global Internet protocol (IP) addresses to respective network interfaces, determines a subnetwork for the network interfaces, determines a prefix corresponding to the subnetwork, determines a first global IP address having the prefix, determines a range value that is equal to or greater than the number of global IP addresses, generates a message according to Duplicate Address Detection Protocol (DAD) including data indicating that the message includes a range of addresses, the data further indicating the first global IP address and the range value, and sends the message according to DAD to one or more host network devices to determine whether any global IP address in a range starting with the first global IP address and through the range value is in use by the one or more host network devices.

Abstract: A network device may receive policy data identifying a first segment routing (SR) policy and a second SR policy. The first SR policy may be associated with a first path through a network and a first next hop, and the second SR policy may be associated with a second path through the network and a second next hop. The network device may advertise, to another device, reachability associated with the first next hop and the second next hop, and may receive, from the other device, a packet with a header. The network device may determine, from the header, data identifying the first next hop or the second next hop, without performing a lookup, and may cause the packet to be routed to a destination address, via the first path or the second path, based on the policy data associated with the first next hop or the second next hop.

Abstract: A non-transitory processor-readable medium storing code representing instructions to be executed by a processor can cause the processor to receive an indication to load balance a group of sessions associated with a network node and a switch across a group of links between a gateway device and the switch at a first time. The code causes the processor to calculate at a second time, a load based on the group of sessions and associated with a first set of links in an active configuration before the first time. The code causes the processor to send a signal to cause a set of sessions from the group of sessions to re-establish themselves at a third time based on a threshold value calculated based on the load such that the set of sessions are load balanced across a second set of links in the active configuration at the third time.

Abstract: A network device may receive an internet protocol (IP) packet that includes an IP packet header. The IP packet may include at least one extension header, which includes at least one of: a hop-by-hop options header, a first destination options header that precedes a routing header, or a second destination options header that precedes an upper-layer header. The network device may determine that: the hop-by-hop options header includes an Operations and Management capabilities (OAM) option, the first destination options header includes the OAM option and an IP address of the network device matches a destination IP address or a routing IP address identified in the routing header, or the second destination options header includes the OAM option and the IP address of the network device matches the destination IP address. The network device may perform one or more actions indicated by the OAM option.

Abstract: A network device may monitor a TCP session with another network device, and may identify ingress and/or egress packets, a TCP header, and a socket of the TCP session. The network device may inspect the ingress and/or egress packets, the TCP header, and the socket to identify a zero window advertisement, details of a last quantity of packets sent or received, synchronize, finish, or reset packets sent or received, negotiated TCP options, or buffer space utilization, and may temporarily record identified data based on the inspection. The network device may detect a TCP session flap when a finish packet or a reset packet is identified and recorded, and may store, in a dead TCP session list, the identified data based on the TCP session flap being detected.

Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages, one of the plurality of ingress network devices to which to send a multicast join message of a plurality of multicast join messages for the multicast source and multicast group; and sending, by the egress network device, the multicast join message to the selected one of the plurality of ingress network devices.

Abstract: An example method includes receiving, by an SD-WAN system, WAN link characterization data for a plurality of WAN links of the SD-WAN system over a time period; and for each site of a plurality of sites of the SD-WAN system, generating, by the SD-WAN system, a local policy for the site, wherein generating the local policy is based on a machine learning model trained with the WAN link characterization data for the plurality of WAN links, and providing the local policy to an SD-WAN edge device of the site.

Abstract: A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP message or the NS message is to trigger a response from the client device to indicate that the network address of the client device is in use. The network node may provide, toward the client device, the ARP message or the NS message. The network node may perform one or more actions based on receiving or not receiving the response, from the client device, to the ARP message or the NS message.

Abstract: An example network analysis system includes a memory storing telemetry data received from a plurality of network devices, the plurality of network devices includes extract entity information and connectivity information from the received telemetry data, wherein the entity information represents one or more network devices of the plurality of network devices and the connectivity information represents network connections between one or more devices of the plurality of network devices; and store the connectivity information and entity information as a network topology graph in a graph database, wherein the entity information is stored as nodes of the network topology graph and the connectivity information is stored as edges of network topology graph, and wherein the network topology graph represents an organization level topology of the organization network.

Abstract: A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a destination prefix code for the address translation. The network device may determine a source IPv6 prefix and a destination IPv6 prefix for the address translation based on the source prefix code and the destination prefix code and may provide, to the source device, an option response to the option request to permit the source device to use the source IPv6 prefix and the destination IPv6 prefix for the traffic.

Abstract: A disclosed apparatus for accomplishing such a task may include (1) a circuit board incorporated into a module designed for insertion into slots of computing devices, (2) at least one conductive contact disposed on the circuit board, (3) a counter circuit disposed on the circuit board and communicatively coupled to the conductive contact, wherein the counter circuit comprises (A) a signal-change detector that detects signal changes as the module is inserted into one of the slots of the computing devices and (B) a counter device that maintains a dynamic count indicative of a number of times that the module has been inserted into one of the slots of the computing devices based at least in part on the signal changes, (4) a battery electrically coupled to the counter circuit, wherein the battery powers the counter device prior to the insertion. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level applications and the cloud native virtual router. The cloud native virtual router comprises a containerized routing protocol process configured to operate as a control plane, and a data plane for the containerized router. The data plane is configured to operate an ethernet virtual private network (EVPN) encapsulation/decapsulation data path of an overlay network for communicating layer two (L2) network traffic of the containerized user applications over a switch fabric of the data center.

Abstract: A device may receive first topology information from a first network device of a network, and may receive second topology information from a second network device of the network. The device may assign a first BGP-LS identifier to the first network device, and may associate the first topology information with the first BGP-LS identifier. The device may assign a second BGP-LS identifier to the second network device, and may associate the second topology information with the second BGP-LS identifier. The device may store the first topology information, as a first route, based on the first BGP-LS identifier, and may store the second topology information, as a second route, based on the second BGP-LS identifier. The device may select the first route or the second route as a primary route, and may utilize the primary route to control routing of traffic through the network.

Abstract: A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement and determine that the traffic metric is enhanced on the second route path relative to the first route path. The node may cause, via a high-availability link between the node and the other node, the other node to become the active node for routing the session traffic between the first endpoint and the second endpoint.

Abstract: A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine whether a difference exists between the target oversubscription factor and the current oversubscription factor and may calculate, when the difference exists, a scale factor based on the current oversubscription factor and the target oversubscription factor. The network device may calculate new scheduling weights based on prior scheduling weights and the scale factor, and may process packets received by the multiple virtual output queues based on the new scheduling weights.