Abstract: Techniques are described by which a network management system (NMS) provides a common user interface (UI) to enable a user to collectively configure network devices to establish an EVPN topology. For example, an NMS is configured to: generate data representative of a common UI comprising UI elements representing a plurality of network devices to be configured in an EVPN topology; receive, via the common UI, an indication of a user input selecting one or more of the UI elements representing selected network devices; generate UI elements representing a plurality of ports of the selected network devices; receive, via the common UI, an indication of a user input selecting the UI elements representing one or more selected ports; and generate, based on the one or more selected network devices and one or more selected ports, topology relationship information of the one or more selected devices to establish the EVPN topology.

Abstract: Techniques are described in which a centralized controller constructs a service chain between a bare metal server (BMS) and a virtual execution element (e.g., virtual machine or container), or in some instances a remote BMS, across a plurality of networks. In some examples, the controller may construct a service chain between a BMS and a virtual execution element or remote BMS using Ethernet Virtual Private Network (EVPN)-Virtual Extensible Local Area Network (VXLAN) and Internet Protocol Virtual Private Networks (IP VPNs) such as BGP/Multiprotocol Label Switching (BGP/MPLS) IP VPNs.

Abstract: An example network element includes one or more interfaces and a control unit, the control unit includes one or more processors configured to determine an egress network domain identifier (ID) and determine an abstracted interdomain network topology. The one or more processors are also configured to determine one or more interdomain paths from an abstracted ingress domain node to an abstracted egress domain node and determine whether an abstracted domain node is on the one or more interdomain paths. The one or more processors are configured to, based on the abstracted domain node being on the one or more interdomain paths, include one or more resources within a network domain in a filtered traffic engineering database (TED) and compute a path from an ingress node within the ingress network domain to an egress node within the egress network domain based on the filtered TED.

Abstract: This disclosure describes techniques that include using an automatically trained machine learning system to generate a prediction. In one example, this disclosure describes a method comprising: based on a request for the prediction: training each respective machine learning (ML) model in a plurality of ML models to generate a respective training-phase prediction in a plurality of training-phase predictions; automatically determining a selected ML model in the plurality of ML models based on evaluation metrics for the plurality of ML; and applying the selected ML model to generate the prediction based on data collected from a network that includes a plurality of network devices.

Abstract: An Access Gateway Function (AGF) node can receive requests to join a multicast stream from a computing device. If the request is the first request to join the multicast stream, the AGF can forward the request to the UPF node. The multicast stream is then received via a tunnel between the AGF node and UPF node that is associated with the computing device. The tunnel associated with the first computing device to request joining the multicast stream can be a primary tunnel for the multicast stream. Subsequent requests to join the same multicast stream can cause the AGF node add tunnels associated with the requesting computing devices as secondary tunnels. The multicast stream is received via the primary tunnel and replicated to computing devices associated with the secondary tunnels. A secondary tunnel may be promoted to a primary tunnel in response to a failure or disconnection of the primary tunnel.

Abstract: The disclosure describes techniques for detecting network measurement inaccuracies through the detection of sender delays or packet drops. For example, a sender device of a test packet may determine whether the sender device is experiencing any issues in sending the test packet to a receiver device and notify a controller of the issues such that the controller may generate an indication that one or more Key Performance Indicator (KPI) measurements based on the test packets from the sender device are inaccurate and/or untrustworthy, remove the inaccurate KPI measurements, and/or adjust the inaccurate KPI measurements.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a computing device comprises a containerized routing protocol process executing on processing circuitry of the computing device and configured to receive routing information; a containerized set of workloads; a data plane development kit (DPDK)-based virtual router executing on the processing circuitry and configured to forward traffic to and from the workloads based on the routing information from the containerized routing protocol; and a virtual router agent for the virtual router, the virtual router agent executing on the processing circuitry and configured to expose a generic data plane interface.

Abstract: A first network device may receive first traffic of a session that involves a service. The first network device may identify that the service is configured for distributed node processing. The first network device may identify a second network device that is configured for distributed node processing. The first network device may identify a state machine that is associated with the service. The first network device may determine, based on the state machine, a first function and a second function, wherein the first function is identified by a first label and the second function is identified by a second label. The first network device may process the first traffic based on the first function. The first network device may provide, to the second network device, the first traffic and the second label to permit the second network device to process second traffic in association with the second function.

Abstract: The disclosed embodiments provide for identification of a remedial action based on analysis of a system log file. In some example embodiments, messages from the system log file are used as input to generate vectors within a vector space. Portions of the log messages may generate vectors that cluster into a region in the vector space. The region of vector space is associated with one or more remedial actions. The disclosed embodiments are configured, in some example embodiments, to perform the one or more remedial actions when activity in the log file maps to the region of vector space associated with the one or more remedial actions. In some example embodiments, a remedial action can include submitting a problem report to a problem tracking database.

Abstract: A broadband network gateway (BNG) controller is described that includes a network subscriber database (NSDB) and one or more core applications. The NSDB is configured to store vBNG instance information for one or more subscriber devices. The vBNG instance information specifies vBNG instances operable by one or more edge routers. The vBNG instances are configured to receive requests to access service provider services from the one or more subscriber devices and to selectively authenticate the one or more subscriber devices for network services based on authentication information included in the requests to access services provider services. The one or more core applications include a network instance and configuration manager (NICM). The NICM is configured to modify the vBNG instance information at the NSDB to include an additional vBNG instance and to output, to an edge router, an instruction to generate the additional vBNG instance at the edge router.

Abstract: In some implementations, a device may receive, via a universal serial bus (USB) interface, configuration information and a supply of power from a network device. The device may receive, via an antenna that is external to the device, a first signal indicating timing information. The device may generate, based on the first signal, a second signal and a third signal, wherein the second signal comprises a one pulse per second signal and the third signal comprises a ten-megahertz signal. The device may provide, to the network device, the second signal and the third signal. The device may receive, via an input port, a clock signal to provide an extended holdover functionality to the network device.

Abstract: In an example, a method includes computing, by a computing device, for a segment routing policy that specifies a bandwidth constraint for the segment routing policy, first shortest paths through a network of network nodes, wherein each shortest path of the first shortest paths represents a different sequence of links connecting pairs of the network nodes from a source to a destination; in response to determining, by the computing device based on the bandwidth constraint for the segment routing policy, a link of one of the first shortest paths has insufficient bandwidth to meet a required bandwidth for the link, increasing a metric of the link; computing, by the computing device, for the segment routing policy that specifies the bandwidth constraint, based on the increased metric of the link, second shortest paths through the network of network nodes; and provisioning the second shortest paths in the network of nodes.

Abstract: In the present disclosure, systems and techniques for network device hardware containerization is described. In one example, a network device of a network having a topology of network devices includes processing circuitry of a routing component wherein the processing circuitry generates user space containers to operate forwarding engines in each of a plurality of forwarding components of the network device; stores information for directing communications involving the plurality of forwarding components and the network devices; and configures, by at least one user space container running on the processing circuitry of the routing component, one or more corresponding forwarding engines in a respective forwarding component using the information.

Abstract: A network device may receive a request to access a network from a client device. The network device may determine that the client device is authenticated based on a set of authentication credentials obtained for the client device. The network device may determine, based on the client device being authenticated, that a quantity of devices currently accessing the network using the set of authentication credentials is equal to a maximum quantity of devices permitted to access the network using the set of authentication credentials. The network device may deny the client device access to the network based on the quantity of devices being equal to the maximum quantity of device.

Abstract: A disclosed method may include (1) receiving, at a network node within a network, a packet from another network node within the network, (2) identifying, within the packet, a slice label that indicates a network slice that has been logically partitioned on the network, (3) determining a QoS policy that corresponds to the network slice indicated by the slice label, (4) applying the QoS policy to the packet, and then upon applying the QoS policy to the packet, (5) forwarding the packet to an additional network node within the network. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may generate a display of a firewall policy management GUI. The device may generate a display in the firewall policy management GUI of a list of existing firewall policies and a firewall policy interface that is adjacent to the list of existing firewall policies in a same view of the firewall policy management GUI. The device may generate a display in the firewall policy management GUI of at least one of a plurality of candidate sources for a new firewall policy, a plurality of candidate destinations for the new firewall policy, or a plurality of candidate security configurations for the new firewall policy. The device may display, in the firewall policy interface, at least one of a first column that includes two or more sources, a second column that includes two or more destinations, or a third column that includes two or more security configurations.

Abstract: A device may provide, to a network device, a subscribe request that includes a request for sensor data, and may receive sensor data packets that include the sensor data and header extensions identifying a group identifier for a group of sensor data and final packet information indicating whether the sensor data packet is a final one for the group. The device may store the sensor data packets until the final packet information of one of the sensor data packets indicates that the one of the sensor data packets is a final sensor data packet for the group, and may identify a complete set of the sensor data packets when the final packet information of the one of the sensor data packets indicates that the one of the sensor data packets is the final sensor data packet. The device may perform actions based on the complete set.

Abstract: A secure IGP topology or other link state topology can be implemented by a network security unit that runs in a centralized environment on servers separate from a network associated with the IGP topology. The network security unit acquires the topology information, such as by participating in IGP or through border gateway protocol with link state (BGP-LS). The network security unit detects possible network problems, such as indicators of potential network attacks. Once an indicator of a potential network attack is detected, the network security unit identifies the node that is compromised. Once the compromised node is identified, the network security unit can report the node for manual or automated intervention. In some aspects, the network security unit can isolate the compromised node by shutting down links connected to the compromised node.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: Systems, devices and techniques for an adaptive application-specific probing scheme are disclosed. An example network device includes memory configured to store a network address and probe protocol usable for probing a first network device associated with a source of an application, and one or more processors configured to determine a network address and probe protocol usable for probing the first network device, wherein the first network device comprises a server that is responsive to the probing, the server executing the application for the data flow, or a closest network device, to the server, that is responsive to the probing. The one or more processors are also configured to send to a second network device at a location serviced by the application, a message specifying the network address and probe protocol usable for probing the first network device.