Abstract: This disclosure describes techniques for configuring software defined network (SDN) controllers within different cloud computing domains and, in particular, a multi-cluster controller that operates and presents, in some examples, a single interface for seamlessly controlling and configuring SDN controllers in different cloud computing domains. In one example, this disclosure describes a system that includes a plurality of clusters, each of the plurality of clusters including a plurality of configurable endpoints; a storage system; and processing circuitry having access to the storage system and capable of communicating with each of the plurality of configurable endpoints. In some examples, the processing circuitry is configured to receive a plurality of requests, each specifying a configuration operation, identify, for each of the requests, a configuration cluster and a configuration endpoint within the configuration cluster, and perform, for each of the requests, the specified configuration operation.

Abstract: In one embodiment, a processor-readable medium storing code representing instructions that when executed by a processor cause the processor to update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a time period has expired. At least a portion of the packet is analyzed when the second flow state value represents a flow rate of a network data flow anomaly.

Abstract: This disclosure describes techniques for monitoring, scheduling, and performance management for computing environments, such as virtualization infrastructures deployed within data centers. In one example, a method includes obtaining, by a policy controller, a first profile for an element of a virtualization infrastructure, the first profile comprising a first ruleset having one or more alarms; obtaining, by the policy controller, a second profile for a group of one or more elements including the element, the second profile comprising a second ruleset having one or more alarms; modifying, by the policy controller based at least on the element being a member of the group, the first profile to generate a modified first profile comprising the first ruleset and the second ruleset; and outputting, by the policy controller to a computing device, the modified first profile.

Abstract: An example computing device is configured to receive, from a customer device, an indication of a plurality of resources and an indication of a plurality of customer services, each of the plurality of customer services being associated with a corresponding at least one requirement and a corresponding at least one constraint. The computing device is configured to automatically determine, for each requirement and each constraint, whether the requirement or the constraint can only be satisfied by a particular resource of the plurality of resources, and allocate, based on the determining, at least one resource of the plurality of resources to at least one customer service of the plurality of customer services. The example computing device is configured to provide, to the customer device and subsequent to the determining for every requirement and for every constraint, information to enable the customer device to provision the at least one customer service.

Abstract: In general, various aspects of the techniques described in this disclosure provide a sequence number checksum for link state protocols. In one example, the disclosure describes an apparatus, such as a network device, having a control unit operative to obtain link state information describing links between pairs of the network devices in a network topology, the link state information being fragmented into a plurality of link state protocol (LSP) fragments; compute a sequence number checksum from sequence numbers of the link state protocol (LSP) fragments; receive an LSP data unit from another network device in the network; determine whether a sequence number checksum in the LSP data unit matches a sequence number checksum computed from the link state information; and configure a delay for processing the LSP data unit in response to determining a mismatch between the sequence number checksum of the LSP data unit and the sequence number checksum computed from the link state information.

Abstract: A traffic planning platform may receive information related to a traffic flow including a traffic bandwidth to transport through a network with various network devices interconnected by links. The traffic planning platform may generate a traffic plan by assigning the traffic flow to a set of the links that includes network resources connecting a source of the traffic flow to a destination of the traffic flow. The traffic planning platform may render a visualization of the traffic plan, wherein the visualization includes a user interface (e.g., a diagram, an animation, and/or the like) in which geometric shapes that represent the source, the peer link, and the destination are connected by bands that represent the tunnel and the external route and further in which the geometric shapes and the bands each have a first visual property and a second visual property based on the traffic bandwidth of the traffic flow.

Abstract: A network device may receive traffic to be processed by a routing component, and may determine temperatures of an ASIC and an HBM of the routing component at a first time. The network device may determine whether the temperature of the ASIC satisfies a first ASIC temperature threshold or a second ASIC temperature threshold, and may determine whether the temperature of the HBM satisfies a first HBM temperature threshold or a second HBM temperature threshold. The network device may selectively throttle processing of the traffic by a first quantity when the temperature of the ASIC satisfies the first ASIC temperature threshold or the temperature of the HBM satisfies the first HBM temperature threshold, or throttle the processing of the traffic by a second quantity when the temperature of the ASIC satisfies the second ASIC temperature threshold or the temperature of the HBM satisfies the second HBM temperature threshold.

Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.

Abstract: Techniques are described for managing a split-brain scenario in a multihomed environment by exchanging isolation information between a leaf device and two or more spine devices to which the leaf device is multihomed via a link aggregation group (LAG). The techniques include selecting one of the spine devices as a primary spine device and determining, based on the isolation information, whether the spine devices are isolated from each other. In the split-brain scenario in which all of the spine devices are isolated from each other, the primary spine device is configured to maintain the LAG with the leaf device while the other spine devices mark the LAG with the leaf device as down. In this way, in the split-brain scenario, the leaf device may continue to send traffic to other leaf devices in the leaf layer using the LAG to the primary spine device.

Abstract: This disclosure describes techniques for using Operations, Administration, and Management (OAM) operations when routing packets using micro SIDs in segment routing. For example, a network device comprises one or more processors configured to: receive a packet; determine whether the packet is encapsulated with one or more micro segment identifiers (SIDs); in response to a determination that the packet is not encapsulated with one or more micro SIDs, determine whether the packet has reached a segment routing tunnel endpoint; and in response to a determination that the packet has reached the segment routing tunnel endpoint, initiate Operations, Administration, and Maintenance (OAM).

Abstract: The disclosure describes techniques for network monitoring and fault localization. For example, a controller comprises one or more processors operably coupled to a memory configured to: receive a first one or more Quality of Experience (QoE) metrics measured by a first probe traversing a first path comprising one or more links; receive a second one or more QoE metrics measured by a second probe traversing a second path comprising one or more links; determine, from the first one or more QoE metrics, that the first path has an anomaly; determine, from the second one or more QoE metrics, that the second path has an anomaly; and determine, in response to determining the first path and the second path has an anomaly, based on the type of metrics and the type of links, that an intersection between the first path and the second path is a root cause of the anomaly.

Abstract: A cloud network may include a distributed security switch (DSS). The DSS may be to receive configuration information from the hypervisor. The configuration information may include a set of access mode attributes and a security policy. The DSS may be to determine that a packet is to be directed from a source virtual machine to a target virtual machine. The DSS may be to identify an egress interface of the source virtual machine and an ingress interface of the target virtual machine. The egress interface may be associated with a first access mode attribute and the ingress interface being associated with a second access mode attribute. The DSS may be to selectively route the packet, using the shared memory, based on the first access mode attribute, the second access mode attribute, and the security policy.

Abstract: Techniques are disclosed for managing a network. In one example, a device configuration manager is configured to generate, in accordance with a device management protocol, a configuration change request representing a transaction having a first sub-transaction specifying a first configuration change for a network device of the network and a second sub-transaction specifying a second configuration change for the same network device. The device configuration manager is further configured to output the configuration change request to the network device and receive a reply message from the network device. The reply message includes a first response element specifying whether the first configuration change is successfully committed at the network device and a second response element specifying whether the second configuration change is successfully committed at the network device.

Abstract: Techniques are described for prioritized establishment of communication sessions. In one example, a network device parses a configuration file that defines a plurality of communication sessions of a routing protocol and includes priority values assigned to the communication sessions. The network device creates two or more lists of communication sessions for two or more of the priority values based on the configuration file, wherein each list of the two or more lists is created for a particular priority value of the priority values and defines one or more communication sessions of the plurality of communication sessions that are assigned the particular priority value. The network device then establishes the one or more communication sessions included in each list of the two or more lists according to an ordering based on the priority values associated with the two or more lists.

Abstract: A network device may receive forwarding data associated with a multi-level hybrid hierarchy forwarding information base of the network device. The network device may process the forwarding data to generate a first set of transformed forwarding next hop entries. The network device may process the first set of transformed forwarding next hop entries, associated with default forwarding classes, to generate a second set of transformed forwarding next hop entries. The network device may process the first set of transformed forwarding next hop entries, associated with all classes of traffic, to generate a third set of transformed forwarding next hop entries. The network device may group the sets of transformed forwarding next hop entries, based on transformed group next hop entries, to generate a final set of transformed forwarding next hop entries. The network device may transform the final set of transformed forwarding next hop entries into a particular format.

Abstract: A network node may receive a packet having an inner internet protocol (IP) header and an outer IP header. The inner IP header may be encrypted. A loose source routing (LSR) field of the outer IP header may identify a recipient address. The network node may determine, based on the recipient address identified in the LSR field, a tunnel endpoint associated with a receiving network node. The network node may update the outer IP header of the packet to obtain an updated packet with an updated outer IP header. A source address of the updated outer IP header may be updated to a tunnel endpoint associated with the network node, and the destination address of the updated outer IP header may be updated to a tunnel endpoint associated with the receiving network node. The network node may route the updated packet according to the updated outer IP header.

Abstract: A network device may receive a message from a device. The network device may process the message to determine identification information associated with the device. The network device may process the message to determine identification information associated with a packet data unit (PDU) session, of one or more PDU sessions, of the device. The network device may transmit based on the identification information associated with the device and the identification information associated with the PDU session of the device, the message to another network device.

Abstract: Techniques are described to provide layer 2 (L2) circuit failover in the event connectivity to an Ethernet Virtual Private Network (EVPN) instance is lost. For example, if one of multi-homed provider edge (PE) devices loses connectivity to the EVPN instance, the PE device may mark its customer-facing interface as down and propagate the interface status to the access node such that the access node may update its routing information to switch L2 circuits to another one of the multi-homed PE devices having reachability to the EVPN instance. In some examples, the plurality of PE devices may further implement Connectivity Fault Management (CFM) techniques to propagate the interface status to the access node such that the access node may update its forwarding information to send traffic on a different L2 circuit to another one of the multi-homed PE devices having reachability to the EVPN instance.

Abstract: In general, the disclosure describes techniques for a hybrid diagramming application to provide a flexible network diagramming environment while also ensuring that the rules of the network are not violated. A service provider defines rules for various network objects, where the rules define where the various network objects can reside in the network topology, as well as how the various devices can be connected. A computing device executing the application receives an indication of user input assigning a first network device to a first area network in a network topology. The computing device validates, based on one or more characteristics of the first network device, that the first network device does not violate one or more rules for the first area network. The computing device, responsive to validating the first network device, generates a graphical user interface of the network topology and outputs, for display, the graphical user interface.

Abstract: A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.