Abstract: A first network device may install a new receive key on a data plane of the first network device, and may provide, to a second network device, a first request to install the new receive key. The first network device may receive a first indication that the new receive key is installed by the second network device, and may install a new transmit key on the data plane of the first network device based on the first indication. The first network device may provide, to the second network device, a second request to install the new transmit key, and may receive a second indication that the new transmit key is installed and that an old receive key is deleted by the second network device. The first network device may delete the old receive key from the data plane of the first network device based on the second indication.

Abstract: An example method includes receiving, by a control system for a software upgrade image, respective characterization data for network devices of a network; generating, by the control system and based on the characterization data for the network devices, an image map that indicates, for each portion of a plurality of different portions of the software upgrade image, an image proxy network device selected by the control system from among the network devices to store the portion based on the characterization data; and outputting, by the control system, the image map to a network device of the network devices to cause the network device to obtain each portion of the plurality of different portions of the software upgrade image from the corresponding image proxy network device selected by the control system to store the portion.

Abstract: Techniques are described for monitoring application performance in a computer network. For example, a network management system (NMS) includes a memory storing path data received from a plurality of network devices, the path data reported by each network device of the plurality of network devices for one or more logical paths of a physical interface from the given network device over a wide area network (WAN). Additionally, the NMS may include processing circuitry in communication with the memory and configured to: determine, based on the path data, one or more application health assessments for one or more applications, wherein the one or more application health assessments are associated with one or more application time periods for a site, and in response to determining at least one failure state, output a notification including identification of a root cause of the at least one failure state.

Abstract: A network device may receive topology data identifying a spine and leaf topology of network devices, and may set link metrics to a common value to generate modified topology data. The network device may remove data identifying connections from leaf network devices to any devices outside the topology from the modified topology data to generate further modified topology data, and may process the further modified topology data, with a model, to determine path data identifying paths to destinations. The network device may determine particular path data identifying shorter paths and longer paths to corresponding destinations, and may determine hop counts associated with the paths. The network device may determine whether the hop counts are all odd values, all even values, or odd and even values, and may perform actions based on whether the hop counts are all odd values, all even values, or odd and even values.

Abstract: A computing system comprising a memory and processing circuitry may perform the techniques. The memory may store time series data comprising measurements of one or more performance indicators. The processing circuitry may determine, based on the time series data, an anomaly in the performance of the network system, and create, based on the time series data, a knowledge graph. The processing circuitry may determine, in response to detecting the anomaly, and based on the knowledge graph and a machine learning (ML) model trained with previous time series data, a causality graph. The processing circuitry may determine a weighting for each edge in the causality graph, determine, based on the edges in the causality graph, a candidate root cause associated with the anomalies, and determine a ranking of the candidate root cause based on the weighting. The analysis framework system may output at least a portion of the ranking.

Abstract: A first network device may identify a MACsec session between the first network device and a second network device that utilizes a CAK, may determine, using a KDF and one or more KDF input parameters, an additional CAK, may encrypt the one or more KDF input parameters and/or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information, and may send, to the second network device, a first message that includes the encrypted KDF input information. The first network device may receive, from the second network device, based on sending the first message, a second message that includes a checksum value, may determine, based on the checksum value, that the second network device has determined the additional CAK, and may communicate, with the second network device, to cause the MACsec session to utilize the additional CAK.

Abstract: Methods and apparatus for automatically reconfiguring network parameters are described. Some embodiments identify communication channels that may interfere with higher priority equipment and deactivate communication channels that may cause harmful interference. Some APs are switched to 2.4 GHz communication channels. In some embodiments, AP operating parameters, such as transmission power are adjusted to reduce interference for higher priority receivers.

Abstract: Techniques are described for configuration and application of intent-based network access control (NAC) policies for authentication and authorization of multi-tenant, network access server (NAS) devices to access enterprise networks of organizations. A network management system configures intent-based NAC policies for an organization. A cloud-based NAC system may apply an appropriate intent-based NAC policy in response to an authentication request from a NAS device. The NAC system identifies a vendor of the NAS device, matches incoming attributes in the authentication request to a set of normalized match rules of the intent-based NAC policy, and translates a set of abstracted policy results corresponding to the set of normalized match rules into a vendor-specific set of return attributes based on the vendor of the NAS device. The NAC system sends the vendor-specific set of return attributes to the NAS device to enable the NAS device to access the enterprise network of the organization.

Abstract: A network device may receive, from a transmission network device, a link state message associated with an origination network device. The network device may determine an order of a set of one-hop neighbor network devices from the transmission network device. The network device may determine, based on the link state message and the order of the set of one-hop neighbor network devices, whether the network device is to send a copy of the link state message to at least one one-hop neighbor network device of the network device. The network device may send, or refraining from sending, by the network device and based on determining whether the network device is to send the copy of the link state message to the at least one one-hop neighbor network device of the network device, the link state message to the at least one one-hop neighbor network device of the network device.

Abstract: In some implementations, a provider edge device associated with a link aggregation group (LAG) may maintain, according to a link aggregation control protocol (LACP), a set of links that connect the PE device to a consumer edge device. The provider edge device may determine that the provider edge device and another provider edge device associated with the LAG are not receiving link aggregation control protocol data units (LACPDUs) from the consumer edge device. The provider edge device may cause the set of links to have a maintain LAG status, which causes the provider edge device to keep up the set of links and to cease maintaining the set of links according to the LACP. The provider edge device may route, based on causing the set of links to have the maintain LAG status, one or more packets to or from the consumer edge device via the set of links.

Abstract: This disclosure is directed to devices, systems, and techniques for enforcing access to resources within a computer network. In some examples, a system includes a network managed by a service provider and configured to provide a plurality of microservices to a plurality of tenants each having one or more users and a controller having access to the network. The controller is configured to output, to a user interface, data indicative of a plurality of capabilities for presentation by the user interface and receive, from the user interface, data indicative of a user selection of a set of capabilities and a user selection of a new role identifier. The controller is further configured to create, based on the set of capabilities and the role identifier, a role which enables access to a set of actions within a computer network, the set of actions corresponding to the set of capabilities.

Abstract: Techniques are described for monitoring application performance in a computer network. For example, a network management system (NMS) includes a memory storing path data received from a plurality of network devices, the path data reported by each network device of the plurality of network devices for one or more logical paths of a physical interface from the given network device over a wide area network (WAN). Additionally, the NMS may include processing circuitry in communication with the memory and configured to: determine, based on the path data, one or more application health assessments for one or more applications, wherein the one or more application health assessments are associated with one or more application time periods for a site, and in response to determining at least one failure state, output a notification including identification of a root cause of the at least one failure state.

Abstract: An autonomous system border router (ASBR) provided in a domain in which routers share an anycast address, may perform a method comprising: (a) receiving, from an exterior Border Gateway Protocol (eBGP) peer, first reachability information for a first prefix, the first reachability information including a first next hop (NH) address; (b) communicating first link state information about the first prefix to another router in the domain, the first link state information associating the first prefix with the anycast address; (c) receiving, from an eBGP peer, second reachability information for a second prefix, the second reachability information including a second next hop (NH) address; and (d) communicating second link state information about the second prefix to the other router in the domain, the second link state information associating the second prefix with the anycast address. This effectively reduces the number of next hops related to a prefix learned by two or more ASBRs (e.g.

Abstract: A network device may receive an original configuration that includes configuration objects, and may generate, based on the original configuration, a dependency graph that includes nodes representing and entries representing the configuration objects. The network device may receive a configuration update that includes new configuration objects, and may update the dependency graph based on the configuration update and to generate an updated dependency graph that includes new nodes and/or new entries representing the new configuration objects. The network device may test the configuration update, based on the updated dependency graph, to determine whether the configuration update fails or succeeds. The network device may selectively implement the configuration update based on the configuration update succeeding or perform a rollback of the configuration update, based on the configuration update failing, to restore the original configuration.

Abstract: A device may receive a lock request associated with using an embedded device of a containerized environment from a first instance of an application being executed in a first container of the containerized environment. The device may perform a lock operation associated with the embedded device to permit the first instance of the application to use the embedded device and to prevent a second instance of the application, executing in a second container of the containerized environment, from using the embedded device. The device may monitor use of the embedded device during an access operation of the first instance of the application to detect an unlock event associated with unlocking the embedded device. The device may perform an unlock operation based on detecting the unlock event to permit the second instance of the application to use the embedded device.

Abstract: A network device may establish, via a routing protocol daemon (RPD) of the network device, border gateway protocol (BGP) sockets with peer network devices and may establish a socket between the RPD and a periodic packet management daemon (PPMD) of the network device. The network device may provide file descriptors of the BGP sockets from the RPD to the PPMD, via the socket, and may provide, from the RPD and via the BGP sockets, non-keep alive protocol data units (PDUs) to the peer network devices. The network device may provide, from the PPMD and via the BGP sockets, keep alive PDUs to the peer network devices.

Abstract: In some implementations, a transit node associated with a label switched path (LSP), may identify a performance issue of the transit node. The transit node may generate, based on identifying the performance issue, a message associated with the performance issue. The transit node may send, to an ingress node associated with the LSP, the message to allow the ingress node to perform one or more actions associated with the LSP. The one or more actions associated with the LSP may include performance of an assessment operation associated with the LSP and/or initiation of a termination operation associated with the LSP.

Abstract: A method includes deploying a network device within a fabric having a management network by attaching the network device through the management network to a port of a role allocator, wherein the role allocator includes one or more ports designated as first level port connections and one or more other ports designated as second level port connections. If the deployed network device is attached to one of the ports designated as first level port connections, the deployed network device is configured as a first level device. If the deployed network device is attached to one of the ports designated as second level port connections, the deployed network device is configured as a second level device.

Abstract: A device may transmit a packet for communicating via a tunnel. The packet may be associated with a protocol. The device may determine that the packet has been dropped by a security device. The device may selectively encrypt, after determining that the packet has been dropped, the packet using a null encryption for transport layer security (TLS) or a combination of encryption associated with the protocol and TLS encryption to generate an encrypted packet. The device may transmit the encrypted packet for communicating via the tunnel.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.