Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: Techniques are described in which a network management system processes network event data received from the AP devices. The NMS is configured to dynamically determine, in real-time, a minimum (MIN) threshold and a maximum (MAX) threshold for expected occurrences for each event type, wherein the MIN thresholds and MAX thresholds define ranges of expected occurrences for the network events of the corresponding event types. The NMS applies an unsupervised machine learning model to the network event data to determine predicted counts of occurrences of the network events for each of the event types and identify, based on the predicted counts of occurrences and the dynamically-determined minimum threshold values and maximum threshold values for each event type, one or more of the network events as indicative of abnormal network behavior.

Abstract: A system includes a plurality of access point devices (APs) configured to provide a wireless network at a site, each of the plurality of APs having a known location, and a network management system comprising one or more processors and a memory comprising instructions that when executed by the one or more processors cause the one or more processors to: determine, based on a known location of a first AP of the plurality of APs, a known location of a second AP of the plurality of APs, and received signal strength measurements of wireless signals originating at one or more antennas of the first AP and received by one or more antennas of the second AP, an orientation angle of the second AP; and generate an output indicative of the orientation angle of the second AP.

Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.

Abstract: A device comprises processing circuitry configured to identify a telemetry packet indicating telemetry data for a plurality of packets output by a network device of a plurality of network devices and select a source identifier for the network device from a plurality of source identifiers. The processing circuitry is further configured to modify the telemetry packet to further indicate the selected source identifier and output the modified telemetry packet.

Abstract: This disclosure describes techniques that include assessing trust in a system, and in particular, assessing trust by performing a sentiment analysis for an entity or device within a system. In one example, this disclosure describes a method that includes performing, by a computing system and based on information collected about a network entity in a computer network, a sentiment analysis associated with the network entity; determining, by the computing system and based on the sentiment analysis, a trust score for the network entity; and modifying, by the computing system and based on the trust score for the network entity, network operations within the computer network.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.

Abstract: A network device may receive IPv6 fragments of a flow. Source and/or destination port information may be encoded into an upper sixteen bits of an identification number of an IPv6 fragment header of each of the IPv6 fragments. The network device may extract the source and/or destination port information from the IPv6 fragments, and may perform a spoof check of the IPv6 fragments. The network device may drop any of the IPv6 fragments that fail the spoof check, to generate remaining IPv6 fragments, and may translate the remaining IPv6 fragments into IPv4 fragments based on the source and/or destination port information. The network device may forward the IPv4 fragments toward an IPv4 cloud network.

Abstract: A network device may be configured to receive network traffic. The network device may be configured to identify one or more entry points of the network device associated with the network traffic and to determine, based on the one or more entry points of the network device, a source zone associated with the network traffic. The network device may be configured to identify one or more exit points of the network device associated with the network traffic and to determine, based on the one or more exit points of the network device, a destination zone associated with the network traffic. The network device may be configured to identify, based on the source zone and the destination zone, a set of security policies and to apply a security policy, of the set of security policies, to the network traffic.

Abstract: A system determines identification information associated with an endpoint device, which is associated with a tenant of the system, and the tenant. The system generates and sends, to the endpoint device, a certificate that includes the identification information. The system receives, from the endpoint device and as part of an attempt by the endpoint device to initiate a dial-out communication session with the system, the certificate. The system causes, based on the certificate, the dial-out communication session to be established and processes the certificate to determine the identification information. The system receives, from the endpoint device and via the dial-out communication session, one or more messages; modifies the one or more messages to include the identification information; and provides the one or more modified messages to facilitate provisioning of services or resources associated with the system to the endpoint device.

Abstract: A disclosed computing device capable of instantly switching over between routing engines may include (1) a packet forwarding board configured to (A) forward control traffic via a first link to a traffic replication device and (B) forward data traffic via a second link to a first routing engine, (2) the traffic replication device configured to (A) replicate the control traffic received from the packet forwarding board and (B) select control signals received from the first routing engine, (3) the first routing engine configured to receive control traffic from the traffic replication device, and (4) a second routing engine configured to receive control traffic from the traffic replication device. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques are described for providing network provisioning by a network management system (NMS) based on fingerprint information determined by a network access control (NAC) system. An example method includes receiving, by the NAC system, a network access request for a client device to access an enterprise network; obtaining, by the NAC system, fingerprint information of the client device associated with the network access request, wherein the fingerprinting information comprises information specifying one or more attributes associated with the client device; authenticating, by the NAC system, the client device to access the enterprise network; sending, by the NAC system and to the NMS, the fingerprint information of the client device; and provisioning, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device.

Abstract: A container orchestration platform manages a plurality of instances of resources including a first custom resource and a second custom resource. An API server of the container orchestration platform receives a request to delete an instance of the second custom resource; determines whether instance data associated with the instance of the second custom resource has a backreference identifying an instance of the first custom resource, the backreference indicating the instance of the first custom resource is dependent on the instance of the second custom resource; and in response to determining that the instance data has the backreference to the instance of the first custom resource, bypasses deletion of the instance of the second custom resource.

Abstract: In general, techniques are described for extending network connectivity software utilities, such as traceroute, to provide complete visibility into a network topology between a source device and a destination device, even when an intermediate network device may be actively utilizing multiple network links when forwarding packets toward the destination. In one example, a network device coupled to a plurality of paths and positioned between a source network device and destination network device may receive a traceroute packet. The network device may also, for each of the plurality of paths, modify a payload of the traceroute packet to include a respective identifier for a corresponding path of the plurality of paths to construct a respective modified traceroute packet for the corresponding path. The network device may also forward the respective modified traceroute packets on the corresponding paths.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a virtualized cell site router comprises a computing device configured with a containerized router, the computing device comprising: a containerized virtual router configured to execute on the processing circuitry and configured to implement a data plane for the containerized router; a containerized routing protocol process configured to execute on the processing circuitry and configured to implement a control plane for the containerized router; and a pod comprising a containerized distributed unit, wherein the containerized routing protocol process is configured to advertise routing information comprising reachability information for the containerized distributed unit.

Abstract: Methods and apparatus for controlling monitoring operations performed by various devices, e.g., access points, in a communications network and for using information obtained by the devices which perform the monitoring are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. An access point, which has been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures packets, stores captured packets, and monitors to detect communications failures corresponding to communications devices using said access point. In response to detecting a communications failure, the access point generates, an event failure notification indicating the type of detected failure and sends the event failure notification to the network monitoring node along with corresponding captured packets.

Abstract: Techniques are described for a router providing metric-based multi-hop path selection. For example, a first router of a plurality of routers receives a plurality of network performance metrics for a plurality of links interconnecting the plurality of routers. The plurality of links form a plurality of multi-hop paths through the plurality of routers to a service instance. The router determines, based on the plurality of network performance metrics for the plurality of links, an end-to-end performance of each of the plurality of multi-hop paths. The router selects a multi-hop path over which to forward traffic associated with the session based on the end-to-end performance of each of the plurality of multi-hop paths and one or more performance requirements for a service associated between a session between a client device and the service instance. The router forwards the traffic to the service instance along the selected multi-hop path.

Abstract: A broadband network gateway (BNG) controller is described that includes a network subscriber database (NSDB) and one or more core applications. The NSDB is configured to store vBNG instance information for one or more subscriber devices. The vBNG instance information specifies vBNG instances operable by one or more edge routers. The vBNG instances are configured to receive requests to access service provider services from the one or more subscriber devices and to selectively authenticate the one or more subscriber devices for network services based on authentication information included in the requests to access services provider services. The one or more core applications include a network instance and configuration manager (NICM). The NICM is configured to modify the vBNG instance information at the NSDB to include an additional vBNG instance and to output, to an edge router, an instruction to generate the additional vBNG instance at the edge router.

Abstract: In general, this disclosure describes techniques for provisioning virtual private network (VPN) services for cloud native routers using a multi-stage process. In an example, a method comprises deploying, in a first computing device, using a layer 2 bridge domain that includes the first computing device, a containerized routing protocol process; deploying, in the first computing device, using the layer 2 bridge domain, a containerized application; configuring, in the containerized routing protocol process executing on the first computing device, a virtual private network (VPN); and exchanging, by the containerized routing protocol process executing on the first computing device, routing protocol messages with another router to provide virtual connectivity between the containerized application and another application that is external to the first computing device.