Abstract: A network device may receive, from a first network, one or more fragments of a first network packet of a first network packet type, where the first network packet encapsulates a second network packet of a second network packet type. The network device may buffer the one or more fragments in. The network device may, upon receiving a fragment of the first network packet that includes an indication of a source network address and a source port for the second network packet, perform an anti-spoof check of the fragment flow without assembling the first network packet. The network device may, based on the fragment flow passing the anti-spoof check, in response to receiving all fragments of the first network packet: assemble the first network packet, decapsulate the second network packet from the assembled first network packet, and forward, to a second network, the second network packet.

Abstract: A variety of different graphical user interfaces are generated that when displayed provide a visual and interactive representation of one or more performance metrics associated with the operation of a computer network. The graphical user interfaces may be used to monitor the underlay computer network for a virtualization infrastructure, as one example. Aspects include grouping the servers of a computer network into a plurality of aggregates, each aggregate comprising one or more servers. A set of probes are configured that are issued by an agent of a server in one aggregate and sent through the computer network to one or more agents in the server(s) of a different aggregate. Responses and other measurements taken based on the issuance of the probes is gathered and analyzed to generate metrics that are then used to generate, at least in part, the information provided in the graphical user interfaces.

Abstract: A tactical solution to network congestion is provided by a data forwarding device having (1) a first interface with a first link to a downstream data forwarding device and (2) second interface with a second link to a downstream data forwarding device, and executing a method comprising: (a) configuring the second interface as part of a loop-free alternate (LFA) path to a destination device, wherein the first interface is part of a shortest/preferred path to the destination device; (b) monitoring congestion at the first interface to determine whether or not the congestion exceeds a first threshold; and (c) responsive to a determination that the congestion exceeds the first threshold, forwarding at least some data addressed to the destination device, over the LFA path via the second interface instead of over the shortest/preferred path via the first interface, thereby alleviating congestion at the first interface, and otherwise, responsive to a determination that the congestion does not exceed the first threshol

Abstract: In an example, a method includes receiving, by a network management system (NMS), a configuration request comprising first configuration data for a network device, the first configuration data defining a data structure comprising a first property/value pair; generating, by the NMS from the first configuration data, a corresponding first path/value pair for the first property/value pair, wherein a path of the first path/value pair uniquely identifies the first path/value pair in an associative data structure; modifying, by the NMS, the associative data structure based on the first path/value pair; generating, by the NMS, from the associative data structure, a configuration resource comprising second configuration data for the network device, the second configuration data comprising a second property/value pair that corresponds to the first path/value pair; and sending, by the NMS, the second configuration data to the network device to modify a configuration of the network device.

Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric. A first set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have a protocol. Each peripheral processing device from the first set of peripheral processing devices is a storage node that has virtualized resources. The virtualized resources of the first set of peripheral processing devices collectively define a virtual storage resource interconnected by the switch core. A second set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have the protocol. Each peripheral processing device from the first set of peripheral processing devices is a compute node that has virtualized resources. The virtualized resources of the second set of peripheral processing devices collectively define a virtual compute resource interconnected by the switch core.

Abstract: An example control plane that is executed on one or more processors in a distributed computing system is configured to receive an indication of a node to be onboarded into the distributed computing system, wherein the node comprises one of a compute node or a network device node, to discover one or more compute resources or network device resources that are associated with the node, and to assign, based on the discovery, the node to a collector that is executed in the distributed computing system, wherein the collector is configured to collect real-time telemetry data for the node during operation of the node. The control plane is further configured to receive, from the collector, the real-time telemetry data for the node that is collected by the collector, and to output, for display, a visual representation of the real-time telemetry data for the node.

Abstract: Techniques are described by which a network management system (NMS) provides a common user interface (UI) to enable a user to collectively configure network devices to establish an EVPN topology. For example, an NMS is configured to: generate data representative of a common UI comprising UI elements representing a plurality of network devices to be configured in an EVPN topology; receive, via the common UI, an indication of a user input selecting one or more of the UI elements representing selected network devices; generate UI elements representing a plurality of ports of the selected network devices; receive, via the common UI, an indication of a user input selecting the UI elements representing one or more selected ports; and generate, based on the one or more selected network devices and one or more selected ports, topology relationship information of the one or more selected devices to establish the EVPN topology.

Abstract: This disclosure describes techniques that include receiving underlay flow data from a network having an underlay network and one or more overlay network, storing information identifying, for each underlay data flow, an overlay network, displaying, within a display, a topological map of at least a portion of the underlay network, highlighting a data path through the displayed topological map, the highlighted data path extending through the underlay network from the underlay network source of the respective underlay data flow to the underlay network destination of the respective underlay data flow; receiving a request for metrics associated with the highlighted data path, wherein receiving a request includes receiving, via a graphical user interface, an indication selecting at least a portion of the highlighted data path; and displaying, proximate to the highlighted data path, metrics associated with data traffic through the selected portion of the highlighted data path.

Abstract: In general, the disclosure describes examples where a single software-defined network (SDN) controller is configured to receive an indication of a first cluster identifier for a first cluster of computing devices and receive an indication of a second cluster identifier for a second cluster of computing devices. In response to a determination that first configuration information indicates the first cluster identifier, the SDN controller is configured to configure a first set of virtual routers at the first cluster to connect the first group of workloads to a network using the first configuration information. In response to a determination that second configuration information indicates the second cluster identifier, the SDN controller is configured to configure a second set of virtual routers at the second cluster to connect the second group of workloads to a network using the second configuration information.

Abstract: An apparatus includes a first reconfigurable optical add/drop multiplexer (ROADM) to receive a first optical signal and a second ROADM to receive a second optical signal. The apparatus also includes a reconfigurable optical switch that includes a first switch, switchable between a first state and a second state, to transmit the first optical signal at the first state and block the first optical signal at the second state. The reconfigurable optical switch also includes a second switch, switchable between the first state and the second state, to transmit the second optical signal at the first state and block the second optical signal at the second state. The reconfigurable optical switch also includes an output port to transmit an output signal that is a sum of possible optical signals transmitted through the first switch and the second switch.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.

Abstract: Techniques are described for buffering data traffic destined for a mobile device when a data path to a base station for the mobile device is unavailable. For example, a network device comprises: a control unit comprising processing circuitry, wherein the control unit is configured to allocate, in response to determining that a data path from the network device to the base station for a mobile device is unavailable, a hardware queue of a packet processor of the network device to the data path; and a forwarding component with access to the hardware queue, wherein the forwarding component is configured to store data traffic for the mobile device to the allocated hardware queue, wherein the control unit is configured to, in response determining that the data path is available, configure the forwarding component to output the data traffic from the allocated hardware queue to the base station along the data path.

Abstract: Techniques are described for providing security extensions to neighbor discovery in Ethernet Virtual Private Network (EVPN). For example, a network device that implements Ethernet Virtual Private Network (EVPN) receives a neighbor discovery response message including a nonce originated by a second network device and not originated by the first network device. The network device processes the neighbor discovery response message including the nonce originated by the second network device and not originated by the first network device.

Abstract: In general, techniques are described for enabling a network of network devices (or “nodes”) to provide redundant multicast streams from redundant multicast sources to an egress network node. In some examples, the egress network node (or a controller for the network) computes maximally redundant trees (MRTs) from the egress network node to a virtual proxy node virtually added to the network topology by the egress network node for redundant multicast sources of redundant multicast streams.

Abstract: Support is provided for flexible algorithms, used by the border gateway protocol (BGP) route selection process, in the context of segment routing (SR) Prefix segment identifiers (SIDS) advertised using BGP.

Abstract: Some organizations have a deployed and functional “controllerless” EVPN VxLAN Fabric in their data centers. Eventually, however, the organization may deploy a controller within the network. In one example, this disclosure describes a method that includes configuring a controller to communicate with each of a plurality of elements in a network; determining, by the controller, an initial operational state of the network; translating, by the controller, the initial operational state of the network to an intent-based configuration; pushing, by the controller, the intent-based configuration to the network to reconfigure each of the plurality of elements in the network in a manner consistent with the intent-based configuration; determining, by the controller and after pushing the intent-based configuration, an updated operational state of the network; and comparing, by the controller, the initial operational state of the network with the updated operational state of the network.

Abstract: In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages, one of the plurality of ingress network devices to which to send a multicast join message of a plurality of multicast join messages for the multicast source and multicast group; and sending, by the egress network device, the multicast join message to the selected one of the plurality of ingress network devices.

Abstract: This disclosure describes techniques for improving speed of network convergence after node failure. In one example, a method includes storing, by SDN controller, an underlay routing table having routes for an underlay network of a data center and an overlay routing table having a set of routes for a virtual network of an overlay network for the data center, wherein the underlay network includes physical network switches, gateway routers, and a set of virtual routers executing on respective compute nodes of the data center; installing, within the underlay routing table, a route to a destination address assigned to a particular one of the virtual routers as an indicator of a reachability status to the particular virtual router in the underlay network. The SDN controller controls, based on presence or absence of the route within the underlay routing table, advertisement of the routes for the virtual network of the overlay network.

Abstract: Disclosed are embodiments for determining a location of a device based on phase differences of a signal received from the device. In some embodiments, expected phase differences for signals transmitted from a plurality of regions are determined. The expected phase differences are those differences of the signal when received at each of a plurality of receive elements of a receiving device. By comparing phase differences of a signal received from the device to the expected phase differences, a location of the device is determined.

Abstract: Techniques are described for dynamically computing a segment routing policy for a segment routing for traffic engineering (SR-TE) path. For example, in a discontinuous SR network in which SR islands (e.g., groups of neighboring routers that are enabled for segment routing) are separated by one or more routers not enabled for segment routing, instead of returning a failure because one or more routers along a path are not enabled for SR, an ingress router may generate an SR-TE operations, administrations, and management (OAM) Multi-Protocol Label Switching (MPLS) traceroute packet send the packet to a first border router of the RSVP-enabled devices along a computed path to trigger the creation of a resource reservation Label Switched Path (LSP) through the RSVP-enabled devices. In this way, segment routed LSP may be established to tunnel through the resource reservation LSP for a SR-TE path used in an SR-TE policy.