Abstract: In some implementations, a security device may receive a traffic flow. The security device may determine an amount of a padding included in the traffic flow. The security device may determine whether the amount of the padding included in the traffic flow satisfies a padding threshold. The security device may perform, based on the amount of the padding satisfying the padding threshold, offloading for the traffic flow. The security device may inspect, based on the amount of the padding failing to satisfy the padding threshold, an entire portion of the traffic flow.

Abstract: A device receives border gateway protocol (BGP) data associated with links provided in a segment routing network. The segment routing network includes a first autonomous system (AS) with first network devices interconnected by a first portion of the links, a second AS with second network devices interconnected by a second portion of the links, and an inter-AS link provided between one of the first network devices and one of the second network devices. The device filters prefixes of the BGP data to identify BGP data associated with the inter-AS link, where the BGP data associated with the inter-AS link includes data identifying state information associated with the inter-AS link. The device determines an operational state of the inter-AS link based on the BGP data associated with the inter-AS link, and performs one or more actions based on the operational state of the inter-AS link.

Abstract: Example network devices, systems, and methods are disclosed. In an example, a network device includes memory configured to store information associated with one or more service level agreements (SLAs) for applications in a software-defined wide area network (SD-WAN) and an application-based multipath routing (AMR) module including processing circuitry. The AMR module is configured to identify, based on criteria, one or more of the applications for AMR, wherein each criterion of the criteria is associated with a corresponding property of an application. The AMR module is configured to determine a breach of one of the SLAs on each WAN link associated with a first application of the identified one or more applications. The AMR module is configured to apply, in response to determining the breach, AMR for the first application.

Abstract: Methods and apparatus relating to use of actual and/or virtual beacons are described. Virtual beacons are virtual in that an actual beacon need not be transmitted but a rather a virtual beacon transmitter at a desired location maybe considered to transmit virtual beacons. In some embodiments a set of beacon transmitter information for one or more beacons is supplied to devices in a communications system. The beacon transmitter information indicates transmission power and location of actual and virtual beacon transmitters as well as information to be communicated by virtual beacons. Devices with access to beacon information can determine based on the location of a wireless terminal whether the wireless terminal is within coverage area of a virtual beacon and report reception of the virtual beacon to the wireless terminal or a component of the wireless terminal which acts upon receiving an indication of beacon reception.

Abstract: Techniques are disclosed for session-based routing of multipoint Open Systems Interconnection (OSI) Model Layer-2 (L2) frames of an L2 network extended over Layer-3 (L3) networks. In one example, L2 networks connect a source device to an ingress router and receiver devices to egress routers. An L3 network connects the ingress and egress routers. The ingress router receives, from the source device, a multipoint L2 frame destined for the receiver devices. The ingress router forms, for each egress router that is connected to at least one multipoint receiver device, a unicast L3 packet for the L2 frame and forwards the unicast L3 packet to the egress router. Each egress router generates, in response to receiving the unicast L3 packet, the multipoint L2 frame and forwards, to the receiver devices, the multipoint L2 frame.

Abstract: This disclosure describes a network management system (NMS) configured to determine a particular network device of a plurality of network devices based on a first user input in a conversational assistant. The one or more processors are further configured to identify a set of actionable insights for the particular network device based on network data received from the plurality of network devices and determine a set of views of a dashboard based at least on the set of actionable insights, wherein each view of the set of views displays a portion of the network data received from the plurality of network devices. The one or more processors are further configured to select a view of the set of views of the dashboard based on a second user input in the conversational assistant and cause the dashboard to display the selected view.

Abstract: This disclosure describes a system including a plurality of access point (AP) devices configured to provide a wireless network at a site; and a network management system (NMS) including a memory storing client-side data collected by a plurality of client devices associated with the wireless network and storing location data associated with each of the plurality of client devices generated by a location engine in response to location requests issued by each of the plurality of client devices, and one or more processors coupled to the memory and configured to determine, based on at least one of the client-side data and the location data, one or more location metrics associated with the location requests issued by the plurality of client devices.

Abstract: Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.

Abstract: A network device may communicate with another network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the network device and the other network device. The network device may determine that the other network device is unavailable. The network device may cause, based on determining that the other network device is unavailable, an MKA state of the network device to be placed in a paused state. The network device may receive, after causing the MKA state of the network device to be placed in the paused state, a packet from the other network device via the MKA communication link. The network device may determine, based on the packet, that the MKA session has not ended. The network device may continue, based on the MKA session having not ended, the MKA session by reactivating the MKA state.

Abstract: A first packet forwarding plane (PFE) of a network device may receive a packet and may perform a first lookup for the packet. The first PFE may provide the packet to a service plane based on the first lookup. The service plane may apply a service to the packet and may provide the packet to the first PFE. The first PFE may perform a second lookup. The first PFE may provide the packet to a second PFE of the network device based on the second lookup and may store flow information associated with the packet and second PFE information in a table. The network device may provide the flow information and the second PFE information from the table to the service plane to cause the service plane to send subsequent packets directly to the second PFE thereby saving fabric, memory, and processing bandwidth and improving overall network performance.

Abstract: The same prefix segment identifier (SID) may be configured and/or used for either (A) more than one prefix within an interior gateway protocol (IGP) domain, or (B) one prefix with more than one path computation algorithm within the IGP domain by: (a) receiving, by a node in the IGP domain, an IGP advertisement including both (1) a prefix SID and a segment routing global block (SRGB) slice identifier; (b) determining whether or not the SRGB slice identified by the SRGB slice identifier is provisioned on the node; and (c) responsive to a determination that the SRGB slice identified by the SRGB slice identifier is not provisioned on the node, not processing the prefix SID included in the received IGP advertisement, and otherwise responsive to a determination that the SRGB slice identified by the SRGB slice identifier is provisioned on the node, (1) processing the prefix SID and SRGB slice to generate a unique, per SRGB slice, MPLS label for the prefix, and (2) updating a label forwarding information base (LFIB)

Abstract: A network management system (NMS) is configured to control roaming in a wireless network using a variable mobility threshold. For a first wireless device associated with a current location, the NMS obtains at least one performance metric of a first wireless signal received by the first wireless device at the current location from a first AP of a plurality of APs, compares the at least one parameter of the first wireless signal to at least one performance metric of a second wireless signal received by at least one other wireless device at the current location from a second AP of the plurality of APs, and triggers a roaming operation of the first wireless device from the first AP to the second AP if the comparison satisfies a mobility threshold that varies based on the at least one performance metric of the first wireless signal.

Abstract: Disclosed embodiments utilize a layer three and/or layer four protocol to collect physical layer properties along a multi-hop network path between a source node and a destination node. The use of a layer three or layer four protocol provides an ability to span multiple links or networks between the source node and destination node, while also collecting the physical layer properties. Once physical layer properties along a network path can be understood, decisions relating to the configuration of the network path and/or whether to communicate via the network path are improved.

Abstract: In general, techniques are described for a creating a virtual network router within a software defined network (SDN) architecture. A network controller for the SDN architecture system may include processing circuitry that is configured to execute a configuration node and a control node. The configuration node may process a request by which to create a virtual network router (VNR), where the virtual network router may cause the network controller to interconnect a first virtual network (VN) and a second VN. The VNR may represent a logical abstraction of one or more policies that cause import and/or export of routing information between the first VN and the second VN. The control node configures the first VN and the second VN according to the one or more policies to enable the import and/or the export of routing information between the first VN and the second VN via the VNR.

Abstract: In general, techniques are described for retrieving operational command response text from network devices. A collector network device comprising an interface and a processor may be configured to perform the techniques. The interface may receive, via a messaging bus between the network management system and a webserver, a first command to request management data stored by a managed network device, and send, in response to the first command, a second command to direct the managed network device to output the management data. The interface may also receive, from the managed network device, the management data. The processor may generate, from the management data, a plurality of partial responses that each includes a portion of the management data, where the interface may next send, via the messaging bus and to the webserver, each of the plurality of partial responses as a separate message.

Abstract: A device may receive license data identifying device licenses and organization licenses associated with an organization of users of a multi-tenant system, and may identify, in the license data, entitlements for licenses associated with the organization. The device may combine the entitlements to generate combined entitlements, and may determine an entitlement count of the combined entitlements. The device may add quantities of new entitlements to the entitlement count, and may identify, in the license data, roles of the users and capabilities associated with each of the roles. The device may map the entitlements and the capabilities to generate a mapping, and may authorize a particular user based on the mapping. The device may process usage of the entitlements, with a machine learning model, to predict future usage of the entitlements, and may determine entitlement recommendations based on the future usage. The device may provide the entitlement recommendations for display.

Abstract: A computing system includes a storage device and processing circuitry having access to the storage device. The processing circuitry is configured to receive a sequence of channel state information (CSI) samples, and calculate, based on the sequence of CSI samples, frequency domain information including a set of frequency domain values for each frequency band of a plurality of frequency bands. The processing circuitry is further configured to select a set of frequency bands of the plurality of frequency bands; and calculate, based on the set of frequency domain values for each frequency band of the set of frequency bands, a set of similarity values. Additionally, the processing circuitry is configured to determine, based on the set of similarity values, information indicative of one or more characteristics of a space between a first computing device and a second computing device, and perform an action based on the information.

Abstract: BIER architecture currently does not support anycast, in that each BIER Forwarding Router (BFR) has its own unique BFR-prefix and BFR-ID. BIER signaling protocols also check if there are duplicate BFR-IDs advertised. Anycast support with BIER is described. The description updates (e.g., relaxes and/or removes some requirements of) RFC 8279, RFC 8401, and RFC 8444.

Abstract: In one example, a method includes obtaining, by a policy controller for a virtualization infrastructure, a first profile for a first group of one or more elements, the first profile comprising a first ruleset having one or more alarms; obtaining, by the policy controller, a second profile for a second group of one or more elements, the second profile comprising a second ruleset having one or more alarms; receiving, by the policy controller, configuration data configuring an element of the virtualization infrastructure as a member of the first group of one or more elements and as a member of the second group of one or more elements; generating, by the policy controller based on the configuration data, a profile for the element comprising the first ruleset and the second ruleset; and outputting, by the policy controller to a computing device, the profile for the element.

Abstract: A first provider edge device may receive device information from a second provider edge device included in an Ethernet virtual private network (EVPN). The device information may identify a media access control (MAC) address and may indicate that the device is connected to the second provider edge device. The first provider edge device may receive data transmitted by the device and may determine, based on information included in the data, that the device has moved from the second provider edge device to the first provider edge device. The first provider edge device may generate a data packet including mobility information indicating that the device has moved to the first provider edge device. The first provider edge device may transmit, via a data plane of the EVPN, the data packet to the second provider edge device to permit the second provider edge device to update routing information for the device.