Abstract: A network device may detect an error associated with a packet based on error information being generated from processing the packet at a layer of a network stack. The network device may determine, based on detecting the error, metadata associated with the packet. The network device may generate telemetry data to include the metadata. The network device may provide the telemetry data to a network analyzer for policy enforcement.

Abstract: A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP message or the NS message is to trigger a response from the client device to indicate that the network address of the client device is in use. The network node may provide, toward the client device, the ARP message or the NS message. The network node may perform one or more actions based on receiving or not receiving the response, from the client device, to the ARP message or the NS message.

Abstract: Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level applications and the cloud native virtual router. The cloud native virtual router comprises a containerized routing protocol process configured to operate as a control plane, and a data plane for the containerized router. The data plane is configured to operate an ethernet virtual private network (EVPN) encapsulation/decapsulation data path of an overlay network for communicating layer two (L2) network traffic of the containerized user applications over a switch fabric of the data center.

Abstract: Disclosed are methods for detecting misconfigured VLANs. In some embodiments, traffic on a VLAN across multiple access points is categorized. Traffic on the VLAN at a single access point is then also categorized. The categorization of the VLAN traffic at the single access point can be in response to, for example, communication errors or other conditions. The two categorizations are then compared to determine if the VLAN traffic at the AP is consistent with the VLAN traffic across a network (e.g., an enterprise network). If the VLAN traffic at the AP is generally consistent with that across the network, this may indicate that a downstream network component, such as a switch or router, is misconfigured. Thus, some embodiments programmatically reconfigure the downstream component to forward traffic for the VLAN.

Abstract: A network device, associated with peer network devices, may receive policy information for a protocol; and compute a first update message based on information regarding a route associated with the policy information. The network device may determine that an upper utilization threshold for one or more of peer queues, associated with the peer network devices, is not satisfied; and write the first update message to the peer queues based on determining that the upper utilization threshold is not satisfied. The network device may compute a second update message based on the information regarding the route; determine that the upper utilization threshold for one or more of the peer queues is satisfied; and pause writing the second update message to the peer queues based on the upper utilization threshold being satisfied. The network device may permit the peer network devices to obtain data from corresponding ones of the peer queues.

Abstract: Techniques are disclosed for identifying a maximum segment size (MSS) for a path. For example, a first router includes a routing engine and a packet forwarding engine. The routing engine is configured to identify a path maximum transmission unit (MTU) corresponding to a path between the first router and a second router; and identify a maximum packet overhead size corresponding to a session between a first client device and a second client device over the path between the first router and the second router. Additionally, the routing engine is configured to calculate, based on the path MTU and the maximum packet overhead size, a path maximum segment size (MSS), wherein the path MSS represents a maximum packet payload size corresponding to the path; and control the packet forwarding engine to output information indicative of the path MSS.

Abstract: A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a destination prefix code for the address translation. The network device may determine a source IPv6 prefix and a destination IPv6 prefix for the address translation based on the source prefix code and the destination prefix code and may provide, to the source device, an option response to the option request to permit the source device to use the source IPv6 prefix and the destination IPv6 prefix for the traffic.

Abstract: Techniques for resource monitoring and managed message reordering in a data center are described. In one example, a computing system comprises an ingress engine to receive a message from a network device in a data center comprising a plurality of network devices and the computing system; and in response to receiving the message from a network device in the data center, communicate the message to an appropriate collector application corresponding to the message's protocol type in compliance with at least one requirement for data stored in a message flow communicated from one or more network devices to the computing system.

Abstract: A node may receive, from a quantum key-distribution (QKD) device, a first message that includes an identifier associated with a key. The node may send, to another node, a second message that includes the identifier and a request to perform at least one task. A node may receive, from the other node, a third message that includes information associated with performance of the at least one task by the other node and information indicating a time of performance. The node may receive, from the QKD device, a fourth message that includes the key and information indicating a time window associated with the quantum key; wherein the fourth message is received after expiration of the time window. The node may process, based on the fourth message, the third message to determine whether the third message is valid and thereby cause one or more actions to be performed.

Abstract: A network device may maintain, for a user device, a pool domain into which address prefixes are allocated from a partition of an address pool management (APM) device, and may estimate, based on pool domain data, an average subscriber login rate for the pool domain by the user device. The network device may estimate, based on the pool domain data, an average response latency per apportionment alarm, and may calculate a dynamic apportionment threshold based on the average subscriber login rate for the pool domain and the average response latency per apportionment alarm. The network device may utilize the dynamic apportionment threshold for the user device.

Abstract: In general, techniques are described for deploying virtualized cell site routers (vCSRs) capable of layer 2 (L2) forwarding to cell site servers to support management and orchestration of functional units for mobile networks executing on the cell site servers. In an example, a method comprises receiving, at a forwarding plane of a virtualized cell site router (vCSR) of a first Distributed Unit (DU) of a plurality of DU servers of a cell site for a 5G radio access network, the vCSR having a containerized routing protocol process and a forwarding plane configured to perform Layer 2 (L2) switching, L2 packets on a second interface for a second physical link connecting the first DU server to an L2 switch; and switching, by the forwarding plane of the vCSR of the first DU, the L2 packets on a first interface for a first physical link connecting the first DU server to a second DU server of the plurality of DU servers.

Abstract: A device may receive a malicious file associated with a network of network devices and may identify a file type and file characteristics associated with the malicious file. The device may determine one or more rules to apply to the malicious file based on the file type and the file characteristics associated with the malicious file and may apply the one or more rules to the malicious file to generate a partial file signature for the malicious file. The device may provide the partial file signature for the malicious file to one or more of the network devices of the network. The partial file signature may cause the one or more of the network devices to block the malicious file.

Abstract: A semiconductor package may include a substrate, an application-specific integrated circuit (ASIC) provided on a first portion of a surface of the substrate, a memory device provided on a second portion of the surface of the substrate, and a stiffener plate provided on a third portion of the surface of the substrate. The stiffener plate may be spaced from and may surround the ASIC and the memory device. The semiconductor package may include an electromagnetic interference (EMI) absorber provided on a fourth portion of the surface of the substrate. The EMI absorber may be provided between the stiffener plate and the ASIC and the memory device. The EMI absorber may surround the ASIC and the memory device and may block EMI radiation generated by the ASCI and the memory device.

Abstract: A network device obtains information, associated with blacklisted domains, that includes blacklisted domain identifiers, and sinkhole server identifiers associated with the blacklisted domain identifiers. The network device obtains a set of rules that specify match criteria, associated with the blacklisted domains, that include source network addresses and/or destination network addresses for comparison to packet source network addresses and/or packet destination network addresses associated with incoming packets. The set of rules specify actions to perform based on a result of comparing the match criteria and the packet source network addresses and/or the packet destination network addresses for the incoming packets.

Abstract: A network device may establish a media access control security (MACsec) key agreement (MKA) session with another network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the network device and a second packet processing engine of the other network device, where the fast heartbeat session is to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; place an MKA protocol of the MKA session in a pause state until the first packet processing engine detects a rekey event; determine that a key for the MKA session is to be regenerated based on detection of the rekey event; and perform an action based on the rekey event for the MKA session.

Abstract: An example method includes receiving, by a computing system, a declarative testing descriptor for active testing of a virtualized service; obtaining, from an orchestration layer, metadata associated with the virtualized service, wherein the metadata specifies a unique name for a virtualized service within the namespace of a cluster managed by the orchestration layer; determining, by the computing system using the declarative testing descriptor and the metadata, an active testing configuration for an instance of the virtualized service; and starting an active test according to the active testing configuration and determining service level violations for the instance of the virtualized service based on a result of the active test.

Abstract: A device receives network segment information identifying network segments associated with a network, and receives endpoint host session information identifying sessions associated with endpoint hosts communicating with the network. The device generates, based on the network segment information and the endpoint host session information, a data structure that includes information associating the network segments with the sessions associated with the endpoint hosts. The device updates the data structure based on changes in the sessions associated with the endpoint hosts and based on changes in locations of the endpoint hosts within the network segments, and identifies, based on the data structure, a particular endpoint host, of the endpoint hosts, that changed locations within the network segments. The device determines a threat policy action to enforce for the particular endpoint host, and causes the threat policy action to be enforced, by the network, for the particular endpoint host.

Abstract: A flexible-algorithm routing method comprises: receiving, by a first router, a route advertisement including a base node label, for a second router, associated with a segment routing path without flexible-algorithm, wherein the second router participates in a flexible-algorithm; deducing, by the first router and from the base node label, a node label, for the second router, associated with a segment routing path with the flexible-algorithm; and constructing, by the first router, a label stack including the node label for the second router to steer a packet to the second router via the segment routing path with the flexible-algorithm.

Abstract: This disclosure describes techniques that include collecting underlay flow data within a network and associating underlay flow data with a source and a destination virtual network to enable insights into network operation and performance. In one example, this disclosure describes a method that includes identifying, for each underlay data flow, a source overlay network and a destination overlay network associated with the underlay data flow, wherein identifying includes retrieving, from one or more Ethernet Virtual Private Network (EVPN) databases, information identifying the source and destination overlay networks.

Abstract: In general, techniques are described for managing address spaces across network elements. A network device including a processor may be configured to perform the techniques. The processor may execute a pool manager that automatically distributes a first block of network addresses to a first network element acting, for a first network, as a first address allocation server to assign the first block of network addresses. The pool manager may further automatically distribute a second block of contiguous network addresses to a second network element acting, for a second network, as a second address allocation server. The pool manager may then dynamically manage a size of the first block of network addresses and a size of the second block of network addresses to address exhaustion of available network addresses within either or both of the first block of network addresses and the second block of network addresses.