Abstract: A method includes deploying a network device within a fabric having a management network by attaching the network device through the management network to a port of a role allocator, wherein the role allocator includes one or more ports designated as first level port connections and one or more other ports designated as second level port connections. If the deployed network device is attached to one of the ports designated as first level port connections, the deployed network device is configured as a first level device. If the deployed network device is attached to one of the ports designated as second level port connections, the deployed network device is configured as a second level device.

Abstract: Techniques are described for dynamically computing a segment routing policy for a segment routing for traffic engineering (SR-TE) path. For example, in a discontinuous SR network in which SR islands (e.g., groups of neighboring routers that are enabled for segment routing) are separated by one or more routers not enabled for segment routing, instead of returning a failure because one or more routers along a path are not enabled for SR, an ingress router may generate an SR-TE operations, administrations, and management (OAM) Multi-Protocol Label Switching (MPLS) traceroute packet send the packet to a first border router of the RSVP-enabled devices along a computed path to trigger the creation of a resource reservation Label Switched Path (LSP) through the RSVP-enabled devices. In this way, segment routed LSP may be established to tunnel through the resource reservation LSP for a SR-TE path used in an SR-TE policy.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A device may transmit a packet for communicating via a tunnel. The packet may be associated with a protocol. The device may determine that the packet has been dropped by a security device. The device may selectively encrypt, after determining that the packet has been dropped, the packet using a null encryption for transport layer security (TLS) or a combination of encryption associated with the protocol and TLS encryption to generate an encrypted packet. The device may transmit the encrypted packet for communicating via the tunnel.

Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.

Abstract: A device comprises processing circuitry configured to identify a telemetry packet indicating telemetry data for a plurality of packets output by a network device of a plurality of network devices and select a source identifier for the network device from a plurality of source identifiers. The processing circuitry is further configured to modify the telemetry packet to further indicate the selected source identifier and output the modified telemetry packet.

Abstract: Techniques are described for predicting future behavior of links in a network and generating dynamic thresholds for link metrics for use in path selection. In one example, a computing system receives historical values of a link metric for links of a network. The computing system executes a machine learning system which processes the historical values of the link metric to generate: (1) a predicted future value of the link metric for each link; and (2) a threshold for the link metric indicating whether the predicted future value for each link is anomalous. The computing system computes a path based on the predicted future values of the link metric and the threshold for the link metric. The computing system provisions the computed path, thereby enabling a network device to forward network traffic along the computed path.

Abstract: A network device may receive IPv6 fragments of a flow. Source and/or destination port information may be encoded into an upper sixteen bits of an identification number of an IPv6 fragment header of each of the IPv6 fragments. The network device may extract the source and/or destination port information from the IPv6 fragments, and may perform a spoof check of the IPv6 fragments. The network device may drop any of the IPv6 fragments that fail the spoof check, to generate remaining IPv6 fragments, and may translate the remaining IPv6 fragments into IPv4 fragments based on the source and/or destination port information. The network device may forward the IPv4 fragments toward an IPv4 cloud network.

Abstract: This disclosure describes techniques that include assessing trust in a system, and in particular, assessing trust by performing a sentiment analysis for an entity or device within a system. In one example, this disclosure describes a method that includes performing, by a computing system and based on information collected about a network entity in a computer network, a sentiment analysis associated with the network entity; determining, by the computing system and based on the sentiment analysis, a trust score for the network entity; and modifying, by the computing system and based on the trust score for the network entity, network operations within the computer network.

Abstract: Techniques are described in which a network management system processes network event data received from the AP devices. The NMS is configured to dynamically determine, in real-time, a minimum (MIN) threshold and a maximum (MAX) threshold for expected occurrences for each event type, wherein the MIN thresholds and MAX thresholds define ranges of expected occurrences for the network events of the corresponding event types. The NMS applies an unsupervised machine learning model to the network event data to determine predicted counts of occurrences of the network events for each of the event types and identify, based on the predicted counts of occurrences and the dynamically-determined minimum threshold values and maximum threshold values for each event type, one or more of the network events as indicative of abnormal network behavior.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.

Abstract: A system includes a plurality of access point devices (APs) configured to provide a wireless network at a site, each of the plurality of APs having a known location, and a network management system comprising one or more processors and a memory comprising instructions that when executed by the one or more processors cause the one or more processors to: determine, based on a known location of a first AP of the plurality of APs, a known location of a second AP of the plurality of APs, and received signal strength measurements of wireless signals originating at one or more antennas of the first AP and received by one or more antennas of the second AP, an orientation angle of the second AP; and generate an output indicative of the orientation angle of the second AP.

Abstract: A first router generates session establishment metrics for use in network path selection. For example, a plurality of routers connect a client device to a network service instance hosted by a server. A first router is connected to the network service instance via first and second paths. The first router receives session performance requirements for a session between the client device and the network service instance. The first router forwards, along the first path, network traffic for the session by modifying a first packet of the session to include a session identifier for the session. The first router determines that session establishment metrics for the session do not satisfy the session performance requirements. In response, the first router forwards, along the second path, the network traffic for the session by modifying a second packet of the session to include the session identifier for the session.

Abstract: Techniques are disclosed for deploying software upgrades to a mixed network of In-Service Software Upgrade (ISSU)-capable and ISSU-incapable network devices without interrupting network traffic serviced by the mixed network. In one example, a centralized controller for a network determines that first network devices of a plurality of network devices for the network are In-Service Software Upgrade (ISSU)-capable and second network devices of the plurality of network devices are not ISSU-capable. The centralized controller transmits messages instructing the first network devices to perform an ISSU operation. Further, the centralized controller transmits messages instructing each network device of the second network devices to transmit a message to peer network devices of the network device, the message indicating that the network device is not ISSU-capable.

Abstract: A system determines identification information associated with an endpoint device, which is associated with a tenant of the system, and the tenant. The system generates and sends, to the endpoint device, a certificate that includes the identification information. The system receives, from the endpoint device and as part of an attempt by the endpoint device to initiate a dial-out communication session with the system, the certificate. The system causes, based on the certificate, the dial-out communication session to be established and processes the certificate to determine the identification information. The system receives, from the endpoint device and via the dial-out communication session, one or more messages; modifies the one or more messages to include the identification information; and provides the one or more modified messages to facilitate provisioning of services or resources associated with the system to the endpoint device.

Abstract: Techniques are described for providing network provisioning by a network management system (NMS) based on fingerprint information determined by a network access control (NAC) system. An example method includes receiving, by the NAC system, a network access request for a client device to access an enterprise network; obtaining, by the NAC system, fingerprint information of the client device associated with the network access request, wherein the fingerprinting information comprises information specifying one or more attributes associated with the client device; authenticating, by the NAC system, the client device to access the enterprise network; sending, by the NAC system and to the NMS, the fingerprint information of the client device; and provisioning, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device.

Abstract: A disclosed computing device capable of instantly switching over between routing engines may include (1) a packet forwarding board configured to (A) forward control traffic via a first link to a traffic replication device and (B) forward data traffic via a second link to a first routing engine, (2) the traffic replication device configured to (A) replicate the control traffic received from the packet forwarding board and (B) select control signals received from the first routing engine, (3) the first routing engine configured to receive control traffic from the traffic replication device, and (4) a second routing engine configured to receive control traffic from the traffic replication device. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A network device may be configured to receive network traffic. The network device may be configured to identify one or more entry points of the network device associated with the network traffic and to determine, based on the one or more entry points of the network device, a source zone associated with the network traffic. The network device may be configured to identify one or more exit points of the network device associated with the network traffic and to determine, based on the one or more exit points of the network device, a destination zone associated with the network traffic. The network device may be configured to identify, based on the source zone and the destination zone, a set of security policies and to apply a security policy, of the set of security policies, to the network traffic.

Abstract: Methods and apparatus for controlling monitoring operations performed by various devices, e.g., access points, in a communications network and for using information obtained by the devices which perform the monitoring are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. An access point, which has been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures packets, stores captured packets, and monitors to detect communications failures corresponding to communications devices using said access point. In response to detecting a communications failure, the access point generates, an event failure notification indicating the type of detected failure and sends the event failure notification to the network monitoring node along with corresponding captured packets.