Abstract: A disclosed method may include (1) determining that a packet traversing a network device has been selected for conditional tracing by (A) comparing a characteristic of the packet against a firewall rule that calls for all packets exhibiting the characteristic to be conditionally debugged while traversing the network device and (B) determining, based at least in part on the comparison, that the firewall rule applies to the packet due at least in part to the packet exhibiting the characteristic, (2) tracing a journey of the packet within the network device in response to the determination by collecting information about the packet's journey through a network stack of the network device, and then (3) performing at least one action on the network device based at least in part on the information collected about the packet's journey through the network stack. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: A disclosed method for applying firewall rules on packets in kernel space on network devices may include (1) intercepting, via a socket-intercept layer in kernel space on a routing engine of a network device, a packet that is destined for a remote device and then, in response to intercepting the packet in kernel space on the routing engine, (2) identifying an egress interface index that specifies an egress interface that (A) is external to kernel space and (B) is capable of forwarding the packet from the network device to the remote device, and (3) applying, on the packet in kernel space, at least one firewall rule based at least in part on the egress interface index before the packet egresses from the routing engine. Various other apparatuses, systems, and methods are also disclosed.

Abstract: The disclosed apparatus may include (1) a plurality of individual heatsink bases designed to interface with a plurality of removable communication modules installed on a telecommunications device, (2) a plurality of heat pipes that are thermally coupled to the individual heatsink bases, and (3) a ganged heat exchanger that is (A) mechanically coupled to the telecommunications device and (B) thermally coupled to the heat pipes. Various other apparatuses, systems, and methods are also disclosed.

Abstract: The techniques describe adaptive load-balancing based on traffic feedback from packet processors. In one example, a source virtual network node of the network device may determine whether a particular destination packet processor is or may become oversubscribed. For example, source packet processors of the source virtual network node may exchange feedback messages including traffic flow rate information. The source virtual network node may compute a total traffic flow rate and compare the total traffic flow rate with a bandwidth of the particular destination packet processor. In response to determining that the bandwidth of the destination packet processor is oversubscribed, the source virtual network node may update a forwarding plane data structure to reduce a likelihood of selecting the destination packet processor to which to forward packet flows.

Abstract: A device may receive a set of design parameters for a network service. The set of design parameters may include information that identifies one or more network functions associated with the network service. The device may determine attribute information associated with a plurality of virtual network functions (VNFs). A VNF, of the plurality of VNFs, may be configurable to perform at least one network function of the one or more network functions. The device may generate a network service design, associated with providing the network service, based on the set of design parameters and the attribute information. The network service design may include information identifying one or more VNFs, of the plurality of VNFs, that are capable of providing the network service in accordance with the set of design parameters. The device may provide information associated with the network service design.

Abstract: Apparatus and methods described herein relate to an apparatus including a set of ports and a processor operatively coupled to each port of the set of ports. A port from the set of ports can be associated with a port of a multi-chassis aggregate (MCAE) interface and a virtual local area network (VLAN). The processor can generate an untagged data unit and tagged data units. The processor can send the untagged data unit and the tagged data units via the port from the set of ports, and can receive a tagged data unit included in the tagged data units, and/or the untagged data unit. The processor can also forward the received data unit to a destination network peer when the received tagged data unit is associated with the VLAN, and can disable the port of the MCAE interface in response to the port from the set of ports receiving the data unit, when the received data unit is associated with the VLAN.

Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.

Abstract: An example device includes one or more memories; and one or more processors, communicatively coupled to the one or more memories, to, during a loading process of a boot process of an operating system, identify a file to be loaded for the operating system, where the operating system is being loaded during the boot process; identify a manifest of the file; verify the manifest of the file based on a supplied signature of the manifest; identify a fingerprint, associated with the file, in a fingerprint library; calculate a hash of the file; compare the hash of the file and the fingerprint; and verify the file based on the hash of the file matching the fingerprint associated with the file.

Abstract: Optical alignment of an optical connector to input/output couplers of a photonic integrated circuit can be achieved by first actively aligning the optical connector successively to two loopback alignment features formed in the photonic chip of the PIC, optically unconnected to the PIC, and then moving the optical connector, based on precise knowledge of the positions of the loopback alignment features relative to the input/output couplers of the PIC, to a position aligned with the input/output couplers of the PIC and locking it in place.

Abstract: A variety of different graphical user interfaces are generated that when displayed provide a visual and interactive representation of one or more performance metrics associated with the operation of a computer network. The graphical user interfaces may be used to monitor the underlay computer network for a virtualization infrastructure, as one example. Aspects include grouping the servers of a computer network into a plurality of aggregates, each aggregate comprising one or more servers. A set of probes are configured that are issued by an agent of a server in one aggregate and sent through the computer network to one or more agents in the server(s) of a different aggregate. Responses and other measurements taken based on the issuance of the probes is gathered and analyzed to generate metrics that are then used to generate, at least in part, the information provided in the graphical user interfaces.

Abstract: A control device may subscribe to receive data from a network device. The data may be associated with a plurality of packets that have been dropped by the network device and include a first descriptor based on a type of packet drop associated with a packet of the plurality of packets that have been dropped by the network device, and one or more second descriptors based on a packet flow associated with the plurality of packets that have been dropped by the network device. The control device may determine a dropped packet profile associated with the network device, based on the first descriptor and the one or more second descriptors. The control device may generate a first notification based on the dropped packet profile associated with the network device and transmit the first notification to cause an action to be performed based on the first notification.

Abstract: Embodiments of the invention describe flexible (i.e., elastic) data center architectures capable of meeting exascale, while maintaining low latency and using reasonable sizes of electronic packet switches, through the use of optical circuit switches such as optical time, wavelength, waveband and space circuit switching technologies. This flexible architecture enables the reconfigurability of the interconnectivity of servers and storage devices within a data center to respond to the number, size, type and duration of the various applications being requested at any given point in time.

Abstract: A device may include one or more processors to receive network topology information of a network and device capability information of devices in the network; detect a threat to the network; determine threat information associated with the threat; select a security policy and an enforcement device of the network to enforce the security policy based on the network topology information, the device capability information, and the threat information; and perform an action associated with the threat based on the security policy and the enforcement device.

Abstract: A device stores time series data, based on time stamps, in a compact prefix tree, and receives new time series data to be added to the compact prefix tree. The device determines whether the new time series data is different than previously stored time series data in the compact prefix tree. The device selectively stores the new time series data in the compact prefix tree by storing the new time series data in the compact prefix tree when the new time series data is different than the previously stored time series data in the compact prefix tree, and updates a last time stamp for one of the previously stored time series data, based on the new time series data, when the new time series data is not different than the one of the previously stored time series data.

Abstract: A device may store first information regarding a first pseudowire connection with a first device, wherein the first pseudowire connection provides access to an Ethernet virtual private network (EVPN) to communicate with a host device. The device may store second information regarding a second pseudowire connection with a second device, wherein the second pseudowire connection provides access to the EVPN to communicate with the host device. The device may receive a message that includes a configuration identifier and identify the configuration identifier. The device may change a first characteristic of the first pseudowire connection based on the configuration identifier. The device may change a second characteristic of the second pseudowire connection based on the configuration identifier. The device may receive data from the host device based on changing the first characteristic of the first pseudowire connection and changing the second characteristic of the second pseudowire connection.

Abstract: A system and method for modifying services provided by one or more network devices. A processor of a first network device identifies defined events in each of a plurality of applications, including a first defined event associated with a first application. The processor assigns a signal-route to each defined event. The processor then executes the first application and, when the processor detects occurrence of the first defined event during execution of the first application, the processor modifies services provided by a second network device by adding the first signal-route to or removing the first signal-route from a routing information base (RIB) on the first network device and advertising, to the second network device, the change in the RIB.

Abstract: A first network device permits a bidirectional forwarding detection (BFD) session with a second network device. The first network device is a designated forwarder for a third network device, a first link is provided between the first network device and the third network device, the second network device is a backup designated forwarder for the third network device, a second link is provided between the second network device and the third network device. The first network device detects a link failure associated with the first link between the first network device and the third network device, and provides, via the BFD session, a BFD message to the second network device. The BFD message includes an indication of the link failure, and the BFD message is to cause the second network device to be a new designated forwarder for the third network device.

Abstract: The disclosed computer-implemented method may include (1) receiving, at a source node, a request to discover a plurality of network paths that each lead from the source node to a destination node and (2) discovering the plurality of network paths by (A) identifying each next hop between the source node and the destination node, (B) sending, from the source node to each next hop, a path-request probe that prompts the next hop to (i) determine each next-closest hop and (ii) return, to the source node, a path-response probe that identifies the next-closest hops, (C) receiving the path-response probes from the next hops, (D) determining, at the source node based on the path-response probes, that one or more of the plurality of network paths include the next hops and the next-closest hops, and then (E) iteratively discovering any subsequent hops by sending a subsequent path-request probe to each next-closest hop.

Abstract: Apparatus and methods described herein relate to an apparatus including a memory and a processor operatively coupled to the memory. The processor can receive a package associated with a network management device and management input. The processor can generate at least one management device schema based on the package, and can modify a controller schema based on the management input and the at least one management device schema. The processor can receive a configuration input signal that includes instructions to configure the network management device. The processor can determine a management device schema associated with the network management device based on the controller schema, and can convert the configuration input signal into a configuration signal based on the management device schema. The processor can also send the configuration signal to cause a modification to a configuration of the network management device based on the configuration signal.

Abstract: A network device is configured to receive an inbound packet from a first server device via a network tunnel, the first inbound packet including an outer header, a virtual private network (VPN) label, an inner header, and a data payload, the inner header including an inner source IP address of a source virtual machine. The processors are also configured to determine a first tunnel identifier, determine, based on the inner source IP address, a second tunnel identifier associated with a second server device hosting the source virtual machine, compare the second tunnel identifier with the first tunnel identifier to determine whether the tunnel on which the first inbound packet was received is the same as a tunnel used for forwarding traffic to the source virtual machine, and drop the inbound packet when the second tunnel identifier does not match the first tunnel identifier.