Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a virtualized cell site router comprises a computing device configured with a containerized router, the computing device comprising: a containerized virtual router configured to execute on the processing circuitry and configured to implement a data plane for the containerized router; a containerized routing protocol process configured to execute on the processing circuitry and configured to implement a control plane for the containerized router; and a pod comprising a containerized distributed unit, wherein the containerized routing protocol process is configured to advertise routing information comprising reachability information for the containerized distributed unit.

Abstract: In general, techniques are described for extending network connectivity software utilities, such as traceroute, to provide complete visibility into a network topology between a source device and a destination device, even when an intermediate network device may be actively utilizing multiple network links when forwarding packets toward the destination. In one example, a network device coupled to a plurality of paths and positioned between a source network device and destination network device may receive a traceroute packet. The network device may also, for each of the plurality of paths, modify a payload of the traceroute packet to include a respective identifier for a corresponding path of the plurality of paths to construct a respective modified traceroute packet for the corresponding path. The network device may also forward the respective modified traceroute packets on the corresponding paths.

Abstract: A container orchestration platform manages a plurality of instances of resources including a first custom resource and a second custom resource. An API server of the container orchestration platform receives a request to delete an instance of the second custom resource; determines whether instance data associated with the instance of the second custom resource has a backreference identifying an instance of the first custom resource, the backreference indicating the instance of the first custom resource is dependent on the instance of the second custom resource; and in response to determining that the instance data has the backreference to the instance of the first custom resource, bypasses deletion of the instance of the second custom resource.

Abstract: Techniques are described for a router providing metric-based multi-hop path selection. For example, a first router of a plurality of routers receives a plurality of network performance metrics for a plurality of links interconnecting the plurality of routers. The plurality of links form a plurality of multi-hop paths through the plurality of routers to a service instance. The router determines, based on the plurality of network performance metrics for the plurality of links, an end-to-end performance of each of the plurality of multi-hop paths. The router selects a multi-hop path over which to forward traffic associated with the session based on the end-to-end performance of each of the plurality of multi-hop paths and one or more performance requirements for a service associated between a session between a client device and the service instance. The router forwards the traffic to the service instance along the selected multi-hop path.

Abstract: A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

Abstract: In general, this disclosure describes techniques for provisioning virtual private network (VPN) services for cloud native routers using a multi-stage process. In an example, a method comprises deploying, in a first computing device, using a layer 2 bridge domain that includes the first computing device, a containerized routing protocol process; deploying, in the first computing device, using the layer 2 bridge domain, a containerized application; configuring, in the containerized routing protocol process executing on the first computing device, a virtual private network (VPN); and exchanging, by the containerized routing protocol process executing on the first computing device, routing protocol messages with another router to provide virtual connectivity between the containerized application and another application that is external to the first computing device.

Abstract: A broadband network gateway (BNG) controller is described that includes a network subscriber database (NSDB) and one or more core applications. The NSDB is configured to store vBNG instance information for one or more subscriber devices. The vBNG instance information specifies vBNG instances operable by one or more edge routers. The vBNG instances are configured to receive requests to access service provider services from the one or more subscriber devices and to selectively authenticate the one or more subscriber devices for network services based on authentication information included in the requests to access services provider services. The one or more core applications include a network instance and configuration manager (NICM). The NICM is configured to modify the vBNG instance information at the NSDB to include an additional vBNG instance and to output, to an edge router, an instruction to generate the additional vBNG instance at the edge router.

Abstract: A system identifies an intent policy model associated with an initial time. The system updates a data structure to cause the data structure to include one or more portions. Each portion of the data structure is associated with a start time and an end time. Each portion includes: a first delta snapshot that indicates one or more first changes to the intent policy model from the initial time to the start time associated with the portion, and one or more additional delta snapshots that respectively indicate one or more incremental changes to the intent policy model at times from the start time and to the end time associated with the portion of the data structure.

Abstract: An example system includes first servers deployed in a public cloud computing infrastructure and second servers deployed external to the public cloud computing infrastructure connected to the first servers via a layer 3 network. The first servers include first virtual routers to implement one or more virtual networks and first virtual execution elements. The first virtual execution elements execute a network controller that includes a plurality of microservices. A network device manages network routing for the second servers. The network controller is configured to exchange routing information with the network device. The network controller is configured to configure, based on the routing information, the first virtual routers to configure a virtual network of the one or more virtual networks for packetized communications among the first virtual execution elements executing on the first servers in the public cloud computing infrastructure and the second servers.

Abstract: Techniques are described for learning an unknown virtual network information, such as an virtual Internet Protocol (IP) address, of a pod in a virtual network. In some examples, a virtual router executing at a computing device may receive an Address Resolution Protocol (ARP) packet from a virtual execution element in the virtual network, the virtual execution element executing at the computing device. The virtual router may determine, based at least in part on the ARP packet, whether virtual network information for the virtual execution element in a virtual network is known to the virtual router. The virtual router may, in response to determining that the virtual network information of the virtual execution element in the virtual network is not known to the virtual router, perform learning of the virtual network information for the virtual execution element.

Abstract: In some implementations, a network device may determine a maximum bandwidth requirement (MBR) associated with a network device. The network device may reduce based at least in part on the MBR, a power level of a component of the network device.

Abstract: In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that permits a role to perform one or more functions in the computer network. The access control policy controller may determine one or more operations performed on one or more objects in the computer network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the computer network. The access control policy controller may create the access control policy for the role that permits the role to perform the one or more operations on the one or more objects in the computer network.

Abstract: This disclosure describes techniques that include collecting underlay flow data along with overlay flow data within a network and correlating the data to enable insights into network operation and performance. In one example, this disclosure describes a method that includes collecting flow data for a network having a plurality of network devices and a plurality of virtual networks established within the network; storing the flow data in a data store; receiving a request for information about a data flow, wherein the request for information specifies a source virtual network for the data flow and further specifies a destination virtual network for the data flow; and querying the data store with the specified source virtual network and the specified destination virtual network to identify, based on the stored flow data, one or more network devices that have processed at least one packet in the data flow.

Abstract: Techniques are described for providing fast reroute for BUM traffic in EVPN. For example, a first provider edge (PE) device, elected as a designated forwarder (DF) of an Ethernet segment, configures a backup path using a label received from a second PE device of the Ethernet segment (e.g., backup DF) that identifies the second PE device as a “protector” of the Ethernet segment. For example, a routing component of the DF configures within a forwarding component a backup path to the second PE device, e.g., installing the label and operation(s) within the forwarding component to cause the forwarding component to add the label to BUM packets received from a core network. Therefore, when an access link to the local CE device has failed, the DF reroutes BUM packets from the core network via the backup path to the second PE device, which sends the BUM packets to the CE device.

Abstract: An example system includes access point (AP) devices configured to provide a wireless network at a site; and a network management system that stores network data received from the AP devices, the network data collected by the AP devices or client devices associated with the wireless network, and one or more processors configured to: receive a time series of SLE metrics based on the network data, determine, based on the time series, whether a network event has occurred, in response to a determination that a network event has occurred, determine a root cause for the network event, and in response to a determination that the root cause of the network event is associated with an AP device, determine a classification of the AP device, and determine a network management action for the AP device based on the network event and the classification of the AP device.

Abstract: Techniques are described for optimizing multipaths of a segment routing-enabled network. For example, a computing device is configured to: for each link in a network layer of a multi-layer network, compute a usage (metric) of the link by all paths of a first plurality of multipaths provisioned in the network layer to compute a total usage by the first plurality of multipaths, the first plurality of multipaths having been computed and placed to a model of the network layer in a first order; compute a second plurality of multipaths, wherein the second plurality of multipaths are computed and placed, to the model of the network layer, in a second, different order; and in response to determining that the total usage by the second plurality of multipaths is less than the total usage by the first plurality of multipaths, provision the second plurality of multipaths in the network layer.

Abstract: Techniques are described for a router providing metric-based multi-hop path selection. For example, a first router of a plurality of routers receives a plurality of network performance metrics for a plurality of links interconnecting the plurality of routers. The plurality of links form a plurality of multi-hop paths through the plurality of routers to a service instance. The router determines, based on the plurality of network performance metrics for the plurality of links, an end-to-end performance of each of the plurality of multi-hop paths. The router selects a multi-hop path over which to forward traffic associated with the session based on the end-to-end performance of each of the plurality of multi-hop paths and one or more performance requirements for a service associated between a session between a client device and the service instance. The router forwards the traffic to the service instance along the selected multi-hop path.

Abstract: An example device includes multiple Bluetooth Low Energy (BLE) transceivers, wherein a first BLE transceiver is configured to receive a first BLE advertising signal on a first channel of a BLE frequency band, a second BLE transceiver is configured to receive a second BLE advertising signal on a second channel of the BLE frequency band, and a third BLE transceiver is configured to receive a third BLE advertising signal on a third BLE channel. The first BLE transceiver, the second BLE transceiver, and the third BLE transceiver currently listen for the BLE advertising signals. Processing logic coupled to the BLE transceivers determines data indicative of a distance from the device to a tag that is a source of BLE advertising signals and provides the data to one of a location server or an asset management system.