Abstract: Techniques are described for determining one or more outlier logical paths in a computer network. A cloud-based network management system stores path data received from a plurality of network devices operating as network gateways for an enterprise network, the path data collected by each network device of the plurality of network devices for one or more logical paths of a physical interface from the network device over a wide area network (WAN). The network management system compares the path data for the plurality of logical paths to determine one or more outlier logical paths out of the plurality of logical paths. The network management system, in response to determining the one or more outlier logical paths, output a notification indicative of the one or more outlier path data out of the plurality of logical paths.

Abstract: Disclosed are embodiments of a device that includes an orientation sensor. Based on the device's orientation, a transmit power of the device is limited to ensure that transmission of the device do not exceed regulatory requirements. The transmit power limit is based, in some embodiments, on a manufacturer or model of the device, which indicates a position of one or more antennas relative to the device, and allows for a determination of an amount of power transmitted above the horizon in a given orientation.

Abstract: A computing device may determine an occurrence of a network event associated with a pair of network devices of a plurality of network devices included in a network. The computing device may, in response to determining the occurrence of the network event, determine a plurality of network parameters associated with the network. The computing device may determine, using a plurality of decision trees and based on the plurality of network parameters, a number of overlay tunnels to add between the pair of network devices. The computing device may create the number of overlay tunnels over an underlay topology of the network between the pair of network devices.

Abstract: In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable resource associated with a second site. To implement the security policy, a device associated with the first site queries the segment-specific queryable resource associated with the second site, and updates one or more forwarding tables of the device with the network segment prefixes associated with one or more network segments at the second site received in response to the query. The first site forwards network traffic to the second site based on the updated forwarding tables.

Abstract: Embodiments of the invention describe apparatuses, optical systems, and methods for utilizing a dynamically reconfigurable optical transmitter. A laser array outputs a plurality of laser signals (which may further be modulated based on electrical signals), each of the plurality of laser signals having a wavelength, wherein the wavelength of each of the plurality of laser signals is tunable based on other electrical signals. An optical router receives the plurality of (modulated) laser signals at input ports and outputs the plurality of received (modulated) laser signals to one or more output ports based on the tuned wavelength of each of the plurality of received laser signals. This reconfigurable transmitter enables dynamic bandwidth allocation for multiple destinations via the tuning of the laser wavelengths.

Abstract: A network device may receive an internet protocol (IP) packet that includes an IP packet header. The IP packet may include at least one extension header, which includes at least one of: a hop-by-hop options header, a first destination options header that precedes a routing header, or a second destination options header that precedes an upper-layer header. The network device may determine that: the hop-by-hop options header includes an Operations and Management capabilities (OAM) option, the first destination options header includes the OAM option and an IP address of the network device matches a destination IP address or a routing IP address identified in the routing header, or the second destination options header includes the OAM option and the IP address of the network device matches the destination IP address. The network device may perform one or more actions indicated by the OAM option.

Abstract: An example network device determines to assign a number of global Internet protocol (IP) addresses to respective network interfaces, determines a subnetwork for the network interfaces, determines a prefix corresponding to the subnetwork, determines a first global IP address having the prefix, determines a range value that is equal to or greater than the number of global IP addresses, generates a message according to Duplicate Address Detection Protocol (DAD) including data indicating that the message includes a range of addresses, the data further indicating the first global IP address and the range value, and sends the message according to DAD to one or more host network devices to determine whether any global IP address in a range starting with the first global IP address and through the range value is in use by the one or more host network devices.

Abstract: A network device may receive policy data identifying a first segment routing (SR) policy and a second SR policy. The first SR policy may be associated with a first path through a network and a first next hop, and the second SR policy may be associated with a second path through the network and a second next hop. The network device may advertise, to another device, reachability associated with the first next hop and the second next hop, and may receive, from the other device, a packet with a header. The network device may determine, from the header, data identifying the first next hop or the second next hop, without performing a lookup, and may cause the packet to be routed to a destination address, via the first path or the second path, based on the policy data associated with the first next hop or the second next hop.

Abstract: A non-transitory processor-readable medium storing code representing instructions to be executed by a processor can cause the processor to receive an indication to load balance a group of sessions associated with a network node and a switch across a group of links between a gateway device and the switch at a first time. The code causes the processor to calculate at a second time, a load based on the group of sessions and associated with a first set of links in an active configuration before the first time. The code causes the processor to send a signal to cause a set of sessions from the group of sessions to re-establish themselves at a third time based on a threshold value calculated based on the load such that the set of sessions are load balanced across a second set of links in the active configuration at the third time.

Abstract: A network device may receive packets, wherein the network device includes a first routing component, a second routing component, a first forwarding component, a second forwarding component, and a physical interface card concentrator with multiple physical interface cards. The first routing component may provide, to the physical interface card concentrator, a signal indicating that the second forwarding component is to be an active forwarding component. The physical interface card concentrator may cause, based on the signal, a data path for the multiple physical interface cards to be switched from the first forwarding component to the second forwarding component. The first routing component may provide the packets to the second forwarding component. The second forwarding component may provide the packets to the multiple physical interface cards via the data path. The multiple physical interface cards may forward the packets toward destinations associated with the packets.

Abstract: A ring node N belonging to a resilient MPLS ring (RMR) provisions and/or configures clockwise (CW) and anti-clockwise (AC) paths on the RMR by: (a) configuring two ring node segment identifiers (Ring-SIDs) on the ring node, wherein a first of the two Ring-SIDs (CW-Ring-SID) is to reach N in a clockwise direction on the ring and a second of the two Ring-SIDs (AC-Ring-SID) is to reach N in an anti-clockwise direction on the ring, and wherein the CW-Ring-SID and AC-Ring-SID are unique within a source packet routing in networking (SPRING) domain including the ring; (b) generating a message including the ring node's CW-Ring-SID and AC-Ring-SID; and (c) advertising the message, via an interior gateway protocol, for receipt by other ring nodes belonging to the ring such that (1) a clockwise multipoint-to-point path (CWP) is defined such that every other one of the ring nodes belonging to the ring can be an ingress for the CWP and such that only the node is an egress for the CWP, and (2) an anti-clockwise multipoint-

Abstract: In general, various aspects of the techniques are described in this disclosure for distributed label assignment for labeled routes. In one example, a method includes obtaining, by a first thread of a plurality of execution threads for at least one routing protocol process executing on processing circuitry of a network device, an allocation of first labels drawn from a label space for a network service; adding, by the first thread, the first labels to a first local label pool for the first thread; generating, by the first thread, after obtaining the allocation of the first labels, a labeled route comprising a route for the network service and a label assigned by the first thread from the first local label pool; and outputting, by the network device, the labeled route.

Abstract: Disclosed are methods for detecting misconfigured VLANs. In some embodiments, traffic on a VLAN across multiple access points is categorized. Traffic on the VLAN at a single access point is then also categorized. The categorization of the VLAN traffic at the single access point can be in response to, for example, communication errors or other conditions. The two categorizations are then compared to determine if the VLAN traffic at the AP is consistent with the VLAN traffic across a network (e.g., an enterprise network). If the VLAN traffic at the AP is generally consistent with that across the network, this may indicate that a downstream network component, such as a switch or router, is misconfigured. Thus, some embodiments programmatically reconfigure the downstream component to forward traffic for the VLAN.

Abstract: A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP address of a next-hop node. The node updates a remaining segments value, included in the CRH, that identifies a number of segments left in a route of the IP payload packet. The node provides the IP payload packet to the next-hop node to allow the next-hop node to route the IP payload packet to another node in the network or to a destination device.

Abstract: A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link. The device may send, after causing the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link, additional traffic via the first link and the at least one additional link.

Abstract: In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages, one of the plurality of ingress network devices to which to send a multicast join message of a plurality of multicast join messages for the multicast source and multicast group; and sending, by the egress network device, the multicast join message to the selected one of the plurality of ingress network devices.

Abstract: Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level applications and the cloud native virtual router. The cloud native virtual router comprises a containerized routing protocol process configured to operate as a control plane, and a data plane for the containerized router. The data plane is configured to operate an ethernet virtual private network (EVPN) encapsulation/decapsulation data path of an overlay network for communicating layer two (L2) network traffic of the containerized user applications over a switch fabric of the data center.

Abstract: A device may receive first topology information from a first network device of a network, and may receive second topology information from a second network device of the network. The device may assign a first BGP-LS identifier to the first network device, and may associate the first topology information with the first BGP-LS identifier. The device may assign a second BGP-LS identifier to the second network device, and may associate the second topology information with the second BGP-LS identifier. The device may store the first topology information, as a first route, based on the first BGP-LS identifier, and may store the second topology information, as a second route, based on the second BGP-LS identifier. The device may select the first route or the second route as a primary route, and may utilize the primary route to control routing of traffic through the network.

Abstract: An example network device includes memory, a communication unit, and processing circuitry coupled to the memory and the communication unit. The processing circuitry is configured to receive first samples of flows from an interface of another network device sampled at a first sampling rate and determine a first parameter based on the first samples. The processing circuitry is configured to receive second samples of flows from the interface sampled at a second sampling rate, wherein the second sampling rate is different than the first sampling rate and determine a second parameter based on the second samples. The processing circuitry is configured to determine a third sampling rate based on the first parameter and the second parameter, control the communication unit to transmit a signal indicative of the third sampling rate to the another network device; and receive third samples of flows from the interface sampled at the third sampling rate.

Abstract: A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP message or the NS message is to trigger a response from the client device to indicate that the network address of the client device is in use. The network node may provide, toward the client device, the ARP message or the NS message. The network node may perform one or more actions based on receiving or not receiving the response, from the client device, to the ARP message or the NS message.