Abstract: A network device may receive a request to access a network from a client device. The network device may determine that the client device is authenticated based on a set of authentication credentials obtained for the client device. The network device may determine, based on the client device being authenticated, that a quantity of devices currently accessing the network using the set of authentication credentials is equal to a maximum quantity of devices permitted to access the network using the set of authentication credentials. The network device may deny the client device access to the network based on the quantity of devices being equal to the maximum quantity of device.

Abstract: Failure impact analysis (or “impact analysis”) is a process that involves identifying effects of a network event that are may or will results from the network event. In one example, this disclosure describes a method that includes generating, by a control system managing a resource group, a resource graph that models resource and event dependencies between a plurality of resources within the resource group; detecting, by the control system, a first event affecting a first resource of the plurality of resources, wherein the first event is a network event; and identifying, by the control system and based on the dependencies modeled by the resource graph, a second resource that is expected to be affected by the first event.

Abstract: A disclosed method may include (1) querying, in connection with a monitoring service, a network device for device-specific data that identifies features of the network device, (2) determining, based at least in part on the device-specific data, identities of a set of ports on the network device, (3) identifying, based at least in part on the device-specific data, one or more port-specific data objects corresponding to the set of ports, (4) dynamically creating, based at least in part on the device-specific data, a device-visualization interface of the network device by (A) generating a graphical chassis widget that illustrates a logical view of the set of ports and (B) generating a graphical table that illustrates the port-specific data objects, and then (5) providing, in connection with the monitoring service, the device-visualization interface for presentation on a computing device. Various other systems and methods are also disclosed.

Abstract: In some implementations, a device may include a first flexible barrier that is configured to prevent dust from passing through a cable slot of a network device. The device may further include a second flexible barrier that is configured to absorb at least a portion of an amount of electromagnetic energy generated by the network device.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a computing device comprises processing circuity; a containerized set of workloads; a containerized routing protocol process configured to execute on the processing circuitry and configured to receive routing information; a kernel network stack executing on the processing circuitry and configured to forward packets based on first routing information from the containerized routing protocol process; and a data plane development kit (DPDK)-based virtual router executing on processing circuitry and configured to forward traffic to and from the workloads based on second routing information from the containerized routing protocol process.

Abstract: A traffic planning platform may receive information related to a traffic flow including a traffic bandwidth to transport through a network with various network devices interconnected by links. The traffic planning platform may generate a traffic plan by assigning the traffic flow to a set of the links that includes network resources connecting a source of the traffic flow to a destination of the traffic flow. The traffic planning platform may render a visualization of the traffic plan, wherein the visualization includes a user interface (e.g., a diagram, an animation, and/or the like) in which geometric shapes that represent the source, the peer link, and the destination are connected by bands that represent the tunnel and the external route and further in which the geometric shapes and the bands each have a first visual property and a second visual property based on the traffic bandwidth of the traffic flow.

Abstract: In some implementations, a broadband network gateway (BNG) may receive, from a customer premises equipment, a dynamic host configuration protocol (DHCP) discover request, wherein the BNG is connected to the customer premises equipment and a fixed mobile interworking function (FMIF). The BNG may communicate with, based on the DHCP discover request, the FMIF. The BNG may provide to the customer premises equipment, and based on communicating with the FMIF, a DHCP offer that offers utilization of the BNG as a DHCP server. The BNG may receive from the customer premises equipment, and based on providing the DHCP offer, a DHCP request to request utilization of the BNG as the DHCP server. The BNG may provide to the customer premises equipment, and based on the DHCP request, a DHCP acknowledgment that acknowledges utilization of the BNG as the DHCP server.

Abstract: A network device ensures availability of content destination devices, and may receive a request to install a filter, and the request may include information identifying a set of content destination devices capable of receiving packets that match the filter, and priority values indicating priorities by which the set of content destination devices are to receive the packets. The network device may receive status indications indicating availabilities associated with the set of content destination devices, and may receive a packet destined for an endpoint device. The network device may generate a copy of the packet, and may determine that a packet feature matches the filter. The network device may select a particular content destination device, from the set of content destination devices, based on the priority values and the status indications, and may cause the copy of the packet to be forwarded to the particular content destination device.

Abstract: An example virtual router includes a plurality of logical cores (“lcores”), where each lcore comprises a CPU core or hardware thread. The virtual router is configured to determine a latency profile, select, based at least in part on the latency profile, a packet processing mode from the plurality of packet processing modes. In response to a determination that the packet processing mode comprises the run-to-completion mode, an lcore of the plurality of lcores is configured to: read a network packet from a device queue, process the network packet to determine a destination virtual device for the network packet, the destination virtual device having a plurality of interface queues, and insert the network packet into an interface queue of the plurality of interface queues.

Abstract: An auto-discovery route reflector (auto-discovery-RR) may obtain a route from an originating network device and may update a data structure to include at least some information contained in the route. The auto-discovery-RR may identify, based on the data structure, a plurality of target network devices, wherein the plurality of target network devices includes at least one route reflector (RR) and at least one route reflector client (RR-client). The auto-discovery-RR may send the route to the plurality of target network devices to facilitate establishment of a connection between the originating network device and at least one target network device of the plurality of target network devices.

Abstract: In general, techniques are described for signaling IP path tunnels for traffic engineering using constraints in an IP network. For example, network devices, e.g., routers, of an IP network may compute an IP path using constraint information and establish the IP path using, for example, Resource Reservation Protocol, to signal the IP path without using MPLS. As one example, the egress router generates a path reservation signaling message that includes an egress IP address that is assigned for use by the routers on the IP path to send traffic of the data flow by encapsulating the traffic with the egress IP address and forwarding toward the egress router. As each router in the IP path receives the path reservation signaling message, the router configures a forwarding state to forward traffic encapsulated with the egress IP address to a next hop along the IP path toward the egress router.

Abstract: A device may provide, to a network device, a subscribe request that includes a request for sensor data, and may receive sensor data packets that include the sensor data and header extensions identifying a group identifier for a group of sensor data and final packet information indicating whether the sensor data packet is a final one for the group. The device may store the sensor data packets until the final packet information of one of the sensor data packets indicates that the one of the sensor data packets is a final sensor data packet for the group, and may identify a complete set of the sensor data packets when the final packet information of the one of the sensor data packets indicates that the one of the sensor data packets is the final sensor data packet. The device may perform actions based on the complete set.

Abstract: A network device may receive a redundant identifier certificate associated with a redundant routing module, and may provide, to a bootstrap device, a primary identifier certificate associated with a primary routing module associated with the network device. The network device may establish a secure connection with the bootstrap device based on the bootstrap device verifying an authenticity of the primary routing module via the primary identifier certificate. The network device may provide, to the bootstrap device via the secure connection, a redundant routing module identifier associated with the redundant routing module and may receive, from the bootstrap device via the secure connection, a signed certificate chain associated with the redundant routing module. The network device may verify the signed certificate chain and may verify the redundant identifier certificate, associated with the redundant routing module, based on verifying the signed certificate chain.

Abstract: Systems, devices and techniques for an adaptive application-specific probing scheme are disclosed. An example network device includes memory configured to store a network address and probe protocol usable for probing a first network device associated with a source of an application, and one or more processors configured to determine a network address and probe protocol usable for probing the first network device, wherein the first network device comprises a server that is responsive to the probing, the server executing the application for the data flow, or a closest network device, to the server, that is responsive to the probing. The one or more processors are also configured to send to a second network device at a location serviced by the application, a message specifying the network address and probe protocol usable for probing the first network device.

Abstract: Disclosed are embodiments for determining a location of a device based on phase differences of a signal received from the device. In some embodiments, expected phase differences for signals transmitted from a plurality of regions are determined. The expected phase differences are those differences of the signal when received at each of a plurality of receive elements of a receiving device. By comparing phase differences of a signal received from the device to the expected phase differences, a location of the device is determined.

Abstract: A secure IGP topology or other link state topology can be implemented by a network security unit that runs in a centralized environment on servers separate from a network associated with the IGP topology. The network security unit acquires the topology information, such as by participating in IGP or through border gateway protocol with link state (BGP-LS). The network security unit detects possible network problems, such as indicators of potential network attacks. Once an indicator of a potential network attack is detected, the network security unit identifies the node that is compromised. Once the compromised node is identified, the network security unit can report the node for manual or automated intervention. In some aspects, the network security unit can isolate the compromised node by shutting down links connected to the compromised node.

Abstract: A network monitoring device may receive, from a mediation device, flow-tap content data (generated by the mediation device based on current and/or previous investigation reports associated with flow tapping) that needs to be monitored. The network monitoring device may map the content data to a flow-tap content destination address of a content destination device in an entry of a flow-tap content filter. The network monitoring device may analyze, using the flow-tap content filter, network traffic of the network to detect a traffic flow that includes the content data. The network monitoring device may generate, based on successfully detecting a traffic flow that includes the content data, a traffic flow copy and may provide the traffic flow copy to the flow-tap content destination address, wherein the traffic flow copy is to be accessible to the content destination device to enable a context analysis of the content data.

Abstract: Disclosed is an attachment mechanism for attaching a wireless access point to a vertical structure, such as a wall. The attachment mechanism includes a bracket that is mounted to the vertical structure. The attachment mechanism also includes at least two engagement members positioned on opposing sides of the access point. The two engagement members are horizontally aligned, in some embodiments, when the access point is engaged with a bracket. The two engagement members engage with receptacles that are part of the bracket. One of the receptacles includes a tab which prevents its corresponding engagement member from fully engaging with the receptacle, allowing the attachment mechanism to disengage via disengagement of only one of the engagement members.

Abstract: A network device may receive a first data packet. The network device may determine that a level of available computing resources satisfies a threshold level. The network device may perform a secure socket layer (SSL) proxy function based on the level of available computing resources satisfying the threshold level. The network device may receive a second data packet. The network device may determine that the level of available computing resources fails to satisfy the threshold level. The network device may determine a security characteristic associated with the second data packet. The network device may determine a security rating associated with the second data packet based on the security characteristic. The network device may selectively perform the SSL proxy function based on the security rating.

Abstract: In one example, a network management system discovers a plurality of network devices behind a network address translation device, such as a firewall. The network management system may receive a model of a seed network device, generate a first activation configuration and commit the first activation configuration on the seed network device. The network management system may connect to the seed network device and discover neighboring devices from information in the seed network device. The network management system may connect to the neighboring devices, automatically create a model of the neighboring network devices, generate s activation configurations for the neighboring network devices and commit the activation configurations on the neighboring network devices. The network management system may iterative perform these steps until it discovers all the discoverable network devices behind the network address translation device.