Abstract: A controller device manages a plurality of network devices arranged at a plurality of sites. The controller device includes one or more processing units configured to determine a stateful intent for managing a software application at the plurality of network devices and represented by a graph model and translate the stateful intent into low-level configuration data. The one or more processing units are further configured to determine, for each site, a priority index based on a site-level usage of the software application, determine, an ordered list of the plurality of sites based on the priority index for each respective site, and configure, for each respective site, and in an order specified by the ordered list of the plurality of sites, one or more network devices of the plurality of network devices that are arranged at the respective site according to the low-level configuration data.

Abstract: In general, techniques are described for signaling IP path tunnels for traffic engineering using constraints in an IP network. For example, network devices, e.g., routers, of an IP network may compute an IP path using constraint information and establish the IP path using, for example, Resource Reservation Protocol, to signal the IP path without using MPLS. As one example, the egress router generates a path reservation signaling message that includes an egress IP address that is assigned for use by the routers on the IP path to send traffic of the data flow by encapsulating the traffic with the egress IP address and forwarding toward the egress router. As each router in the IP path receives the path reservation signaling message, the router configures a forwarding state to forward traffic encapsulated with the egress IP address to a next hop along the IP path toward the egress router.

Abstract: In general, techniques are described by which to provide a topology-based graphical user interface for network management systems. A controller device comprising a processor and a memory may be configured to perform the techniques. The processor may monitor network devices arranged according to a network topology to obtain operational data, and obtain configuration data defining the network topology. The memory may store the operational data and the configuration data. The processor may analyze the configuration data and the operational data to provide a graphical representation of the network topology that graphically depicts the operational data, and present a single graphical user interface that presents the graphical representation of the network topology that graphically depicts the operational data.

Abstract: A disclosed method may include (1) receiving, at a node within a network, an MPLS echo request from an additional node adjacent to the node, (2) determining that a FEC query is included in a FEC stack of the MPLS echo request and then, in response to determining that the FEC query is included in the FEC stack of the MPLS echo request, (3) determining at least one FEC that corresponds to a label included in a label stack of the MPLS echo request, and then (4) notifying the additional node of the FEC that corresponds to the label included in the label stack by sending, to the additional node, an MPLS echo reply that identifies the FEC that corresponds to the label. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: A network device may receive a packet and may determine whether a next header of the packet is an Internet protocol (IP) header, an Internet control message protocol (ICMP) header, or a segment routing header. The network device may determine, when the next header of the packet is the IP header, whether policy processing of the packet is set to ultimate segment decapsulation and may discard the packet when the policy processing of the packet is not set to ultimate segment decapsulation. The network device may decapsulate an outer header of the packet when the policy processing of the packet is set to ultimate segment decapsulation and may process the packet after decapsulating the outer header of the packet, to generate a processed packet. The network device may forward the processed packet toward a destination.

Abstract: Techniques are described for supporting multiple virtual networks over an underlay network. The techniques may provide support for network slicing and enhanced virtual private networks (VPNs) over an underlay network. In general, the techniques include allocating a subset of resources (e.g., nodes and/or links) of the underlay network to a particular virtual network, and advertising the subset of resources to provider edge (PE) routers that are participating in the virtual network. A network controller device may advertise the subset of resources for the virtual network to the respective PE routers using BGP-LS (Border Gateway Protocol-Link State). Based on the advertisements, each of the PE routers generates a restricted view of the full underlay network topology for the virtual network and, thus, only uses the subset of resources in the restricted view to generate routing and forwarding tables for the virtual network.

Abstract: Techniques are disclosed for generating session-specific packet capture records. In one example, a first network device receives a first packet of a session between first and second client devices, the session comprising forward and reverse packet flows. The first network device modifies the first packet to include metadata comprising a packet capture indicator that indicates whether packet capture is to be performed for the session. The first network device stores at least a portion of the first packet and each subsequent packet of the session and forwards the modified first packet. A second network device receives the modified first packet and, based on the packet capture indicator, stores at least a portion of the first packet and each subsequent packet of the session in a session-specific packet capture record. The first and second network devices may generate, from the stored packet data, a packet capture record for the session.

Abstract: In general, a device comprising a processor and a memory may be configured to perform various aspects of the techniques described in this disclosure. The processor may conduct, based on configuration parameters, each of a plurality of simulation iterations within the test environment to collect a corresponding plurality of simulation datasets representative of operating states of the network device. The processor may perform a regression analysis with respect to each of the plurality of configuration parameters and each of the plurality of simulation datasets to generate a light weight model representative of the network device that predicts an operating state of the network device. The processor may output the light weight model for use in a computing resource restricted network device to enable prediction of the operating state of the computing resource restricted network device when configured with the configuration parameters. The memory may store the light weight model.

Abstract: Techniques are described to provide layer 2 (L2) circuit failover in the event connectivity to an Ethernet Virtual Private Network (EVPN) instance is lost. For example, if one of multi-homed provider edge (PE) devices loses connectivity to the EVPN instance, the PE device may mark its customer-facing interface as down and propagate the interface status to the access node such that the access node may update its routing information to switch L2 circuits to another one of the multi-homed PE devices having reachability to the EVPN instance. In some examples, the plurality of PE devices may further implement Connectivity Fault Management (CFM) techniques to propagate the interface status to the access node such that the access node may update its forwarding information to send traffic on a different L2 circuit to another one of the multi-homed PE devices having reachability to the EVPN instance.

Abstract: Techniques are disclosed for session-based routing within Open Systems Interconnection (OSI) Model Layer-2 (L2) networks extended over Layer-3 (L3) networks. In one example, L2 networks connect a first client device to a first router and a second client device to a second router. An L3 network connects the first and second routers. The first router receives, from the first client device, an L2 frame destined for the second client device. The first router generates an L3 packet comprising an L3 header specifying L3 addresses of the first and second routers, a first portion of metadata comprising L2 addresses for the first and second client devices, and a second portion of metadata comprising L3 addresses for the first and second client devices, and forwards the L3 packet to the second router. The second router recovers the L2 frame from the metadata and forwards the L2 frame to the second client device.

Abstract: In some implementations, a first processing component of a network device may receive first traffic data obtained by a second processing component of the network device. The first processing component may store the first traffic data as residual statistics. The first processing component may obtain second traffic data associated with a copy of a traffic stream processed by the first processing component based on storing the first traffic data as the residual statistics. The first processing component may perform a switchover from the second processing component to the first processing component. The first processing component may determine current traffic data based on the residual statistics and the second traffic data. The current traffic data may be determined based on performing the switchover from the second processing component to the first processing component.

Abstract: Techniques are described for specifying a backend virtual network for a service load balancer. An example orchestrator of this disclosure is configured to receive a service definition for a service implemented by load balancing service traffic for the service among a plurality of backend virtual execution elements, wherein the service definition specifies a first virtual network to use as a backend virtual network for the service, to instantiate, in a selected one of the computing devices, a backend virtual execution element for the service, and to configure, based on the service definition specifying the first virtual network to use as the backend virtual network for the service, a network controller for the virtualized computing infrastructure to configure a load balancer to load balance service traffic to a first virtual network interface, of the backend virtual element, for the first virtual network.

Abstract: A device may store raw random data in a raw random data store. The raw random data may include a first plurality of data strings. The device may generate, using a quotient ring transform (QRT), cryptographic random data based on the raw random data. The cryptographic random data includes a second plurality of data strings that is transformed from the first plurality of data strings based on an extraction state stored in an extraction state store. The device may store the cryptographic random data in a cryptographic random data store and may use the cryptographic random data for various purposes.

Abstract: In some implementations, a first network device may communicate, with a second network device, one or more internet key exchange (IKE) messages to exchange a first identifier associated with the first network device and a second identifier associated with the second network device, and to indicate that a post-quantum preshared key (PPK) is to be used as a shared key for an IKE security association (SA) between the first network device and the second network device. The first network device may obtain, from a key management entity (KME), a quantum key based on providing the second identifier to the KME, wherein the PPK is based on the quantum key. The first network device may communicate, with the second network device, one or more IKE authentication messages to exchange a third identifier associated with the quantum key and to confirm that the second network device successfully obtained the PPK.

Abstract: An example computing system includes one or more processing units implemented in circuitry and configured to: process an intent for configuration of a plurality of managed network devices, the intent representing authorization of access to capabilities of applications accessible to users of the managed network devices according to roles assigned to the users; receive advertised capabilities from a new application accessible to the users; receive a request for authorization to one of the capabilities of the new application from one of the users; determine one of the roles assigned to the one of the users; determine whether the intent grants authorization to the one of the capabilities according to the one of the roles; and grant the one of the users access to the one of the capabilities when the intent grants authorization to the one of the capabilities according to the one of the roles.

Abstract: A controller device includes a memory configured to store a tree structure comprising a plurality of nodes, wherein the tree structure comprises a set of sub-structures, and wherein the tree structure defines a configuration of a network device of a set of network devices such that each node of the plurality of nodes corresponds to a respective resource of the network device. Additionally, the controller device includes processing circuitry configured to receive an instruction to update the configuration of the network device, wherein the instruction to update the configuration of the network device indicates a node of the set of nodes corresponding to the update; and verify, based on a sub-structure of the set of sub-structures corresponding to the node indicated by the instruction, the instruction to update the configuration of the network device.

Abstract: Virtual network controllers are described that automatically generate policies and configuration data for routing traffic through physical network function (PNF) service chains in a multi-tenant data center. An example network controller includes a memory and processing circuitry configured to: automatically generate, for one or more integrated routing and bridging (IRB) units of corresponding virtual network forwarding tables of a switch of a switch fabric of a data center network, configuration information that, when deployed, causes the IRB units to direct data traffic conforming to multiple communication protocols and flowing over a plurality of virtual networks between a first set of server devices and a second set of server devices positioned outside of the switch fabric (i) toward a service device logically positioned outside of the switch fabric and coupled to the switch, and (ii) back from the service device into the switch fabric via the switch.

Abstract: An apparatus for switching network traffic includes an ingress packet forwarding engine and an egress packet forwarding engine. The ingress packet forwarding engine is configured to determine, in response to receiving a network packet, an egress packet forwarding engine for outputting the network packet and enqueue the network packet in a virtual output queue. The egress packet forwarding engine is configured to output, in response to a first scheduling event and to the ingress packet forwarding engine, information indicating the network packet in the virtual output queue and that the network packet is to be enqueued at an output queue for an output port of the egress packet forwarding engine. The ingress packet forwarding engine is further configured to dequeue, in response to receiving the information, the network packet from the virtual output queue and enqueue the network packet to the output queue.

Abstract: In general, this disclosure describes a network device to determine a cause of packets being dropped within a network. An example method includes generating, by a traffic monitor operating on a network device, an exception packet that includes a unique exception code that identifies a cause for a component in the network device to discard a transit packet, and a nexthop index identifying a forwarding path being taken by the transit packet experiencing the exception. The method also includes forwarding the exception packet to a collector to be processed.

Abstract: Techniques are disclosed for session-based routing within Open Systems Interconnection (OSI) Model Layer-2 (L2) networks extended over Layer-3 (L3) networks. In one example, L2 networks connect a first client device to a first router and a second client device to a second router. An L3 network connects the first and second routers. The first router receives, from the first client device, an non-session-based L2 frame destined for the second client device. The first router forms an L3 packet comprising an L3 header specifying L3 addresses of the first and second routers and a protocol selected based on an L3 service for the L2 frame, a payload comprising the L2 frame, and metadata comprising a session identifier distinctly identifying the L2 frame, and forwards the L3 packet to the second router. The second router recovers the L2 frame from the payload and forwards the L2 frame to the second client device.