Abstract: A network management system may discover a plurality of network devices behind a network address translation device, such as a firewall. The network management system may receive a model of N network devices, generate a bulk activation configuration for the N network devices and commit the bulk activation configuration on a seed network device. The network management system may receive a request for a first connection from a first neighboring network device and may connect to the first neighboring network device. The first neighboring network device may have received the bulk activation configuration from the seed device. The network management system may determine whether the first neighboring network device is one of the N network devices and commit a second activation configuration on the first neighboring network device if it is one of the N network devices. A plurality of neighboring network device may be configured in this fashion.

Abstract: A network node may receive a packet that originated from a root network node and may process the packet to determine segment identifier (SID) information associated with a point-to-multipoint transport chain. The network node may determine, based on the SID information, that the network node is a transit leaf node in the point-to-multipoint transport chain. The network node may generate, based on determining that the network node is a transit leaf node in the point-to-multipoint transport chain, a copy of the packet and may process the copy of the packet to perform one or more actions. The network node may update, based on determining that the network node is a transit leaf node in the point-to-multipoint transport chain, the SID information and may send, after updating the SID information, the packet, with the updated SID information, to another network node.

Abstract: A controller device manages a plurality of network devices. The controller device includes a memory comprising a configuration database including a set of stored network device configurations, wherein each stored network device configuration of the set of stored network device configurations corresponds to a network device of the set of network devices. Additionally, the controller device includes processing circuitry configured to receive an intent file corresponding to an intended configuration for the set of network devices; receive a message from a network device of the set of network devices indicating an out-of-band configuration change at the network device; and determine, based on a stored network device configuration corresponding to the network device and an actual configuration of the network device, whether the intent file is compatible with the out-of-band configuration change.

Abstract: A network device may decrypt a record received from a source device and associated with an encrypted session. The network device may process the decrypted record. The network device may encrypt the record to generate an encrypted payload. The network device may store an entry in a retransmission mapping that includes a decryption key used to decrypt the record and an encryption key used to encrypt the record. The network device may transmit the encrypted payload in a first TCP packet toward the destination device. The network device may receive retransmitted data and may determine, based on the record entry, that the retransmitted data is associated with the record. The network device may decrypt, using the decryption key, the retransmitted data and may re-encrypt, using the encryption key, the decrypted record. The network device may transmit, toward the destination device, the encrypted payload in a second TCP packet.

Abstract: Techniques are described in which a centralized controller constructs a service chain between a bare metal server (BMS) and a virtual execution element (e.g., virtual machine or container), or in some instances a remote BMS, across a plurality of networks. In some examples, the controller may construct a service chain between a BMS and a virtual execution element or remote BMS using Ethernet Virtual Private Network (EVPN)-Virtual Extensible Local Area Network (VXLAN) and Internet Protocol Virtual Private Networks (IP VPNs) such as BGP/Multiprotocol Label Switching (BGP/MPLS) IP VPNs.

Abstract: The disclosed embodiments estimate a location of a first wireless device based on signals received from the wireless device from two other wireless devices. To combine estimates of the two wireless devices, the two wireless devices share a definition of a plurality of geographic regions. A first set of expected phase differences for the plurality of regions are determined for a first of the two wireless devices, and a second set of expected phase differences for the plurality of regions are determined for a second of the two wireless devices. Based on these two sets of expected phase differences, each of the two devices estimate a position of the first wireless device.

Abstract: The disclosed embodiments provide for rules-based deployment of software installations. In some aspects, operational parameters for a computer system are monitored over time to generate a historical database of values for the operational parameters. The computer system may include multiple instances of a software installation. A portion of the multiple instances is updated with a new version of software. The operational parameters are then monitored to quantify whether the new version results in an improvement or degradation of performance of the computer system. The improvement or degradation is based on comparing values of the operational parameters after deployment to their historical values. Depending on the evaluation of the operational parameters after the installation, the installation may be rolled back if a degradation is indicated. Otherwise, the new software version may be propagated to additional installation instances.

Abstract: Methods and apparatus for controlling monitoring operations performed by various devices, e.g., access points, in a communications network and for using information obtained by the devices which perform the monitoring are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. An access point, which has been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures packets, stores captured packets, and monitors to detect communications failures corresponding to communications devices using said access point. In response to detecting a communications failure, the access point generates, an event failure notification indicating the type of detected failure and sends the event failure notification to the network monitoring node along with corresponding captured packets.

Abstract: An example system includes access point (AP) devices configured to provide a wireless network at a site; and a network management system that stores network data received from the AP devices, the network data collected by the AP devices or client devices associated with the wireless network, and one or more processors configured to: receive a time series of SLE metrics based on the network data, determine, based on the time series, whether a network event has occurred, in response to a determination that a network event has occurred, determine a root cause for the network event, and in response to a determination that the root cause of the network event is associated with an AP device, determine a classification of the AP device, and determine a network management action for the AP device based on the network event and the classification of the AP device.

Abstract: A network device may receive an MPLS packet destined for a destination via a label-switched path (LSP), and may determine whether to apply a first special purpose label (SPL) option or a second SPL option for a label stack of the MPLS packet. The network device may apply, when the first SPL option is determined to be applied, one of a first type of the first SPL option for the label stack via a policy data indicator (PDI) and policy data (PD), or a second type of the first SPL option for the label stack via the PDI and the PD. The network device may forward the MPLS packet to a hop of the LSP based on the first type of the first SPL option or the second type of the first SPL option applied to the MPLS packet.

Abstract: In general, the disclosure describes techniques for evaluating application quality of experience metrics over a software-defined wide area network. For instance, a network device may receive an application data packet of a data flow for an application. In response to receiving the application data packet, the network device may assign the data flow to a first link of a plurality of links and initiate a probing process for the data flow on the first link to determine one or more quality of experience (QoE) metrics for the first link. The network device may, at a later time, detect that the data flow is no longer being received. In response to detecting that the data flow is no longer being received, the network device may cease the probing process for the data flow on the first link.

Abstract: A network device may receive, from a timing source of a network, timing information. The network device may identify a client device to which the timing information is to be provided, wherein the network device provides an interface between the client device and the network. The network device may select a virtual network address to associate with a timing agent of the network device, wherein the virtual network address is within an address range that is reachable by the client device. The network device may provide to the client device, and via a network layer communication, a timing control packet comprising the timing information, wherein the timing control packet identifies the virtual network address as a source network address of the timing control packet, and wherein the timing information is to be used by the client device to update a clock of the client device.

Abstract: A network device may receive network traffic associated with a session, wherein the session is associated with a network. The network device may determine, from the network traffic, an application path that is associated with the session and may determine an application path identifier associated with the application path. The network device may determine, based on policy information that is associated with the application path identifier, whether the network traffic associated with the session is permitted to be communicated via the network and may perform, based on whether the network traffic is determined to be permitted, an action associated with communication of the network traffic.

Abstract: In some implementations, a proxy device may intercept a client session associated with a client device and a destination device. The proxy device may allocate a first port of the proxy device as a source port of a proxy session for the client session. The proxy device may determine, based on allocating the first port, whether session information associated with the proxy session would match session information associated with another proxy session. The proxy device may initiate the proxy session. A source port of the proxy session is the first port of the proxy device based on a determination that the session information associated with the proxy session would not match session information associated with another proxy session, or is a second port of the proxy device based on a determination that the session information associated with the proxy session would match session information associated with another proxy session.

Abstract: An example network device includes a primary node and a standby node. The primary node includes one or more processors implemented in circuitry and configured to execute an operating system providing an application space and a kernel space, execute a replication application in the application space to receive a write function call including data to be written to a socket of the operating system and to send a representation of the data to a replication driver executed in the kernel space, execute the replication driver to send the representation of the data to a replication module executed in the kernel space, and execute the replication module to send the representation of the data to the standby node and, after receiving an acknowledgement from the standby node, to send the data to the socket.

Abstract: In some examples, a main thread of a plurality of execution threads executing on a plurality of processing cores of at least one hardware-based processor of a network device may receive a request for information associated with network routes that meet one or more criteria. Each of the plurality of execution threads may process a respective routing information partition to generate respective displayable information associated with a respective subset of the network routes that meets the one or more criteria. The main thread may generate consolidated displayable information associated with the network routes that meet the one or more criteria based on the respective displayable information generated by each of the plurality of execution threads. The main thread may output the consolidated displayable information associated with the network routes that meet the one or more criteria for display at a display device.

Abstract: A method includes receiving, by a network analyzer implemented in circuitry, from a network device of a plurality of network devices, a sensor message for telemetry flow data. The sensor message indicates an interface index for a network interface, a virtual network identifier associated with a virtual network, and an IP address. The method further includes receiving, by the network analyzer, from the network device, a telemetry flow message for the telemetry flow data. The method further includes, in response to determining that the telemetry flow message includes an indication of an interface index that matches the interface index of the sensor message and that the telemetry flow message includes an indication of a virtual network identifier that matches the virtual network identifier of the sensor message, setting, by the network analyzer, the IP address as the source of the telemetry flow data.

Abstract: An alarm service can receive an alarm rule as an “intent” that defines a rule in a high level “natural language.” An alarm rule compiler can receive the intent and translate the high level intent into one or more lower level rules that can be programmatically processed by multiple alarm rule execution engines. Devices in a network system can be associated with alarm rule execution engines in a distributed manner. For example, devices in a network can be associated with different instances of an alarm rule execution engine, thus distributing the resource usage for obtaining telemetry data and processing alarms with respect to the devices in a network across multiple alarm rule execution engines.

Abstract: A network device may receive traffic to be processed by a routing component, and may determine temperatures of an ASIC and an HBM of the routing component at a first time. The network device may determine whether the temperature of the ASIC satisfies a first ASIC temperature threshold or a second ASIC temperature threshold, and may determine whether the temperature of the HBM satisfies a first HBM temperature threshold or a second HBM temperature threshold. The network device may selectively throttle processing of the traffic by a first quantity when the temperature of the ASIC satisfies the first ASIC temperature threshold or the temperature of the HBM satisfies the first HBM temperature threshold, or throttle the processing of the traffic by a second quantity when the temperature of the ASIC satisfies the second ASIC temperature threshold or the temperature of the HBM satisfies the second HBM temperature threshold.

Abstract: Ping or traceroute functionality is supported in a path spanning multiple autonomous systems (ASes) having segment routing (SR) enabled, the path including an ingress node in a first autonomous system (AS) and an egress node in an AS other than the first AS, using a reverse path label pair including (1) a node segment identifier (SID) corresponding to an AS Border Router (ASBR) of the second AS (second ASBR), and (2) an egress peer engineering (EPE) SID corresponding to a segment between the second ASBR to an ASBR of the first AS (first ASBR). Responsive to receiving a ping or traceroute request by a router in the second AS, the router generates a ping or traceroute reply including the reverse path label pair. The ping or traceroute reply is forwarded to the second ASBR using the node SID of the reverse path label pair. The ping or traceroute reply is then forwarded from the second ASBR to the first ASBR using the EPE SID of the reverse path label pair.