Abstract: A network device receives an attribute identifying paths associated with an open shortest path first (OSPF) domain of a network and an intermediate system to intermediate system (ISIS) domain of the network, and provides the attribute to other network devices of the network. The network device receives traffic destined for one of the other network devices of the network, and determines that a primary path is unavailable for routing the traffic to the one of the other network devices. The network device selects a secondary path from the paths identified by the attribute. The secondary path is selected based on determining that the primary path is unavailable, and the secondary path is associated with the OSPF domain or the ISIS domain of the network. The network device provides the traffic to the one of the other network devices via the secondary path.

Abstract: A network device may communicate with another network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the network device and the other network device. The network device may determine that the other network device is unavailable. The network device may cause, based on determining that the other network device is unavailable, an MKA state of the network device to be placed in a paused state. The network device may receive, after causing the MKA state of the network device to be placed in the paused state, a packet from the other network device via the MKA communication link. The network device may determine, based on the packet, that the MKA session has not ended. The network device may continue, based on the MKA session having not ended, the MKA session by reactivating the MKA state.

Abstract: Network elements are managed with a server to support client data models from heterogeneous data sources. A server receives a first query for configuration data of a network element to be returned in a first model. The server determines a model type for the configuration data of the network element. When the model type is a second model that is not the first model, the server sends a second query to the network element for the configuration data to be returned in the second model and transforms the configuration data received from the network element into the first model. Additionally, the server returns the configuration data in the first model as a response to the first query.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: Techniques are disclosed for avoiding sending network traffic through a backup network device when an active network device is operational. An example device is configured to receive a first address resolution protocol (ARP) request from an active network device and a second ARP request from a backup network device. The device is also configured to, in response to receiving the first ARP request and the second ARP request, send a first ARP response to the active network device.

Abstract: Example security systems for use between at least one upstream router and at least one downstream router, are described. A group or pool of security devices can be used to provide stateful security to bidirectional packet flows between upstream and downstream routers. The packets of the bidirectional flows are forwarded to particular security devices based on a consistent hash ring process. For a given flow, bidirectional state information is synchronized among some, but not all, of the security devices. The security devices among which such bidirectional flow state information is shared are determined using the same consistent hash ring process.

Abstract: A first network device may receive an advertisement that includes a prefix for a second network device, wherein the advertisement is destined for a third network device. The first network device may determine, based on a network topology, whether a next hop is one hop away or multiple hops away. The first network device may selectively modify the advertisement to include a first segment identifier, based on the next hop being one hop away and to generate a first modified advertisement, or may modify the advertisement to include a second segment identifier, based on the next hop being multiple hops away and to generate a second modified advertisement. The first network device may forward the first modified advertisement or the second modified advertisement toward the third network device.

Abstract: In some examples, a computing device comprises a first service function instance to apply a service function and a service function forwarder to: receive a first layer 3 routing protocol route advertisement that includes service function instance data for a second service function instance, the service function instance data indicating a service function type and a service identifier for the service function instance; receive a second layer 3 routing protocol route advertisement that includes service function chain data for a service function chain, the service function chain data indicating a service path identifier and one or more service function items; and send, to the second service function instance and based at least on determining a service function item of the one or more service function items indicates the second service function instance, a packet classified to the service function chain.

Abstract: A network device is configured to receive an inbound packet from a first server device via a network tunnel, the first inbound packet including an outer header, a virtual private network (VPN) label, an inner header, and a data payload, the inner header including an inner source IP address of a source virtual machine. The processors are also configured to determine a first tunnel identifier, determine, based on the inner source IP address, a second tunnel identifier associated with a second server device hosting the source virtual machine, compare the second tunnel identifier with the first tunnel identifier to determine whether the tunnel on which the first inbound packet was received is the same as a tunnel used for forwarding traffic to the source virtual machine, and drop the inbound packet when the second tunnel identifier does not match the first tunnel identifier.

Abstract: An optical receiver can implement a transimpedance amplifier (TIA) to process received light using a closed loop optical pre-amplification. The optical receiver can use an average input value of the TIA to control an semiconductor optical amplifier (SOA) or pre-amplification as received average signal varies. The optical receiver can include a gain controller for the TIA that can measure the TIA swing to adjust the gain of the SOA to pre-amplify received light in a closed loop control configuration.

Abstract: A computing system includes a computing device configured to execute a plurality of virtual machines, each virtual machine of the plurality of virtual machines configured to provide control plane functionality for at least a different respective subset of forwarding units of a network device, the computing device distinct from the network devices. The computing system also includes a policy agent configured to execute on the computing device. The agent is configured to determine that a particular virtual machine of the plurality of virtual machines provides control plane functionality for one or more forwarding units of the network device; determine control plane usage metrics for resources of the particular virtual machine; and output, to a policy controller, data associated with the control plane usage metrics and data associating the particular virtual machine with the one or more forwarding units for which the particular virtual machine provides control plane functionality.

Abstract: A method includes deploying a network device within a fabric having a management network by attaching the network device through the management network to a port of a role allocator, wherein the role allocator includes one or more ports designated as first level port connections and one or more other ports designated as second level port connections. If the deployed network device is attached to one of the ports designated as first level port connections, the deployed network device is configured as a first level device. If the deployed network device is attached to one of the ports designated as second level port connections, the deployed network device is configured as a second level device.

Abstract: An example controller device that manages a plurality of network devices includes one or more processing units implemented in circuitry and configured to receive, via an application programming interface (API) framework, an indication of an intent. The intent includes data indicating an update to a data structure including a plurality of nodes representing the plurality of network devices and a plurality of edges connecting the plurality of nodes. The one or more processing units are further configured to process the intent to select a topology compiler from a plurality of topology compilers and invoke, via the API framework, the selected topology compiler using a role of a network device of the plurality of network devices and an indication of the network device as input to generate abstract configuration information. The one or more processing units are further configured to configure the network device based on the abstract configuration information.

Abstract: Techniques are disclosed for generating intent-based policies and applying the policies to traffic of a computer network. In one example, a policy controller for the computer network receives traffic statistics for traffic flows among a plurality of application workloads executed by a first set of computing devices. The policy controller correlates the traffic statistics into session records for the plurality of application workloads. The policy controller generates, based on the session records for the application workloads, application firewall policies for the application workloads. Each of the application firewall policies define whether traffic flows between application workloads are to be allowed or denied. The policy controller distributes the application firewall policies to a second set of one or more computing devices for application to traffic flows between instances of the application workloads.

Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

Abstract: A device may receive information identifying a set of tasks to be executed by a microservices application that includes a plurality of microservices. The device may determine an execution time of the set of tasks based on a set of parameters and a model. The set of parameters may include a first parameter that identifies a first number of instances of a first microservice of the plurality of microservices, and a second parameter that identifies a second number of instances of a second microservice of the plurality of microservices. The device may compare the execution time and a threshold. The threshold may be associated with a service level agreement. The device may selectively adjust the first number of instances or the second number of instances based on comparing the execution time and the threshold.

Abstract: Disclosed are embodiments that determine a location of a first wireless device based on estimates of two other wireless devices. Each of the other wireless devices is assigned or defines its own plurality of regions. Each wireless device estimates a location of the first wireless device with respect to its assigned or defined plurality of regions. One of the estimates is then translated to the other device's plurality of regions. The two estimates are then combined to estimate the location of the first wireless device.

Abstract: Techniques are described for computing lists of segment identifiers (SIDs) that satisfy each path in a multipath solution for a segment routing (SR) policy. In an example, a method includes obtaining, by a computing device, a plurality of paths through a network comprising one or more network nodes, each path of the plurality of paths representing a different sequence of links connecting pairs of the network nodes from a source to a destination; computing, by the computing device, one or more lists of segments identifiers (SIDs) that satisfy each path of the plurality of paths; and programming the network to forward network traffic based at least on the one or more lists of SIDs.

Abstract: A device receives network data associated with a network that includes network devices interconnected by links, and receives parameters associated with determining a network plan for the network. The device generates candidate links for each potential network plan of multiple potential network plans for the network, based on the parameters and based on a criterion associated with generating the candidate links. The device generates candidate paths for each potential network plan based on the parameters, and selects a portion of the candidate links and a portion of the candidate paths. The device generates each potential network plan based on the portion of the candidate links and the portion of the candidate paths, and identifies a potential network plan, of the multiple potential network plans, that reduces resource usage associated with operating the network. The device causes the potential network plan to be implemented in the network.

Abstract: A co-packaged optical-electrical chip can include an application-specific integrated circuit (ASIC) and a plurality of optical modules, such as optical transceivers. The ASIC and each of the optical modules can exchange electrical signaling via integrated electrical paths. The ASIC can include Ethernet switch, error correction, bit-to-symbol mapping/demapping, and digital signal processing circuits to pre-compensate and post-compensate channel impairments (e.g., inter-channel/intra-channel impairments) in electrical and optical domains. The co-packaged inter-chip interface can be scaled to handle different data rates using spectral efficient signaling formats (e.g., QAM-64, PAM-8) without adding additional data lines to a given design and without significantly increasing the power consumption of the design.