Abstract: Graphical user interfaces are generated that, when displayed, provide a visual and interactive representation of one or more aspects associated with the execution of one or more applications on a computer network. The graphical user interfaces may in include graphical depictions representation policy objects, each policy object assigned one or more tags, each tag assigned to a category or a sub-category. The tags, when taken in combination, may identify an application, and one or more other characteristics associated with each of the policy objects. The graphical elements representing the policy objects may be displayed in the graphical user interfaces so that the policy objects assigned to tags in a category are positioned in an outer ring, and policy objects assigned to sub-category tags are positioned in a inner ring surrounded by the outer ring, with interconnection elements representing communications between policy objects extending within an interior area.

Abstract: Access points can be mounted in a variety of locations or orientations and can support multiple communications protocols. In some embodiments, an access point includes a main housing and a front housing. The main and front housing are connected by a hinge. A Wi-Fi antenna is included in the front housing in some embodiments. The access point is configured for use in either an open or closed position. When mounted in a vertical position, the front housing can be lowered into a horizontal position, which facilitates a preferred orientation of an antenna with respect to the ground. A first set of cooling fins serves to maintain components of the access point offset from a wall to which the access point is mounted. This facilitates airflow. Additional fins act as a spacer between the main housing and the front housing when the access point is used in a closed position. This facilitates air flow around both sides of the main housing.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: The disclosure describes techniques for enhancements to the Multicast Source Discovery Protocol (MSDP) to reduce Source Active (SA) message loops in one or more multicast domains having overlapping MSDP mesh groups. In some examples, a method includes receiving, by a first MSDP speaker, from a second MSDP speaker, a SA message. The method also includes, when the second MSDP speaker is in a mesh group with the first MSDP speaker, determining whether the first MSDP speaker includes an active SA state corresponding to the SA message. Additionally, the method includes, when the first MSDP speaker does not include the active SA state corresponding to the SA message, accepting the SA message and forwarding the SA message to a third MSDP speaker that is not in the mesh group with the first MSDP speaker and the second MSDP speaker.

Abstract: In general, techniques are described for automatic intent provisioning and management in computer networks. A device comprising a processor, a memory, and an interface may perform the techniques. The processor may obtain a policy that includes high-level configuration data defining a service to be deployed within a network, the high-level configuration data including resource selector criteria that identifies one or more criteria for selecting a resource to support the service from a plurality of potential resources. The processor may also determine, based on the resource selector criteria, the resource to support the service from the plurality of potential resources, and translate the high-level configuration data to low-level configuration data specific to the determined resource. The memory may store the low-level configuration data specific to the determined resource.

Abstract: Embodiments provide for guided alignment of the orientation of two wireless devices. A first wireless device is at a known position and a known orientation. A signal from a second wireless device is received via a plurality of receive elements of the first wireless device. The first wireless device measures phase differences of the signal at the plurality of receive elements, and determines locations of each of the second wireless device's transmit elements based on the differences. Based on the transmit element locations, and a known antenna layout of the second wireless device, an orientation of the second wireless device is determined. Based on differences between the determined orientation and the known orientation of the first wireless device, instructions for aligning the devices are generated. Once the devices are aligned, location estimates of a third wireless device are made by both the first wireless device and the second wireless device.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A first plurality of network configuration controllers of a controller may distribute, using a consistent hashing algorithm, a plurality of connection sessions with a plurality of network devices among the plurality of network configuration controllers. The controller may monitor a number of connection sessions maintained by each of the first plurality of network configuration controllers. The controller may add, based on monitoring the number of connection sessions maintained by each of the first plurality of network configuration controllers, an additional network configuration controller to the first plurality of network configuration controllers to form a second plurality of network configuration controllers.

Abstract: Methods and apparatus relating to the detection of one or more devices in zones, e.g., non-overlapping areas, are described. Individual device locations are made based on RSSI information. Whether a user is determined to be in a zone or not is determined based on location determinations corresponding to the device. Thresholds used to determine whether a device is to be considered as being within a zone differs depending on whether the device is newly detected in the zone or is already determined to be in the zone. In some embodiments it is easier to be determined to be in a zone than to be determined to have left a zone. A device may be determined to be in two non-overlapping zones at the same time thereby increasing the chance that devices in edge areas will be counted with regard to the number of devices for which resources should be provided.

Abstract: Methods and apparatus for obtaining status from an isolated AP that cannot connect to a remote management server are described. The status information is obtained from a second device and then provided, via the second device, to the remote management server. At least some of the disclosed embodiments are utilized in a system including a plurality of access points, which can provide alternate pathways to the remote management server. The remote management server determines a remedial action based on the status information.

Abstract: Methods, systems, and devices map an arbitrary number of Virtual Routing and Forwarding (VRF) instances to an Ethernet Virtual Private Network (EVPN) instance (EVI) of a leaf and spine network. For example, a spine network device executes a primary EVI to provide an EVPN to a plurality of leaf network devices, each leaf network device executing a secondary EVI to provide a plurality of network virtualization overlays to tenants of the network. The primary EVI is associated with a primary VRF instance, and each secondary EVI of the plurality of secondary EVIs is associated with a secondary VRF instance of a plurality of secondary VRF instances. The spine network device defines mappings between routes within the primary VRF instance and routes within each secondary VRF instance. The spine network device translates, based on the one or more mappings, network traffic between the primary EVI and the plurality of secondary EVIs.

Abstract: A network device decrypts a record, received from a client device, that is associated with an encrypted session between the client device and an application platform. The network device incorporates decrypted record data, from the decrypted record, into a payload field of a transmission control protocol (TCP) packet to be transmitted to another device, identifies a record header in the record, and determines, based on the record header, a record type associated with the decrypted record. Based on the record type, the network device marks the one or more TCP packets as including urgent data by setting a TCP urgent control bit in a header of the one or more TCP packets, and sets a second field, in the header of the TCP packet, to a second value that identifies an end of the urgent data, which corresponds to an end of the decrypted record data in the payload field.

Abstract: A device receives network data associated with a network that includes network devices interconnected by links at an Internet protocol (IP) layer and an optical layer of the network. The device receives constraints associated with determining a network plan for the network, where the constraints include a constraint indicating a particular time period associated with determining potential network plans for the network. The device identifies variables and values of the variables for the network plan based on the network data, and determines, within the particular time period, the potential network plans for the network based on the constraints and the values of the variables. The device identifies a potential network plan, of the potential network plans, that minimizes costs associated with operating the network, and causes the identified potential network plan to be implemented in the network by the network devices.

Abstract: A device may receive, from a first network device, an authentication request that requests authentication of the device, and may provide, to the first network device, an authentication response that includes the authentication of the device. The device may provide, to the first network device and based on the authentication response, a PDU session establishment request that requests establishment of a PDU session for customer premises equipment, and may receive, from the first network device and based on the PDU session establishment request, a PDU session resource setup request that requests a resource to be established for the PDU session. The device may provide, to the first network device and based on the PDU session resource setup request, a PDU session resource setup response indicating that the resource is a GTP tunnel, and may establish the GTP tunnel with a second network device.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A secondary routing device is configured as a backup routing device for a primary routing device. The primary routing device performs asynchronous socket replication with the secondary routing device. The secondary routing device includes a transmission buffer, in memory, for storing replicated socket data transmitted between the primary routing device and the standby routing device and one or more processors implemented in circuitry and configured to execute a replication driver to: determine a threshold value; determine that an amount of data equaling or exceeding the threshold value has been read from the transmission buffer; in response to determining that the amount of data equaling or exceeding the threshold value has been read from the transmission buffer, schedule a window update for the transmission buffer at a scheduled time; and send the window update at the scheduled time.

Abstract: Techniques are described for providing fast reroute for BUM traffic in EVPN. For example, a first provider edge (PE) device, elected as a designated forwarder (DF) of an Ethernet segment, configures a backup path using a label received from a second PE device of the Ethernet segment (e.g., backup DF) that identifies the second PE device as a “protector” of the Ethernet segment. For example, a routing component of the DF configures within a forwarding component a backup path to the second PE device, e.g., installing the label and operation(s) within the forwarding component to cause the forwarding component to add the label to BUM packets received from a core network. Therefore, when an access link to the local CE device has failed, the DF reroutes BUM packets from the core network via the backup path to the second PE device, which sends the BUM packets to the CE device.

Abstract: A method may include obtaining a printed circuit board (PCB) that includes a set of vias that include a set of stub regions. The PCB may include a set of layers perpendicular to the set of vias. The set of layers may include a signal layer and a ground layer. The ground layer may be located between the set of stub regions and the signal layer. The method may include drilling to remove at least a portion of a stub region of a via of the set of vias. The method may include performing an electrical test to determine whether a sliver of conductive material is included within the via after drilling to remove the at least a portion of the stub region of the via.

Abstract: A disaggregated broadband network gateway (DBNG) control plane system may receive an association setup request message from a DBNG user plane device, wherein the association setup request message is received via a state control interface between the DBNG control plane system and the DBNG user plane device. The DBNG control plane system may determine, based on the association setup request message, one or more capabilities of the DBNG user plane device and may thereby cause one or more additional state control interfaces to be established between the DBNG control plane system and the DBNG user plane device. The DBNG control plane system and the DBNG control plane system may communicate messages associated with a first message type via the state control interface and may communicate messages associated with a second message type via at least one of the one or more additional state control interfaces.

Abstract: A key server network device may install, on the key server network device, a new decryption key based on a timer-based key rollover setting and may provide, to peer network devices, messages identifying the new decryption key. The key server network device may utilize an original encryption key, to encrypt traffic, until all of the peer network devices provide acknowledgements of installation of the new decryption key. The key server network device may be configured to utilize the original encryption key based on the timer-based key rollover setting. The key server network device may generate an alarm. The alarm may include information indicating that the key server network device is waiting for the acknowledgements from one or more peer network devices and information identifying the one or more peer network devices.