Abstract: A method may include (1) preparing, at a slave device, a request message that identifies an initial time-to-live value, (2) sending the request message to a plurality of candidate master devices, (3) receiving, at the slave device from one of the candidate master devices, a reply message that identifies a number of hops between the slave device and the one of the candidate master devices, (4) receiving, at the slave device from another one of the candidate master devices, another reply message that identifies another number of hops between the slave device and the another one of the candidate master devices, and then (5) synchronizing a clock of the slave device with a clock of the one of the candidate master devices due at least in part to the number of hops being less than the another number of hops. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In some embodiments a method includes receiving, at a first network device, a data unit to be sent to second network device via a tunnel, the data unit associated with an application. The method includes appending, to the data unit, an encapsulation header that includes a first portion configured such that the second network device is configured to forward the data unit based on the second portion of the encapsulation header that is configured to identify the application. The method includes sending, from the first network device to the second network device via a first portion of the tunnel, the data unit such that the second network device appends the encapsulation header to the data unit prior to forwarding the data unit via a second portion of the tunnel.

Abstract: A device may receive an input associated with deploying a virtual firewall on a computing device. The device may determine a first set of characteristics associated with the virtual firewall and a second set of characteristics associated with a hypervisor associated with the computing device. The device may automatically tune the virtual firewall based on the first set of characteristics and the second set of characteristics. The device may deploy the virtual firewall after tuning the virtual firewall.

Abstract: An improved traceroute mechanism for use in a label-switched path (LSP) is provided by (a) receiving, by a device in the LSP, an echo request message, wherein the echo request includes a label stack having a least one label, and wherein each of the at least one label has an associated time-to-live (TTL) value; (b) responsive to receiving the echo request, determining by the device, whether or not the device is a penultimate hop popping (PHP) device for the outermost label of the label stack; and (c) responsive to determining that the device is the PHP device for the outermost label of the label stack, (1) generating an echo reply message corresponding to the echo request message, wherein the echo reply message is encoded to indicate that the device is the PHP device for the outermost label of the label stack, and (2) sending the echo reply message back towards a source of the echo request message.

Abstract: Embodiments are generally directed to managing power consumption of powered devices. In some embodiments, the powered devices draw power from a common source of power, which is limited. Under certain circumstances, exceeding the power limits can cause interruption of power to one or more of the devices, thus introducing a source of communication failures. To ensure reliable communications, an attempt to increase a power consumption of a first powered device in a power group is first reviewed to determine if the increase will cause a supplied power of the group to exceed a maximum power of the group. If the increase will cause the maximum power to be exceeded, the increase is modified, in some circumstances, to fit within the maximum power level. Alternatively, power consumption of a lower priority device is reduced to accommodate the requested power consumption increase.

Abstract: A method includes applying, to a modulated digital signal, a forward error correction (FEC) including a low-density parity-check (LDPC) to produce a coded digital signal. Nyquist shaping is applied to the coded digital signal to generate a filtered digital signal. A representation of the filtered digital signal is transmitted in an optical communication channel via a dense wavelength division multiplexing (DWDM) scheme.

Abstract: A network device in a network may determine a tentative network address for a network interface of the network device and may determine whether the tentative network address is duplicative of any one of the network addresses in the network. If the tentative network address is duplicative of a network address assigned to another network interface in the network, the network device may store an indication of the other network interface. In response to receiving an indication that a new network address is assigned to the other network interface, the network device may re-determine whether the tentative network address is duplicative of any one of the network addresses in the network. If the network device determines that the tentative network address is not duplicative of any one of the plurality of network addresses in the network, the network device may assign the tentative network address to the network interface.

Abstract: In some examples, a system includes a network managed by a service provider and configured to provide access to one or more objects to a set of tenants each having one or more users, the service provider and the set of tenants being part of a set of entities that form a hierarchy, and a controller having access to the network. The controller is configured to obtain data indicative of a set of parameters, where the data indicative of the set of parameters is associated with an owner entity of the set of entities, generate a rule which incorporates the set of parameters, where the rule enables the controller to control access to an object of the one or more objects, and add the rule to a rules database, wherein the rules database is accessible to the controller.

Abstract: In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages, one of the plurality of ingress network devices to which to send a multicast join message of a plurality of multicast join messages for the multicast source and multicast group; and sending, by the egress network device, the multicast join message to the selected one of the plurality of ingress network devices.

Abstract: A method includes determining, by a controller device that manages a plurality of network devices, device characteristic information for a network device of the plurality of network devices and selecting, by the controller device, one or more sensors from a plurality of sensors based on the device characteristic information for the network device. The method further includes outputting, by the controller device, an instruction to cause the network device to generate the one or more selected sensors at the network device and receiving, by the controller device, sensor information from the one or more selected sensors generated at the network device.

Abstract: In an example, a method includes computing, by a computing device, for a segment routing policy that specifies a bandwidth constraint for the segment routing policy, first shortest paths through a network of network nodes, wherein each shortest path of the first shortest paths represents a different sequence of links connecting pairs of the network nodes from a source to a destination; in response to determining, by the computing device based on the bandwidth constraint for the segment routing policy, a link of one of the first shortest paths has insufficient bandwidth to meet a required bandwidth for the link, increasing a metric of the link; computing, by the computing device, for the segment routing policy that specifies the bandwidth constraint, based on the increased metric of the link, second shortest paths through the network of network nodes; and provisioning the second shortest paths in the network of nodes.

Abstract: A network device may receive, from a timing source of a network, timing information. The network device may identify a client device to which the timing information is to be provided, wherein the network device provides an interface between the client device and the network. The network device may select a virtual network address to associate with a timing agent of the network device, wherein the virtual network address is within an address range that is reachable by the client device. The network device may provide to the client device, and via a network layer communication, a timing control packet comprising the timing information, wherein the timing control packet identifies the virtual network address as a source network address of the timing control packet, and wherein the timing information is to be used by the client device to update a clock of the client device.

Abstract: This disclosure is directed to devices, systems, and techniques for enforcing access to resources within a computer network. In some examples, a system includes a network managed by a service provider and configured to provide a plurality of microservices to a plurality of tenants each having one or more users and a controller having access to the network. The controller is configured to output, to a user interface, data indicative of a plurality of capabilities for presentation by the user interface and receive, from the user interface, data indicative of a user selection of a set of capabilities and a user selection of a new role identifier. The controller is further configured to create, based on the set of capabilities and the role identifier, a role which enables access to a set of actions within a computer network, the set of actions corresponding to the set of capabilities.

Abstract: A first network device may receive first traffic of a session that involves a service. The first network device may identify that the service is configured for distributed node processing. The first network device may identify a second network device that is configured for distributed node processing. The first network device may identify a state machine that is associated with the service. The first network device may determine, based on the state machine, a first function and a second function, wherein the first function is identified by a first label and the second function is identified by a second label. The first network device may process the first traffic based on the first function. The first network device may provide, to the second network device, the first traffic and the second label to permit the second network device to process second traffic in association with the second function.

Abstract: In general, techniques are disclosed to facilitate communicating within computer networks. For example, a layer three (L3) router including a service card and an interface card may be configured to perform the techniques. The interface card receives a query from a network that sources communications in accordance with a plurality of models. The query may specify a customer device and one of the sourced communications, and request that the service card select one of the models for the specified sourced communication and the specified customer device. The service card further stores data defining a profile for the one of the customer devices. The service card may also, in response to the query, analyze the profile data for the specified customer device to determine the selected one of the models for the specified sourced communication with respect to the specified customer device.

Abstract: A network device may detect an error associated with a packet based on error information being generated from processing the packet at a layer of a network stack. The network device may determine, based on detecting the error, metadata associated with the packet. The network device may generate telemetry data to include the metadata. The network device may provide the telemetry data to a network analyzer for policy enforcement.

Abstract: A network device may receive one or more packets, and may determine a flow control parameter, a rate limiting parameter, and a statistical sampling parameter associated with a slow counter. The network device may determine whether the flow control parameter satisfies a first threshold, whether the rate limiting parameter satisfies a second threshold, and whether the statistical sampling parameter satisfies a third threshold. The network device may identify a counter event associated with one of the one or more packets, and may selectively assign the counter event to a fast counter when at least one of the first threshold, the second threshold, or the third threshold being satisfied, or to the slow counter when none of the first threshold, the second threshold, and the third threshold being satisfied.

Abstract: This disclosure describes techniques that include using an automatically trained machine learning system to generate a prediction. In one example, this disclosure describes a method comprising: based on a request for the prediction: training each respective machine learning (ML) model in a plurality of ML models to generate a respective training-phase prediction in a plurality of training-phase predictions; automatically determining a selected ML model in the plurality of ML models based on evaluation metrics for the plurality of ML; and applying the selected ML model to generate the prediction based on data collected from a network that includes a plurality of network devices.

Abstract: A network device may receive policy data identifying a first segment routing (SR) policy and a second SR policy. The first SR policy may be associated with a first path through a network and a first next hop, and the second SR policy may be associated with a second path through the network and a second next hop. The network device may advertise, to another device, reachability associated with the first next hop and the second next hop, and may receive, from the other device, a packet with a header. The network device may determine, from the header, data identifying the first next hop or the second next hop, without performing a lookup, and may cause the packet to be routed to a destination address, via the first path or the second path, based on the policy data associated with the first next hop or the second next hop.

Abstract: In general, various aspects of the techniques are described in this disclosure for distributed label assignment for labeled routes. In one example, a method includes obtaining, by a first thread of a plurality of execution threads for at least one routing protocol process executing on processing circuitry of a network device, an allocation of first labels drawn from a label space for a network service; adding, by the first thread, the first labels to a first local label pool for the first thread; generating, by the first thread, after obtaining the allocation of the first labels, a labeled route comprising a route for the network service and a label assigned by the first thread from the first local label pool; and outputting, by the network device, the labeled route.