Abstract: A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement and determine that the traffic metric is enhanced on the second route path relative to the first route path. The node may cause, via a high-availability link between the node and the other node, the other node to become the active node for routing the session traffic between the first endpoint and the second endpoint.

Abstract: A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP address of a next-hop node. The node updates a remaining segments value, included in the CRH, that identifies a number of segments left in a route of the IP payload packet. The node provides the IP payload packet to the next-hop node to allow the next-hop node to route the IP payload packet to another node in the network or to a destination device.

Abstract: Disclosed are methods and systems for determining combinations of system parameters that indicate a root cause of a system level experience deterioration (SLED). Some of the disclosed embodiments generate a decision tree from a first class of operational parameter datasets. Rules are derived from the decision tree. Filtered rule sets for feature parameters included in the system parameters are then determined. Pairs of features within a particular dataset that each satisfy their respective filtered rule sets are indicative of a root cause of the degradation, at least in some embodiments.

Abstract: A device may receive first topology information from a first network device of a network, and may receive second topology information from a second network device of the network. The device may assign a first BGP-LS identifier to the first network device, and may associate the first topology information with the first BGP-LS identifier. The device may assign a second BGP-LS identifier to the second network device, and may associate the second topology information with the second BGP-LS identifier. The device may store the first topology information, as a first route, based on the first BGP-LS identifier, and may store the second topology information, as a second route, based on the second BGP-LS identifier. The device may select the first route or the second route as a primary route, and may utilize the primary route to control routing of traffic through the network.

Abstract: A network device obtains a data package associated with an ISSU procedure and determines, based on the data package, that a control plane of the network device is to be rebooted to facilitate performance of the ISSU procedure. The network device causes, based on determining that the control plane is to be rebooted, a plurality of applications of the network device to stop executing on the network device and a control plane state of the network device to be frozen. The network device then causes the ISSU procedure to be performed. The network causes, based on causing the ISSU procedure to be performed, the control plane state of the network device to be restored and the plurality of applications to resume executing on the network device.

Abstract: Network management techniques are described. A controller device of this disclosure manages a device group of a network. The controller device includes processing circuitry in communication with the memory, the processing circuitry being configured to receive, using a programmable diagnosis service executed by the processing circuitry, a programming input, to form, using the programmable diagnosis service, based on the programming input, a resource definition graph that models interdependencies between a plurality of resources supported by the device group, to detect, using the programmable diagnosis service, an event affecting a first resource of the plurality of resources, and to identify, using the programmable diagnosis service, based on the interdependencies modeled in the resource definition graph formed based on the programming input, a root cause event that caused the event affecting the first resource, the root cause event occurring at a second resource of the plurality of resources.

Abstract: A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine whether a difference exists between the target oversubscription factor and the current oversubscription factor and may calculate, when the difference exists, a scale factor based on the current oversubscription factor and the target oversubscription factor. The network device may calculate new scheduling weights based on prior scheduling weights and the scale factor, and may process packets received by the multiple virtual output queues based on the new scheduling weights.

Abstract: A network device may monitor a TCP session with another network device, and may identify ingress and/or egress packets, a TCP header, and a socket of the TCP session. The network device may inspect the ingress and/or egress packets, the TCP header, and the socket to identify a zero window advertisement, details of a last quantity of packets sent or received, synchronize, finish, or reset packets sent or received, negotiated TCP options, or buffer space utilization, and may temporarily record identified data based on the inspection. The network device may detect a TCP session flap when a finish packet or a reset packet is identified and recorded, and may store, in a dead TCP session list, the identified data based on the TCP session flap being detected.

Abstract: An example network device includes memory, a communication unit, and processing circuitry coupled to the memory and the communication unit. The processing circuitry is configured to receive first samples of flows from an interface of another network device sampled at a first sampling rate and determine a first parameter based on the first samples. The processing circuitry is configured to receive second samples of flows from the interface sampled at a second sampling rate, wherein the second sampling rate is different than the first sampling rate and determine a second parameter based on the second samples. The processing circuitry is configured to determine a third sampling rate based on the first parameter and the second parameter, control the communication unit to transmit a signal indicative of the third sampling rate to the another network device; and receive third samples of flows from the interface sampled at the third sampling rate.

Abstract: A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.

Abstract: A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize the data identifying malicious behavior, the user identity data, and the endpoint device data to generate, based on an identity of the user, a security policy to isolate the malicious behavior. The device may cause the security policy to be provided to the network devices and the other endpoint devices based on the network device data and the endpoint device data.

Abstract: An example network analysis system includes a memory storing telemetry data received from a plurality of network devices, the plurality of network devices includes extract entity information and connectivity information from the received telemetry data, wherein the entity information represents one or more network devices of the plurality of network devices and the connectivity information represents network connections between one or more devices of the plurality of network devices; and store the connectivity information and entity information as a network topology graph in a graph database, wherein the entity information is stored as nodes of the network topology graph and the connectivity information is stored as edges of network topology graph, and wherein the network topology graph represents an organization level topology of the organization network.

Abstract: A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link. The device may send, after causing the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link, additional traffic via the first link and the at least one additional link.

Abstract: In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages, one of the plurality of ingress network devices to which to send a multicast join message of a plurality of multicast join messages for the multicast source and multicast group; and sending, by the egress network device, the multicast join message to the selected one of the plurality of ingress network devices.

Abstract: A disclosed apparatus for accomplishing such a task may include (1) a circuit board incorporated into a module designed for insertion into slots of computing devices, (2) at least one conductive contact disposed on the circuit board, (3) a counter circuit disposed on the circuit board and communicatively coupled to the conductive contact, wherein the counter circuit comprises (A) a signal-change detector that detects signal changes as the module is inserted into one of the slots of the computing devices and (B) a counter device that maintains a dynamic count indicative of a number of times that the module has been inserted into one of the slots of the computing devices based at least in part on the signal changes, (4) a battery electrically coupled to the counter circuit, wherein the battery powers the counter device prior to the insertion. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A network device may detect an error associated with a packet based on error information being generated from processing the packet at a layer of a network stack. The network device may determine, based on detecting the error, metadata associated with the packet. The network device may generate telemetry data to include the metadata. The network device may provide the telemetry data to a network analyzer for policy enforcement.

Abstract: A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP message or the NS message is to trigger a response from the client device to indicate that the network address of the client device is in use. The network node may provide, toward the client device, the ARP message or the NS message. The network node may perform one or more actions based on receiving or not receiving the response, from the client device, to the ARP message or the NS message.

Abstract: Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level applications and the cloud native virtual router. The cloud native virtual router comprises a containerized routing protocol process configured to operate as a control plane, and a data plane for the containerized router. The data plane is configured to operate an ethernet virtual private network (EVPN) encapsulation/decapsulation data path of an overlay network for communicating layer two (L2) network traffic of the containerized user applications over a switch fabric of the data center.

Abstract: Disclosed are methods for detecting misconfigured VLANs. In some embodiments, traffic on a VLAN across multiple access points is categorized. Traffic on the VLAN at a single access point is then also categorized. The categorization of the VLAN traffic at the single access point can be in response to, for example, communication errors or other conditions. The two categorizations are then compared to determine if the VLAN traffic at the AP is consistent with the VLAN traffic across a network (e.g., an enterprise network). If the VLAN traffic at the AP is generally consistent with that across the network, this may indicate that a downstream network component, such as a switch or router, is misconfigured. Thus, some embodiments programmatically reconfigure the downstream component to forward traffic for the VLAN.

Abstract: A network device, associated with peer network devices, may receive policy information for a protocol; and compute a first update message based on information regarding a route associated with the policy information. The network device may determine that an upper utilization threshold for one or more of peer queues, associated with the peer network devices, is not satisfied; and write the first update message to the peer queues based on determining that the upper utilization threshold is not satisfied. The network device may compute a second update message based on the information regarding the route; determine that the upper utilization threshold for one or more of the peer queues is satisfied; and pause writing the second update message to the peer queues based on the upper utilization threshold being satisfied. The network device may permit the peer network devices to obtain data from corresponding ones of the peer queues.