Abstract: A device may receive a lock request associated with using an embedded device of a containerized environment from a first instance of an application being executed in a first container of the containerized environment. The device may perform a lock operation associated with the embedded device to permit the first instance of the application to use the embedded device and to prevent a second instance of the application, executing in a second container of the containerized environment, from using the embedded device. The device may monitor use of the embedded device during an access operation of the first instance of the application to detect an unlock event associated with unlocking the embedded device. The device may perform an unlock operation based on detecting the unlock event to permit the second instance of the application to use the embedded device.

Abstract: Techniques are described for monitoring application performance in a computer network. For example, a network management system (NMS) includes a memory storing path data received from a plurality of network devices, the path data reported by each network device of the plurality of network devices for one or more logical paths of a physical interface from the given network device over a wide area network (WAN). Additionally, the NMS may include processing circuitry in communication with the memory and configured to: determine, based on the path data, one or more application health assessments for one or more applications, wherein the one or more application health assessments are associated with one or more application time periods for a site, and in response to determining at least one failure state, output a notification including identification of a root cause of the at least one failure state.

Abstract: An autonomous system border router (ASBR) provided in a domain in which routers share an anycast address, may perform a method comprising: (a) receiving, from an exterior Border Gateway Protocol (eBGP) peer, first reachability information for a first prefix, the first reachability information including a first next hop (NH) address; (b) communicating first link state information about the first prefix to another router in the domain, the first link state information associating the first prefix with the anycast address; (c) receiving, from an eBGP peer, second reachability information for a second prefix, the second reachability information including a second next hop (NH) address; and (d) communicating second link state information about the second prefix to the other router in the domain, the second link state information associating the second prefix with the anycast address. This effectively reduces the number of next hops related to a prefix learned by two or more ASBRs (e.g.

Abstract: In some implementations, a transit node associated with a label switched path (LSP), may identify a performance issue of the transit node. The transit node may generate, based on identifying the performance issue, a message associated with the performance issue. The transit node may send, to an ingress node associated with the LSP, the message to allow the ingress node to perform one or more actions associated with the LSP. The one or more actions associated with the LSP may include performance of an assessment operation associated with the LSP and/or initiation of a termination operation associated with the LSP.

Abstract: A device may transmit a packet for communicating via a tunnel. The packet may be associated with a protocol. The device may determine that the packet has been dropped by a security device. The device may selectively encrypt, after determining that the packet has been dropped, the packet using a null encryption for transport layer security (TLS) or a combination of encryption associated with the protocol and TLS encryption to generate an encrypted packet. The device may transmit the encrypted packet for communicating via the tunnel.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.

Abstract: A method includes deploying a network device within a fabric having a management network by attaching the network device through the management network to a port of a role allocator, wherein the role allocator includes one or more ports designated as first level port connections and one or more other ports designated as second level port connections. If the deployed network device is attached to one of the ports designated as first level port connections, the deployed network device is configured as a first level device. If the deployed network device is attached to one of the ports designated as second level port connections, the deployed network device is configured as a second level device.

Abstract: Techniques are described for dynamically computing a segment routing policy for a segment routing for traffic engineering (SR-TE) path. For example, in a discontinuous SR network in which SR islands (e.g., groups of neighboring routers that are enabled for segment routing) are separated by one or more routers not enabled for segment routing, instead of returning a failure because one or more routers along a path are not enabled for SR, an ingress router may generate an SR-TE operations, administrations, and management (OAM) Multi-Protocol Label Switching (MPLS) traceroute packet send the packet to a first border router of the RSVP-enabled devices along a computed path to trigger the creation of a resource reservation Label Switched Path (LSP) through the RSVP-enabled devices. In this way, segment routed LSP may be established to tunnel through the resource reservation LSP for a SR-TE path used in an SR-TE policy.

Abstract: A device comprises processing circuitry configured to identify a telemetry packet indicating telemetry data for a plurality of packets output by a network device of a plurality of network devices and select a source identifier for the network device from a plurality of source identifiers. The processing circuitry is further configured to modify the telemetry packet to further indicate the selected source identifier and output the modified telemetry packet.

Abstract: A network device may receive IPv6 fragments of a flow. Source and/or destination port information may be encoded into an upper sixteen bits of an identification number of an IPv6 fragment header of each of the IPv6 fragments. The network device may extract the source and/or destination port information from the IPv6 fragments, and may perform a spoof check of the IPv6 fragments. The network device may drop any of the IPv6 fragments that fail the spoof check, to generate remaining IPv6 fragments, and may translate the remaining IPv6 fragments into IPv4 fragments based on the source and/or destination port information. The network device may forward the IPv4 fragments toward an IPv4 cloud network.

Abstract: Techniques are described in which a network management system processes network event data received from the AP devices. The NMS is configured to dynamically determine, in real-time, a minimum (MIN) threshold and a maximum (MAX) threshold for expected occurrences for each event type, wherein the MIN thresholds and MAX thresholds define ranges of expected occurrences for the network events of the corresponding event types. The NMS applies an unsupervised machine learning model to the network event data to determine predicted counts of occurrences of the network events for each of the event types and identify, based on the predicted counts of occurrences and the dynamically-determined minimum threshold values and maximum threshold values for each event type, one or more of the network events as indicative of abnormal network behavior.

Abstract: Techniques are described for predicting future behavior of links in a network and generating dynamic thresholds for link metrics for use in path selection. In one example, a computing system receives historical values of a link metric for links of a network. The computing system executes a machine learning system which processes the historical values of the link metric to generate: (1) a predicted future value of the link metric for each link; and (2) a threshold for the link metric indicating whether the predicted future value for each link is anomalous. The computing system computes a path based on the predicted future values of the link metric and the threshold for the link metric. The computing system provisions the computed path, thereby enabling a network device to forward network traffic along the computed path.

Abstract: This disclosure describes techniques that include assessing trust in a system, and in particular, assessing trust by performing a sentiment analysis for an entity or device within a system. In one example, this disclosure describes a method that includes performing, by a computing system and based on information collected about a network entity in a computer network, a sentiment analysis associated with the network entity; determining, by the computing system and based on the sentiment analysis, a trust score for the network entity; and modifying, by the computing system and based on the trust score for the network entity, network operations within the computer network.

Abstract: An example system includes a plurality of AP devices configured to provide a wireless network at a site, the plurality of AP devices including a first AP device configured to determine a set of roaming candidates within the site for client devices connected to the first AP device, wherein the set of roaming candidates includes one or more AP devices of the plurality of AP selected according to a selection criteria; in response to establishing a connection with a client device, cache a key associated with the client device in the memory of the first AP device; generate a packet with the key associated with the client device, and a list of APs that includes one or more identifiers of the one or more AP devices within the set of roaming candidates for the first AP device; and transmit the packet to the plurality of AP devices at the site.

Abstract: A controller device manages a plurality of network devices. The controller device includes one or more processing units configured to receive an indication of a stateful intent, the data structure including a plurality of nodes and a plurality of edges, each node of the plurality of nodes being representative of a respective network device of the plurality of network devices. The one or more processing units are configured to determine, using an abstract function configured at a node of the plurality of nodes, a stateless intent for implementing the stateful intent and generate low level configuration data for the plurality of network devices based on the stateless intent. The one or more processing units are configured to interface with one or more of the plurality of network devices to configure the one or more of the plurality of network devices with the low level configuration data.

Abstract: A system includes a plurality of access point devices (APs) configured to provide a wireless network at a site, each of the plurality of APs having a known location, and a network management system comprising one or more processors and a memory comprising instructions that when executed by the one or more processors cause the one or more processors to: determine, based on a known location of a first AP of the plurality of APs, a known location of a second AP of the plurality of APs, and received signal strength measurements of wireless signals originating at one or more antennas of the first AP and received by one or more antennas of the second AP, an orientation angle of the second AP; and generate an output indicative of the orientation angle of the second AP.

Abstract: A disclosed computing device capable of instantly switching over between routing engines may include (1) a packet forwarding board configured to (A) forward control traffic via a first link to a traffic replication device and (B) forward data traffic via a second link to a first routing engine, (2) the traffic replication device configured to (A) replicate the control traffic received from the packet forwarding board and (B) select control signals received from the first routing engine, (3) the first routing engine configured to receive control traffic from the traffic replication device, and (4) a second routing engine configured to receive control traffic from the traffic replication device. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A system determines identification information associated with an endpoint device, which is associated with a tenant of the system, and the tenant. The system generates and sends, to the endpoint device, a certificate that includes the identification information. The system receives, from the endpoint device and as part of an attempt by the endpoint device to initiate a dial-out communication session with the system, the certificate. The system causes, based on the certificate, the dial-out communication session to be established and processes the certificate to determine the identification information. The system receives, from the endpoint device and via the dial-out communication session, one or more messages; modifies the one or more messages to include the identification information; and provides the one or more modified messages to facilitate provisioning of services or resources associated with the system to the endpoint device.

Abstract: Techniques are described for providing network provisioning by a network management system (NMS) based on fingerprint information determined by a network access control (NAC) system. An example method includes receiving, by the NAC system, a network access request for a client device to access an enterprise network; obtaining, by the NAC system, fingerprint information of the client device associated with the network access request, wherein the fingerprinting information comprises information specifying one or more attributes associated with the client device; authenticating, by the NAC system, the client device to access the enterprise network; sending, by the NAC system and to the NMS, the fingerprint information of the client device; and provisioning, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device.