Abstract: This disclosure describes techniques for improving speed of network convergence after node failure. In one example, a method includes storing, by a virtual router agent of a compute node managed by a Software Defined Networking (SDN) controller, a forwarding information data structure with a shared liveness vector orthogonal to the forwarding path to indicate a liveness state of a plurality of overlay network tunnel endpoint next hops, wherein the shared liveness vector is shared by each of a plurality of members for a plurality of composite next hops that share a common list of the plurality of overlay network tunnel endpoint next hops; and in response to determining, by the virtual router agent, that the orthogonal liveness vector indicates that each of the plurality of overlay network tunnel endpoint next hops are reachable, distributing network traffic to one or more of the plurality of overlay network tunnel endpoint next hops.

Abstract: In general, various aspects of the techniques described in this disclosure provide a sequence number checksum for link state protocols. In one example, the disclosure describes an apparatus, such as a network device, having a control unit operative to obtain link state information describing links between pairs of the network devices in a network topology, the link state information being fragmented into a plurality of link state protocol (LSP) fragments; compute a sequence number checksum from sequence numbers of the link state protocol (LSP) fragments; receive an LSP data unit from another network device in the network; determine whether a sequence number checksum in the LSP data unit matches a sequence number checksum computed from the link state information; and configure a delay for processing the LSP data unit in response to determining a mismatch between the sequence number checksum of the LSP data unit and the sequence number checksum computed from the link state information.

Abstract: This disclosure describes techniques for monitoring, scheduling, and performance management for computing environments, such as virtualization infrastructures deployed within data centers. In one example, a method includes obtaining, by a policy controller, a first profile for an element of a virtualization infrastructure, the first profile comprising a first ruleset having one or more alarms; obtaining, by the policy controller, a second profile for a group of one or more elements including the element, the second profile comprising a second ruleset having one or more alarms; modifying, by the policy controller based at least on the element being a member of the group, the first profile to generate a modified first profile comprising the first ruleset and the second ruleset; and outputting, by the policy controller to a computing device, the modified first profile.

Abstract: An example network device includes a primary node and a standby node. The primary node engages in a routing session with a peer network device via a connected socket. The standby node includes one or more processors implemented in circuitry and configured to execute a backup replication module to receive, from the primary node, data to be written to a backup socket for the connected socket, and, in response to a switchover, to send a representation of the data to the peer network device via the backup socket.

Abstract: Methods and apparatus for controlling monitoring operations performed by various devices, e.g., access points, in a communications network and for using information obtained by the devices which perform the monitoring are described. The methods are well suited for use in a system with a variety of access points, e.g., wireless and/or wired access points, which can be used to obtain access to the Internet or another network. An access point, which has been configured to monitor in accordance with received monitoring configuration information, e.g. on a per access point interface basis, captures packets, stores captured packets, and monitors to detect communications failures corresponding to communications devices using said access point. In response to detecting a communications failure, the access point generates, an event failure notification indicating the type of detected failure and sends the event failure notification to the network monitoring node along with corresponding captured packets.

Abstract: Techniques are disclosed for implementing scalable policies across a plurality of categories that support application workloads. In one example, a policy controller assigns to the plurality of categories tags specifying one or more of a plurality of dimensions. The policy controller distributes a plurality of policies to policy agents for the plurality of categories. Each policy includes one or more policy rules, and each policy rule includes one or more tags specifying one or more of the plurality of dimensions. For each policy rule, the policy agents allow or deny a traffic flow between objects that belong to categories of the plurality of categories described by the one or more dimensions of a respective tag of the policy rule.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.

Abstract: In one embodiment, a processor-readable medium storing code representing instructions that when executed by a processor cause the processor to update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a time period has expired. At least a portion of the packet is analyzed when the second flow state value represents a flow rate of a network data flow anomaly.

Abstract: Techniques are described for managing a split-brain scenario in a multihomed environment by exchanging isolation information between a leaf device and two or more spine devices to which the leaf device is multihomed via a link aggregation group (LAG). The techniques include selecting one of the spine devices as a primary spine device and determining, based on the isolation information, whether the spine devices are isolated from each other. In the split-brain scenario in which all of the spine devices are isolated from each other, the primary spine device is configured to maintain the LAG with the leaf device while the other spine devices mark the LAG with the leaf device as down. In this way, in the split-brain scenario, the leaf device may continue to send traffic to other leaf devices in the leaf layer using the LAG to the primary spine device.

Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.

Abstract: This disclosure describes techniques for using Operations, Administration, and Management (OAM) operations when routing packets using micro SIDs in segment routing. For example, a network device comprises one or more processors configured to: receive a packet; determine whether the packet is encapsulated with one or more micro segment identifiers (SIDs); in response to a determination that the packet is not encapsulated with one or more micro SIDs, determine whether the packet has reached a segment routing tunnel endpoint; and in response to a determination that the packet has reached the segment routing tunnel endpoint, initiate Operations, Administration, and Maintenance (OAM).

Abstract: A network node may receive a packet having an inner internet protocol (IP) header and an outer IP header. The inner IP header may be encrypted. A loose source routing (LSR) field of the outer IP header may identify a recipient address. The network node may determine, based on the recipient address identified in the LSR field, a tunnel endpoint associated with a receiving network node. The network node may update the outer IP header of the packet to obtain an updated packet with an updated outer IP header. A source address of the updated outer IP header may be updated to a tunnel endpoint associated with the network node, and the destination address of the updated outer IP header may be updated to a tunnel endpoint associated with the receiving network node. The network node may route the updated packet according to the updated outer IP header.

Abstract: In general, the disclosure describes techniques for a hybrid diagramming application to provide a flexible network diagramming environment while also ensuring that the rules of the network are not violated. A service provider defines rules for various network objects, where the rules define where the various network objects can reside in the network topology, as well as how the various devices can be connected. A computing device executing the application receives an indication of user input assigning a first network device to a first area network in a network topology. The computing device validates, based on one or more characteristics of the first network device, that the first network device does not violate one or more rules for the first area network. The computing device, responsive to validating the first network device, generates a graphical user interface of the network topology and outputs, for display, the graphical user interface.

Abstract: In general, this disclosure describes a network device to determine a cause of packets being dropped within a network. An example method includes generating, by a traffic monitor operating on a network device, an exception packet that includes a unique exception code that identifies a cause for a component in the network device to discard a transit packet, and a nexthop index identifying a forwarding path being taken by the transit packet experiencing the exception. The method also includes forwarding the exception packet to a collector to be processed.

Abstract: The disclosure describes techniques for network monitoring and fault localization. For example, a controller comprises one or more processors operably coupled to a memory configured to: receive a first one or more Quality of Experience (QoE) metrics measured by a first probe traversing a first path comprising one or more links; receive a second one or more QoE metrics measured by a second probe traversing a second path comprising one or more links; determine, from the first one or more QoE metrics, that the first path has an anomaly; determine, from the second one or more QoE metrics, that the second path has an anomaly; and determine, in response to determining the first path and the second path has an anomaly, based on the type of metrics and the type of links, that an intersection between the first path and the second path is a root cause of the anomaly.

Abstract: In some examples, a network device may determine whether a first egress network device is segment routing (SR) aware. Based on the first egress network device being SR aware, the network device may initiate establishment of an SR tunnel toward the first egress network device. The network device may forward multicast traffic on the SR tunnel. The network device may also determine whether a second egress network device is SR aware. Based on the second egress network device not being segment routing aware, the network device may initiate establishment of a non-SR tunnel toward the second egress network device. The network device may forward multicast traffic on the non-SR tunnel.

Abstract: A network device may receive a message from a device. The network device may process the message to determine identification information associated with the device. The network device may process the message to determine identification information associated with a packet data unit (PDU) session, of one or more PDU sessions, of the device. The network device may transmit based on the identification information associated with the device and the identification information associated with the PDU session of the device, the message to another network device.

Abstract: A traffic planning platform may receive information related to a traffic flow including a traffic bandwidth to transport through a network with various network devices interconnected by links. The traffic planning platform may generate a traffic plan by assigning the traffic flow to a set of the links that includes network resources connecting a source of the traffic flow to a destination of the traffic flow. The traffic planning platform may render a visualization of the traffic plan, wherein the visualization includes a user interface (e.g., a diagram, an animation, and/or the like) in which geometric shapes that represent the source, the peer link, and the destination are connected by bands that represent the tunnel and the external route and further in which the geometric shapes and the bands each have a first visual property and a second visual property based on the traffic bandwidth of the traffic flow.

Abstract: Techniques are disclosed for managing a network. In one example, a device configuration manager is configured to generate, in accordance with a device management protocol, a configuration change request representing a transaction having a first sub-transaction specifying a first configuration change for a network device of the network and a second sub-transaction specifying a second configuration change for the same network device. The device configuration manager is further configured to output the configuration change request to the network device and receive a reply message from the network device. The reply message includes a first response element specifying whether the first configuration change is successfully committed at the network device and a second response element specifying whether the second configuration change is successfully committed at the network device.