Abstract: A first network device may install a new receive key on a data plane of the first network device, and may provide, to a second network device, a first request to install the new receive key. The first network device may receive a first indication that the new receive key is installed by the second network device, and may install a new transmit key on the data plane of the first network device based on the first indication. The first network device may provide, to the second network device, a second request to install the new transmit key, and may receive a second indication that the new transmit key is installed and that an old receive key is deleted by the second network device. The first network device may delete the old receive key from the data plane of the first network device based on the second indication.

Abstract: An example method includes receiving, by a control system for a software upgrade image, respective characterization data for network devices of a network; generating, by the control system and based on the characterization data for the network devices, an image map that indicates, for each portion of a plurality of different portions of the software upgrade image, an image proxy network device selected by the control system from among the network devices to store the portion based on the characterization data; and outputting, by the control system, the image map to a network device of the network devices to cause the network device to obtain each portion of the plurality of different portions of the software upgrade image from the corresponding image proxy network device selected by the control system to store the portion.

Abstract: In some implementations, a head Level 2 (L2) node of an intermediate system-intermediate system (IS-IS) flood reflection (FR) network may determine an end-to-end path from the head L2 node to a tail L2 node of the IS-IS FR network. The IS-IS FR network includes a plurality of L2 nodes and a plurality of FR clusters that each comprise a plurality of Level 1 (L1) nodes and a plurality of L1 and L2 (L1/L2) nodes connected by a plurality of L1 links. The head L2 node may send information associated with the end-to-end path to another node identified in the end-to-end path to cause a label switched path (LSP) to be established from the head L2 node to the tail L2 node, wherein the LSP traverses one or more L1 links within an FR cluster of the IS-IS FR network.

Abstract: A network device may receive topology data identifying a spine and leaf topology of network devices, and may set link metrics to a common value to generate modified topology data. The network device may remove data identifying connections from leaf network devices to any devices outside the topology from the modified topology data to generate further modified topology data, and may process the further modified topology data, with a model, to determine path data identifying paths to destinations. The network device may determine particular path data identifying shorter paths and longer paths to corresponding destinations, and may determine hop counts associated with the paths. The network device may determine whether the hop counts are all odd values, all even values, or odd and even values, and may perform actions based on whether the hop counts are all odd values, all even values, or odd and even values.

Abstract: An example device includes one or more processors; an image capture device coupled to the one or more processors and configured to generate image capture data representative of a three-dimensional (3D) physical environment; an electronic display coupled to the one or more processors; and a memory coupled to the one or more processors, the memory storing instructions to cause the one or more processors to: obtain characteristics of a network associated with the device, generate overlay image data indicative of the one or more characteristics of the network, augment the image capture data with the overlay image data to create augmented image capture data, and output, to the electronic display, the augmented image capture data.

Abstract: Techniques are described for monitoring application performance in a computer network. For example, a network management system (NMS) includes a memory storing path data received from a plurality of network devices, the path data reported by each network device of the plurality of network devices for one or more logical paths of a physical interface from the given network device over a wide area network (WAN). Additionally, the NMS may include processing circuitry in communication with the memory and configured to: determine, based on the path data, one or more application health assessments for one or more applications, wherein the one or more application health assessments are associated with one or more application time periods for a site, and in response to determining at least one failure state, output a notification including identification of a root cause of the at least one failure state.

Abstract: A cloud-based network management system (NMS) stores path data from network devices operating as network gateways for an enterprise network, the path data collected by each network device of the plurality of network devices. The NMS determines, for a logical path within a specified time window, a wireless signal quality and a link quality based at least in part on the path data. The NMS, in response to determining that the logical path is of a poor link quality, determine a correlation between a poor wireless quality and the poor link quality. The NMS may output a notification that indicates the correlation between the poor wireless quality and the poor link quality of the logical path.

Abstract: A computing system comprising a memory and processing circuitry may perform the techniques. The memory may store time series data comprising measurements of one or more performance indicators. The processing circuitry may determine, based on the time series data, an anomaly in the performance of the network system, and create, based on the time series data, a knowledge graph. The processing circuitry may determine, in response to detecting the anomaly, and based on the knowledge graph and a machine learning (ML) model trained with previous time series data, a causality graph. The processing circuitry may determine a weighting for each edge in the causality graph, determine, based on the edges in the causality graph, a candidate root cause associated with the anomalies, and determine a ranking of the candidate root cause based on the weighting. The analysis framework system may output at least a portion of the ranking.

Abstract: Methods and apparatus for automatically reconfiguring network parameters are described. Some embodiments identify communication channels that may interfere with higher priority equipment and deactivate communication channels that may cause harmful interference. Some APs are switched to 2.4 GHz communication channels. In some embodiments, AP operating parameters, such as transmission power are adjusted to reduce interference for higher priority receivers.

Abstract: A first network device may identify a MACsec session between the first network device and a second network device that utilizes a CAK, may determine, using a KDF and one or more KDF input parameters, an additional CAK, may encrypt the one or more KDF input parameters and/or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information, and may send, to the second network device, a first message that includes the encrypted KDF input information. The first network device may receive, from the second network device, based on sending the first message, a second message that includes a checksum value, may determine, based on the checksum value, that the second network device has determined the additional CAK, and may communicate, with the second network device, to cause the MACsec session to utilize the additional CAK.

Abstract: In some implementations, a provider edge device associated with a link aggregation group (LAG) may maintain, according to a link aggregation control protocol (LACP), a set of links that connect the PE device to a consumer edge device. The provider edge device may determine that the provider edge device and another provider edge device associated with the LAG are not receiving link aggregation control protocol data units (LACPDUs) from the consumer edge device. The provider edge device may cause the set of links to have a maintain LAG status, which causes the provider edge device to keep up the set of links and to cease maintaining the set of links according to the LACP. The provider edge device may route, based on causing the set of links to have the maintain LAG status, one or more packets to or from the consumer edge device via the set of links.

Abstract: A network device may receive, from a transmission network device, a link state message associated with an origination network device. The network device may determine an order of a set of one-hop neighbor network devices from the transmission network device. The network device may determine, based on the link state message and the order of the set of one-hop neighbor network devices, whether the network device is to send a copy of the link state message to at least one one-hop neighbor network device of the network device. The network device may send, or refraining from sending, by the network device and based on determining whether the network device is to send the copy of the link state message to the at least one one-hop neighbor network device of the network device, the link state message to the at least one one-hop neighbor network device of the network device.

Abstract: Techniques are described for configuration and application of intent-based network access control (NAC) policies for authentication and authorization of multi-tenant, network access server (NAS) devices to access enterprise networks of organizations. A network management system configures intent-based NAC policies for an organization. A cloud-based NAC system may apply an appropriate intent-based NAC policy in response to an authentication request from a NAS device. The NAC system identifies a vendor of the NAS device, matches incoming attributes in the authentication request to a set of normalized match rules of the intent-based NAC policy, and translates a set of abstracted policy results corresponding to the set of normalized match rules into a vendor-specific set of return attributes based on the vendor of the NAS device. The NAC system sends the vendor-specific set of return attributes to the NAS device to enable the NAS device to access the enterprise network of the organization.

Abstract: A device may receive a lock request associated with using an embedded device of a containerized environment from a first instance of an application being executed in a first container of the containerized environment. The device may perform a lock operation associated with the embedded device to permit the first instance of the application to use the embedded device and to prevent a second instance of the application, executing in a second container of the containerized environment, from using the embedded device. The device may monitor use of the embedded device during an access operation of the first instance of the application to detect an unlock event associated with unlocking the embedded device. The device may perform an unlock operation based on detecting the unlock event to permit the second instance of the application to use the embedded device.

Abstract: Techniques are described for monitoring application performance in a computer network. For example, a network management system (NMS) includes a memory storing path data received from a plurality of network devices, the path data reported by each network device of the plurality of network devices for one or more logical paths of a physical interface from the given network device over a wide area network (WAN). Additionally, the NMS may include processing circuitry in communication with the memory and configured to: determine, based on the path data, one or more application health assessments for one or more applications, wherein the one or more application health assessments are associated with one or more application time periods for a site, and in response to determining at least one failure state, output a notification including identification of a root cause of the at least one failure state.

Abstract: An autonomous system border router (ASBR) provided in a domain in which routers share an anycast address, may perform a method comprising: (a) receiving, from an exterior Border Gateway Protocol (eBGP) peer, first reachability information for a first prefix, the first reachability information including a first next hop (NH) address; (b) communicating first link state information about the first prefix to another router in the domain, the first link state information associating the first prefix with the anycast address; (c) receiving, from an eBGP peer, second reachability information for a second prefix, the second reachability information including a second next hop (NH) address; and (d) communicating second link state information about the second prefix to the other router in the domain, the second link state information associating the second prefix with the anycast address. This effectively reduces the number of next hops related to a prefix learned by two or more ASBRs (e.g.

Abstract: A network device may establish, via a routing protocol daemon (RPD) of the network device, border gateway protocol (BGP) sockets with peer network devices and may establish a socket between the RPD and a periodic packet management daemon (PPMD) of the network device. The network device may provide file descriptors of the BGP sockets from the RPD to the PPMD, via the socket, and may provide, from the RPD and via the BGP sockets, non-keep alive protocol data units (PDUs) to the peer network devices. The network device may provide, from the PPMD and via the BGP sockets, keep alive PDUs to the peer network devices.

Abstract: A network device may receive an original configuration that includes configuration objects, and may generate, based on the original configuration, a dependency graph that includes nodes representing and entries representing the configuration objects. The network device may receive a configuration update that includes new configuration objects, and may update the dependency graph based on the configuration update and to generate an updated dependency graph that includes new nodes and/or new entries representing the new configuration objects. The network device may test the configuration update, based on the updated dependency graph, to determine whether the configuration update fails or succeeds. The network device may selectively implement the configuration update based on the configuration update succeeding or perform a rollback of the configuration update, based on the configuration update failing, to restore the original configuration.

Abstract: This disclosure is directed to devices, systems, and techniques for enforcing access to resources within a computer network. In some examples, a system includes a network managed by a service provider and configured to provide a plurality of microservices to a plurality of tenants each having one or more users and a controller having access to the network. The controller is configured to output, to a user interface, data indicative of a plurality of capabilities for presentation by the user interface and receive, from the user interface, data indicative of a user selection of a set of capabilities and a user selection of a new role identifier. The controller is further configured to create, based on the set of capabilities and the role identifier, a role which enables access to a set of actions within a computer network, the set of actions corresponding to the set of capabilities.

Abstract: In some implementations, a transit node associated with a label switched path (LSP), may identify a performance issue of the transit node. The transit node may generate, based on identifying the performance issue, a message associated with the performance issue. The transit node may send, to an ingress node associated with the LSP, the message to allow the ingress node to perform one or more actions associated with the LSP. The one or more actions associated with the LSP may include performance of an assessment operation associated with the LSP and/or initiation of a termination operation associated with the LSP.