Abstract: A traffic planning platform may receive information related to a traffic flow including a traffic bandwidth to transport through a network with various network devices interconnected by links. The traffic planning platform may generate a traffic plan by assigning the traffic flow to a set of the links that includes network resources connecting a source of the traffic flow to a destination of the traffic flow. The traffic planning platform may render a visualization of the traffic plan, wherein the visualization includes a user interface (e.g., a diagram, an animation, and/or the like) in which geometric shapes that represent the source, the peer link, and the destination are connected by bands that represent the tunnel and the external route and further in which the geometric shapes and the bands each have a first visual property and a second visual property based on the traffic bandwidth of the traffic flow.

Abstract: A network device may receive a redundant identifier certificate associated with a redundant routing module, and may provide, to a bootstrap device, a primary identifier certificate associated with a primary routing module associated with the network device. The network device may establish a secure connection with the bootstrap device based on the bootstrap device verifying an authenticity of the primary routing module via the primary identifier certificate. The network device may provide, to the bootstrap device via the secure connection, a redundant routing module identifier associated with the redundant routing module and may receive, from the bootstrap device via the secure connection, a signed certificate chain associated with the redundant routing module. The network device may verify the signed certificate chain and may verify the redundant identifier certificate, associated with the redundant routing module, based on verifying the signed certificate chain.

Abstract: An example virtual router includes a plurality of logical cores (“lcores”), where each lcore comprises a CPU core or hardware thread. The virtual router is configured to determine a latency profile, select, based at least in part on the latency profile, a packet processing mode from the plurality of packet processing modes. In response to a determination that the packet processing mode comprises the run-to-completion mode, an lcore of the plurality of lcores is configured to: read a network packet from a device queue, process the network packet to determine a destination virtual device for the network packet, the destination virtual device having a plurality of interface queues, and insert the network packet into an interface queue of the plurality of interface queues.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a computing device comprises processing circuity; a containerized set of workloads; a containerized routing protocol process configured to execute on the processing circuitry and configured to receive routing information; a kernel network stack executing on the processing circuitry and configured to forward packets based on first routing information from the containerized routing protocol process; and a data plane development kit (DPDK)-based virtual router executing on processing circuitry and configured to forward traffic to and from the workloads based on second routing information from the containerized routing protocol process.

Abstract: In one example, a network management system discovers a plurality of network devices behind a network address translation device, such as a firewall. The network management system may receive a model of a seed network device, generate a first activation configuration and commit the first activation configuration on the seed network device. The network management system may connect to the seed network device and discover neighboring devices from information in the seed network device. The network management system may connect to the neighboring devices, automatically create a model of the neighboring network devices, generate s activation configurations for the neighboring network devices and commit the activation configurations on the neighboring network devices. The network management system may iterative perform these steps until it discovers all the discoverable network devices behind the network address translation device.

Abstract: A controller device manages a plurality of network devices arranged at a plurality of sites. The controller device includes one or more processing units configured to determine a stateful intent for managing a software application at the plurality of network devices and represented by a graph model and translate the stateful intent into low-level configuration data. The one or more processing units are further configured to determine, for each site, a priority index based on a site-level usage of the software application, determine, an ordered list of the plurality of sites based on the priority index for each respective site, and configure, for each respective site, and in an order specified by the ordered list of the plurality of sites, one or more network devices of the plurality of network devices that are arranged at the respective site according to the low-level configuration data.

Abstract: In general, techniques are described for signaling IP path tunnels for traffic engineering using constraints in an IP network. For example, network devices, e.g., routers, of an IP network may compute an IP path using constraint information and establish the IP path using, for example, Resource Reservation Protocol, to signal the IP path without using MPLS. As one example, the egress router generates a path reservation signaling message that includes an egress IP address that is assigned for use by the routers on the IP path to send traffic of the data flow by encapsulating the traffic with the egress IP address and forwarding toward the egress router. As each router in the IP path receives the path reservation signaling message, the router configures a forwarding state to forward traffic encapsulated with the egress IP address to a next hop along the IP path toward the egress router.

Abstract: In general, techniques are described by which to provide a topology-based graphical user interface for network management systems. A controller device comprising a processor and a memory may be configured to perform the techniques. The processor may monitor network devices arranged according to a network topology to obtain operational data, and obtain configuration data defining the network topology. The memory may store the operational data and the configuration data. The processor may analyze the configuration data and the operational data to provide a graphical representation of the network topology that graphically depicts the operational data, and present a single graphical user interface that presents the graphical representation of the network topology that graphically depicts the operational data.

Abstract: In general, a device comprising a processor and a memory may be configured to perform various aspects of the techniques described in this disclosure. The processor may conduct, based on configuration parameters, each of a plurality of simulation iterations within the test environment to collect a corresponding plurality of simulation datasets representative of operating states of the network device. The processor may perform a regression analysis with respect to each of the plurality of configuration parameters and each of the plurality of simulation datasets to generate a light weight model representative of the network device that predicts an operating state of the network device. The processor may output the light weight model for use in a computing resource restricted network device to enable prediction of the operating state of the computing resource restricted network device when configured with the configuration parameters. The memory may store the light weight model.

Abstract: Techniques are disclosed for generating session-specific packet capture records. In one example, a first network device receives a first packet of a session between first and second client devices, the session comprising forward and reverse packet flows. The first network device modifies the first packet to include metadata comprising a packet capture indicator that indicates whether packet capture is to be performed for the session. The first network device stores at least a portion of the first packet and each subsequent packet of the session and forwards the modified first packet. A second network device receives the modified first packet and, based on the packet capture indicator, stores at least a portion of the first packet and each subsequent packet of the session in a session-specific packet capture record. The first and second network devices may generate, from the stored packet data, a packet capture record for the session.

Abstract: Techniques are disclosed for session-based routing within Open Systems Interconnection (OSI) Model Layer-2 (L2) networks extended over Layer-3 (L3) networks. In one example, L2 networks connect a first client device to a first router and a second client device to a second router. An L3 network connects the first and second routers. The first router receives, from the first client device, an L2 frame destined for the second client device. The first router generates an L3 packet comprising an L3 header specifying L3 addresses of the first and second routers, a first portion of metadata comprising L2 addresses for the first and second client devices, and a second portion of metadata comprising L3 addresses for the first and second client devices, and forwards the L3 packet to the second router. The second router recovers the L2 frame from the metadata and forwards the L2 frame to the second client device.

Abstract: Techniques are described to provide layer 2 (L2) circuit failover in the event connectivity to an Ethernet Virtual Private Network (EVPN) instance is lost. For example, if one of multi-homed provider edge (PE) devices loses connectivity to the EVPN instance, the PE device may mark its customer-facing interface as down and propagate the interface status to the access node such that the access node may update its routing information to switch L2 circuits to another one of the multi-homed PE devices having reachability to the EVPN instance. In some examples, the plurality of PE devices may further implement Connectivity Fault Management (CFM) techniques to propagate the interface status to the access node such that the access node may update its forwarding information to send traffic on a different L2 circuit to another one of the multi-homed PE devices having reachability to the EVPN instance.

Abstract: Techniques are described for supporting multiple virtual networks over an underlay network. The techniques may provide support for network slicing and enhanced virtual private networks (VPNs) over an underlay network. In general, the techniques include allocating a subset of resources (e.g., nodes and/or links) of the underlay network to a particular virtual network, and advertising the subset of resources to provider edge (PE) routers that are participating in the virtual network. A network controller device may advertise the subset of resources for the virtual network to the respective PE routers using BGP-LS (Border Gateway Protocol-Link State). Based on the advertisements, each of the PE routers generates a restricted view of the full underlay network topology for the virtual network and, thus, only uses the subset of resources in the restricted view to generate routing and forwarding tables for the virtual network.

Abstract: A disclosed method may include (1) receiving, at a node within a network, an MPLS echo request from an additional node adjacent to the node, (2) determining that a FEC query is included in a FEC stack of the MPLS echo request and then, in response to determining that the FEC query is included in the FEC stack of the MPLS echo request, (3) determining at least one FEC that corresponds to a label included in a label stack of the MPLS echo request, and then (4) notifying the additional node of the FEC that corresponds to the label included in the label stack by sending, to the additional node, an MPLS echo reply that identifies the FEC that corresponds to the label. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: A network device may receive a packet and may determine whether a next header of the packet is an Internet protocol (IP) header, an Internet control message protocol (ICMP) header, or a segment routing header. The network device may determine, when the next header of the packet is the IP header, whether policy processing of the packet is set to ultimate segment decapsulation and may discard the packet when the policy processing of the packet is not set to ultimate segment decapsulation. The network device may decapsulate an outer header of the packet when the policy processing of the packet is set to ultimate segment decapsulation and may process the packet after decapsulating the outer header of the packet, to generate a processed packet. The network device may forward the processed packet toward a destination.

Abstract: A controller device includes a memory configured to store a tree structure comprising a plurality of nodes, wherein the tree structure comprises a set of sub-structures, and wherein the tree structure defines a configuration of a network device of a set of network devices such that each node of the plurality of nodes corresponds to a respective resource of the network device. Additionally, the controller device includes processing circuitry configured to receive an instruction to update the configuration of the network device, wherein the instruction to update the configuration of the network device indicates a node of the set of nodes corresponding to the update; and verify, based on a sub-structure of the set of sub-structures corresponding to the node indicated by the instruction, the instruction to update the configuration of the network device.

Abstract: Virtual network controllers are described that automatically generate policies and configuration data for routing traffic through physical network function (PNF) service chains in a multi-tenant data center. An example network controller includes a memory and processing circuitry configured to: automatically generate, for one or more integrated routing and bridging (IRB) units of corresponding virtual network forwarding tables of a switch of a switch fabric of a data center network, configuration information that, when deployed, causes the IRB units to direct data traffic conforming to multiple communication protocols and flowing over a plurality of virtual networks between a first set of server devices and a second set of server devices positioned outside of the switch fabric (i) toward a service device logically positioned outside of the switch fabric and coupled to the switch, and (ii) back from the service device into the switch fabric via the switch.

Abstract: In some implementations, a first network device may communicate, with a second network device, one or more internet key exchange (IKE) messages to exchange a first identifier associated with the first network device and a second identifier associated with the second network device, and to indicate that a post-quantum preshared key (PPK) is to be used as a shared key for an IKE security association (SA) between the first network device and the second network device. The first network device may obtain, from a key management entity (KME), a quantum key based on providing the second identifier to the KME, wherein the PPK is based on the quantum key. The first network device may communicate, with the second network device, one or more IKE authentication messages to exchange a third identifier associated with the quantum key and to confirm that the second network device successfully obtained the PPK.

Abstract: In some implementations, a first processing component of a network device may receive first traffic data obtained by a second processing component of the network device. The first processing component may store the first traffic data as residual statistics. The first processing component may obtain second traffic data associated with a copy of a traffic stream processed by the first processing component based on storing the first traffic data as the residual statistics. The first processing component may perform a switchover from the second processing component to the first processing component. The first processing component may determine current traffic data based on the residual statistics and the second traffic data. The current traffic data may be determined based on performing the switchover from the second processing component to the first processing component.