Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive, from a set of sensor devices, first telemetry data indicating a first set of changes for telemetry parameters that occur during a first time range. The instructions further cause the one or more processors to determine, using the first snapshot and the first telemetry data, a second snapshot that specifies a first complete state at an end of the first time range. The instructions further cause the one or more processors to determine a second complete state of the telemetry parameters for the second time range based on the second snapshot and second telemetry data indicating a second set of changes for the set of telemetry parameters that occur during a second time range.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: A controller device includes a memory and one or more processors coupled to the memory. The memory stores instructions that, when executed, cause the one or more processors to receive a query indicating a first time and a network service, determine a first set of configuration elements using telemetry data associated with the first time and the network service, and determine a second set of configuration elements using an intent model. The instructions further cause the one or more processors to determine one or more first metrics that occur at the first time using the first set of configuration elements and the second set of configuration elements, determine one or more second metrics at a second time using telemetry data received from the plurality of network devices, and generate data representing a user interface presenting the one or more first metrics and the one or more second metrics.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.

Abstract: A method is provided in one example and includes receiving a request message from a first network element using an out-of-band control link. The request message includes a request to bundle a first port associated with the first network element into a channel group associated with a cluster. The cluster includes a plurality of clustered network elements. The method further includes determining a status of the first port with respect to the channel group, and sending a reply message to the first network element using the out-of-band control link. The reply message indicates the determined status of the first port of the first network element.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: An example method includes disengaging a target node from a cluster, where the disengaging comprises: selecting an inheritor; migrating flows from the target node to the inheritor; informing a migration manager that the target node is disengaged from the cluster; and broadcasting to peer nodes of the target node that the target node is replaced by the inheritor. In particular implementations of the present disclosure, the cluster can include a first layer of a network topology including a forwarding engine that implements hash-based packet forwarding; a second layer of the network topology comprising the target node and the inheritor, where the target node and the inheritor implement flow-based packet forwarding; and a third layer including service nodes configured for packet processing in a network.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: A method is provided in one example and includes receiving a request message from a first network element using an out-of-band control link. The request message includes a request to bundle a first port associated with the first network element into a channel group associated with a cluster. The cluster includes a plurality of clustered network elements. The method further includes determining a status of the first port with respect to the channel group, and sending a reply message to the first network element using the out-of-band control link. The reply message indicates the determined status of the first port of the first network element.

Abstract: Methods and apparatus for providing one-arm node clustering using a port channel are provided herein. An example application node may be communicatively connected to at least one application node, and the application node may be connected to a network through a port channel. The application node may include: a link included in the port channel for accommodating the network data being communicated between the remote client and server; and a processor configured to send/receive a cluster control packet to/from the at least one application node through the link included in the port channel.

Abstract: An example method includes disengaging a target node from a cluster, where the disengaging comprises: selecting an inheritor; migrating flows from the target node to the inheritor; informing a migration manager that the target node is disengaged from the cluster; and broadcasting to peer nodes of the target node that the target node is replaced by the inheritor. In particular implementations of the present disclosure, the cluster can include a first layer of a network topology including a forwarding engine that implements hash-based packet forwarding; a second layer of the network topology comprising the target node and the inheritor, where the target node and the inheritor implement flow-based packet forwarding; and a third layer including service nodes configured for packet processing in a network.

Abstract: A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server.

Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.

Abstract: A firewall system and method which optimizes the performance of the firewall process by reducing overhead associated with ACL verification and firewall application-level authorization. The firewall system comprises a session manager operating in the firewall services component and a firewall module operating in the switching process component. In one embodiment, the firewall module is configured to provide certain “non-application” level inspection of data packets and update the context of “sessions” associated with the data packets without sending the packets to the firewall services component using session information provided by the session manager.

Abstract: A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server.