Abstract: A system comprises an edge services controller configured to: compute, based on a physical topology of physical links that connect a plurality of network interface cards (NICs) that comprise embedded switches and processing units coupled to the embedded switches, a virtual topology comprising a strict subset of the physical links; and program the virtual topology into the respective processing units of the NICs to cause the processing units of the NICs to send data packets via physical links in the strict subset of the physical links.

Abstract: Techniques are disclosed for a network device to preserve packet flow information across bump-in-the-wire (BITW) firewalls. For example, a method comprises receiving, by a network device, a packet. The method also comprises determining, by the network device, that the packet matches a packet flow that is associated with an action to redirect the packet to a firewall configured as a bump-in-the-wire. The method further comprises, in response to the determination: modifying, by the network device, a Media Access Control (MAC) address field of a layer 2 (L2) packet header with a flow identifier of the packet flow; sending, by the network device, the packet to the firewall; receiving, by the network device, the packet from the firewall; and recovering, by the network device, the packet flow by modifying the packet according to the flow identifier in the packet to restore the L2 packet header of the packet.

Abstract: In general, techniques are described for deploying virtualized cell site routers (vCSRs) capable of layer 2 (L2) forwarding to cell site servers to support management and orchestration of functional units for mobile networks executing on the cell site servers. In an example, a method comprises receiving, at a forwarding plane of a virtualized cell site router (vCSR) of a first Distributed Unit (DU) of a plurality of DU servers of a cell site for a 5G radio access network, the vCSR having a containerized routing protocol process and a forwarding plane configured to perform Layer 2 (L2) switching, L2 packets on a second interface for a second physical link connecting the first DU server to an L2 switch; and switching, by the forwarding plane of the vCSR of the first DU, the L2 packets on a first interface for a first physical link connecting the first DU server to a second DU server of the plurality of DU servers.

Abstract: In general, this disclosure describes techniques for providing a hybrid data plane that can include a kernel-based data plane and a Data Plane Development Kit (DPDK)-based data plane. An example system includes a DPDK-based virtual router configured to send and receive packets via a physical network interface, and a kernel network stack configured to perform tunneling processing for packets destined to a containerized application and received by the DPDK-based virtual router via the physical interface.

Abstract: An example virtual router includes a plurality of logical cores (“lcores”), where each lcore comprises a CPU core or hardware thread. The virtual router is configured to determine a latency profile, select, based at least in part on the latency profile, a packet processing mode from the plurality of packet processing modes. In response to a determination that the packet processing mode comprises the run-to-completion mode, an lcore of the plurality of lcores is configured to: read a network packet from a device queue, process the network packet to determine a destination virtual device for the network packet, the destination virtual device having a plurality of interface queues, and insert the network packet into an interface queue of the plurality of interface queues.

Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

Abstract: Techniques are described for capturing dropped packets and creating modified dropped packets with drop information associated with the dropped packets to provide greater details of the dropped packets for further analysis and/or serviceability. For example, a computing device comprises an internal communication channel, a process executing in user space, and a virtual router. The virtual router comprises, for example, processing circuitry and a drop interface to the internal communication channel, wherein the virtual router is configured to: receive a packet; in response to determining the packet is to be dropped, creating a modified dropped packet to include drop information associated with the packet; and provide the modified dropped packet to the drop interface to communicate the modified dropped packet via the internal communication channel to the process.

Abstract: A container orchestration platform manages a plurality of instances of resources including a first custom resource and a second custom resource. An API server of the container orchestration platform receives a request to delete an instance of the second custom resource; determines whether instance data associated with the instance of the second custom resource has a backreference identifying an instance of the first custom resource, the backreference indicating the instance of the first custom resource is dependent on the instance of the second custom resource; and in response to determining that the instance data has the backreference to the instance of the first custom resource, bypasses deletion of the instance of the second custom resource.

Abstract: An example method comprises, receiving resource availability values from the plurality of Network Interface Cards (NICs); determining a data path for data packets of a flow transported using a protocol from a source NIC to a destination NIC via a NIC set that comprises at least one NIC, wherein: the plurality of NICs comprises the source NIC, the destination NIC, and the NIC set, and determining the data path comprises selecting the NIC set based on the resource availability values; and transmitting, to the source NIC and to each NIC in the NIC set, data path data to cause the source NIC and each NIC in the NIC set to identify the data packets of the flow using an identifier of the protocol and to transmit the data packets of the flow from the source NIC to the destination NIC via the data path.

Abstract: A system comprises an edge services controller configured to: compute, based on a physical topology of physical links that connect a plurality of network interface cards (NICs) that comprise embedded switches and processing units coupled to the embedded switches, a virtual topology comprising a strict subset of the physical links; and program the virtual topology into the respective processing units of the NICs to cause the processing units of the NICs to send data packets via physical links in the strict subset of the physical links.

Abstract: A system is configured to compute a latency between a first computing device and a second computing device. The system includes a network interface card (NIC) of a first computing device. The NIC includes a set of interfaces configured to receive one or more packets and send one or more packets. The processing unit is configured to identify information indicative of a forward packet, compute, based on a first time corresponding to the forward packet and a second time corresponding to a reverse packet associated with the forward packet, a latency between the first computing device and a second computing device, wherein the second computing device includes a destination of the forward packet and a source of the reverse packet, and output information indicative of the latency between the first computing device and the second computing device.

Abstract: Example techniques and computing devices are disclosed. An example computing device includes a first non-uniform memory access (NUMA) node and a second NUMA nod. The first NUMA node includes a first network interface card, a first virtual router for one or more virtual networks, the first virtual router comprising first processing circuitry and configured with a first virtual host interface having a first Internet Protocol (IP) address, and a first workload executing on the first NUMA node. The second NUMA node includes a second network interface card, a second virtual router for the one or more virtual networks, the second virtual router comprising second processing circuitry and configured with a second virtual host interface having a second IP address, and a second workload executing on the second NUMA node.

Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

Abstract: In general, this disclosure describes techniques for a containerized router operating within a cloud native orchestration framework. In an example, a virtualized cell site router comprises a computing device configured with a containerized router, the computing device comprising: a containerized virtual router configured to execute on the processing circuitry and configured to implement a data plane for the containerized router; a containerized routing protocol process configured to execute on the processing circuitry and configured to implement a control plane for the containerized router; and a pod comprising a containerized distributed unit, wherein the containerized routing protocol process is configured to advertise routing information comprising reachability information for the containerized distributed unit.

Abstract: An example virtual router includes a plurality of logical cores (“lcores”), where each lcore comprises a CPU core or hardware thread. The virtual router is configured to determine a latency profile, select, based at least in part on the latency profile, a packet processing mode from the plurality of packet processing modes. In response to a determination that the packet processing mode comprises the run-to-completion mode, an lcore of the plurality of lcores is configured to: read a network packet from a device queue, process the network packet to determine a destination virtual device for the network packet, the destination virtual device having a plurality of interface queues, and insert the network packet into an interface queue of the plurality of interface queues.

Abstract: A network system includes a server comprising a set of virtual routers configured to extend virtual networks to virtual machines. A virtual router of the set of virtual routers may receive a tunnel packet comprising a outer header and an inner packet that defines a first packet flow, and determine, based at least on the outer header, that the tunnel packet is associated with a first virtual network of the virtual networks. The virtual router may also associate, based on the inner packet, the tunnel packet to a layer three link of a plurality of layer three links coupling the virtual router to two or more top-of-rack switches in the virtual network, where the plurality of layer three links form a layer three multi-homing connection between the virtual router and the top-of-rack switches in the virtual network. The virtual router may transmit the tunnel packet via the layer three link.