Intent-based enterprise security using dynamic learning of network segment prefixes
Granted: February 27, 2024
Patent Number: 11916963
In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable…
Duplicate address detection for ranges of global IP addresses
Granted: February 20, 2024
Patent Number: 11909717
An example network device determines to assign a number of global Internet protocol (IP) addresses to respective network interfaces, determines a subnetwork for the network interfaces, determines a prefix corresponding to the subnetwork, determines a first global IP address having the prefix, determines a range value that is equal to or greater than the number of global IP addresses, generates a message according to Duplicate Address Detection Protocol (DAD) including data indicating…
Methods and apparatus for efficient use of link aggregation groups
Granted: February 20, 2024
Patent Number: 11909663
A non-transitory processor-readable medium storing code representing instructions to be executed by a processor can cause the processor to receive an indication to load balance a group of sessions associated with a network node and a switch across a group of links between a gateway device and the switch at a first time. The code causes the processor to calculate at a second time, a load based on the group of sessions and associated with a first set of links in an active configuration…
Internet protocol operations and management option
Granted: February 20, 2024
Patent Number: 11909650
A network device may receive an internet protocol (IP) packet that includes an IP packet header. The IP packet may include at least one extension header, which includes at least one of: a hop-by-hop options header, a first destination options header that precedes a routing header, or a second destination options header that precedes an upper-layer header. The network device may determine that: the hop-by-hop options header includes an Operations and Management capabilities (OAM) option,…
Hardware-assisted fast data path switchover for a network device with redundant forwarding components
Granted: February 20, 2024
Patent Number: 11909635
A network device may receive packets, wherein the network device includes a first routing component, a second routing component, a first forwarding component, a second forwarding component, and a physical interface card concentrator with multiple physical interface cards. The first routing component may provide, to the physical interface card concentrator, a signal indicating that the second forwarding component is to be an active forwarding component. The physical interface card…
Distributed label assignment for labeled routing protocol routes
Granted: February 20, 2024
Patent Number: 11909632
In general, various aspects of the techniques are described in this disclosure for distributed label assignment for labeled routes. In one example, a method includes obtaining, by a first thread of a plurality of execution threads for at least one routing protocol process executing on processing circuitry of a network device, an allocation of first labels drawn from a label space for a network service; adding, by the first thread, the first labels to a first local label pool for the…
Seamless segment routing for multiprotocol label switching (MPLS) interworking
Granted: February 20, 2024
Patent Number: 11909629
A network device may receive policy data identifying a first segment routing (SR) policy and a second SR policy. The first SR policy may be associated with a first path through a network and a first next hop, and the second SR policy may be associated with a second path through the network and a second next hop. The network device may advertise, to another device, reachability associated with the first next hop and the second next hop, and may receive, from the other device, a packet…
Resilient multiprotocol label switching (MPLS) rings using segment routing
Granted: February 20, 2024
Patent Number: 11909556
A ring node N belonging to a resilient MPLS ring (RMR) provisions and/or configures clockwise (CW) and anti-clockwise (AC) paths on the RMR by: (a) configuring two ring node segment identifiers (Ring-SIDs) on the ring node, wherein a first of the two Ring-SIDs (CW-Ring-SID) is to reach N in a clockwise direction on the ring and a second of the two Ring-SIDs (AC-Ring-SID) is to reach N in an anti-clockwise direction on the ring, and wherein the CW-Ring-SID and AC-Ring-SID are unique…
Reconfigurable optical router
Granted: February 20, 2024
Patent Number: 11909516
Embodiments of the invention describe apparatuses, optical systems, and methods for utilizing a dynamically reconfigurable optical transmitter. A laser array outputs a plurality of laser signals (which may further be modulated based on electrical signals), each of the plurality of laser signals having a wavelength, wherein the wavelength of each of the plurality of laser signals is tunable based on other electrical signals. An optical router receives the plurality of (modulated) laser…
Determining rate differential weighted fair output queue scheduling for a network device
Granted: February 13, 2024
Patent Number: 11902827
A network device may receive packets and may calculate, during a time interval, an arrival rate and a departure rate, of the packets, at one of multiple virtual output queues. The network device may calculate a current oversubscription factor based on the arrival rate and the departure rate, and may calculate a target oversubscription factor based on an average of previous oversubscription factors associated with the multiple virtual output queues. The network device may determine…
Weighted multicast join load balance
Granted: February 13, 2024
Patent Number: 11902148
In some examples, a method includes receiving, by an egress network device for a network, messages from each of a plurality of ingress network devices for the network, wherein each of the messages specifies a multicast source, a multicast group, and an upstream multicast hop weight value for multicast traffic for the multicast source and the multicast group; selecting, by the egress network device and based on the upstream multicast hop weight values specified by the received messages,…
Retaining key parameters after a transmission control protocol (TCP) session flap
Granted: February 13, 2024
Patent Number: 11902404
A network device may monitor a TCP session with another network device, and may identify ingress and/or egress packets, a TCP header, and a socket of the TCP session. The network device may inspect the ingress and/or egress packets, the TCP header, and the socket to identify a zero window advertisement, details of a last quantity of packets sent or received, synchronize, finish, or reset packets sent or received, negotiated TCP options, or buffer space utilization, and may temporarily…
Liveness detection for an authenticated client session
Granted: February 13, 2024
Patent Number: 11902380
A network node may determine parameters of an authenticated client session for a client device, wherein the parameters comprise a network address of the client device. The network node may determine inactivity of the client device in the authenticated client session. The network node may generate, based on determining the inactivity of the client device, an address resolution protocol (ARP) message or a neighbor solicitation (NS) message to send to the client device, wherein the ARP…
Regulating enqueueing and dequeuing border gateway protocol (BGP) update messages
Granted: February 13, 2024
Patent Number: 11902365
A network device, associated with peer network devices, may receive policy information for a protocol; and compute a first update message based on information regarding a route associated with the policy information. The network device may determine that an upper utilization threshold for one or more of peer queues, associated with the peer network devices, is not satisfied; and write the first update message to the peer queues based on determining that the upper utilization threshold is…
Generating a network security policy based on a user identity associated with malicious behavior
Granted: February 13, 2024
Patent Number: 11902330
A device may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The device may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network and may receive network device data identifying network devices associated with the network. The device may utilize…
Media access control security (MACsec) enabled links of a link aggregation group (LAG)
Granted: February 13, 2024
Patent Number: 11902256
A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated…
EVPN host routed bridging (HRB) and EVPN cloud native data center
Granted: February 13, 2024
Patent Number: 11902160
Techniques for EVPN Host Routed Bridging (HRB) and EVPN cloud-native data center with Host Routed Bridging (HRB) are described. A host computing device of a data center includes one or more containerized user-level applications. A cloud native virtual router is configured for dynamic deployment by the data center application orchestration engine and operable in a user space of the host computing device. Processing circuitry is configured for execution of the containerized user-level…
Dynamic internet protocol translation for port-control-protocol communication
Granted: February 13, 2024
Patent Number: 11902159
A network device may receive, from a source device, an option request that includes a source address of the source device and a destination address of a destination device, wherein the network device is associated with an Internet protocol version 6 (IPv6) network. The network device may identify a map code that is associated with an address translation for traffic associated with the destination device and may determine, based on identifying the map code, a source prefix code and a…
High-availability switchover based on traffic metrics
Granted: February 13, 2024
Patent Number: 11902157
A node may be an active node associated with a high-availability service and may route session traffic communicated via a first route path between a first endpoint and a second endpoint. The node may determine a first measurement of a traffic metric of the first route path and may receive, from another node associated with the high-availability service, a second measurement of the traffic metric of a second route path. The node may compare the first measurement and the second measurement…
Compressed routing header
Granted: February 13, 2024
Patent Number: 11902153
A node receives an internet protocol (IP) payload packet that includes an IPv6 transport header that has been extended with a compressed routing header (CRH). The CRH includes a list of segment identifiers (SIDs) that identify nodes that the IP payload packet is to traverse. The node determines, by referencing the list of SIDs, a next segment for the IP payload packet. The node updates a destination IP address that is included in the IPv6 transport header to a particular destination IP…