H04L45/507

TECHNOLOGIES FOR MANAGING COMPROMISED SENSORS IN VIRTUALIZED ENVIRONMENTS

Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.
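The comparison the abstract describes, as an added example that is not part of the patent text: two capturing agents on the same traffic path, one in the virtualization layer and one in the hardware layer, each submit a per-flow packet-count report for the same window, and the collector computes the multi-layer difference and charges each mismatch to one agent. The sample reports, the flow key, the 5% tolerance and the attribution rule (the lower layer is used as the reference, so a flow the hardware agent saw but the virtualization-layer agent under-reported is charged to the virtualization-layer agent) are assumptions of this example, not rules stated on the page.

```python
from collections import Counter

# Constructed sample data reports for one capture window (not from the page).
# Key: (src_ip, dst_ip, dst_port); value: packets the agent says it captured.
VIRT_REPORT = Counter({
    ("10.0.0.5", "10.0.1.9", 443): 120,
    ("10.0.0.5", "10.0.2.2", 53): 40,
})
HW_REPORT = Counter({
    ("10.0.0.5", "10.0.1.9", 443): 121,       # small drift between layers is normal
    ("10.0.0.5", "10.0.2.2", 53): 40,
    ("10.0.0.5", "198.51.100.7", 4444): 300,  # never reported by the VM-layer agent
})


def multilayer_difference(virt, hw, tolerance=0.05):
    """Return {flow: (virt_count, hw_count)} for every flow whose two counts
    differ by more than `tolerance`, measured relative to the larger count."""
    diff = {}
    for flow in set(virt) | set(hw):
        a, b = virt.get(flow, 0), hw.get(flow, 0)
        if a != b and abs(a - b) / max(a, b) > tolerance:
            diff[flow] = (a, b)
    return diff


def suspect_agents(virt, hw, tolerance=0.05):
    """Attribute each mismatch to one of the two capturing agents.

    Attribution rule used by this example (an assumption, not taken from the
    page): the hardware-layer agent sits below the hypervisor on the same
    path, so traffic it sees that the virtualization-layer agent under-reports
    is charged to the virtualization-layer agent; traffic only the
    virtualization-layer agent reports is charged to the hardware-layer agent.
    """
    verdict = {"virtualization_agent": [], "hardware_agent": []}
    for flow, (a, b) in sorted(multilayer_difference(virt, hw, tolerance).items()):
        verdict["virtualization_agent" if a < b else "hardware_agent"].append(flow)
    return verdict


def is_faulty(verdict):
    """True when either agent has at least one flow charged against it."""
    return any(verdict.values())


if __name__ == "__main__":
    v = suspect_agents(VIRT_REPORT, HW_REPORT)
    print(v, "faulty" if is_faulty(v) else "consistent")
```

The tolerance matters in practice: the two layers never count identically (timing of the window edge, packets dropped between the NIC and the virtual switch), so the check looks for flows that one layer never saw, not for counts that differ by a few packets.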

BGP LU resiliency using an anycast SID and BGP driven anycast path selection

A node in a first network includes circuitry configured to determine that a next hop decided by Border Gateway Protocol (BGP) is an anycast prefix assigned to a Route Reflector (RR) interconnecting the first network with a second network; responsive to the next hop being the anycast prefix to the RR, create a tunnel whose destination is based on the anycast prefix; and use the tunnel for traffic whose next hop is the anycast prefix to the RR. The anycast prefix is assigned to two or more RRs interconnecting the first network and the second network. A first path is decided by BGP based on the BGP path selection algorithm, independently of a second path determined by the Interior Gateway Protocol (IGP). The first path and the second path can differ, and the tunnel is used to ensure that the traffic always follows the first path.

SERVICE REALIZATION USING A SEGMENTED MPLS CONTROL PLANE
20230119919 · 2023-04-20 ·

A system in which a mapping function specific to a given provider edge may provide value-added services, where that provider edge already uses Label Distribution Protocol (LDP), Resource Reservation Protocol (RSVP), or the like.

IN-BAND CONTROL PLANE
20230063395 · 2023-03-02 ·

Various example embodiments for supporting an in-band control plane are presented. In a Multiprotocol Label Switching (MPLS) network, the in-band control plane is supported by exchanging the control protocol packets of control protocols as MPLS packets, so that the control protocol messaging travels in-band along the MPLS data plane itself. The MPLS packets that encapsulate the control protocol messages carry an MPLS label indicating that the payload of the packet is a control protocol message of a control protocol.

NETWORK PATH DETECTION AND MONITORING

This disclosure describes techniques for detecting and monitoring paths in a network. The techniques include causing a source node to generate probe packets to traverse a multi-protocol label switching (MPLS) network, for instance. In some examples, the probe packets include entropy values that correspond to individual equal-cost multi-path (ECMP) paths of the network. The probe packets may be received at an SDN controller from a sink node after traversing the network. Analysis of the probe packets allows path discovery and mapping of the entropy values to ECMP paths. The mapping of discovered paths may be used for optimization of network monitoring activities, including sending subsequent probe packets over particular ECMP paths based on the mapped entropy values.
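The discovery loop described above, as an added example that is not the disclosure's own code: a constructed six-node topology with two ECMP stages, a per-node hash of the probe's entropy value standing in for the forwarder's hash of the entropy label, a probe that records its hop list, and a controller side that groups entropy values by the path they produced and can then pick an entropy value that steers a follow-up probe down one chosen path. The topology, the SHA-256-based hash and the use of entropy values 0..255 are assumptions of this example.

```python
import hashlib

# Constructed topology (assumption of this example): each node's ECMP next-hop set.
# S fans out to A or B, each of which fans out to C or D, which both reach the sink T.
TOPOLOGY = {
    "S": ["A", "B"],
    "A": ["C", "D"],
    "B": ["C", "D"],
    "C": ["T"],
    "D": ["T"],
    "T": [],
}
SINK = "T"


def ecmp_pick(node, entropy):
    """Deterministic per-node ECMP choice keyed on the entropy value; this stands
    in for the hardware's hash of the entropy label and is an assumption here."""
    nexthops = TOPOLOGY[node]
    digest = hashlib.sha256(f"{node}:{entropy}".encode()).digest()
    return nexthops[int.from_bytes(digest[:4], "big") % len(nexthops)]


def forward_probe(source, entropy, max_hops=16):
    """Carry one probe through the network and return the hop list it records."""
    path = [source]
    node = source
    while node != SINK:
        if len(path) > max_hops:
            raise RuntimeError("loop or unreachable sink")
        node = ecmp_pick(node, entropy)
        path.append(node)
    return tuple(path)


def discover_paths(source, entropy_values):
    """Controller side: map each entropy value to the path its probe took, and
    group entropy values by distinct path."""
    by_entropy = {e: forward_probe(source, e) for e in entropy_values}
    by_path = {}
    for e, p in by_entropy.items():
        by_path.setdefault(p, []).append(e)
    return by_entropy, by_path


def entropy_for_path(by_path, path):
    """Pick an entropy value that steers a follow-up probe down `path`, or None
    if no probe was ever observed taking that path."""
    values = by_path.get(tuple(path))
    return values[0] if values else None


if __name__ == "__main__":
    _, paths = discover_paths("S", range(256))
    for p, es in sorted(paths.items()):
        print(" -> ".join(p), "entropy values:", len(es))
```

The mapping is only as good as the forwarders' hashes are stable: a change of hash seed, line card or ECMP member count silently remaps entropy values to different paths, so a monitor that relies on a saved mapping should periodically re-run discovery and alarm when a previously mapped entropy value starts arriving over a different path.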

METADATA-BASED CROSS-REGION SEGMENT ROUTING

Systems and methods are provided for management of network segments that cross geographic regions and/or other types of network divisions in a cloud-based network environment. Gateways may manage traffic across regions using routing metadata that includes a segment identifier. The gateways may also signal their routes across regions based on segment data, and implement the signaled routes using segment-based routing policies. Route selection may be performed using optimization data.

MECHANISMS FOR PACKET PATH TRACING AND PER-HOP DELAY MEASUREMENT IN SEGMENT ROUTING WITH MULTIPROTOCOL LABEL SWITCHING (SR-MPLS) NETWORKS

A network node receives a data packet. In response to receiving the data packet, the network node performs a lookup on the label stack of the data packet to determine a next hop for the data packet. The network node scans the label stack to identify a Structured Entropy Label (SEL). The SEL includes a Path Tracing Indicator (PTI). The network node computes Midpoint Compressed Data (MCD) as a result of the PTI being set to a pre-defined value. The network node records the MCD in an MCD stack of the data packet by shifting the MCD stack and stamping the MCD on top of the MCD stack. The network node transmits the data packet to the next hop with the recorded MCD stack. The sink node encapsulates the received data packet to generate an encapsulated data packet and transmits the encapsulated data packet.
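The midpoint procedure above, as an added example that is not the patent's own code: a packet carries a list of 32-bit MPLS label words plus a fixed-size MCD region; the node resolves the top label in a toy FIB, scans the stack for the Entropy Label Indicator (reserved label value 7, RFC 6790) to find the SEL beneath it, and if the SEL's PTI bit is set, computes an MCD and shifts it onto the top of the MCD stack. The toy FIB, the placement of the PTI as the top bit of the SEL's 20-bit label field, the 3-byte MCD layout (12-bit outgoing interface, 8-bit truncated timestamp, 4-bit load), the timestamp truncation and the 8-entry stack depth are all assumptions of this example, not formats taken from the page.

```python
from dataclasses import dataclass, field

ELI = 7                    # Entropy Label Indicator, reserved label value (RFC 6790)
PTI_BIT = 1 << 19          # assumption: PTI is the top bit of the SEL's 20-bit label field
MCD_LEN = 3                # assumption: one MCD is 3 bytes
MCD_STACK_DEPTH = 8        # assumption: the MCD stack holds 8 entries, newest first

# Toy FIB for the midpoint node (constructed): top label value -> next hop
FIB = {16001: "nh-A", 16002: "nh-B"}


@dataclass
class Packet:
    labels: list            # 32-bit MPLS label words, top of stack first
    mcd_stack: bytearray = field(
        default_factory=lambda: bytearray(MCD_LEN * MCD_STACK_DEPTH))
    payload: bytes = b""


def encode_label(value, tc=0, bos=0, ttl=64):
    """Pack an MPLS label entry: 20-bit label, 3-bit TC, 1-bit BoS, 8-bit TTL."""
    return ((value & 0xFFFFF) << 12) | ((tc & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF)


def label_value(word):
    return word >> 12


def encode_mcd(oif, ts_ns, load):
    """Assumed MCD layout: 12-bit outgoing interface ID, 8-bit truncated
    timestamp (here bits 16..23 of a nanosecond clock), 4-bit load."""
    ts8 = (ts_ns >> 16) & 0xFF
    return ((oif & 0xFFF) << 12 | ts8 << 4 | (load & 0xF)).to_bytes(MCD_LEN, "big")


def decode_mcd(raw):
    v = int.from_bytes(raw, "big")
    return (v >> 12) & 0xFFF, (v >> 4) & 0xFF, v & 0xF


def find_sel(labels):
    """Scan the stack for the ELI; the label immediately below it is the SEL."""
    for i, word in enumerate(labels[:-1]):
        if label_value(word) == ELI:
            return label_value(labels[i + 1])
    return None


def process_midpoint(pkt, oif, ts_ns, load):
    """One midpoint hop: forwarding lookup, PTI check, MCD shift-and-stamp.
    Returns the next hop and mutates pkt in place."""
    next_hop = FIB[label_value(pkt.labels[0])]
    sel = find_sel(pkt.labels)
    if sel is not None and sel & PTI_BIT:
        mcd = encode_mcd(oif, ts_ns, load)
        # Shift every entry down one slot (the oldest falls off the bottom),
        # then stamp the new MCD on top.
        pkt.mcd_stack[MCD_LEN:] = pkt.mcd_stack[:-MCD_LEN]
        pkt.mcd_stack[:MCD_LEN] = mcd
    return next_hop


def read_mcd_stack(pkt):
    """Decode the recorded MCDs, newest first, skipping untouched all-zero slots."""
    out = []
    for i in range(0, len(pkt.mcd_stack), MCD_LEN):
        raw = pkt.mcd_stack[i:i + MCD_LEN]
        if any(raw):
            out.append(decode_mcd(raw))
    return out
```

Because the stack is fixed-size and shifts on every stamping hop, a path longer than the stack depth loses its earliest hops; a collector that reconstructs paths from the MCD stack should treat a full stack as "at least this many hops" rather than as the complete trace.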

DISTRIBUTED LABEL ASSIGNMENT FOR LABELED ROUTING PROTOCOL ROUTES

In general, various aspects of the techniques are described in this disclosure for distributed label assignment for labeled routes. In one example, a method includes obtaining, by a first thread of a plurality of execution threads for at least one routing protocol process executing on processing circuitry of a network device, an allocation of first labels drawn from a label space for a network service; adding, by the first thread, the first labels to a first local label pool for the first thread; generating, by the first thread, after obtaining the allocation of the first labels, a labeled route comprising a route for the network service and a label assigned by the first thread from the first local label pool; and outputting, by the network device, the labeled route.
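The allocation scheme in the abstract, as an added example that is not the disclosure's own code: a shared label space for one network service hands out contiguous chunks under a lock, each execution thread keeps the chunk it obtained as a local pool and assigns labels from it without further synchronization, and every labeled route it outputs pairs a prefix with a label from that pool. The label range 300000..301000, the chunk size of 8, the four threads and the constructed prefixes are assumptions of this example.

```python
import threading


class LabelSpace:
    """Label space for one network service. Only chunk allocation is
    serialized; assignment inside a thread's own chunk needs no lock."""

    def __init__(self, start, end, chunk_size):
        self.start, self.end, self.chunk_size = start, end, chunk_size
        self._next = start
        self._lock = threading.Lock()

    def allocate_chunk(self):
        with self._lock:
            if self._next + self.chunk_size > self.end:
                raise RuntimeError("label space exhausted")
            lo = self._next
            self._next += self.chunk_size
        return list(range(lo, lo + self.chunk_size))


class LocalLabelPool:
    """Per-thread pool, refilled from the shared space one chunk at a time."""

    def __init__(self, space):
        self.space = space
        self.free = []

    def assign(self):
        if not self.free:
            self.free = self.space.allocate_chunk()
        return self.free.pop(0)


def thread_worker(thread_id, space, prefixes, results):
    """Generate labeled routes (prefix, label) for this thread's share of prefixes."""
    pool = LocalLabelPool(space)
    results[thread_id] = [(prefix, pool.assign()) for prefix in prefixes]


def distribute(n_threads=4, routes_per_thread=10, chunk_size=8,
               start=300000, end=301000):
    """Run the threads and return {thread_id: [(prefix, label), ...]}."""
    space = LabelSpace(start, end, chunk_size)
    results = {}
    threads = []
    for t in range(n_threads):
        # Constructed prefixes for the example; one /24 family per thread.
        prefixes = [f"10.{t}.{i}.0/24" for i in range(routes_per_thread)]
        th = threading.Thread(target=thread_worker, args=(t, space, prefixes, results))
        threads.append(th)
        th.start()
    for th in threads:
        th.join()
    return results


def labels_are_unique(results):
    labels = [label for routes in results.values() for _, label in routes]
    return len(labels) == len(set(labels))


def chunks_are_disjoint(results, start=300000, chunk_size=8):
    """No chunk is shared between threads: each chunk index maps to one thread."""
    owner = {}
    for t, routes in results.items():
        for _, label in routes:
            idx = (label - start) // chunk_size
            if owner.setdefault(idx, t) != t:
                return False
    return True


if __name__ == "__main__":
    out = distribute()
    for t, routes in sorted(out.items()):
        print(t, routes)
    print("unique:", labels_are_unique(out), "disjoint:", chunks_are_disjoint(out))
```

The property worth checking after any change to the allocator is the one `chunks_are_disjoint` checks: two threads handing out the same label for different routes would make the forwarding plane deliver one service's traffic to the other.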

Processing packets by an offload platform adjunct to a packet switching device

In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform-processed packet. The offload platform downloads forwarding information from the router and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and representing each of one or more next-hop nodes of the router as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing them according to its own routing information base.

SHARED ETHERNET SEGMENT IDENTIFIER LABEL ALLOCATION FOR ETHERNET VIRTUAL PRIVATE NETWORK MULTIHOMING

Systems and methods are provided herein for allocating the same ESI label on multihomed peers for a given Ethernet segment (ES). In some embodiments, each network device that provides multihoming to a host over an ES advertises EVPN Ethernet Auto-Discovery (AD) per-ES routes to the other such devices, where the EVPN AD per-ES routes carry an ESI label associated with the ES. Because the network devices advertise the same ESI label for the ES, a first network device generates a bitmap. The first network device uses the bitmap to include the advertised ESI label in replicated packets that it forwards to the other network devices that provide multihoming to the host via the ES. The network devices that consider themselves non-designated-forwarder (non-DF) devices for the ES drop the packet. The network device that considers itself the designated forwarder (DF) does not forward the packet to the host via the ES because of the ESI label.