Abstract: Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulate the subscriber packets and embed opaque session cookies that each uniquely identifies a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service nod is programmed to deliver.

Abstract: Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulate the subscriber packets and embed opaque session cookies that each uniquely identifies a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service nod is programmed to deliver.

Abstract: Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulate the subscriber packets and embed opaque session cookies that each uniquely identifies a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service nod is programmed to deliver.

Abstract: A network device includes an internal policy engine that makes local policy decisions for packet flows and controls policies applied by service modules and forwarding components of the network device. The policy engine interacts with an external policy server to receive policies using software defined networking (SDN) protocol as if the data plane of the network device were directly exposed to the external policy server by the SDN protocol.

Abstract: A network device includes an internal policy engine that makes local policy decisions for packet flows and controls policies applied by service modules and forwarding components of the network device. The policy engine interacts with an external policy server to receive policies using software defined networking (SDN) protocol as if the data plane of the network device were directly exposed to the external policy server by the SDN protocol.

Abstract: Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulate the subscriber packets and embed opaque session cookies that each uniquely identifies a collection of packet flows of a subscriber session amongst other packet flows transported by a given service tunnel. Each service node need only identify the tunnel on which a tunnel packet was received and the session cookie embedded within the tunnel packet to uniquely associate the encapsulated subscriber packet with a subscriber session, without needing to further inspect the encapsulated subscriber packet, and to index or otherwise retrieve state and statistics required to enforce the network service the service nod is programmed to deliver.

Abstract: In general, the invention is directed to techniques for offloading mobile data traffic from a mobile core network to a broadband network. For example, as described herein, a breakout gateway forwards a service request from a mobile device and addressed to a service node. The service node designates an access point name (APN) for offload such that data traffic associated with service requests specifying the designated APN is to be offloaded to an offload network. The service node receives the service requests from the breakout gateway and, if the service request specifies the designated APN, the service node sends a request to the breakout gateway. The breakout gateway receives the request and assigns a routable PDP address to the mobile device. An offload module on the breakout gateway redirects mobile data traffic to the offload network when the source PDP address of the traffic is the previously assigned PDP address.

Abstract: Network devices, such as a router and a downstream multicast distribution device, may use multiple control channels when setting up a multicast stream for a multicast request. For example, first messages may be transmitted using a first protocol to an upstream device over a first channel, the first messages indicating when a first multicast media stream is being requested by at least one of a number of client devices. Second messages may be transmitted using a second protocol over a second channel, the second messages being transmitted on a per-client basis and each identifying a one of the client devices as requesting the first multicast media stream. By using two control channels to convey the multicast channel requests, the router may obtain visibility into the action of the subscriber and can consequently perform per-subscriber operations such as access-control, bandwidth based admission control, statistics, and QoS adjustment for multicast IPTV streams received by the subscriber.

Abstract: In general, the invention is directed to techniques for offloading mobile data traffic from a mobile core network to a broadband network. For example, as described herein, a breakout gateway forwards a service request from a mobile device and addressed to a service node. The service node designates an access point name (APN) for offload such that data traffic associated with service requests specifying the designated APN is to be offloaded to an offload network. The service node receives the service requests from the breakout gateway and, if the service request specifies the designated APN, the service node sends a request to the breakout gateway. The breakout gateway receives the request and assigns a routable PDP address to the mobile device. An offload module on the breakout gateway redirects mobile data traffic to the offload network when the source PDP address of the traffic is the previously assigned PDP address.

Abstract: Network devices, such as a router and a downstream multicast distribution device, may use multiple control channels when setting up a multicast stream for a multicast request. For example, first messages may be transmitted using a first protocol to an upstream device over a first channel, the first messages indicating when a first multicast media stream is being requested by at least one of a number of client devices. Second messages may be transmitted using a second protocol over a second channel, the second messages being transmitted on a per-client basis and each identifying a one of the client devices as requesting the first multicast media stream. By using two control channels to convey the multicast channel requests, the router may obtain visibility into the action of the subscriber and can consequently perform per-subscriber operations such as access-control, bandwidth based admission control, statistics, and QoS adjustment for multicast IPTV streams received by the subscriber.

Abstract: A network router includes a plurality of interfaces configured to send and receive packets, and a routing component comprising: (i) a routing engine that includes a control unit that executes a routing protocol to maintain routing information specifying routes through a network, and (ii) a forwarding plane configured by the routing engine to select next hops for the packets in accordance with the routing information. The forwarding plane comprises a switch fabric to forward the packets to the interfaces based on the selected next hops. The network router also includes a security plane configured to apply security functions to the packets. The security plane is integrated within the network router to share a streamlined forwarding plane of the routing component.

Abstract: A communication session over a network is facilitated. A signaling datagram from a source device having a source identity may be intercepted by a network device, and a response datagram may be generated for instructing the source device to send a subsequent datagram to the network device. The signaling datagram may be forwarded to a SIP server, where the SIP server associates the source identity with the network device acting on behalf of the source device, and where the SIP server operates to connect a destination device with the source device to establish a communication session over the network. The subsequent datagram may be received from the source device, and the subsequent datagram may be made available to the destination device via the network.

Abstract: The invention is directed towards techniques for forwarding subscriber frames through a Multi-Protocol Label Switching (MPLS) aggregation network using MPLS labels. Layer two (L2) network devices, such as access nodes, of a service provider (SP) network implement MPLS functionality in the data plane, but do not implement an MPLS signaling protocol in the control plane. The L2 network devices include an interface for configuring a static pool of labels applied in the data plane of the L2 network device to output MPLS communications to the MPLS network. The access nodes may be configured by an administrator to maintain static pools of subscriber labels and MPLS labels. The access nodes autonomously allocate the subscriber labels to subscriber devices that request broadband services from a Broadband Services Router (BSR), and distribute the subscriber labels and MPLS labels as upstream assigned labels.

Abstract: A communication session over a network is facilitated. A signaling datagram from a source device having a source identity may be intercepted by a network device, and a response datagram may be generated for instructing the source device to send a subsequent datagram to the network device. The signaling datagram may be forwarded to a SIP server, where the SIP server associates the source identity with the network device acting on behalf of the source device, and where the SIP server operates to connect a destination device with the source device to establish a communication session over the network. The subsequent datagram may be received from the source device, and the subsequent datagram may be made available to the destination device via the network.

Abstract: The invention is directed towards techniques for forwarding subscriber frames through a Multi-Protocol Label Switching (MPLS) aggregation network using MPLS labels. Layer two (L2) network devices, such as access nodes, of a service provider (SP) network implement MPLS functionality in the data plane, but do not implement an MPLS signaling protocol in the control plane. The L2 network devices include a pool of labels applied in the data plane of the L2 network device to output MPLS communications to the MPLS network, and a protocol that allows a layer three (L3) device to control provision of L2 functionality by the L2 device. The pool of labels is dynamically configured by the L3 device via the protocol. The access nodes distribute the subscriber labels and MPLS labels as upstream assigned labels.

Abstract: Techniques are described for dynamically building an Ethernet virtual local area network (VLAN) interface in a network device. The techniques allow dynamic building of a second VLAN interface over a first VLAN interface statically built over an Ethernet port configured to support dynamic VLANs in a network device. A network device may receive a plurality of Ethernet packets from subscriber devices and dynamically build a second VLAN interface over the first VLAN interface for each of the subscribers. Once the second VLAN interface is built, the network device dynamically builds interface columns over the second VLAN interface for each protocol associated with the Ethernet packets. The network device may then authenticate a user associated with the plurality of Ethernet packets. Once the user has logged out of the network device, the network device may tear down the interface columns while persistently maintaining the corresponding second VLAN interface.

Abstract: Multiple subscriber devices are connected to a network device via one or more network switches. The network device transmits multicast traffic to the subscriber devices. In particular, the network device may receive membership requests for a multicast group from the subscriber devices via the network switch on a first interface, i.e., a mapping interface. The network device sends a multicast stream associated with the multicast group to the network switch on a second interface, i.e. an outgoing interface (OIF). Upon receiving a membership request, the network device maps the membership request to an OIF dedicated to the multicast group. In this way, when multiple subscriber devices connected to the same switch request the same multicast stream, each membership request will map to the same OIF. The network device sends one copy of the multicast stream to the network switch on the dedicated OIF.

Abstract: Techniques are described that allow a network device, such as a router, to dynamically build VLAN interfaces based on subscriber information strings included within packets. In particular, the network device comprises an interface controller and a forwarding controller, where the forwarding controller receives the packet over an Ethernet port and forwards the received packet to the interface controller. The packet includes both Ethernet tagging information and a subscriber information string. The interface controller comprises an Ethernet module that dynamically builds a primary virtual local area network (VLAN) sub-interface (PVS) based on the Ethernet tagging information. The Ethernet module also dynamically builds a subscriber VLAN sub-interface (SVS) based on the subscriber information string. The SVS allows the network device to distinguish between subscribers residing on the same VLAN, and, therefore, to provide subscriber specific services.

Abstract: Techniques are described for dynamically building an Ethernet virtual local area network (VLAN) interface in a network device. The techniques allow dynamic building of a second VLAN interface over a first VLAN interface statically built over an Ethernet port configured to support dynamic VLANs in a network device. A network device may receive a plurality of Ethernet packets from subscriber devices and dynamically build a second VLAN interface over the first VLAN interface for each of the subscribers. Once the second VLAN interface is built, the network device dynamically builds interface columns over the second VLAN interface for each protocol associated with the Ethernet packets. The network device may then authenticate a user associated with the plurality of Ethernet packets. Once the user has logged out of the network device, the network device may tear down the interface columns while persistently maintaining the corresponding second VLAN interface.

Abstract: Techniques are described that allow a network device, such as a router, to dynamically build VLAN interfaces based on subscriber information strings included within packets. In particular, the network device comprises an interface controller and a forwarding controller, where the forwarding controller receives the packet over an Ethernet port and forwards the received packet to the interface controller. The packet includes both Ethernet tagging information and a subscriber information string. The interface controller comprises an Ethernet module that dynamically builds a primary virtual local area network (VLAN) sub-interface (PVS) based on the Ethernet tagging information. The Ethernet module also dynamically builds a subscriber VLAN sub-interface (SVS) based on the subscriber information string. The SVS allows the network device to distinguish between subscribers residing on the same VLAN, and, therefore, to provide subscriber specific services.