Abstract: A networking device uses multipath routing for paths designated as logical paths having associated physical interfaces, such that link down events are processed by remapping related logical paths to other physical links. The networking device includes a forwarding table that is generated according to a multipath algorithm, such as an equal-cost multipath (ECMP) algorithm. The forwarding table specifies different logical paths mapped to physical links, which may include different physical interfaces and related processing information. Packets are processed by selecting a logical path and applying the mapped profile information and/or physical egress interface of the selected logical path. When a link down monitor detects a link down event, a logical path mapped to the now-unavailable physical link is remapped to another physical link, enabling packets to be selected for the affected logical path and successfully processed before re-calculation of forwarding table to account for the unavailable physical link.

Abstract: A method and system for the post-adjustment (i.e., offline) of event timestamps to implement virtual time synchronization amongst detection node clocks. In existing methodologies with the goal of clock synchronization, clocks (and timestamps generated therefrom) are disciplined or adjusted at the recordation time of the events on a detection node (e.g., a switch/router, an Internet-of-Things (IoT) device, a wireless sensor, etc.). However, there is no particular reason for these clocks or timestamps to be accurate during the recordation time, but rather, should be accurate at their use or interpretation time. Further, through these recordation time adjustments, clock drifts and timing errors may be gradually introduced, leading to runaway inaccuracies. The disclosed method and system intentionally avoids the disciplining of clocks at event recordation times on the detection node and, instead, adjusts timestamps during interpretation times, to overcome the aforementioned issues.

Abstract: A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.

Abstract: A network device may receive updated link-state information from a neighboring network device. The network device may omit processing of the received link-state information by ignoring the updates or differences if they are in portions of the link-state information that do not affect the processing or change output(s) of the processing.

Abstract: In general, embodiments relate to a method for establishing trust between supervisors in a network device, the method including obtaining, by a first supervisor, signed platform configuration register (PCR) values from a second supervisor, wherein the first supervisor and the second supervisor are located in the network device, comparing the signed PCR values with stored PCR values, where the stored PCR values were previously obtained by the first supervisor from the second supervisor, and establishing, based on the comparison, trust with the second supervisor.

Abstract: Systems, methods and products for associating arbitrary configuration tags to configuration item for a service so that items grouped by the tags can be unconfigured or manipulated as a group with minimal touchpoints. In one embodiment, a method is provided for managing the configuration of per-tenant features in a server system. The method includes identifying a configuration feature of the server system to be configured for a specific tenant. A configuration command is received to configure the configuration feature for the specific tenant, wherein the configuration command includes a configuration tag associated with the specific tenant. The configuration command is stored in a configuration of the server system and is applied to the server system. Tag-based commands are provided which are operable to modify a subset of configuration features corresponding to a designated configuration tag.

Abstract: Systems and methods for increasing the speed with which a network device can process “heartbeat” packets that are transmitted between the network device and its peers to verify that the communication links between them are active, or to detect when the communication links go down (i.e., are inactive). Received heartbeat packets are processed primarily by a switching application specific integrated circuit (ASIC) rather than a CPU of the network device. The switching ASIC identifies heartbeat sessions corresponding to received heartbeat packets and resets aging timers for these sessions if the timers have not already expired. The reduced processing and faster timing mechanism of the switching ASIC enables the network device to accommodate spikes in the received packet rate.

Abstract: A processing unit. The processing unit includes a printed circuit board (PCB) including a lidless integrated circuit, a heatsink, and a damper system. The heatsink is coupled to the PCB and in thermal communication with the lidless integrated circuit via a thermal interface material. The damper system is compressed between the PCB and the heatsink and surrounding the lidless integrated circuit to absorb a portion of kinetic energy imparted to the lidless integrated circuit by an impact to the processing unit.

Abstract: A network device may be coupled to a removable storage device. The network device may process redirect information stored on the removable storage device to connect to a device configuration server indicated by the redirect information. The network device may complete a device provisioning operation based on configuration information obtained from the device configuration server and report status of the device provisioning operation to the device configuration server.

Abstract: In general, one aspect, the disclosure relates to a method for sampling packets in a network. The method includes receiving, by a first network device, a packet, making a first determination, by the first network device, that the packet is to be sampled, in response to the first determination: sampling the packet to obtain sampling data, storing sampling metadata associated with the packet, encapsulating, after the sampling, the packet to obtain an encapsulated packet, where the encapsulated packet comprises a bit that is set in an encapsulation header, wherein the bit is set based on the presence of the sampling metadata, and transmitting the encapsulated packet to a second network device.

Abstract: Data taps are provided in a production network to mirror traffic flow through the network. Feeds from the data taps are provided to a monitoring fabric comprising a network of service nodes. A service node receives mirrored traffic and identifies packets in the mirrored traffic for further processing, for example to be forwarded to one or more monitoring/security tools. The packets are identified based on the contents of the packets. For example, packets at the beginning of a TCP session and at the end of the TCP session can be identified based on the TCP flags in the packets. The service node can cause these packets to be sent to one or more monitoring/security tools.

Abstract: In general, the disclosure relates to a method for redirecting a user to a captive portal. The method includes trapping an incoming frame originating from a host, where the incoming frame comprises a L2 header and a payload, wherein the payload specifies information associated with an external server, wherein the user of the host has not been authenticated by the captive portal at a time when the incoming frame is trapped, extracting the L2 header, an L3 header, and the payload from the incoming frame, forwarding the L3 header and the payload towards a redirection server executing on the network device, wherein the redirection server is configured to generate a redirection response based on the payload; encapsulating the redirection response to obtain an L3 response packet, encapsulating the L3 response packet using information from the L2 header to obtain an output frame, and transmitting the output frame towards the host.

Abstract: A network device may include a packet processing pipeline. The packet processing pipeline may include a parser configured to parse packet information in a transit packet received at an input interface of the network device. The packet processing pipeline may include packet sampling information storage circuitry configured to store sampled packet information obtained based on the parsed packet information. The packet processing pipeline may include a processing engine configured to modify a payload of a sampling information accumulation packet to include the sampled packet information for the transit packet. The payload of the sampling information accumulation packet may include the sampled packet information for multiple transit packets.

Abstract: A network device can include a main processor and a packet processor. A method is provided that includes storing a table of values in the packet processor, using the packet processor to receive from the main processor a value that can be used to update the table of values, and using acceleration hardware in the packet processor to update the table of values based on the value received from the main processor without any additional interaction with the software running on the main processor.

Abstract: A method of managing inter-branch communication is a network, including generating an end-to-end path, wherein the end-to-end path starts in a first computing device in a first branch and ends at a second computing device in a second branch, wherein the end-to-end path is generated using a plurality of flow records and a plurality of path records and the end-to-end path includes a wide area network (WAN) segment, and issuing, based on the generating, a notification to a network administrator, wherein the notification specifies the end-to-end path and a latency associated with at least one segment in the end-to-end path.

Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: A method of allocating programmable memory in a network device includes receiving a set of desired features for the network device, and determining a plurality of constraints associated with the set of desired features. The plurality of constraints are converted into a plurality of Boolean representations of the constraints, and a feasibility is evaluated for the desired features based on the plurality of constraints.

Abstract: In general, in one aspect, embodiments relate to a network device for forwarding packets as part of a network comprising an adjacent device connected to the network device via a link. The network device includes a switching system for directing the packets between ports of the network device, wherein a port of the ports is operably connected to the adjacent device via the link, and a switching system manager programmed to: identify a failure of the link, in response to identifying the failure of the link, perform a multi-tiered next hop failover of the switching system based on the failure of the link to obtain an updated switching system that does not forward the packets using the failed link, and forward a portion of the packets using the updated switching system.

Abstract: A method for managing optical transceivers includes obtaining laser measurements for a laser operating in an optical transceiver in a network device, obtaining a failure profile for the laser, making a first determination that the laser measurements match the failure profile, and based on the first determination, initiating a remediation action for the optical transceiver.

Abstract: A method for transmitting network traffic across a wide area network (WAN) from a first site to a second site is provided. The method is executed by a first edge network device at the first site that further includes a second edge network device, and the method includes: receiving the network traffic from a client device at the first site; determining, using ipath characteristics and a classification of the network traffic, that the network traffic should be transmitted by the second edge network device to the second site; forwarding in response to the determination, the network traffic to the second edge network device using a local tunnel over a local area network (LAN) of the first site such that the network traffic is transmitted to the second site by the second edge network device.