Abstract: Functionality in a network device is specified by an application installation file that describes programmable devices used to implement the functionality. Profiles for programmable devices generated from the application installation file and stored on the network device. A profile database stores profiles associated with functionality specified in previously received application installation files. A profile associated with a selected functionality is selected to implement the selected functionality, including loading one or more bitfiles identified in the selected profile to program the programmable devices associated with the selected functionality.

Abstract: Disclosed methods and systems employ an agent to identify data paths between first and second networking devices, such that a data path connects an interface of the first networking device with an interface of the second networking device, each interface being uniquely identified by an associated Internet Protocol (IP) address. The agent establishes a secure connection as follows. First a connection is established between the first and second networking devices using respective first and second IP addresses. Next, security keys are negotiated to establish the secure connection, the security keys including encryption keys and decryption keys. Next, inbound and outbound security associations are established for each of the plurality of data paths, inbound and outbound security associations including IP addresses associated with respective data paths and respective decryption keys. Finally, the inbound and outbound security associations are established in a data plane of the first networking device.

Abstract: A networking device uses multipath routing for paths designated as logical paths having associated physical interfaces, such that link down events are processed by remapping related logical paths to other physical links. The networking device includes a forwarding table that is generated according to a multipath algorithm, such as an equal-cost multipath (ECMP) algorithm. The forwarding table specifies different logical paths mapped to physical links, which may include different physical interfaces and related processing information. Packets are processed by selecting a logical path and applying the mapped profile information and/or physical egress interface of the selected logical path. When a link down monitor detects a link down event, a logical path mapped to the now-unavailable physical link is remapped to another physical link, enabling packets to be selected for the affected logical path and successfully processed before re-calculation of forwarding table to account for the unavailable physical link.

Abstract: A method and system for the post-adjustment (i.e., offline) of event timestamps to implement virtual time synchronization amongst detection node clocks. In existing methodologies with the goal of clock synchronization, clocks (and timestamps generated therefrom) are disciplined or adjusted at the recordation time of the events on a detection node (e.g., a switch/router, an Internet-of-Things (IoT) device, a wireless sensor, etc.). However, there is no particular reason for these clocks or timestamps to be accurate during the recordation time, but rather, should be accurate at their use or interpretation time. Further, through these recordation time adjustments, clock drifts and timing errors may be gradually introduced, leading to runaway inaccuracies. The disclosed method and system intentionally avoids the disciplining of clocks at event recordation times on the detection node and, instead, adjusts timestamps during interpretation times, to overcome the aforementioned issues.

Abstract: Malformed VLAN packets can be detected by programming suitable rules in a TCAM in the packet processing pipeline. In some deployments, for example, the TCAM rule(s) can match on the parsed EtherType metadata. More specifically, the match can be based on the EtherType metadata being set to a value equal to known VLAN TPIDs, such as 0x8100, 0x88a8, rather than being set to a standard EtherType.

Abstract: A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.

Abstract: A network device may receive updated link-state information from a neighboring network device. The network device may omit processing of the received link-state information by ignoring the updates or differences if they are in portions of the link-state information that do not affect the processing or change output(s) of the processing.

Abstract: In general, the invention relates to a method for programming a network device to perform routing of data packets between and/or within networks. More specifically, the method provides a more efficient process for updating the forwarding equivalence class (FEC) table with minimal impacting of the mappings in the forward information base (FIB) of the network device.

Abstract: In general, embodiments relate to a method for establishing trust between supervisors in a network device, the method including obtaining, by a first supervisor, signed platform configuration register (PCR) values from a second supervisor, wherein the first supervisor and the second supervisor are located in the network device, comparing the signed PCR values with stored PCR values, where the stored PCR values were previously obtained by the first supervisor from the second supervisor, and establishing, based on the comparison, trust with the second supervisor.

Abstract: Transmitting sampled flows in datagrams to a collector includes adding entropy to the headers of the UDP packets that encapsulate the datagrams. The entropy, for example, can be a timestamp associated with a sampled data packet contained in the datagram. Each UDP packet is transmitted on a data patch selected from among a plurality of data paths using at least the UDP header. The entropy in each UDP header serves to spread the transmission of UDP packets across the plurality of data paths.

Abstract: A centralized manager in a network deployment is configured to perform periodic automated rotation of secrets used in the network and customer devices in the deployment. The centralized manager is further configured with intelligence to automatically install the rotated secrets onto the deployed devices. The centralized controller can provide high frequency rotations to improve network security.

Abstract: Packet processing in a EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, and includes selecting the ESI label based on the ingress port where the ingress port can be a physical port or a subinterface configured on a physical port.

Abstract: A method for reverse path forwarding (RPF) selection by a network device connected to a network includes receiving an advertisement message from each of a plurality of neighbor devices within the network, parsing the advertisement message to determine a color identification (ID) of each of the neighbor devices, and selecting, from among the neighbor devices, a RPF device based on the color ID of each of the neighbor devices.

Abstract: Security Association (SA) rekeying between two endpoints of a network, is achieved without resorting to a central entity and a separate key management protocol. A packet sent from a first peer to a second peer is modified to add extra data to signal the rekey procedure, and to include cryptographic material to provide a new common keying material, which will be used to create new SAs. Since the rekey procedure is a multi-stage procedure, the peers are assigned (initiator/responder) roles in order to transition from one stage to another. Rekeying may be initiated by a timer present at one of the peers. Embodiments allow network peers to autonomously rekey without the help of a central controller, and each peer can rekey with only N?1 of its peers.

Abstract: Prefix compression routes provided via exact match using redirection and mirroring Forwarding Equivalence Class entries in hardware. In a network device, a first table is stored having a first entry, a second table is stored having a second entry, and a third table is stored having a third entry including routing information for routing data packets. The first entry references a first memory location in the second table, the second memory location stores the second entry, and the second entry referencing a second memory location in the third table. A data packet is received, and the first entry is accessed based on a destination address of the data packet. Routing information is obtained as a result of accessing the first entry. The data packet is sent by the network device according to the routing information.

Abstract: The precision time protocol (PTP) runs on the peer switches in an MLAG domain. PTP messages received by one peer switch on an MLAG interface is selectively peer-forwarded to the other peer switch on the same MLAG interface in order to coordinate a synchronization session with a PTP node. The peer-forwarded messages inform one peer switch to be an active peer and the other peer switch to be an inactive peer so that timestamped messages during the synchronization session are exchanged only between the PTP node the active peer, and hence take the same data path.

Abstract: Systems, methods and products for associating arbitrary configuration tags to configuration item for a service so that items grouped by the tags can be unconfigured or manipulated as a group with minimal touchpoints. In one embodiment, a method is provided for managing the configuration of per-tenant features in a server system. The method includes identifying a configuration feature of the server system to be configured for a specific tenant. A configuration command is received to configure the configuration feature for the specific tenant, wherein the configuration command includes a configuration tag associated with the specific tenant. The configuration command is stored in a configuration of the server system and is applied to the server system. Tag-based commands are provided which are operable to modify a subset of configuration features corresponding to a designated configuration tag.

Abstract: Methods and systems for modifying network traffic data. The method of modifying network traffic data may include receiving a network traffic data unit by a switching engine; performing an analysis on the network traffic data unit to obtain network tunnel information; generating encryption information based on the network tunnel information; and securing the network traffic data unit, by an encryption engine, based on the encryption information.

Abstract: Embodiments of the present disclosure include multiple DC-DC converters configured to generate multiple voltages based on one or more voltage sources. The DC-DC converters are configured to produce a first voltage and second voltage when a first power source is active, when a second power source is active, or when both the first and second power sources are active. In example embodiments, one voltage is used by a network device to power internal circuitry, and another voltage is coupled to tethered devices.

Abstract: A network switch device includes cooling fans to remove heat generated by its electronic circuitry during operation. Multiple cooling zones are provided in a network switch device to enable reduced cooling fan power consumption. The switch device includes a baffle positioned between a first zone and a second zone and across a circuit board. A first cooling fan provides a first airflow through the first zone and across a first portion of the circuit board positioned within the first zone. A second cooling fan provides a second airflow through a second zone of the housing and across a second portion of the circuit board positioned within the second zone. The baffle directs the first airflow away from the second zone and directs the second airflow away from the first zone. Fan speeds of fans in a cooling zone may be adjusted based on temperature sensors positioned in that zone.