Abstract: Implementations relate to authentication of end devices in networks. In some implementations, a method includes receiving identity information at an edge configuration device from an end device via a connection, where the identity information identifies the end device or one or more users associated with the end device. A request is sent from the edge configuration device to an access control server connected to the network in response to receiving the identity information, where the request requests authentication for the end device. Authentication is received at the edge configuration device from the access control server for the end device to connect to a network connected to the edge configuration device.
Abstract: Aspects of the present disclosure enable a router controller to maintain a default rules table indicating allocation of IP addresses (of GTP packets) to respective output ports. In an embodiment, the router controller receives information indicating the respective tunnel endpoint IP addresses of a control session and a data session of a user. The router controller is configured to determine whether such IP addresses of the control session and the data session(s) are allocated to the same output port. If the IP addresses of the control session and the data session are not allocated to the same output port, the router controller is configured to generate a dynamic rule to force packets of both the control session and the data session to the same output port.
Abstract: Implementations relate to automatic configuration of endpoint communication devices to set up a communication network such as a VOIP network. In some implementations, a method includes a server receiving an extension request for device extension from an endpoint communications device connected to a communication network, mapping an identifier for the endpoint communications device to a device extension, and transmitting the device extension to the endpoint communications device.
Abstract: A method and apparatus for automated mirroring is presented. A network device running as a Fabric Attach (FA) server configured to mirror traffic to a Remote Switch Port Analyzer (RSPAN) Virtual Local Area Network (VLAN), issues an FA Type Length Value (TLV) on its uplink to the FA server. The TLV includes a request to associate said RSPAN VLAN with a Service Identifier (I-SID) used to carry mirror traffic in a network. The network device sends the mirrored traffic on the RSPAN VLAN on its uplink to the FA server. The network device signals the I-SID into the network, and detects receive interest in the I-SID. The network device delivers the mirrored traffic to devices that expressed a receive interest in the mirrored traffic.
Type: Grant
Filed: January 29, 2016
Date of Patent: October 9, 2018
Assignee: Extreme Networks, Inc.
Inventors: Srikanth Keesara, Venkat Dabbara, Parthiv Shrimankar, Robert Lee
Abstract: Techniques for implementing traffic deduplication in a visibility network are provided. According to one embodiment, a packet broker of the visibility network can receive a control or data packet replicated from a core network. The packet broker can then apply a first stage deduplication process in which the packet broker attempts to deduplicate the control or data packet based on one or more interfaces of the core network from which the control or data packet originated, and apply a second stage deduplication process in which the packet broker attempts to deduplicate the control or data packet based on the content (e.g., payload) of the control or data packet.
Abstract: Methods, systems and computer readable media for dynamic templates for virtualized systems are described. A method for initially deploying a virtualized system can include receiving a selection indicating a dynamic template, and installing a base configuration using base configuration information obtained from the dynamic template. The method can also include traversing a hierarchy within the dynamic template and installing one or more sub-level configurations according to the hierarchy. The method can further include stopping the traversing and installing when a termination condition is reached.
Type: Grant
Filed: September 30, 2015
Date of Patent: October 2, 2018
Assignee: Extreme Networks, Inc.
Inventors: Nishant Krishna, Seetharam V Rao, Kalaiyarasan Periasamy, Navaneethan Marichetty
Abstract: A self adapting driver for controlling datapath hardware elements uses a generic driver and a configuration library to create a set of data structures and methods to map information provided by applications to physical tables. A set of virtual tables is implemented as an interface between the applications and the generic driver. The generic driver uses the configuration library to determine a mapping from the virtual tables to the physical tables. A virtual table schema definition is parsed to create the configuration library, such that changes to the physical infrastructure may be implemented as changes to the virtual table schema definition without adjusting the driver code. Thus automatically generated creation of generic packet forwarding drivers is able to be implemented through the use of a configuration language that defines the meaning of the information stored in the virtual tables.
Abstract: A first login request of a user is received from a first login window. The first login request comprises a login name, a user identifier, and a challenge. The challenge is generated and received from a second login request to a product in a second login window. The user copies and pastes the challenge into the first login window. A central control system determines if the login name and the user identifier are valid. If the login name and user identifier are valid, a response to the challenge is generated based on a private key and is displayed in the first login window. The response to the challenge is copied from the first login window and pasted as part of a second step of the second login process. The second login process verifies the response to the challenge using a public key to allow the user access to the product.
Abstract: A technique for self-testing of services in an access point of a communication network includes providing a table that has a mapping between a service test, packets to be sent for testing, and packets that should be received in response to the testing, emulating and marking the test packets to be sent, placing the marked test packets in an Rx queue, processing the test packets normally by the access point to provide response packets and marking these response packets, delivering the marked response packets to a Rx queue, retrieving the marked response packets from the Rx queue, and comparing the service test response packets to the list of packets that should have been received in the response to the testing in order to validate that service on the access point.
Abstract: A method and apparatus for automated mirroring is presented. In a particular embodiment of a method for automated mirroring, a Network Device running as a Fabric Attach (FA) Server receives an FA Type Length Value (TLV) from an Access Device running as a FA proxy or client. The Access Device is configured to mirror traffic to a Remote Switch Port Analyzer (RSPAN) Virtual Local Area Network (VLAN). The TLV includes a request to associate the RSPAN VLAN with a Service Identifier (I-SID) used to carry mirror traffic in a network. The method includes wherein the FA server receives the mirrored traffic on the RSPAN VLAN. The FA Server signals the I-SID into the network, and detects receive interest in the I-SID. The FA Server delivers the mirrored traffic to devices that expressed a receive interest in the mirrored traffic.
Type: Grant
Filed: January 29, 2016
Date of Patent: September 11, 2018
Assignee: Extreme Networks, Inc.
Inventors: Srikanth Keesara, Venkat Dabbara, Parthiv Shrimankar, Robert Lee
Abstract: Using a hash function, an L2/L3 switch can produce an FID for a data packet. The L2/L3 switch can select, from among potentially several stored VLAN flooding tables, a particular VLAN flooding table that is associated with a particular VLAN on which the data packet is to be carried. The rows of the particular VLAN flooding table can specify different combinations of the particular VLAN's egress ports. The L2/L3 switch can locate, in the particular VLAN flooding table, a particular row that specifies the FID. The L2/L3 switch can read, from the particular row, a specified subset of the egress ports that are associated with the particular VLAN. The L2/L3 switch can transmit copies of the data packet out each of the egress ports specified in the subset, toward analytic servers connected to those egress ports.
Abstract: Disclosed herein are systems and methods for automatically grouping, authenticating, and provisioning access points using cloud-based management of wireless-local-area-network (WLAN) infrastructure. In an embodiment, a given site has a master access point that is manually configured with an organization-and-site-specific master-access-point configuration for providing service in a WLAN. Additional access points installed for operation transmit self-identifying messages to neighboring access points. Each access point compiles information about its neighbor access points in access-point neighbor lists. The access-point neighbor lists are received and used by a cloud-based WLAN-management service to identify the associated master access point and to provision unauthenticated access points using the correct organization-and-site-specific master-access-point configuration.
Type: Grant
Filed: September 3, 2015
Date of Patent: August 28, 2018
Assignee: Extreme Networks, Inc.
Inventors: Jeelan Basha Poola, Davis Kochery, Dominic Velikakath Peter
Abstract: A network visibility system provided according to an aspect of the present disclosure forms rules for routing of packets to an appropriate analytic server, based on IP addresses discovered while processing packets. Due to such discovery and forming of rules based on discovery, manual configuration of the network visibility system can be avoided. In an embodiment, the network visibility system comprises a packet router and a router controller. The router controller receives the examined packets from the packet router and configures the packet router with the formed rules.
Abstract: Methods, systems and computer readable media for multi-device single network sign-on are described. For example, a method can include authenticating a first device for network access via a first authentication process, the first device being associated with a user account. The method can also include receiving an access request from a second device associated with the user account, and determining whether the second device is within an access perimeter of the first device. The method can further include permitting the second device to access the network without a second authentication process when the second device is within the access perimeter of the first device.
Abstract: In virtualized environments a method of determining authorization to a resource cannot use a hardware specific identifier, such as a MAC address. As a result upgrading a virtual host may cause licenses associated with that host to be invalid, even though the upgraded virtual host should be authorized. Authentication methods and systems are disclosed such that a key may be shared with a second host along with a license file and, provided at least the second host has a key associated with its system identifier and a key associated with a license file, access to a licensed resource may be authorized.
Abstract: Embodiments generally relate to enabling encapsulation in networks. In one embodiment, a method includes receiving a message from an edge configuration device, wherein the message contains shortest path bridging (SPB) configuration information. The method also includes performing provider backbone bridge (MAC-in-MAC) encapsulation in response to receiving the message.
Type: Grant
Filed: September 30, 2013
Date of Patent: April 24, 2018
Assignee: Extreme Networks, Inc.
Inventors: Zenon Kuc, Roger Lapuh, Karthik Gopalakrishnan, Paul Unbehagen, John Mead, Greg Landry
Abstract: A computer-implemented method, apparatus and software for debugging auto-attach entities is presented. A Continuity Fault Management (CFM) request for a service is received over a network at an Auto-Attach (AA) server. The AA server responds with a first response regarding the AA server on the service. The AA server also responds to the CFM request with a second response regarding any AA clients and any AA proxies on the service.
Type: Grant
Filed: June 19, 2015
Date of Patent: April 24, 2018
Assignee: Extreme Networks, Inc.
Inventors: Srikanth Keesara, Deborah Ellen Fitzgerald
Abstract: Session Manager anti-looping creates a model that is an effective barrier to looping, efficiently identifying a loop condition by maintaining temporary individual call counters for header sets within temporal parameters and terminating the loop condition upon detection. The system provides an administrator with adjustable parameters for loop detection count and loop detection interval, thereby allowing protection against loop conditions, both inadvertent and intentional.
Type: Grant
Filed: April 16, 2014
Date of Patent: April 10, 2018
Assignee: Extreme Networks, Inc.
Inventors: Harsh V. Mendiratta, Stephen Andrew Baker, Alejandro Vaquero, Stephen R. Durney, Ryan Scott Wallach, William G. Bahr
Abstract: Implementations generally relate to network services. In some implementations, a method includes providing a network service having a service mode and a service type. The method further includes generating a network service advertisement message including a service identifier, a service mode portion, and a service type portion. The method further includes forwarding the network service advertisement message from a first system to one or more other systems via a network. The method further includes incrementing a counter corresponding to a service mode and a service type pair of each network service advertisement message having a same service identifier. The method further includes, when the counter corresponding to a service mode and a service type pair reaches a predetermined value, blocking configuration of another service having the same service identifier value, service mode and service type as that corresponding to the counter that reached the predetermined value.