Abstract: An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a first switch coupled to the first bypass component, and a first controller; and a second inline-bypass switch appliance having a second bypass component, a second switch coupled to the second bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide a state signal that is associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the state signal.

Abstract: A method performed by a network device includes: receiving a first packet by the network device, wherein the first packet is tapped from a network; identifying a session to which the first packet belongs when the first packet has one or more values that at least partially match one or more terms, wherein the act of identifying the session is performed by the network device; receiving a second packet by the network device; determining whether the second packet belongs to the session; and performing a packet processing action by the network device based on the identified session; wherein the session is identified based on a first criterion, and the act of determining whether the second packet belongs to the session is performed based on a second criterion that is different from the first criterion.

Abstract: A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. Guiding techniques based on these identifiers offer flexible support for multiple network tool operational modes. For example, the packet broker may be able to readily address changes in the state of a network tool connected to the packet broker by modifying certain egress translation schemes and/or ingress translation schemes. The “state” of a network tool can be “up” (i.e., ready for service) or “down” (i.e., out of service) based on, for example, the network tool's ability to pass through health-probing data packets dispatched by the packet broker.

Abstract: A method performed by a network device that taps to a network having a routing device, includes: receiving a first packet tapped from the network; determining a first information regarding an input interface of the routing device based on a destination address of the first packet; receiving a second packet tapped from the network; determining a second information regarding an output interface of the routing device based on a source address of the second packet; determining a first CRC for the first packet; determining a second CRC for the second packet; and comparing the first CRC with the second CRC at the network device to determine whether the first packet and the second packet are the same.

Abstract: A laminate curtain can suppress electromagnetic radiation leakage from an electronic appliance, as well as assist in managing cables interconnected to the electronic appliance. More specifically, a laminate curtain can include a conductive elastomer panel that absorbs spurious electromagnetic radiation generated by the electronic appliance, a conductive adhesive film disposed along one side of the conductive elastomer panel, and a conductive support frame affixed to the conductive adhesive film. The laminate curtain can be installed within a mounting frame, which secures the laminate curtain to the electronic appliance. Electromagnetic radiation that is absorbed by the conductive elastomer panel can travel to the electronic appliance via the conductive adhesive film, the conductive support frame, and the mounting frame. Thus, the conductive elastomer panel can be used to form a ground plane that catches and shunts the spurious electromagnetic radiation to the electronic appliance, which is grounded.

Abstract: Techniques are disclosed for monitoring usage of network traffic rules applied by devices on a computer network. Operations in accordance with the disclosed techniques can be performed at one or more network visibility nodes that operate as part of a visibility fabric, for example for monitoring traffic on the network. In certain embodiments, packets associated with the traffic are received at a network visibility node communicatively coupled to the network that is operable to enable visibility across the network. The network visibility node can access network traffic rules that mirror the network traffic rules applied at devices on the network. The network visibility node can further process the received packets using the accessed network traffic rules to identify packets or flows of packets that satisfy criteria associated with the accessed network traffic rules.

Abstract: A network appliance may be coupled to a network tool configured to monitor the traffic within a computer network. Often, the network tool is operable in two modes (i.e., an inline mode and an out-of-band mode). Before the network tool is deployed as an inline device, however, it is desirable to verify that the network tool is secure. Described herein are systems and techniques for verifying network tools prior to deployment as inline devices. More specifically, the network appliance may be configured to modify the content of a data packet (e.g., by altering a bit) and transmit the modified data packet downstream to a network tool. The network appliance can monitor the network tool to make sure the network tool drops or returns the modified data packet. These techniques allow the network appliance to controllably simulate the receipt of malicious traffic by the network tool.

Abstract: A method performed by a network device includes: receiving an input indicating a change in an auxiliary network from a first configuration to a second configuration, wherein the auxiliary network is configured to obtain copies of packets from a traffic production network; determining a first network policy, wherein the first network policy is for application in the auxiliary network when the auxiliary network is in the first configuration; and determining a second network policy by the network device based on the received input and the first network policy, wherein the second network policy is for application in the auxiliary network when the auxiliary network is in the second configuration.

Abstract: A method for providing user access to a network switch appliance, includes: receiving from a user a request to access configuration item for the network switch appliance, the network switch appliance configured to pass packets received from a network to network monitoring instruments; and determining, using a processing unit, whether to allow the user to access the configuration item for the network switch appliance based on information regarding the user.

Abstract: A method for sampling packets for a network flow, includes: receiving a packet at a network port of a network switch appliance, the network switch appliance comprising an instrument port for communication with a network monitoring instrument; determining whether the packet belongs to a network flow that is desired to be monitored, wherein the act of determining is performed based at least in part on one or more information in a control plane using a processing unit; and passing the packet to the instrument port if the packet belongs to the network flow.

Abstract: A method of monitoring virtualized network includes receiving information regarding the virtualized network, wherein the information is received at a port of a network switch appliance, receiving a packet at a network port of the network switch appliance, and using the received information to determine whether to process the packet according to a first packet processing scheme or a second packet processing scheme, wherein the first packet processing scheme involves performing header stripping, and performing packet transmission to one of a plurality of instrument ports at the network switch appliance after the header stripping, each of the instrument ports configured for communicatively coupling to a network monitoring instrument, and wherein the second packet processing scheme involves performing packet transmission to one of the plurality of instrument ports at the network switch appliance without performing any header stripping.

Abstract: A method of packet processing, includes: providing a plurality of network appliances that form a cluster, wherein two or more of the plurality of network appliances in the cluster are located at different geographical locations, are communicatively coupled via a private network or an Internet, and are configured to collectively perform out-of-band packet processing; receiving a packet by one of the network appliances in the cluster; processing the packet using two or more of the plurality of the appliances in the cluster; and passing the packet to one or more network monitoring tools after the packet is processed.

Abstract: A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. However, in some instances, it may be desirable for data packets the one or more network tools in a load-balanced manner rather than a cascaded manner. Accordingly, the packet broker may initially form a trunk group (i.e., a predefined group of ports that are treated as one port) based on input provided by an administrator. A group of network tools that share a load (i.e., a traffic flow) through trunking facilitated by the packet broker are referred to as a “trunk group” of network tools.

Abstract: An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a first switch coupled to the first bypass component, and a first controller; and a second inline-bypass switch appliance having a second bypass component, a second switch coupled to the second bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide a state signal that is associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the state signal.

Abstract: A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. More specifically, the packet broker may apply packet-matching criteria to incoming data packets to determine a predetermined sequence of network tools through which the data packets are to be guided. For example, the packet broker may guide a data packet through a predetermined sequence of network tools by translating an internal identifier added to the data packet to an external identifier before transmission to each of the network tools, and translating the external identifier to a different internal identifier each time the data packet is received from each of the network tools.

Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind sports.

Abstract: Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of some visibility node in the visibility fabric.

Abstract: A network appliance may include a signal splitter that splits an incoming signal into multiple portions. The signal splitter can direct one portion of the incoming signal to a switching fabric and another portion of the incoming signal to an optical switch. By monitoring the power intensity of the portion of the incoming signal received by the switching fabric, the network appliance can seamlessly switch between a bypass traffic path and a pass-through traffic path without losing network traffic caused by gaps in network connectivity. Such a configuration also enables the network appliance to maintain an accurate record of the logical connectivity state even when the network appliance is in the bypass state (i.e., when network traffic bypasses the switching fabric of the network appliance).

Abstract: An inline-bypass switch system includes: a first inline-bypass switch appliance having a first bypass component, a second bypass component, a first switch coupled to the first bypass component and the second bypass component, and a first controller; and a second inline-bypass switch appliance having a third bypass component, a fourth bypass component, a second switch coupled to the third bypass component and the fourth bypass component, and a second controller; wherein the first controller in the first inline-bypass switch appliance is configured to provide one or more state signals that is associated with a state of the first inline-bypass switch appliance; and wherein the second controller in the second inline-bypass switch appliance is configured to control the second bypass component based at least in part on the one or more state signals.

Abstract: Embodiments are disclosed for monitoring the performance of an in-line tool without adding data to network traffic routed through the in-line tool. In some embodiments, performance of the in-line tool is based on a measured latency introduced by the processing of packets through the in-line tool. In some embodiments, network traffic is adaptively routed based on the measured latency at the in-line tool.