Abstract: The problem of being unable to run microBFD using an IPv6 address over any member links of a layer 2 LAG when the LAG is DOWN (and its IPv6 address becomes or is TENTATIVE), is solved by running DAD for the address configured for the microBFD once the individual link is in DISTRIBUTING or STANDBY state and triggering (or starting) microBFD once the DAD for that address completes successfully. Further, member links of the LAG may be permitted to continue running microBFD even if the LAG interface is DOWN and even if some other member links (but not all member links) of the LAG are DOWN.

Abstract: An apparatus includes a first port and a second port operably coupled to a format conversion module each of which is at least partially disposed within a housing. The first port is operably coupled to a cable configured to transfer a first data unit having a first format associated with a first communication medium to the first port. The format conversion module receives the first data unit from the first port and converts the first data unit from the first format to a second format associated with a second communication medium to produce a second data unit. The second port is operably coupled to a wireless access point that is physically distinct from the housing. The second port is configured to receive the second data unit and send the second data unit to the wireless access point.

Abstract: In general, techniques are described in which a plurality of network switches automatically configure themselves to operate as a single virtual network switch. A virtual switch is a collection of individual switch devices that operate like as single network switch. As described herein, network switches in a network that are capable of participating in a virtual switch may automatically discover one another. The participating network switches may then elect one of the participating switches as a master switch. The master switch may generate forwarding information and store the forwarding information in the participating switches, including the master switch. The forwarding information causes the participating switches to act like a single network switch.

Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.

Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.

Abstract: Techniques are describe for establishing an overall label switched path (LSP) for dynamic load balancing of network traffic being sent across a network using the a resource reservation protocol such as Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The tunnel may be a single RSVP-TE Label Switched Path (LSP) that is configured to automatically and dynamically load balance network traffic across different sub-paths of the RSVP-TE LSP over the network. The ingress device of the overall multi-path LSP can analyze traffic statistics to determine when a network traffic demand differs from a currently reserved bandwidth of the overall multi-path LSP by at least a threshold amount, and can automatically add or remove a sub-path from the overall multi-path LSP to adjust capacity of the overall multi-path LSP to correspond to the currently reserved bandwidth.

Abstract: The disclosed apparatus may include (1) at least one power interface that unites a plurality of power supplies that output electrical power for consumption by a network device that facilitates network traffic within a network and (2) a power-management unit communicatively coupled to the plurality of power supplies, wherein the power-management unit (A) detects an operating temperature of a power supply within the plurality of power supplies that output electrical power for consumption by the network device, (B) determines that the operating temperature of the power supply exceeds a temperature threshold, and then (C) modifies an amount of electrical power being output by the power supply to account for the operating temperature exceeding the temperature threshold. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques include quickly establishing a maximum transmission unit (MTU) for a network path, such as a network tunnel. In one example, data representative of the MTU is included in a header of a packet. If the MTU indicated in the packet is larger than a downstream network interface of a network device, the network device updates the data of the header to indicate the MTU of the downstream network interface, and an egress network device sends the packet back to an ingress network device. In another example, network devices fragment packets, if necessary, such that the fragments satisfy the MTU of the downstream network interface. The egress network device then determines the MTU for the path based on a largest received fragment, reassembles the fragments into a single packet, and returns the reassembled packet to the ingress network device. The packets may comprise echo packets of generic routing encapsulation (GRE).

Abstract: Techniques are described that enable local caching of content data within metro transport networks for delivery to subscribers of ISPs that are connected to metro transport networks. Routers within the metro transport network, including an access router, ISP-facing provider edge routers and one or more caching routers, establish an EVPN within the metro transport network. The access router outputs, within the EVPN and to the caching routers, EVPN route advertisements that advertise network address reachability information of the subscriber devices on behalf of the ISPs. Responsive to subscriber content requests that have been redirected from the ISPs and based on the EVPN route advertisements from the access routers, the caching routers of the metro transport network forward, by the EVPN, content from the local content cache to the access routers for efficient delivery to the one or more of the subscribers.

Abstract: In some embodiments, a non-transitory processor-readable medium stores code representing instructions configured to cause a processor to receive, from an access switch, a first signal including forwarding state information associated with a first peripheral processing device from a set of peripheral processing devices. The code can further represent instructions configured to cause the processor to receive, from the first peripheral processing device, a second signal including a data packet. The code can further represent instructions configured to cause the processor to send, to a replication engine associated with the set of peripheral processing devices, a third signal such that the replication engine (1) defines a copy of the data packet, which is included within the third signal, and (2) sends, to a second peripheral processing device from the set of peripheral processing devices, a fourth signal including the copy of the data packet.

Abstract: A network device may receive a packet flow, and may identify an application associated with the packet flow. The network device may determine that packets associated with the application are not to be encrypted using a security protocol. The network device may store a rule that indicates that the packets are not to be encrypted using the security protocol based on determining that the packets are not to be encrypted using the security protocol. The rule may include network layer information or transport layer information associated with the packet flow, and may exclude application layer information associated with the packet flow. The network device may transmit, based on the rule, the packets without using the security protocol to encrypt the packets.

Abstract: A device may receive a firewall filter entry that includes one or more match conditions associated with filtering network traffic. The device may identify an access control list (ACL) template associated with the firewall filter entry. The ACL template may be associated with a template type. The device may identify one or more rules, for verifying the firewall filter entry, based on the template type associated with the ACL template. The device may verify the firewall filter entry using the one or more rules. The device may determine a hardware resource, for storing the firewall filter entry, based on the template type and based on verifying the firewall filter entry. The device may store the firewall filter entry using the hardware resource of the device.

Abstract: A network device may receive network traffic, originating from an input component, via a first set of input ports of a first switching element. The first switching element may be included in a stage of a multi-stage switching fabric. The first set of input ports may be associated with the input component. The network device may determine, based on the input component, a first set of output ports of the first switching element that are reserved for the input component. The network device may route the network traffic, via the first set of output ports, to second switching elements included in another stage of the multi-stage switching fabric. The second switching elements may receive the network traffic via a second set of input ports of the second switching elements.

Abstract: In one embodiment, an apparatus can include a switch fabric. The apparatus can also include a first edge device operatively coupled to an edge of the switch fabric and having a plurality of ports. The apparatus can also include a second edge device operatively coupled to the edge of the switch fabric and having a plurality of ports, the switch fabric defining a plurality of single-hop paths between the first edge device and the second edge device. The first edge device configured to send to a peripheral processing device operatively coupled to the first edge device a representation of a mapping of a portion of the plurality of ports of the first edge device and a portion of the plurality of ports of the second edge device to a plurality of ports included in a non-edge device represented within a virtual multi-hop network topology.

Abstract: A method and apparatus for in-line processing a data packet while routing the packet through a router in a system transmitting data packets between a source and a destination over a network including the router. The method includes receiving the data packet and pre-processing layer header data for the data packet as the data packet is received and prior to transferring any portion of the data packet to packet memory. The data packet is thereafter stored in the packet memory. A routing through the router is determined including a next hop index describing the next connection in the network. The data packet is retrieved from the packet memory and a new layer header for the data packet is constructed from the next hop index while the data packet is being retrieved from memory. The new layer header is coupled to the data packet prior to transfer from the router.

Abstract: A publication exchange device may receive information that identifies a subscriber device, and may receive a set of subscription keys associated with subscribed-to network event information to be provided to the subscriber device. The publication exchange device may receive published network event information from one or more publisher devices, and may determine that the published network event information includes information that matches the set of subscription keys. The publication exchange device may identify the subscribed-to network event information, from the published network event information, using the set of subscription keys. The publication exchange device may provide the subscribed-to network event information to the subscriber device based on identifying the subscribed-to network event information.

Abstract: The disclosed computer-implemented method may include (1) detecting an online communication session established between a plurality of computing devices, (2) identifying at least one application involved in the online communication session established between the plurality of computing devices, (3) determining a security mode for a security proxy that inspects the online communication session based at least in part on the application involved in the online communication session, and then (4) configuring the security proxy to inspect the online communication session in accordance with the determined security mode. Various other systems, methods, and apparatuses are also disclosed.

Abstract: A device includes a master control card that performs control plane processing, a backup control card, where the backup control card takes over control plane processing if the master control card goes out of service, and a database card that connects to the master control card and the backup control card, where the database control card stores information relating to control plane processing. A method of achieving hitless failover in a network element includes detecting that a master control card of the network element has gone out of service, designating the backup control card as a new master control card of the network element, establishing communication with a database card of the network element, and retrieving protocol states information from the database card.

Abstract: In some embodiments, an apparatus includes a quadrature amplitude modulation (QAM) optical modulator which includes a first phase modulator (PM), a second PM, a tunable optical coupler (TOC), and an optical combiner (OC). The TOC is configured to split a light wave at an adjustable power splitting ratio to produce a first split light wave and a second split light wave. The first PM is configured to modulate the first split light wave in response to a first multi-level electrical signal to produce a first modulated light wave. The second PM is configured to modulate the second split light wave in response to a second multi-level electrical signal to produce a second modulated light wave. The OC is then configured to combine the first modulated light wave and the second modulated light wave to generate a QAM optical signal.

Abstract: In some embodiments, an apparatus includes an optical transceiver which includes a rate-adaptive forward error correction (FEC) encoder and a rate-adaptive FEC decoder. The rate-adaptive FEC encoder is configured to adjust a number of a set of known symbols associated with a codeword to achieve rate adaption. A length of the codeword is fixed. The rate-adaptive FEC encoder is configured to generate the codeword based on (1) a set of information symbols including the set of known symbols and a set of data symbols, and (2) a fixed number of a set of parity symbols generated using information symbols. The rate-adaptive FEC decoder is configured to receive a set of reliability values associated with a channel word, and expand the set of reliability values to produce an expanded set of reliability values. The rate-adaptive FEC decoder is further configured to decode the expanded set of reliability values.