Abstract: Network devices can use maximally redundant trees (MRTs) for delivering traffic streams across a network, and for transitioning traffic to a new set of MRTs after a topology change, without dropping traffic. The disclosure describes distributed computation of a set of MRTs from one or more ingress devices to one or more egress devices of the network. In one example, network devices in a network compute a set of MRTs, and establish a set of LSPs along the paths of the set of MRTs. After a change to the network topology, convergence sequencing is managed by a central controller, which centrally orchestrates the sequence for moving traffic from being sent on the old MRT paths to being sent on newly computed MRT paths after the controller determines that all new MRT forwarding state has been installed on the network devices.

Abstract: In some embodiments, an apparatus includes a management module configured to assign a unique set of identifiers to each network control entity from a set of network control entities. As a result, a network control entity from the set of network control entities can assign an identifier from its unique set of identifiers to a port in response to that network control entity receiving a login request from the port. The set of network control entities is associated with a distributed multi-stage switch. The management module is also configured to store a zone set database associated with the distributed multi-stage switch. The management module is configured to send an instance of an active zone set stored within the zone set database to each network control entity from the set of network control entities such that each network control entity can enforce the active zone set.

Abstract: A computer-implemented method for virtualizing customer-premises equipment may include (1) receiving, at a service provider's network, at least one flow of network traffic from a remote device included in a user's private network, (2) identifying, within the flow of network traffic, at least one potentially non-unique private address that represents the remote device with respect to the user's private network, (3) determining at least one unique routable address that represents the remote device with respect to the service provider's network based at least in part on a network interface assigned to the user's private network and the potentially non-unique private address, and then (4) translating the potentially non-unique private address to the unique routable address to facilitate routing return network traffic to the remote device in connection with the flow of network traffic. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: The disclosed apparatus may include a storage device and a secure counter. The apparatus may also include a tamper-logging component that (1) detects an action that is associated with booting untrusted images from the storage device and, in response to detecting the action, (2) securely logs the action by incrementing the secure counter. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors and a memory may be configured to perform the techniques. The one or more processors may be configured to establish a session by which a mobile device is to access a service of a mobile access network, and in response to receiving an incomplete indication to activate usage monitoring with respect to the service provided via the session, configuring the usage monitoring without activating the usage monitoring. The memory may be configured to store the usage monitoring configuration.

Abstract: In some embodiments, an equipment unit has a set of visual indicators, a power switch, and a set of compute components. The power switch receives a signal representing a status such that when the status is in a first mode, the power switch provides power to the set of visual indicators and when the status is in a second mode the power switch does not provide power to the set of visual indicators. The compute components are configured to receive power when the power switch does not provide power to the set of visual indicators.

Abstract: A computer-implemented method for managing access to services provided by wireline service providers may include (1) receiving at least one request from a subscriber device to authorize access to at least one service, (2) authenticating the subscriber device with an access gateway of a wireline service provider based at least in part on the request, (3) generating a unique session identifier that uniquely identifies the subscriber device during a service-access session, (4) delivering the unique session identifier to a management server of the wireline service provider to enable the management server to authenticate the subscriber device with at least one network device that provides the service based at least in part on the unique session identifier, and then (5) facilitating access by the subscriber device to the service provided by the network device during the service-access session. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: In some embodiments, a system includes a set of network control entities associated with a distributed multi-stage switch. Each network control entity from the set of network control entities is configured to manage at least one edge device having a set of ports and coupled to the distributed multi-stage switch. Each network control entity from the set of network control entities is associated with a unique set of identifiers. A network control entity from the set of network control entities is configured to assign a unique identifier from its unique set of identifiers to a port from the set of ports of the at least one edge device in response to the network control entity receiving a login request associated with the port.

Abstract: In some embodiments, an apparatus includes a first network control entity within a control plane of a switch fabric system. The first network control entity is configured to receive a first test signal including a test instruction to be implemented within the switch fabric system. The first network control entity is configured to send a second test signal including the test instruction to a second network control entity such that the second network control entity implements the test instruction for a predetermined amount of time.

Abstract: In some embodiments, an apparatus includes a first edge device that is operatively coupled to a second edge device via a switch fabric. The first edge device and the second edge device collectively define an edge device network operating with a network-address-based protocol. The first edge device communicates with the second edge device via a multiprotocol label switching (MPLS) tunnel through the switch fabric. Furthermore, the first edge device is operatively coupled to the switch fabric such that a node of the switch fabric can be modified without coordination of the edge device network. Additionally, the first edge device is operatively coupled to the second edge device to define the edge device network such that an edge device of the edge device network can be modified without coordination of the switch fabric.

Abstract: An apparatus includes a destination edge device configured to receive a first validation packet according to a switch fabric validation protocol. The destination edge device is configured to validate multiple data paths through a distributed switch fabric from a source edge device to the destination edge device based on the first validation packet. The destination edge device is configured to send, in response to receiving the first validation packet, a second validation packet to a peripheral processing device. The destination edge device is also configured to send the second validation packet according to a validation protocol different from the first validation protocol.

Abstract: In some embodiments, an apparatus includes a scheduler disposed at a control device of a switch fabric system. The scheduler is configured to receive a control plane request associated with the switch fabric system having a data plane and a control plane separate from the data plane. The scheduler is configured to designate a control plane entity based on the control plane request and state information of each control plane entity from a set of control plane entities associated with the control plane and instantiated as a virtual machine. The scheduler is configured to send a signal to a compute device of the switch fabric system in response to the control plane request such that the control plane entity is instantiated as a virtual machine at the compute device.

Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.

Abstract: A computer-implemented method for load balancing multicast traffic may include (1) identifying a plurality of switches that include at least a first switch that is connected to a second switch by a first path and a second path, (2) calculating a plurality of multicast distribution trees for distributing multicast traffic among the plurality of switches that includes (i) a first tree that includes the first path and whose root is different than the root of a second tree and (ii) the second tree that includes the second path, (3) receiving a plurality of multicast packets ingress to the plurality of switches at the first switch, and (4) using at least two of the plurality of multicast distribution trees to transmit the plurality of multicast packets from the first switch to the second switch. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In general, techniques are described to enable selective viewing of data output in response to a command. The techniques provide generic mechanisms to filter output solicited by commands supported by current and future implementations of an interface. An example device receives from a client device an input comprising an operational command a selection request that specifies a field identifier. A schema enumeration module of the device assigns a unique element number to each element of a class of elements defined by a schema, forming an enumerated schema. An interface of the device receives data conforming to a data description language, and a filtering module filters the textual output by mapping the field identifier specified in the selection request to a unique element number of the enumerated schema. A rendering module renders the filtered data into filtered textual output. The device transmits the filtered textual output to the client device.

Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.

Abstract: A first device may receive a first password from a second device. The first password may be generated based on first time information and first location information identifying a geographic location of the second device. The first device may, determine a second password based on second time information and second location information identifying the geographic location of the second device. The first device may determine that the second device is located at the geographic location at a particular time when characters in the first password match characters in the second password, and may provide a service based on determining that the second device is located at the geographic location at the particular time.

Abstract: In one example, a network device includes one or more network interfaces configured to receive a message according to a protocol for reserving a public Internet protocol (IP) address and port for a network connection and to receive one or more packets of a packet flow associated with the public IP address and the port for the network connection, and one or more processors comprising a primary service device, wherein the processors are configured to determine whether the message includes an indication that the network connection is to be checkpointed for high availability, and wherein the primary service device is configured to, based on the indication, checkpoint data of at least one of the received packets to a backup service device. Accordingly, a message of a protocol for reserving a public network address and port may be used to indicate whether a network connection should be checkpointed for high availability.

Abstract: The disclosed apparatus may include a physical link that facilitates communication for a plurality of customer networks connected to a service provider network. The apparatus may also include a network device communicatively coupled to the physical link. The network device may identify first and second route-update messages that advertise a plurality of route targets representing the plurality of customer networks to at least one other network device within the service provider network. The network device may remove a route target from the first route-update message due at least in part to the physical link no longer facilitating communication for a customer network represented by the route target. The network device may then maintain the second route-update message intact despite the removal of the route target from the first route-update message. Various other apparatuses, systems, and methods are also disclosed.

Abstract: This application describes techniques for replicating data at a primary routing engine of a network device before processing the data at a transport layer of the primary routing engine, wherein the data is to be sent to a routing peer via a routing communication session, and sending the replicated data to a secondary routing engine of the network device to be processed at a transport layer of the secondary routing engine. The secondary routing engine, in response to detecting that a socket buffer for buffering the replicated data has reached a predefined high occupancy threshold, outputs a notification to the primary routing engine. In response to receiving the notification, an application-layer routing process of the primary routing engine refrains from sending at least some of a plurality of routing updates to the routing peer, and continues to send keepalive messages for the routing communication session to the routing peer.