Abstract: In some embodiments, a switch module is configured to receive from a first edge device a multicast data unit having a VLAN identifier. The switch module is configured to select a set of port modules based on the VLAN identifier. The switch module is configured to define an unmodified instance of the multicast data unit for each port module from the set of port modules. The switch module is configured to send the unmodified instance of the multicast data unit to each port module from the set of port modules, such that each port module applies a filter to the received instance of the multicast data unit to restrict that received instance of the multicast data unit from being sent to a second edge device via that port module if the second edge device is associated with a VLAN domain different than a VLAN domain of the first edge device.

Abstract: A virtual device includes multiple devices connected to operate as a single device. A first one of the devices is configured to determine that the first device connects to a second one of the devices via a first link; identify a second link; determine that the second link connects the first device to the second device; and automatically aggregate the first link and the second link to form a link aggregation with the second device based on determining that the first device connects to the second device via both the first and second links. The first device is further configured to transmit packets to the second device via the first and second links of the link aggregation.

Abstract: A computing device is configured to receive information for setting up a simulation of a device. The computing device is further configured to request one or more modules corresponding to one or more features associated with the simulation. The computing device is further configured to receive the one or more modules. The computing device is further configured to perform the simulation using the one or more modules and the different modules. The computing device is further configured to determine that the simulation requires debugging based on a result of the simulation. The computing device is configured to further debug the simulation based on determining that the simulation requires debugging, and provide the result of the simulation including information associated with the debugging of the simulation.

Abstract: An example method includes selecting, by a network device, a remote LFA next hop as an alternate next hop for forwarding network traffic from the network device to a destination, wherein the selected remote LFA next hop provides node protection to a primary next hop node on the shortest path from the network device to the destination. The method includes, for each candidate remote LFA next hop, performing a forward shortest path first (SPF) computation having the respective candidate remote LFA next hop as a root to compute a path segment between the respective candidate remote LFA next hop and the destination, wherein each of the candidate remote LFA next hops is the egress of a respective potential repair tunnel between the network device and candidate remote LFA next hop, and selecting the remote LFA next hop based at least in part on the computed path segments.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.

Abstract: Access switches in a switching system may use virtual aggregated links. When a link between an aggregation switch and an access switch fails, the link failure may be reflected in the virtual aggregated link and data traffic to another access switch may be switched away from the failed switch. A forwarding table in the access switch stores a number of entries that each define a correspondence between destination addresses and an output identifier for the switch. At least a first output identifier includes an aggregated link that represents a first set of possible output links. At least a second output identifier includes a virtual aggregated link, associated with a second network switch that represents a second set of possible output links. Destination addresses in the forwarding table for the virtual aggregated link correspond to network devices connected to the second network switch.

Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.

Abstract: In general, techniques are described for ensuring the distribution of Virtual Private Network (VPN) routes in a service provider network configured with multiple VPN services. In some examples, a network device receives configuration data that defines a VPN service associated with a route target. The network device, responsive to receiving the configuration data, sends a request for routes that match a type of the VPN service to a routing protocol speaker. The network device receives routes that match the type of the VPN service and are associated with the route target, installs the routes that match the type of the VPN service and are associated with the route target to the routing information base. The network device forwards traffic for the VPN service in accordance with the installed routes.

Abstract: An apparatus includes an access switch having a set of ports and configured to be operatively coupled to a multicast router via a first port from the set of ports. The access switch is configured to be associated with a network associated with the multicast router, and designate the first port as a multicast-router interface during a time period. The access switch is configured to send a message to the multicast router via each port from the set of ports in response to an indication of a change in a topology of the network after the time period. The access switch is configured to designate a second port from the set of ports as the multicast-router interface and dedesignate the first port as the multicast-router interface in response to receiving, via the second port and in response to the message, a signal from the multicast router.

Abstract: A system may obtain a current bit error count that identifies a quantity of bit errors in a bit stream during a time interval. The system may determine that the current bit error count identifies one or more bit errors. The system may determine whether an estimated bit error rate (BER) for the bit stream is likely to satisfy a threshold. The system may select an approach for determining the estimated BER for the bit stream. The estimated BER may be determined based on combining the current bit error count with a quantity of bits received in the time interval when the estimated BER is likely to exceed the threshold, and the estimated BER may be determined based on the current bit error count and one or more past bit error counts when the estimated BER is unlikely to exceed the threshold. The system may determine the estimated BER.

Abstract: A security device may receive, from a server device, a response to a request. The request may be provided by an attacker device and may include a plurality of input values. The security device may determine the plurality of input values, included in the request, based on receiving the response. The security device may modify the response to form a modified response. The response may be modified to include information associated with the plurality of input values. The response may be modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the plurality of input values being included in the response. The security device may provide the modified response to the attacker device.

Abstract: A high-performance, scalable and drop-free data center switch fabric and infrastructure is described. The data center switch fabric may leverage low cost, off-the-shelf packet-based switching components (e.g., IP over Ethernet (IPoE)) and overlay forwarding technologies rather than proprietary switch fabric. In one example, host network accelerators (HNAs) are positioned between servers (e.g., virtual machines or dedicated servers) of the data center and an IPoE core network that provides point-to-point connectivity between the servers. The HNAs are hardware devices that embed virtual routers on one or more integrated circuits, where the virtual router are configured to extend the one or more virtual networks to the virtual machines and to seamlessly transport packets over the switch fabric using an overlay network. In other words, the HNAs provide hardware-based, seamless access interfaces to overlay technologies used for communicating packet flows through the core switching network of the data center.

Abstract: Techniques are described for determining whether power from a first power source is unavailable to a power supply module. In response to determining that power from the first power source is unavailable, the techniques de-couple the first power source from one or more components of an electronic device connected to an output of the power supply module with one or more de-coupling components of the power supply module that connect an automatic transfer switch (ATS) of the power supply module to an output of the power supply module. Subsequent to de-coupling the first power source from the one or more components of the electronic device, the techniques de-couple a power supply module from the first power source. The techniques couple the power supply module to a second power source for delivering power to the one or more components of the electronic device.

Abstract: A device includes a memory, flow table logic, sampling logic, and a processing unit. The memory is configured to store a flow table that stores, as a number of entries, statistics regarding a number of data flows. The flow table logic is configured to generate records corresponding to data flows for which entries are created in the flow table or removed from the flow table. The sampling logic is configured to select one of the data flows for sampling and sample initial data units for the one of the data flows. The processing unit is configured to receive the records generated by the flow table logic, receive the initial data units sampled by the sampling logic, analyze the initial data units to generate analysis results, correlate the records and the analysis results associated with a same one of the data flows, and store the correlated records and analysis results.

Abstract: In one example, a network device determines a set of candidate loop-free alternate (LFA) next hops for forwarding network traffic from the network device to a multi-homed network by taking into account a first cost associated with a second path from a first border router to the multi-homed network and a second cost associated with a second border router to the multi-homed network, wherein the multi-homed network is external to an interior routing domain in which the network device is located. The network device selects an LFA next hop from the set of candidate LFA next hops, to be stored as an alternate next hop for forwarding network traffic to the multi-homed network, and updates forwarding information stored by the network device to install the selected LFA next hop as the alternate next hop for forwarding network traffic from the network device to the multi-horned network.

Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this was, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.

Abstract: Techniques are described for managing network services deployed in a network using a rules engine with on-demand dependency insertion. A network service manager may use a rules engine to monitor a network service at network devices in order to detect a device-level event, and determine a service-level impact of the detected event based on network service rules and dependencies. The dependencies define links between the device-level event and actions triggered by the device-level event. According to the techniques, a rules engine is configured to detect a device-level event and, in response, insert only those dependencies associated with the detected device-level event into a working memory. Once the device-level event has been cleared, the dependencies related to the device-level event are removed from the working memory. The working memory, therefore, will include only the dependencies needed to determine service-level impacts of currently detected device-level events.

Abstract: A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device.

Abstract: In one example, a method includes receiving, by a service node, a request from an access node to establish a pseudowire to be used for sending subscriber traffic to the service node for application of services to the subscriber traffic at the service node, and, in response to receiving the request, sending a request message from the service node to a central server requesting both subscriber authentication and assignment of a forwarding component of the service node to which to anchor the pseudowire. The method also includes receiving, by the service node and from the central server, an authentication message in response to the request message, wherein the authentication message confirms subscriber authentication and indicates a forwarding component of the service node to which the service node should anchor the pseudowire.

Abstract: In general, techniques are described for dynamically controlling host-bound traffic by dynamically adding and updating, within the forwarding plane of a network device, network packet policers that each constrains, for one or more packet flows, an amount of host-bound traffic of the packet flows permitted to reach the control plane in accordance with available resources. In one example, a control plane of the network device detects internal congestion in the communication path from the forwarding plane to control plane (the “host-bound path”), identifies packet flows utilizing an excessive amount of host-bound path resources, computes limits for the identified packet flows, and adds “penalty-box policers” configured with the computed limits for the identified packet flows to the forwarding plane. The forwarding plane subsequently applies the policers to the identified packet flows to constrain the amount of traffic of the packet flows allowed to reach the control plane to the computed limits.