Abstract: Techniques are described for implementing one or more logical routers within a single physical routing device. These logical routers, as referred to herein, are logically isolated in the sense that they achieve operational and organizational isolation within the routing device without requiring the use of additional or redundant hardware, e.g., additional hardware-based routing controllers. The routing device may, for example, include a computing platform, and a plurality of software process executing within the computing platform, wherein the software processes operate as logical routers. The routing device may include a forwarding component shared by the logical routers to forward network packets received from a network in accordance with the forwarding tables.

Abstract: In general, techniques are described for steering data traffic for a subscriber session from a network interface of a wireless access gateway to an anchoring one of a plurality of forwarding units of the wireless access gateway using a layer 2 (L2) address of the data traffic. For example, a wireless access gateway for a wireless local area network (WLAN) access network is described as having a decentralized data plane that includes multiple forwarding units for implementing subscriber sessions. Each forwarding unit may present a network interface for sending and receiving network packets and includes packet processing capabilities to enable subscriber data packet processing to perform the functionality of the wireless access gateway. The techniques enable steering data traffic for a given subscriber session to a particular one of the forwarding units of the wireless access gateway using an L2 address of the data traffic.

Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.

Abstract: An apparatus includes a switch that has a module implemented in at least one of a processor or a memory, and multiple ports including a first port and a second port in a predefined sequence relative to the first port. The module is configured to automatically associate a first compute device with a first virtual local area network (VLAN) when the first compute device is coupled to the first port with a first cable. The module is configured to automatically associate a second compute device to the first VLAN when the second compute device is coupled to the second port with a second cable based on the second port being in a predefined sequence relative to the first port. The predefined sequence can include, for example, the second port being next in physical sequence after the first port.

Abstract: A switching device in a network system for transferring data includes one or more source line cards, one or more destination line cards and a switching fabric coupled to the source line cards and the destination line cards to enable data communication between any source line card and destination line card. Each source line card includes a request generator to generate a request signal to be transmitted in order to obtain an authorization to transmit data. Each destination line card includes a grant generator to generate and send back a grant signal to the source line card in response to the request signal received at the destination line card to authorize the source line card to transmit a data cell to the destination line card.

Abstract: In some embodiments, an apparatus includes a first core device configured to be disposed within a network. The network has a set of access nodes and a second core device. The first core device is configured to receive a signal designating the first core device as a master device for a virtual group identifier such that the second core device is designated as a back-up device for that virtual group identifier.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: In general, techniques are described for facilitating fine-grained charging control for multi-service subscriber sessions by configuring charging control actions for application to services at the rating group level. For example, a mobile network gateway includes configuration information that defines a plurality of rating groups for a subscriber session, wherein each of the plurality of rating groups is associated with at least one service, and wherein the configuration information defines an actionable event and a corresponding charging control action for a rating group of the plurality of rating groups. A subscriber management module establishes a bearer of the mobile network for the subscriber session and associates the plurality of rating groups with the bearer. A charging client determines the occurrence of the actionable event defined by the configuration information for the rating group and applies the corresponding charging control action for the actionable event to the rating group.

Abstract: A device determines a first received power via a first input feed of a circuit board, and determines a second received power via a second input feed of the circuit board. The device further determines whether the first input feed and the second input feed are receiving power based on the first received power and the second received power. The device opens a switch, of the circuit board, when the first input feed and the second input feed are receiving power.

Abstract: A network device may receive a request from a local device to establish a connection with a another device. The request may include an internal network identifier of the local device. The network device may evaluate a plurality of external network identifiers, associated with the network device based on selected criteria. The network device may also, or alternatively, evaluate the external network identifiers by identifying an external network identifier that is already mapped to, or paired with, the internal network identifier. The network device may select an external network identifier, of the plurality of external network identifiers, based on the evaluation and establish the connection requested by the local device using the internal network identifier and the external network identifier.

Abstract: A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may include a quantity of rules approximately equal to a result of a logarithm to base 2 of N. The device may compare the rule and the other rules, and may detect a rule anomaly based on comparing the rule to the other rules. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.

Abstract: A device may receive a control packet associated with a connection. The control packet may include a network address. The device may identify an application layer identifier that is associated with the network address. The device may identify a service rule associated with the application layer identifier. The service rule may identify a service to be applied to a data packet associated with the connection. The device may provide the control packet based on identifying the service rule. The control packet may be provided to permit the service to be applied to the data packet in accordance with the service rule.

Abstract: A network device may receive network traffic from a first device. The network device may identify, based on the network traffic and a service level agreement, stored by the network device, that a service is to be applied to the network traffic. The network device may send the network traffic to a second device, the second device using a service plane to apply the service to the network traffic. The network device may receive the network traffic from the second device, the network traffic having the service applied by the second device; and send the network traffic, having the service applied by the second device, to a third device.

Abstract: A method, computer readable medium, and system for automatically determining resource dependency includes automatically identifying with an application processing device one or more dependencies between two or more modules in an application. The application processing device determines one or more ordered lists of executing the modules based on the identified one or more dependencies. The application processing device provides the determined one or more ordered lists of executing the modules in the application.

Abstract: A first network device may determine a first auto-negotiation capability associated with the first network device. The first auto-negotiation capability may indicate whether the first network device is configured to establish a communication link with a second network device using auto-negotiation of transmission capabilities. The first network device may determine a second auto-negotiation capability associated with the second network device. The second auto-negotiation capability may indicate whether the second network device is configured to establish the communication link with the first network device using auto-negotiation of the transmission capabilities. The first network device may determine that an auto-negotiation process failed to establish the communication link between the first network device and the second network device.

Abstract: A device may receive an instruction to automatically install a program using a click area prediction model. The click area prediction model may be associated with predicting a click area of a user interface that, when selected, causes a program installation procedure to proceed. The device may identify an installation user interface associated with installing the program. The device may determine a group of regions included in the installation user interface. The device may identify sets of features associated with the group of regions. The device may determine, based on the sets of features and the click area prediction model, a group of scores associated with the group of regions. The device may identify a particular region as a predicted click area based on the group of scores. The device may select the predicted click area to attempt to cause the program installation procedure to proceed.

Abstract: A device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information.

Abstract: A high-performance, scalable and drop-free data center switch fabric and infrastructure is described. The data center switch fabric may leverage low cost, off-the-shelf packet-based switching components (e.g., IP over Ethernet (IPoE)) and overlay forwarding technologies rather than proprietary switch fabric. In one example, host network accelerators (HNAs) are positioned between servers (e.g., virtual machines or dedicated servers) of the data center and an IPoE core network that provides point-to-point connectivity between the servers. The HNAs are hardware devices that embed virtual routers on one or more integrated circuits, where the virtual router are configured to extend the one or more virtual networks to the virtual machines and to seamlessly transport packets over the switch fabric using an overlay network. In other words, the HNAs provide hardware-based, seamless access interfaces to overlay technologies used for communicating packet flows through the core switching network of the data center.

Abstract: A method and apparatus for in-line processing a data packet while routing the packet through a router in a system transmitting data packets between a source and a destination over a network including the router. The method includes receiving the data packet and pre-processing layer header data for the data packet as the data packet is received and prior to transferring any portion of the data packet to packet memory. The data packet is thereafter stored in the packet memory. A routing through the router is determined including a next hop index describing the next connection in the network. The data packet is retrieved from the packet memory and a new layer header for the data packet is constructed from the next hop index while the data packet is being retrieved from memory. The new layer header is coupled to the data packet prior to transfer from the router.

Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.