Abstract: A rack system may include a first plurality of line cards, where a particular one of the first plurality of line cards receives or sends packets via ports; a plurality of fabric cards, where a particular one of the plurality of fabric cards includes a switching fabric; a second plurality of line cards, where a particular one of the second plurality of line cards receives or sends packets via ports; a first backplane that connects the first plurality of line cards to the plurality of fabric cards; and a second backplane that connects the second plurality of line cards to the plurality of fabric cards.

Abstract: A system is configured to determine a first power level of a first signal output from a first modulator, and determine a second power level of a second signal output from a second modulator. The first signal may include a first optical signal associated with a particular polarization orientation, and the second signal may include a second optical signal associated with the particular polarization orientation. The system is configured to determine a relationship between the first power level and the second power level, and to set, based on the relationship between the first power level and the second power level, a reverse bias voltage associated with the first modulator, where the reverse bias voltage may be used to control the first power level of the first signal.

Abstract: A security device may receive a request from an attacker device and intended for a server device. The security device may identify the request as being associated with a malicious activity. The malicious activity may include one or more undesirable tasks directed to the server device. The security device may generate an unsolvable challenge-response test based on identifying the request as being associated with the malicious activity. The unsolvable challenge-response test may be generated using at least one construction technique and may be configured in an attempt to block the attacker device without making the attacker device aware that the attacker device is being blocked. The security device may provide the unsolvable challenge-response test to the attacker device, and may receive a solution associated with the unsolvable challenge-response test. The security device may notify the attacker device that the solution is incorrect regardless of whether the solution is actually correct.

Abstract: A computer-implemented method for load balancing multicast traffic may include (1) identifying a plurality of switches that include at least a first switch that is connected to a second switch by a first path and a second path, (2) calculating a plurality of multicast distribution trees for distributing multicast traffic among the plurality of switches that includes (i) a first tree that includes the first path and whose root is different than the root of a second tree and (ii) the second tree that includes the second path, (3) receiving a plurality of multicast packets ingress to the plurality of switches at the first switch, and (4) using at least two of the plurality of multicast distribution trees to transmit the plurality of multicast packets from the first switch to the second switch. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In general, techniques are described to dynamically refresh a timer for a communication session provided by a bidirectional forwarding detection (BFD) protocol. The techniques potentially mitigate network load by reducing the number of BFD packets required to maintain a BFD communication session. An example network device includes a memory, programmable processor(s), a network interface, and a control unit configured to establish a BFD communication session between the network device and a peer network device that is communicatively coupled to the network device via the network interface, determine whether a packet associated with a communication session other than the BFD communication session is a relevant packet to the BFD communication session, and in response to determining that the packet is the relevant packet, refresh a timer that executes on the network device and is associated with the BFD communication session.

Abstract: A first device may receive a content request from a second device. The content request may include a dynamic network address and a request for a content file. The first device may determine that the dynamic network address is not included in a first index; determine one or more response values associated with the content file; determine that the one or more response values are included in a second index when the one or more response values match one or more response values included in the second index; generate an association between the dynamic network address and the second index to map the dynamic network address to the second index and to the content file based on determining that the one or more response values are included in the second index; and provide the content file to the second device.

Abstract: A first server may receive, from a client device, an indication of a request for a content file via a network address; identify that the network address is a dynamic network address; establish a communication session with a second; receive a portion of the content file from the second server; determine an index parameter based on receiving the portion of the content file; determine whether the content file is being stored by the first server based on a cache index and based on the index parameter or based on information associated with the request for the content file; receive a remaining portion of the content file based on determining that the content file is not being stored by the first server; and provide the content file to the client device.

Abstract: A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.

Abstract: A computer-implemented method for increasing the scalability of software-defined networks may include (1) maintaining a set of databases collectively configured to (i) store a set of flow entries that direct network traffic within a software-defined network and (ii) facilitate searching the set of flow entries based at least in part on at least one key whose size remains substantially constant irrespective of the number of flow entries within the set of flow entries, (2) detecting a request to perform an operation in connection with a flow of data packets within the software-defined network, (3) identifying at least one attribute of the flow of data packets in the request, and then (4) searching, using the attribute of the flow of data packets as a database key, at least one database within the set of databases to facilitate performing the operation. Various other methods, systems, and apparatuses are also disclosed.

Abstract: An apparatus and method are described for compensating for frequency and phase variations of electronic components by processing packet delay values. In one embodiment, a packet delay determination module determines packet delay values based on time values associated with a first and a second electronic component. A packet delay selection module selects a subset of the packet delay values based on the maximum frequency drift of the first electronic component. A statistical parameter determination module evaluates a first and a second parameter based on portions of the subset of packet delay values. A validation module validates the parameters when each portion the subset of packet delay values includes a minimum of at least two packet delay values. An adjustment module compensates for at least one of a frequency variation and a phase variation of the first electronic component based on the parameters if the parameters are both validated.

Abstract: In general, techniques are described for performing a mass withdrawal of media access control (MAC) addresses using a reduced number of route withdrawal messages within a singly-homed segment of an Ethernet Virtual Private Network (EVPN). The techniques may include determining a segment identifier of the segment and sending a route advertisement to advertise a route for the segment identifier to a provider edge network device. The techniques may include sending a route advertisement to advertise one or more media access control (MAC) routes for the layer two segment. The techniques may also include, responsive to determining a link failure between a first provider edge network device and a customer edge network device, sending a withdrawal message to the second provider edge network device for the route associated with the segment identifier to withdraw all of the plurality of MAC routes at the second provider edge network device.

Abstract: An intrusion detection system inspects encapsulated packet flows and, upon detecting a malicious encapsulated packet flow, may close an encapsulated network session corresponding to the malicious flow or drop sub-packets of the malicious flow without acting against non-malicious sub-packets and/or sessions.

Abstract: In general, techniques are described for performing packet loss measurement in a distributed data plane. In one example, a local router includes a plurality of forwarding units that implement a distributed data plane. First and second forwarding units may switch layer two (L2) packet data units (PDUs) between the local router and a remote router using a virtual path. The first and second forwarding may unit may increment, in response to processing any PDU of the PDUs for the virtual path, respective counters stored by the first and second forwarding units. The first and second forwarding units may update, based on the respective counters, a loss-measurement packet (LMP). For instance, the first forwarding unit, upon updating the LMP, may internally forward the LMP to the second forwarding unit. The second forwarding unit, upon updating the LMP, may send the LMP to the remote router.

Abstract: A system includes a storage device to store information associated with virtual nodes that correspond to network nodes. The system also includes a server to install a virtual node that corresponds to one of the network nodes, based on the information associated with the virtual node, where installing the virtual node includes creating a logical interface via which traffic is to be sent to, or received from, other virtual nodes; start the virtual node to create an operating virtual node based on a copy of an operating system that is run on the network node, where starting the virtual node causes the operational virtual node to execute the copy of the operating system; and cause the operating virtual node to communicate with a virtual network that includes the virtual nodes, where causing the operating virtual node to communicate with the virtual network enables the operating virtual node to receive or forward traffic associated with the virtual network.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: In general, techniques are described for configuring a provider edge (PE) network device of an Ethernet virtual private network (EVPN) to use a common traffic engineering label (e.g., MPLS label) for different EVPN route types associated with the same EVPN. In some examples, the techniques include sending a first layer three (L3) control plane message that indicates a label-switched network protocol label that corresponds to a first EVPN route type, wherein the first L3 control plane message indicates that a first PE network device is reachable in the L2 segment. The techniques may include performing L2 address learning to determine at least one L2 address associated with the layer two segment of the EVPN. The techniques may include sending a second L3 control plane message that indicates the same label included in the first L3 control plane message corresponds to a second EVPN route type.

Abstract: In some embodiments, an apparatus includes a first Fiber Channel (FC) switch configured to be operatively coupled to an FC network device and a second FC switch. The first FC switch is configured to receive, from the FC network device, a first control packet. The first FC switch is further configured to send to the second FC switch, based on the first control packet, a second control packet defined based on a decentralized control plane protocol. The second control packet includes information associated with an FC route that is associated with the FC network device such that the second FC switch can route FC data packets to the FC network device using an FC data plane protocol.

Abstract: The disclosure describes techniques to pre-compute the effect of modifying components in a data center switch prior to actually modifying the components. A data center analyzer is configured to discover the topology of the switch and present an editable version of the topology to a data center administrator. The data center analyzer receives proposed modifications to the current topology, including removed, replaced or updated components, and applies a non-distributed copy of the traffic distribution algorithm to the modified topology to compute an expected traffic distribution and traffic metrics. The administrator may then determine whether to modify the components based on the expected traffic distribution and associated traffic metrics. When the administrator allows modification of the components, the data center analyzer may compute and install alternative routing paths for components in the data center switch to minimize data loss due to the modified components.

Abstract: A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action.

Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.