Abstract: A router receives a packet at an ingress interface. The router classifies the received packet based on at least a first field value contained in the header of the packet. According to the classification of the received packet, the router associates one of the plurality of forwarding tables to the packet. The router then performs a lookup operation in the associated forwarding table according to at least a second field value contained in the header of the packet. Based on the lookup operation, the router determines an egress interface and transmits the received packet from the determined egress interface.

Abstract: This disclosure describes a global attacker database that utilizes device fingerprinting to uniquely identify devices. For example, a device includes one or more processors and network interface cards to receive network traffic directed to one or more computing devices protected by the device, send, to the remote device, a request for data points of the remote device, wherein the data points include characteristics associated with the remote device, and receive at least a portion of the requested data points. The device also includes a fingerprint module to compare the received portion of the data points to sets of data points associated with known attacker devices, and determine, based on the comparison, whether a first set of data points of a first known attacker device satisfies a similarity threshold. The device also includes an security module to selectively manage, based on the determination, additional network traffic directed to the computing devices.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.

Abstract: In one embodiment, an apparatus includes a network management module configured to execute at a network device operatively coupled to a switch fabric. The network management module is configured to receive a first set of configuration information associated with a subset of network resources from a set of network resources, the set of network resources being included in a virtual local area network from a plurality of virtual local area networks, the plurality of virtual local area networks being defined within the switch fabric. The first set of configuration information dynamically includes at least a second set of configuration information associated with the set of network resources.

Abstract: A device is configured to receive first data of a media file. The first data is in a first type of format. The device is further configured to extract media data and metadata from the first data, to store the media data in a first cache, and to store the metadata in a second cache. The device is also configured to determine a second type of format that is supported by a client device. The second type of format is different from the first type of format. The device is configured to retrieve the media data from the first cache, to retrieve the metadata from the second cache, to construct second data that is in the second type of format based on the media data and the metadata, and to provide the second data to the client device.

Abstract: A system selectively drops data from queues. The system includes a drop table that stores drop probabilities. The system selects one of the queues to examine and generates an index into the drop table to identify one of the drop probabilities for the examined queue. The system then determines whether to drop data from the examined queue based on the identified drop probability.

Abstract: In one example, a network device determines a set of candidate loop-free alternate (LFA) next hops for forwarding network traffic from the network device to a multi-homed network by taking into account a first cost associated with a second path from a first border router to the multi-homed network and a second cost associated with a second border router to the multi-homed network, wherein the multi-homed network is external to an interior routing domain in which the network device is located. The network device selects an LFA next hop from the set of candidate LFA next hops, to be stored as an alternate next hop for forwarding network traffic to the multi-homed network, and updates forwarding information stored by the network device to install the selected LFA next hop as the alternate next hop for forwarding network traffic from the network device to the multi-horned network.

Abstract: A security device may receive an object destined for a user device. The object may be of an object type that does not describe a web page. The security device may determine that the user device is to be warned regarding the object. The security device may determine a warning object based on determining that the user device is to be warned. The warning object may include information associated with a reason for determining that the user device is to be warned regarding the object, and may include information that allows the user device to receive the object. The security device may provide the warning object. The security device may receive, after providing the warning object, an indication associated with the user device obtaining the object. The security device may allow the user device to obtain the object based on receiving the indication.

Abstract: A provider edge device, associated with a virtual private local area network service (VPLS) system, includes a memory to store instructions to implement a pseudowire mechanism to receive a first data frame from a source customer edge (CE) device associated with the VPLS system, incorporate the first data frame into a first VPLS packet, determine whether the source CE device is a single-homed CE device or a multi-homed CE device, and incorporate, into the first VPLS packet, a first pseudowire label, if the source CE device is a single-homed CE device, and incorporate, into the first VPLS packet, a second pseudowire label, different from the first pseudowire label, if the source CE device is a multi-homed CE device; and a processor to execute the instructions.

Abstract: A system receives discovery rule inputs that include addresses, verifies one or more device identifiers for one or more addresses, obtains device information from each verified device associated with the one or more verified device identifiers, determines whether each verified device is a discovered device based on the device information, and automatically adds each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discovered. The system further creates device configuration information, creates an identifier and password, provides device configuration information, the identifier, and the password, to each of the discovered devices based on the NETCONF or the Device Management Interface standards, waits for a connection from the discovered devices, imports device configuration information from the discovered devices when the connection has been established, and indicates that the discovered devices are managed devices.

Abstract: A device stores forwarding information associated with fragments of a first data unit, stores information common to the fragments of the first data unit, receives fragments of a second data unit, and forwards the fragments of the second data unit based on the forwarding information of the first data unit and the information common to the first data unit.

Abstract: A processor may include a conditional arithmetic logic unit and a main arithmetic logic unit. The conditional arithmetic logic unit may perform a first arithmetic logic operation to generate a first result, and output the result. The main arithmetic logic unit may select input buses among a plurality of data buses that carry the first result from the conditional arithmetic logic unit, perform a second arithmetic logic operation on data provided by the selected input buses to generate a second result, and write the second result in a storage component.

Abstract: A device receives traffic; identifies an address associated with the traffic; determines whether the address is associated with an aggregate interface, the aggregate interface being associated with a first port and a second port. The first port corresponds to a first node in a first state, that indicates that the first node is available to forward the traffic, and the second port corresponds to a second node in a second state, that indicates that that the second node is not available to forward the traffic. The device transmits the traffic to the first node via the first port and to the second node, via the second port, when the address is associated with the aggregate interface. Transmitting the traffic enables the second node to forward the traffic when the first node changes from the first state to the second state.

Abstract: Dynamic control channel establishment for an access network is described in which a centralized controller provides seamless end-to-end service from a core-facing edge of a network to access nodes. For example, a method includes receiving, by the centralized controller, a discover message originating from a network node, which includes an intermediate node list that specifies a plurality of network nodes the discover message traversed from the network node to an edge node, determining, based on the plurality of nodes specified by the discover message, a path from the edge node to the network node, allocating each of a plurality of Multi-protocol Label Switching (MPLS) labels to a respective outgoing interface of each of the plurality of network nodes, and outputting one or more control messages for configuring the network node, wherein the control messages are encapsulated within a label stack comprising the allocated plurality of labels.

Abstract: In one example, an intermediate network device sends packets that advertise a transmission control protocol (TCP) window size of zero bytes to a client device and a server device. The device, after sending the packets, receives a first zero-window probe packet from the client device including data representing a first current sequence number for a client-to-server packet flow of an established network session, and a second zero-window probe packet from the server device including data representing a second current sequence number for a server-to-client packet flow of the network session. The device also initializes a TCP state based on the first and second current sequence numbers, and acts as a TCP proxy for packets following the first zero-window probe packet of the client-to-server packet flow based on the TCP state and packets following the second zero-window probe packet of the server-to-client packet flow based on the TCP state.

Abstract: A configurable advertisement count and skew timer in a virtual router can be used to improve the speed with which a backup virtual router assumes the role of master upon the master router's failure. Enhanced VRRP packets having a type other than one may be used to cause MAC address movement from a failed master router to a backup router assuming the role of master router without placing an undue load on other routers in the network, such as by dropping the enhanced VRRP packets having a type other than one without processing the packets in the control plane of a receiving virtual router.

Abstract: In general, techniques are described for performing customer bandwidth profiling in computer networks. A network device intermediately positioned in a service provider network between a customer network and a centralized network device that provides a hierarchical arrangement of virtual local area networks (VLANs) located in the service provider network may perform the techniques. The network device determines a service profile based on authentication messages and associates the service profile with the hierarchical arrangement of VLANs used for delivering the traffic to and from the customer network and the service provider network. The service profile defines constraints on delivery of the traffic associated with the one or more services. The network device then applies the service profile to the traffic received via the associated hierarchical arrangement of VLANs to enforce the constraints on the delivery of the traffic received via the associated hierarchical arrangement of VLANs.

Abstract: A profiler may analyze processes being run by a processor. The profiler may include logic to periodically sample a value of an instruction pointer that indicates an instruction in the first process that is currently being executed by the processor and logic to update profile data based on the sampled value. The profiler may additionally include logic to determine, in response to a context switch that includes the operating system switching the active process from the first process to another of the plurality of processes, whether the first process executes for greater than a first length of time; logic to stop operation of the profiler when the first process executes for greater than the first length of time; and logic to clear the profile data when the first process fails to execute for greater than the first length of time.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: A system that processes single stream multicast data includes multiple queues, a dequeue engine, and/or a queue control engine. The queues temporarily store data. At least one of the queues stores single stream multicast data. A multicast count is associated with the single stream multicast data and corresponds to a number of destinations to which the single stream multicast data is to be sent. The dequeue engine dequeues data from the queues. If the data corresponds to the single stream multicast data, the dequeue engine examines the multicast count associated with the single stream multicast data and dequeues the single stream multicast data based on the multicast count. The queue control engine examines one of the queues to determine whether to drop data from the queue and marks the data based on a result of the determination.