Abstract: Changes to a virtual system, such as a set of virtual machines in a data center, may be automatically synchronized with the corresponding physical system. In one implementation, an application may receive information regarding changes made to a virtual system. The application may determine whether the information regarding the changes necessitates a change in the configuration of one or more physical switches, and may reconfigure affected ones of the physical switches for compatibility with the changes made to the virtual system.

Abstract: This disclosure describes techniques for supporting an and Multi-Protocol Label Switching (MPLS)-based Virutal Private Network (VPN) service that provides layer two (L2) connectivity between the customer edge device. In particular, the techniques support a Border Gateway (BGP) MPLS-based MAC VPNs (“MAC-VPN” or “MAC VPN”). The techniques provide a MAC VPN in which L2 MAC address learning occurs in the control plane via inter-device BGP signaling in the control plane rather than the data plane, in response to VPN traffic, as may be typical with other VPN technologies.

Abstract: Techniques are described for separating control plane functions in a network device using virtual machines. The techniques include initializing multiple virtual machine instances in a control unit of a standalone router, and running different control processes for the router in each of the virtual machines. For example, in a root system domain (RSD)-protected system domain (PSD) system, a control unit of the standalone router may support a RSD virtual machine (VM) and one or more PSD VMs configured to form logical devices and execute logically separate control processes without requiring physically separate, hardware-independent routing engines to form the PSDs. Each of the RSD VM and PSD VMs includes a separate kernel, an operating system, and control processes for the logical device. When a software failure occurs in the PSD VM, the PSD VM may perform a software failover without affecting the operation of the RSD VM.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive, at a network management module, a request for data plane information associated with a set of access switches of a distributed switch. The non-transitory processor-readable medium includes code to cause the processor to send, in response to the request, an instruction to each access switch from the set of access switches such that a proxy module at each access switch accesses data plane information at at least one line card at that access switch. The non-transitory processor-readable medium includes code to cause the processor to receive, from each access switch from the set of access switches, the data plane information associated with that access switch, and then send a signal to output, on a single interface, the data plane information associated with each access switch from the set of access switches.

Abstract: A re-workable heat dissipation assembly may include a non-removable adhesive layer. A first interposer layer may be adhered to a device via the non-removable adhesive layer. A removable adhesive layer may be adhered to the first interposer layer. A heat dissipation assembly may be adhered to the removable adhesive layer. Use of an interposer layer and a removable adhesive layer in combination with a non-removable adhesive layer, provides a high performance heat dissipation assembly while enabling re-working of the assembly following initial manufacture.

Abstract: In one example, a network device includes a virtual network agent, and a network interface to send network packets to the virtual network controller using a default route for a physical network prior to establishing a communication session between a virtual network controller and the virtual network agent, wherein, after establishing the communication session between the virtual network controller device and the virtual network agent, the virtual network agent receives from the virtual network controller a command to install a new route at the network device, wherein the new route specifies encapsulation information to use for encapsulating network packets for sending the network packets to the virtual network controller over an overlay network, and wherein, responsive to detecting a failed link in the physical network, the virtual network agent sends packets to the virtual network controller on an alternate route in the overlay network.

Abstract: In general, techniques are described for dynamically generating attributes from routing topology information and assigning dynamically generated attributes to network map entries to further characterize PIDs described therein. For example, a provider or other entity assigns, within a network device, endpoint types to one or more address prefixes for which the network device originates or forwards route advertisements. For each typed prefix, the network device adds an endpoint type identifier for the assigned endpoint type to route advertisements that traverse or originate with the network device and specify the prefix. An ALTO server peers with router advertisers to receive route advertisements. When the ALTO server receives a route advertisement that includes an endpoint type identifier, the ALTO server maps the endpoint type identifier to a PID attribute and assigns the PID attribute to a PID that includes a prefix identified in the route advertisement.

Abstract: In one example, network device includes a control unit having one or more hardware-based microprocessors and an interface. The interface can receive a first time synchronization message from a master device that comprises a first TTL value. The first TTL value can be indicative of a number of hops traversed by the first time synchronization message. The interface can subsequently receive a second time synchronization message from the master device that comprises a second TTL value that is is indicative of a number of hops traversed by the second time synchronization message. The network device can also include a timing module that determines a time adjustment based at least in part on the determination that the first and second TTL values are different, and applies the time adjustment to update the time of the network device.

Abstract: In some embodiments, a printed circuit board, configured to be coupled to electronic components, includes a first material portion and any number of second material portions. Each second material portion is sized and spaced apart from an adjacent second material portion such that electromagnetic waves associated with the operation of the electronic components are substantially not reflected. The first material portion defines a first dielectric constant and the second material portion defines a second dielectric constant that is different than the value of the first dielectric constant.

Abstract: In general, techniques are described for providing high availability as a service. The techniques may be performed by a device that includes an interface and a control unit. The interface is configured to receive network traffic originating from a subscriber device operated by a subscriber. The control unit is configured to determine whether to provide a high availability service with respect to at least a portion of the network traffic based on a subscriber profile associated with the subscriber. The control unit may further be configured to provide the high availability service for at least the portion of the network traffic based on the determination of whether to provide the high availability service. The control unit may further be configured to process at least the portion of the network traffic with the network device, and forward at least the portion of the network traffic.

Abstract: A method includes receiving configuration data for configuring network devices; generating remote procedure calls (RPCs) for configuring the network devices, which include provisioning and reverse provisioning RPCs, where each reverse provisioning RPC reverse provisions a particular pseudowire; providing to the network devices the provisioning RPCs; determining a success with respect to each of the provisioning RPCs, where the success indicates that all endpoints of a pseudowire have been successfully configured; providing the reverse provisioning RPCs to the network devices, when it is determined that the success has not been achieved; and storing an indication of success when it is determined that the success has been achieved with respect to the provisioning RPCs.

Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.

Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Abstract: In one example, a network device includes computer-readable storage media configured to store information defining a default dictionary associated with one or more default services provided by the network service, one or more interfaces configured to receive configuration data defining a customer dictionary associated with one or more additional services beyond the one or more default services and a to receive a request to access one of the additional services from a subscriber device, and a control unit configured to determine whether an authentication, authorization, and accounting (AAA) server grants access to the requested one of the additional services to the subscriber device, and to configure forwarding information of the network device to cause network traffic associated with the subscriber device to be forwarded to a service unit to perform the one of the additional services when the AAA server grants access to the subscriber device based on the determination.

Abstract: This disclosure describes the Fast Chromatic Dispersion Estimation (FCDE) techniques which corrects for chromatic dispersion in high data rate optical communications systems such as some coherent optical communications systems. FCDE may utilize transform such as fast-Fourier transforms to estimate the chromatic dispersion. From an estimation of the chromatic dispersion, the techniques may determine filter tap coefficients for compensating the chromatic dispersion.

Abstract: In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner.

Abstract: A scheduler in a network element may include a dequeuer to dequeue packets from a set of scheduling nodes using a deficit weighted round robin process, where the dequeuer is to determine whether a subset of the set of scheduling nodes is being backpressured. The dequeuer may set a root rich most negative credits (MNC) value, associated with a root node, to a root poor MNC value, associated with the root node, and set the root poor MNC value to zero, when the subset is not being backpressured, and may set the rich MNC value to a maximum of the root poor MNC value and a root backpressured rich MNC value, associated with the subset, and set the root poor MNC value to a root backpressured poor MNC value, associated with the subset, when the subset is being backpressured.

Abstract: Techniques are described for providing encryption and authentication for different types of routing protocol communications based on a variety of factors. A method comprises configuring, on a network router, a set of logical interfaces for communicating routing protocol messages with one or more peer routing devices, maintaining a set of security associations that define corresponding authentication information and encryption information for the routing protocol messages, and maintaining one or more descriptor sets that each specify a set of criteria, wherein, for at least one of the descriptor sets, the set of criteria specifies one of the logical interfaces of the network router. The method further comprises selecting one of the descriptor sets having criteria that match an individual flow, selecting one of the security associations based on the selected descriptor set, and applying the selected security association to secure the outbound flow of the routing protocol messages.

Abstract: In general, techniques are described to dynamically refresh a timer for a communication session provided by a bidirectional forwarding detection (BFD) protocol. The techniques potentially mitigate network load by reducing the number of BFD packets required to maintain a BFD communication session. An example network device includes a memory, programmable processor(s), a network interface, and a control unit configured to establish a BFD communication session between the network device and a peer network device that is communicatively coupled to the network device via the network interface, determine whether a packet associated with a communication session other than the BFD communication session is a relevant packet to the BFD communication session, and in response to determining that the packet is the relevant packet, refresh a timer that executes on the network device and is associated with the BFD communication session.