Patents Assigned to Juniper Networks, Inc.
  • Patent number: 8776209
    Abstract: A VPN gateway is described that provides single sign-on (SSO) functionality with respect to remote users who have established tunneling sessions with the VPN gateway and who attempt to access a protected resource. The VPN gateway may receive, from a client device, a security assertion request that includes a request for a security assertion to be made by the VPN gateway with respect to a user of a private network associated with the VPN gateway, determine whether the security assertion request was received via a tunneling session established for the user between the client device and the VPN gateway, and issue a security assertion for the user in response to determining that the security assertion request was received via the tunneling session. In this way, a VPN gateway may act as an SSO identity provider for users that have an established tunneling session with the gateway.
    Type: Grant
    Filed: March 9, 2012
    Date of Patent: July 8, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Kartik Kumar, Ankur Agrawal, Roger A. Chickering, James Wood, Vamsi K. Anne
  • Patent number: 8776166
    Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.
    Type: Grant
    Filed: July 17, 2006
    Date of Patent: July 8, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Steven Erickson, Oliver Kourosh Tavakoli
  • Patent number: 8774179
    Abstract: A method is provided for handling member link state changes in an aggregate interface. An aggregate interface may be established to include a number of member links. A mask may be associated with the aggregate interface, where the mask identifies a current state of each member link in the aggregate interface. The mask is retrieved and used to identify active links in the aggregate interface when packets are received for forwarding on the aggregate interface.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: July 8, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Siva Gaggara, Nitin Kumar, Fritz Budiyanto
  • Patent number: 8774181
    Abstract: Techniques are described for reducing unnecessary upstream traffic toward a rendezvous point (RP) of a network using Protocol Independent Multicast Bidirectional Mode. The RP may be either a router configured with the rendezvous point address (RPA) on its loopback interface, or one of several routers connected to an RP link with the RPA. The techniques include determining whether the RP needs to receive multicast traffic for a multicast group and, when the RP does not need to receive the multicast traffic, sending RP-prune control messages for the multicast group to downstream routers on non-RP links. Upon receiving an RP-prune control message, a downstream router may prune an outgoing interface for the multicast group to prevent the downstream router from forwarding multicast traffic for the multicast group toward the RP. The downstream router may terminate or propagate the RP-prune control message to a further downstream router.
    Type: Grant
    Filed: January 3, 2012
    Date of Patent: July 8, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Zhaohui Zhang, WeeSan Lee
  • Patent number: 8767526
    Abstract: A network device may include a supplicant framework to generate a first 802.1x packet using a MAC address associated with a first device as a first username and password in the first 802.1x packet; and generate a second 802.1x packet using a second username and password received from a second device via a captive-portal web page. The network device may further include an authenticator state machine to authenticate the first device with a Remote Authentication Dial In User Service (RADIUS) server using a first Extensible Authentication Protocol (EAP) packet that includes the first 802.1x packet; authenticate the second device with the RADIUS server using a second EAP packet that includes the second 802.1x packet; receive a third EAP packet from a third device; and authenticate the third device with the RADIUS server using the third EAP packet.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: July 1, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Manjunath Jagannatharao, Nipa Kumar, Sandip Shah, Nagendra Krishna Sundaranathan
  • Patent number: 8769129
    Abstract: In general, the invention is directed to techniques for establishing secure connections with devices residing behind a security device. In accordance with the techniques, a managed device initiates a transmission control protocol (TCP) session to establish a TCP session with a management device such that the management device acts as the TCP server and the managed device acts as a TCP client. Once established, the managed device sends a role reversal message specifying an identity of the managed device via the TCP session. Upon receiving the role reversal message, the management device initiates a secure connection over the TCP session in accordance with a secure protocol such that the management device acts as the secure protocol client and the managed device acts as the secure protocol server. By properly establishing the secure session, each of the devices assumes the proper roles and administrators may more easily configure the devices.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: July 1, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Kent A. Watsen, Simon J. Gerraty, Paul Fraley, Philip A. Shafer, Darren Tom
  • Patent number: 8767741
    Abstract: The invention is directed toward techniques for Multi-Protocol Label Switching (MPLS) upstream label assignment for the Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The techniques include extensions to the RSVP-TE that enable distribution of upstream assigned labels in Path messages from an upstream router to two or more downstream routers of a tunnel established over a network. The tunnel may comprise a RSVP-TE P2MP Label Switched Path (LSP) or an Internet Protocol (IP) multicast tunnel. The techniques also include extensions to the RSVP-TE that enable a router to advertise upstream label assignment capability to neighboring routers in the network. The MPLS upstream label assignment using RSVP-TE described herein enables a branch router to avoid traffic replication on a Local Area Network (LAN) for RSVP-TE P2MP LSPs.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: July 1, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Rahul Aggarwal
  • Patent number: 8769023
    Abstract: A disaster response system receives location data and status data from participating devices in an area affected by a disaster. The disaster response system provides data to client devices outside the affected area. The data indicate statuses of people within the affected area. The disaster response system also instructs routers to perform actions to adjust bandwidth available for a particular use during and after the disaster.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: July 1, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Samuel Lau
  • Publication number: 20140177440
    Abstract: A system that processes single stream multicast data includes multiple queues, a dequeue engine, and/or a queue control engine. The queues temporarily store data. At least one of the queues stores single stream multicast data. A multicast count is associated with the single stream multicast data and corresponds to a number of destinations to which the single stream multicast data is to be sent. The dequeue engine dequeues data from the queues. If the data corresponds to the single stream multicast data, the dequeue engine examines the multicast count associated with the single stream multicast data and dequeues the single stream multicast data based on the multicast count. The queue control engine examines one of the queues to determine whether to drop data from the queue and marks the data based on a result of the determination.
    Type: Application
    Filed: February 25, 2014
    Publication date: June 26, 2014
    Applicant: Juniper Networks, Inc.
    Inventors: Jayabharat BODDU, Debashis Basu, Avanindra Godbole
  • Publication number: 20140177471
    Abstract: A system includes a storage device to store information associated with virtual nodes that correspond to network nodes. The system also includes a server to install a virtual node that corresponds to one of the network nodes, based on the information associated with the virtual node, where installing the virtual node includes creating a logical interface via which traffic is to be sent to, or received from, other virtual nodes; start the virtual node to create an operating virtual node based on a copy of an operating system that is run on the network node, where starting the virtual node causes the operational virtual node to execute the copy of the operating system; and cause the operating virtual node to communicate with a virtual network that includes the virtual nodes, where causing the operating virtual node to communicate with the virtual network enables the operating virtual node to receive or forward traffic associated with the virtual network.
    Type: Application
    Filed: February 25, 2014
    Publication date: June 26, 2014
    Applicant: Juniper Networks, Inc.
    Inventors: Daniel KHARITONOV, Colin Constable, Geoffrey Huang, Joel Obstfeld
  • Publication number: 20140181235
    Abstract: A method and apparatus for switching a data packet between a source and destination in a network. The data packet includes a header portion and a data portion. The header portion includes routing information for the data packet. The method includes defining a data path in the router comprising a path through the router along which the data portion of the data packet travels and defining a control path comprising a path through the router along which routing information from the header portion travels. The method includes separating the data path and control path in the router such that the routing information can be separated from the data portion allowing for the separate processing of each in the router. The data portion can be stored in a global memory while routing decisions are made on the routing information in the control path.
    Type: Application
    Filed: February 27, 2014
    Publication date: June 26, 2014
    Applicant: Juniper Networks, Inc.
    Inventors: Pradeep S. SINDHU, Kireeti Kompella, Dennis C. Ferguson, Bjorn O. Liencres, Nalini Agarwal, Hann-Hwan Ju, Raymond Marcelino Manese Lim, Rasoul Mirzazadeh Oskouy, Sreeram Veeragandham
  • Patent number: 8762334
    Abstract: A network device may include multiple interfaces, each including a local database to store, in a first group of local records, information associated with a first group of data units sent from or received by a first one of the group of interfaces; a global database to store, in a group of global records, information associated with the first group of data units and information associated with a second group of data units sent from or received by a second one of said group of interfaces. The device may include a processor, to manage the local database and the global database; broadcast at least one of the local records to the second one of the group of interfaces; and analyze each of the local records to identify potential anomalies in the first group of data units.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: XinZhang Ma, David Rowell
  • Patent number: 8761171
    Abstract: Techniques are described for reducing unnecessary upstream traffic toward a rendezvous point (RP) of a network using Protocol Independent Multicast Bidirectional Mode. The techniques include determining whether the RP needs to receive multicast traffic for a multicast group and, when the RP does not need to receive the multicast traffic, sending RP-prune control messages for the multicast group to downstream routers. Upon receiving an RP-prune control message, a downstream router may prune an outgoing interface for the multicast group to prevent the downstream router from forwarding multicast traffic for the multicast group toward the RP. The downstream router may terminate the RP-prune control message or propagate the RP-prune control message to a further downstream router. Routers that send RP-prune control messages also create or update a RP-prune state for the multicast group that includes interfaces for the downstream routers to which the RP-prune control messages were sent.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Zhaohui Zhang, WeeSan Lee
  • Patent number: 8761180
    Abstract: A router for switching data packets from a source to a destination in a network in which the router includes a distributed memory. The distributed memory includes two or more memory banks. Each memory bank is used for storing uniform portions of a data packet received from a source and linking information for each data packet to allow for the extraction of the uniform portions of a data packet from distributed locations in memory in proper order after a routing determination has been made by the router.
    Type: Grant
    Filed: March 20, 2013
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Pradeep Sindhu, Dennis Ferguson, Bjorn Liencres, Nalini Agarwal, Hann-Hwan Ju, Raymond Marcelino Manese Lim, Rasoul Mirzazadeh Oskouy, Sreeram Veeragandham
  • Patent number: 8762534
    Abstract: A fair weighted-hashing technique may be used in load balancing among a group of modules. In one implementation, a device may maintain a table that relates how incoming client resource requests are to be distributed among the modules. The device may update the table, in response to an indication that an additional module, associated with a module identifier, is to be included in the group of modules. The updating may include determining a number of entries to add to the table for the additional module, calculating a first hash value for each of the number of entries, and modifying the table by writing the module identifier to one or more sequential entries of the table, beginning at an index into the table corresponding to the first hash value.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Xinhua Hong, Hongbin Wang, Ying Zhang, Krishna Narayanaswamy, Rakesh Nair, Henry Han
  • Patent number: 8762535
    Abstract: Managing TCP anycast requests at content delivery network nodes is disclosed. In some embodiments, serving a request includes receiving a request at a node of a plurality of nodes comprising a content delivery network, wherein each of the plurality of nodes shares a same anycast IP address to which the request is directed and servicing the request at the node.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: June 24, 2014
    Assignees: Bitgravity, Inc., Juniper Networks, Inc.
    Inventor: Barrett Gibson Lyon
  • Patent number: 8761044
    Abstract: Multicast traffic received by a subnet that uses IGMP/PIM snooping may be efficiently processed so that only required multicast router interfaces are used. A router may, for example, receive a source-specific PIM join/prune message indicating that a multicast receiver of the multicast traffic is to join/leave a multicast group to receive/stop traffic from a multicast source; determine whether the router is a first hop router relative to a subnet of the multicast source; and forward, when the router is a first hop router relative to the subnet of the multicast source and is a non-designated router, the source-specific PIM join/prune message towards the subnet.
    Type: Grant
    Filed: June 11, 2010
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Sunil Kumar Chandrashekharachar Suvarneshwar
  • Patent number: 8761182
    Abstract: A device may include two or more line interfaces. One of the line interfaces may include a component to buffer a packet that is received at the line interface, perform a lookup of information related to selecting a flow based on a header of the packet, apply a symmetric hash function to addresses in the header to obtain a hash when the information related to selecting the flow indicates the flow is to be selected based on a random method, compare the hash to a particular number using the information related to selecting the flow, the particular number being same for the line interfaces, sample a flow when the hash matches the particular number, create a flow record for the flow, and sample packets based on the flow record.
    Type: Grant
    Filed: April 30, 2011
    Date of Patent: June 24, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Jack Kohn, Gunes Aybay, Fuguang Shi, David Rowell
  • Publication number: 20140169220
    Abstract: A transport LAN segment service is provided over a transport network. Responsibilities for configuring, provisioning and forwarding over a transport LAN segment are divided between layer 2 and 3 service provider edge devices, where the layer 3 edge device handles discovery and tunneling responsibilities, the layer 2 edge device handles learning and flooding responsibilities, and information can be exchanged between the layer 2 and 3 edge devices. Configuration is simplified by advertising TLS-label information, layer 2 address learning, and flooding when the needed configuration information has not yet been learned or discovered.
    Type: Application
    Filed: February 24, 2014
    Publication date: June 19, 2014
    Applicant: Juniper Networks, Inc.
    Inventor: Kireeti KOMPELLA
  • Patent number: 8755396
    Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric physically distributed among a set of chassis. The multi-stage switch fabric has a set of input buffers and a set of output ports. The switch core can be configured to be coupled to a set of edge devices. The apparatus can also include a controller implemented in hardware without software during operation and with software during configuration and monitoring. The controller can be coupled to the set of input buffers and the set of output ports. The controller can be configured to send a flow control signal to an input buffer from the set of input buffers when congestion at an output port from the set of output ports is predicted and before congestion in the switch core occurs.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: June 17, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Pradeep Sindhu, Gunes Aybay, Jean-Marc Frailong, Anjan Venkatramani, Quaizar Vohra