Abstract: A method and a network device for enabling communication between unnumbered interfaces are provided. A device level address may be assigned to a network device. The network device may announce the assigned device level address to a neighboring network device over a link. A corresponding device level address associated with the neighboring network device may be received over the link. A route may be stored including the received device level address associated with the neighboring network device and the link. In some implementations, the announcement of the assigned device level address is performed during protocol configuration.

Abstract: A network interface card may issue interrupts to a host in which the determination of when to issue an interrupt to the host may be based on the incoming packet rate. In one implementation, an interrupt controller of the network interface card may issue interrupts to that informs a host of the arrival of packets. The interrupt controller may issue the interrupts in response to arrival of a predetermined number of packets, where the interrupt controller re-calculates the predetermined number based on an arrival rate of the incoming packets.

Abstract: A method may include authenticating a device to a first server, where the device includes an agent; receiving a request, in the first server from a second server, to verify the authenticity of the device, where the device is not authenticated to the second server; sending a browser plug-in to the device to communicate with the agent for verifying the authenticity of the device; receiving, in the first server, a message from the agent verifying the authenticity of the device; and sending a message from the first server to the second server to authenticate the device to the second server.

Abstract: Techniques are described for selecting an alternate path for end-to-end service data traffic that traverses multi-homed routers that provide the service to customer networks. For example, as described herein, a router that is a member of a first multi-homing set connected to a layer two (L2) network with one of a plurality of first access links. The router advertises a status of one of the first access links to a second multi-homing set connected to the first multi-homing set with one or more core links. A core link database stores advertised status information for access links of the first and second multi-homing set. Upon a link failure, a path selector selects a core link to transport service data traffic and directs a switch module to switch to active a status a first access links that connects to a router in the first multi-homing set connected to the selected core link.

Abstract: Techniques are described for supporting metro Ethernet “E-TREE” service over a packet-switched MPLS network, including a VPLS core, in a manner that allows a service provide to easily integrate with different types of technologies deployed by its various customers. Moreover, the techniques described herein provide increased flexibility with respect to the topology of the roots and leafs of the E-TREE service and, in particular, allow roots and leaf nodes to be coupled to a common router that provides access to the VPLS core. An NNI port of a PE router may process network traffic to provide E-TREE service to a bridged network having both leaf nodes and root nodes process and direct traffic between logical interfaces as changed next hops.

Abstract: In some embodiments, an apparatus includes a switch module configured to receive an order identifier of a first data packet from a first stage of a multi-stage switch. The switch module is configured to receive an indicator of an available capacity of the first module of a second stage of the multi-stage switch fabric, and an indicator of an available capacity of a second module of the second stage of the multi-stage switch fabric. The switch module is configured, when the order identifier is assigned, to direct the first data packet to the first module of a second stage of the multi-stage switch fabric when the available capacity of the second module is lower than the available capacity of the first module. The switch module configured, when the order identifier is unassigned, to direct the first data packet to the second module when the available capacity of the second module is higher than the available capacity of the first module.

Abstract: Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Abstract: In general, techniques are described for dynamic threat protection in mobile networks. A network system comprising a network security device and a management system may implement the techniques. The management system includes a network server having a shared database. A mobile device manager (MDM) of the management system receives a report message from a mobile device, specifying a threat to a mobile network. The MDM publishes the threat to the shared database. A network management system (NMS) of the management system receives data from the shared database identifying the threat and generates a security policy that specifies actions to address the threat. The NMS then installs the security policy in the network security device so that the network security device performs the actions of the security policy to address the threat.

Abstract: In some embodiments, an apparatus includes a validation engine configured to receive multiple validation packets from an edge device via multiple data paths from a set of data paths between the validation engine and the edge device. The validation engine is configured to compare a number of validation packets from the multiple validation packets received from the edge device to a number of data paths from the set of data paths to determine an error at a data path from the set of data paths. The validation engine is configured to send an indication of the error at the data path from the set of data paths to the edge device.

Abstract: A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: In one example, a controller device includes one or more network interfaces communicatively coupled to one or more devices of a virtual network, and a processor configured to determine, for the virtual network, a set of two or more related processes executed by respective devices in the virtual network, receive via the network interfaces data for the set of two or more related processes, and aggregate the data for the set of two or more related processes to form aggregated data for the set of two or more related processes.

Abstract: In some embodiments, an apparatus includes a first network device configured to receive, from a second network device, a first forwarding-state packet associated with a peripheral processing device and having a first generation identifier. The first network device is configured to receive, from a third network device, a second forwarding-state packet associated with the peripheral processing device and having a second generation identifier. The first network device is configured to implement forwarding-state information included in the first forwarding-state packet based on a comparison of the first generation identifier and the second generation identifier.

Abstract: A database enables versioning for objects stored in the database via a “snapshot” operation. In one implementation, a device performs a snapshot operation in which a snapshot object, representing a logical view of database objects at a time at which the snapshot operation is performed, is created and stored in the database. In response to a request to store a modified version of a database object, the modified version of the database object is written to replace the previous version of the database object when the database object was last modified after the most recent snapshot operation. Further, in response to the request to store the modified version of the database object, the modified version of the database object is inserted in the database when the previous version of the database object was last modified before the most recent snapshot operation.

Abstract: In some embodiments, an apparatus includes a route reflector implemented in at least one of a memory or a processing device. The route reflector is configured to be included within a switch fabric system. The route reflector is configured to receive, from a network management module, an instruction to install a route associated with a multi-stage switch, and send the instruction to install to a route target network control entity associated with the multi-stage switch. The route reflector is also configured to receive, from the route target network control entity, a first acknowledgement signal indicating that the route was successfully installed at the route target network control entity. The route reflector is configured to send a second acknowledgement signal to the network management module in response to receiving the first acknowledgement signal.

Abstract: In some embodiments, an apparatus includes a module within a first stage of a switch fabric, a module within a second stage of the switch fabric, and a module within a third stage of the switch fabric. The module within the first stage is configured to send data to the module within the second stage. The module within the second stage is configured to send data to the module within the third stage. The module within the second stage is configured to send a first suspension indicator to the module within the third stage. The module within the third stage is configured to send a second suspension indicator to the module within the first stage in response to the first suspension indicator. The module within the first stage is configured to stop sending data to the module within the second stage in response to the second suspension indicator.

Abstract: A network device may be configured to filter network traffic using multiple different filters bound to different interfaces of the network device. The network device may include logic to identify a relationship map that describes a topology of bind-points associated with the network device. Additionally, the network device may include logic to generate a merge graph based on the relationship map, the merge graph including one or more nodes, where each node represents a walk through the relationship map and includes one or more merge-points, where each merge-point is defined as a filter associated with a bind-point. The network device may also include a ternary content-addressable memory (TCAM) programmed to include entries based on the nodes of the merge graph.

Abstract: A multi-chassis network device may automatically detect whether cables connected between chassis devices are correctly inserted. The device may insert, into a first data stream output from a first port of the device, control information identifying the first port. The device may receive, from a second data stream received by the first port of the device, second control information identifying a second port, at another device connected to the device via a cable. The device may determine, based on the second control information, whether the connection of the first port to the second port, via the cable, is valid and cause, when the connection of the first port to the second port is determined to not be valid, the device to output an indication that the connection is not valid or to reconfigure the device to make the connection of the first port to the second port valid.

Abstract: A call admission control technique allowing flexible and reliable call admissions at an ATM switch in the case of an ATM network including both QoS-specified and QoS-unspecified virtual connections is disclosed. In the case where a QoS (Quality of Service) specified connection request occurs, an estimated bandwidth is calculated which is to be assigned to an existing QoS-unspecified traffic on the link associated with the QoS-specified connection request. A call control processor of the ATM switch determines whether the QoS-specified connection request is accepted, depending on whether a requested bandwidth is smaller than an available bandwidth that is obtained by subtracting an assigned bandwidth and the estimated bandwidth from a full bandwidth of the link.

Abstract: A network device includes a main storage memory and a queue handling component. The main storage memory includes multiple memory banks which store a plurality of packets for multiple output queues. The queue handling component controls write operations to the multiple memory banks and controls read operations from the multiple memory banks, where the read operations for at least one of the multiple output queues alternates sequentially between the each of the multiple memory banks, and where the read operations and the write operations occur during a same clock period on different ones of the multiple memory banks.

Abstract: In general, techniques are described for transmitting MPLS labels over a network. More specifically, a network device such a router receives a packet to be forwarded according to a label switching protocol, such as Multi-Protocol Label Switching (MPLS). The router may determine a service instance for the packet based on a client device from which the packet originated. The network device may determine one or more services to apply to the packet based on the service instance for the packet and generate a label which having a service instance portion and a service information portion. The network device may append the label to the packet to form an MPLS-encapsulated packet, and may forward the MPLS-encapsulated packet via an output interface according to the label switching protocol.