Abstract: In one example, a method includes by a first network device positioned on a border of a first area of a multi-area hierarchical network and a second area of the multi-area hierarchical network, determining a cost associated with sending network traffic from a client group to the first network device, wherein the client group is positioned in the first area, the first area and the second area being distinct routing domains of the multi-area hierarchical network; and outputting, by the first network device to a second network device positioned in the second area, a routing advertisement that specifies the determined cost as a reverse metric. In some examples, a route reflector receives the routing advertisement and based on the cost from the client group to the area border network device, selects an egress point from among a plurality of egress points of the multi-area hierarchical network.

Abstract: A security device may receive an object destined for a user device. The object may be of an object type that does not describe a web page. The security device may determine that the user device is to be warned regarding the object. The security device may determine a warning object based on determining that the user device is to be warned. The warning object may include information associated with a reason for determining that the user device is to be warned regarding the object, and may include information that allows the user device to receive the object. The security device may provide the warning object. The security device may receive, after providing the warning object, an indication associated with the user device obtaining the object. The security device may allow the user device to obtain the object based on receiving the indication.

Abstract: The disclosed system may include (1) receiving, at an ingress node within a network, a request to forward a packet along a label-switched path to an egress node within the network, (2) identifying a limit on the number of labels that the ingress node is capable of forwarding within a label stack of the packet, (3) determining that the number of hops within the label-switched path exceeds the limit on the number of labels that the ingress node is capable of forwarding, (4) selecting at least one of the hops within the label-switched path to act as a delegation node that imposes, onto the label stack of the packet, at least one label corresponding to a downstream hop within the label-switched path and (5) forwarding the packet from the ingress node to the delegation node to enable the delegation node to impose the label onto the label stack.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A printed circuit board (PCB) may include a plurality of horizontally disposed signal layers. The PCB may include a first vertically disposed differential via electrically connected to a first horizontally disposed signal layer, of the plurality of horizontally disposed signal layers, and a second horizontally disposed signal layer of the plurality of horizontally disposed signal layers. The PCB may include a second vertically disposed differential via electrically connected to the first signal horizontally disposed layer and the second horizontally disposed signal layer. The PCB may include a first set of clearances encompassing the first vertically disposed differential via and the second vertically disposed differential via, a second set of clearances encompassing the first vertically disposed stub, and a third set of clearances encompassing the second vertically disposed stub.

Abstract: A device may receive a packet from a first endpoint that is destined for a second endpoint. The first endpoint may be hosted on the device. The device may determine whether a secure session exists between the first endpoint and the second endpoint. The secure session may permit encrypted traffic to be exchanged between the first endpoint and the second endpoint. The device may process the packet using a set of rules after determining whether the secure session exists between the first endpoint and the second endpoint. The device may encrypt the packet using security information associated with the secure session after determining that the secure session exists, or establishing the secure session when the secure session does not exist. The device may provide the packet toward the second endpoint after encrypting the packet.

Abstract: Techniques are described for performing subscriber-aware NAT functions. In one example, routers or other NAT-enabled devices deployed within a network are configured to auto-correlate subscriber information with NAT operations performed by the devices when forwarding network traffic. As such, the techniques offload the burden of correlating subscriber login activity with NAT operations as typically performed by offline NAT log archive systems.

Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.

Abstract: In general, techniques are described for reducing forwarding loops for layer (L2) traffic that traverses an EVPN or PBB-EVPN instance (EVI) by deterministically determining an access-facing logical interface to block from respective access-facing logical interfaces of PE devices that switch the L2 traffic using the EVI. A provider edge (PE) network device may detect an L2 forwarding loop on an L2 forwarding path that includes the access-facing logical interface. In response to detecting an L2 forwarding loop and based at least on comparing an identifier for the local PE device and an identifier for a remote PE device that implements the EVPN instance, the PE device may block the access-facing logical interface to block L2 traffic from the local customer network.

Abstract: The disclosed apparatus may include (1) providing a framework that enables a customer entity of a service provider to configure, via a customer portal, a network device of the service provider that directs network traffic of the customer entity, (2) creating, for the customer entity by way of the framework, a virtual network that includes at least a portion of the network device of the service provider, (3) detecting an attempt by the customer entity to configure at least a portion of the virtual network via the customer portal, and then in response to detecting the attempt by the customer entity, (4) performing a configuration operation that configures the portion of the virtual network as directed by the customer entity via the customer portal. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.

Abstract: Techniques are described for dynamically adapting virtualized network functions (VNFs) to different target environments. A controller stores device profiles that include configuration data and workflows for resolving configuration parameters for instantiating and deploying a VNF package to form a network service. To support the resolution of VNF configuration parameters, a VNF descriptor for the VNF is extended to include a device family parameter that indicates a shared architecture and configuration parameters. The controller, when instantiating the VNF, may identify a device profile usable for resolving the configuration parameters for the VNF and obtain configuration data from the device profile for creating and configuring a VNF instance for the VNF descriptor. Extending the VNF descriptor to specify a device family allows the VNF to be flexibly adapted for different target environments and may avoid the use of numerous pre-defined VNF descriptors.

Abstract: In response to a connectivity disruption in an underlying optical transport ring supporting a routing and packet switching topology, one or more of optical devices of the optical transport ring are modified to establish connectivity between spine nodes in different data centers to reroute communication between at least a subset of the leaf network devices so as to traverse an inter-spine route via the optical modified optical transport ring. That is, in response to a connectivity disruption in a portion of underlying optical transport ring, one or more optical devices within the optical transport ring are modified such that packets between at least a portion of the leaf devices are rerouted along optical paths between at least two of the spine network devices.

Abstract: Techniques are described for dynamically distributing entity monitoring assignments to a plurality of monitoring agents. In one example, processors of a co-location facility execute a plurality of network services monitoring agents. A first monitoring agent of the plurality of monitoring agents transmits instructions to a messaging service, causing the messaging service to dequeue, from a queue, a first message of a plurality of messages, wherein the first message describes a first network services entity of a plurality of network service entities. The monitoring agent transmits, to the first monitoring agent, the first message. The first monitoring agent retrieves, from the first network services entity described by the first message, performance and health metrics for the first network services entity. The first monitoring agent transmits, to the messaging service and for transmission to a database of the co-location facility, the performance and health metrics for the first network services entity.

Abstract: An apparatus may include via pads and grid array pads associated with facilitating a connection through a package and to a component, and vias that are electrically connected to the via pads, wherein the vias are used to support high-speed differential signal pairs that are capable of causing crosstalk onto other high-speed differential signal pairs while propagating through the package. The apparatus may include interconnects that electrically connect the vias to the grid array pads, and that are capable of routing the high-speed differential signal pairs in a way that offsets the crosstalk that the high-speed differential signal pairs are capable of causing while propagating through the package. The apparatus may include additional interconnects that electrically connect the vias to additional vias that are to be used to facilitate routing the high-speed differential signal pairs to the component, without the high-speed differential signal pairs propagating through a printed circuit board.

Abstract: Techniques are described for selecting paths in accordance with service level agreements. For example, spoke and hub routers may advertise routes associated with virtual routing and forwarding (VRF) instances mapped to service level agreements (SLAs). A virtual route reflector of an intermediate router may receive route advertisements and may add respective path communities associated with particular links selected based on link state measurements in accordance with the SLAs. The hub or spoke routers may receive the route advertisements including a respective path community and install the selected path as a next-hop for a given SLA. In this way, spoke and hub routers may forward traffic on links that satisfy particular SLAs such that Quality of Experience (QoE) for an application may be restored or improved.

Abstract: The disclosed apparatus may include may include (1) an active power supply blank that (A) fits within a power supply slot of a network device that forwards network traffic and (B) generates airflow that cools the network device and (2) a power interface that electrically couples the active power supply blank to the network device, wherein the power interface enables the active power supply blank to (A) draw electrical power from the network device and (B) generate the airflow that cools the network device using the electrical power drawn from the network device. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may perform dynamic load balancing to identify one or more service devices, of a group of service devices, that is to apply a set of network services to traffic associated with a session of a subscriber device. The device may provide outgoing traffic, associated with the session, to the one or more service devices based on identifying the one or more service devices. The outgoing traffic may be provided to cause the one or more service devices to apply the set of network services to the outgoing traffic. The device may provide, to another device, information that identifies the one or more service devices. The information that identifies the one or more service devices may be provided to cause the other device to provide incoming traffic, associated with the session, to the one or more service devices to apply the set of network services to the incoming traffic.

Abstract: The problem of processing an egress packet by a data forwarding device having (1) a first routing stack associated with a first namespace and a first interface, (2) a second routing stack associated with a second namespace and a second interface, wherein at least some forwarding information included in the second namespace is incompatible with the first routing stack, (3) a virtual routing and forwarding instance (VRF), and (4) a shared session layer socket associated with both the first and second routing stack, and bound to the VRF, where the VRF is associated with the second interface via the second routing stack, is solved by: adding the first interface to the VRF whereby the VRF is associated with both the first and second interfaces; and responsive to the adding of the first interface to the VRF, (1) adding routes from the second namespace to the first namespace such that network address prefixes of the second namespace are associated with a “special” next hop, and (2) flagging the shared session layer

Abstract: In one embodiment, edge devices can be configured to be coupled to a multi-stage switch fabric and peripheral processing devices. The edge devices and the multi-stage switch fabric can collectively define a single logical entity. A first edge device from the edge devices can be configured to be coupled to a first peripheral processing device from the peripheral processing devices. The second edge device from the edge devices can be configured to be coupled to a second peripheral processing device from the peripheral processing devices. The first edge device can be configured such that virtual resources including a first virtual resource can be defined at the first peripheral processing device. A network management module coupled to the edge devices and configured to provision the virtual resources such that the first virtual resource can be migrated from the first peripheral processing device to the second peripheral processing device.