Patents Assigned to Juniper Networks, Inc.
-
Patent number: 9866427
Abstract: In some examples, a switching system includes a plurality of fabric endpoints and a multi-stage switching fabric having a plurality of fabric planes each having a plurality of stages to switch data units between any of the plurality of fabric endpoints. A fabric endpoint of the fabric endpoints is configured to send, to a switch of a first one of the stages and within a first fabric plane of the plurality of fabric planes, a self-ping message destined for the fabric endpoint. The fabric endpoint is configured to send, in response to determining the fabric endpoint has not received the self-ping message after a predetermined time, an indication of a connectivity fault for the first fabric plane.
Type: Grant
Filed: February 16, 2015
Date of Patent: January 9, 2018
Assignee: Juniper Networks, Inc.
Inventors: Alam Yadav, Mukul Golash
-
Publication number: 20180006942
Abstract: A network device may receive an instruction to update a data structure implemented by the network device and update the data structure based on receiving the instruction. The data structure may include a routing instruction to direct the network device to provide a data flow to a server device for processing. The network device may receive the data flow destined for a destination device; determine the routing instruction based on at least a portion of an internet protocol (IP) address associated with the data flow and based on the data structure; execute the routing instruction to provide the data flow to the server device and to cause the data flow to be processed by the server device to form a processed data flow; and receive the processed data flow and provide the processed data flow towards the destination device.
Type: Application
Filed: July 31, 2013
Publication date: January 4, 2018
Applicant: Juniper Networks, Inc.
Inventors: Bruno RIJSMAN, Usha SHARMA, Prabhakaran GANESAN, Sankar RAMAMOORTHI
-
Patent number: 9860210
Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this way, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.
Type: Grant
Filed: October 26, 2016
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Siying Yang, Krishna Narayanaswamy
-
Patent number: 9860162
Abstract: In one example, an autonomous system boundary router (ASBR) forms part of a first autonomous system (AS). The ASBR is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. The ASBR includes an interface communicatively coupled to a routing device external to the first AS, a memory configured to store a forwarding table associated with the interface, and one or more processing units configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
Type: Grant
Filed: September 30, 2015
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Jeyananth Minto Jeganathan, Kaliraj Vairavakkalai
-
Patent number: 9858132
Abstract: The disclosed computer-implemented method for facilitating atomic delivery of bundled data sets to applications within distributed systems may include (1) receiving, at a queue of an application, a data set from at least one other application, (2) determining that the data set is incorporated in a bundle whose contents have yet to completely arrive at the queue, (3) gating the data set at the queue until the bundle's contents have completely arrived at the queue, (4) receiving, at the queue, another data set incorporated in the bundle, (5) determining that the bundle's contents have completely arrived at the queue based at least in part on receiving the other data set, and then (6) notifying the application that the bundle is ready for atomic delivery such that the application is able to consume the bundle's contents on an as-needed basis. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 2, 2016
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Srinath Bayareddy, Aditya Thakur, Vijay Paul, David Katz
-
Patent number: 9860169
Abstract: The techniques described herein may enable a particular PE router configured in an EVPN to share, rather than immediately discard, a CE router MAC address that is included in an IPv6 neighbor advertisement even though the particular PE router does not include a neighbor cache entry corresponding to the CE router. The techniques may include receiving, from a CE router that is locally coupled to the first PE router, an IPv6 neighbor advertisement from the CE router in response to an IPv6 neighbor solicitation from a second PE router that requested a MAC address of the CE router; determining whether an L2 destination addresses of the IPv6 neighbor advertisement match the L2 address of the bridging interface second PE router; and in response to determining a match, sending, to the second PE router, an EVPN route advertisement specifying at least the MAC address of the CE router.
Type: Grant
Filed: September 29, 2015
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Samson P Ninan, Sushant Kumar, Reji Thomas
-
Patent number: 9860150
Abstract: In general, techniques of this disclosure may enable a remote provider edge (PE) router to improve convergence time in response to a link failure in an Ethernet Virtual Private Network (EVPN) by establishing per-Ethernet Segment Identifier (ESI) Bidirectional Forwarding Detection (BFD) sessions with other PE routers that are coupled to the PE router in an EVPN. The remote PE may determine that at least two PE routers with the remote PE are locally connected to a multi-homed customer network by a particular Ethernet Segment. The remote PE may send, based on determining that the at least two PE routers are connected to the multi-homed customer network by the particular Ethernet Segment, an ESI Ping request packet through the intermediate network to one of the at least two PE routers, wherein the ESI Ping request packet includes at least a BFD discriminator and an ESI for the particular Ethernet Segment.
Type: Grant
Filed: October 23, 2015
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Nitin Singh, Kapil Arora, Ramesh Kandula, Santosh Pallagatti Kotrabasappa
-
Patent number: 9860110
Abstract: Techniques are described for enhancements to Protocol Independent Multicast (PIM) to support multicast only fast re-route (MoFRR) over a remote loop free alternate (RLFA) backup path in a network. This disclosure describes a modified PIM control message having a new PIM message type and an additional field to indicate an address of a RLFA network device in the RLFA backup path. According to techniques of this disclosure, network devices along the RLFA backup path are configured to forward the modified PIM control message toward the RLFA network device instead of toward a source of a requested multicast group. When the RLFA network device receives the modified PIM control message, the RLFA network device is configured to forward a conventional PIM control message towards the source of the requested multicast group. In this way, PIM can be used to provide MoFRR over a RLFA backup path.
Type: Grant
Filed: September 30, 2015
Date of Patent: January 2, 2018
Assignee: Juniper Networks, Inc.
Inventors: Nischal Singh, Hariharan Boopathy, Rahul Unnikrishnan
-
Patent number: 9853937
Abstract: In general, techniques are described for steering data traffic for a subscriber session from a network interface of a wireless access gateway to an anchoring one of a plurality of forwarding units of the wireless access gateway using a layer 2 (L2) address of the data traffic. For example, a wireless access gateway for a wireless local area network (WLAN) access network is described as having a decentralized data plane that includes multiple forwarding units for implementing subscriber sessions. Each forwarding unit may present a network interface for sending and receiving network packets and includes packet processing capabilities to enable subscriber data packet processing to perform the functionality of the wireless access gateway. The techniques enable steering data traffic for a given subscriber session to a particular one of the forwarding units of the wireless access gateway using an L2 address of the data traffic.
Type: Grant
Filed: October 31, 2016
Date of Patent: December 26, 2017
Assignee: Juniper Networks, Inc.
Inventors: Krishna Sankaran, Huiyang Yang, Santosh Gupta, Prasad Chigurupati, Bin William Hong
-
Patent number: 9853854
Abstract: An example method includes selecting, by a network device, a remote LFA next hop as an alternate next hop for forwarding network traffic from the network device to a destination, wherein the selected remote LFA next hop provides node protection to a primary next hop node on the shortest path from the network device to the destination. The method includes, for each candidate remote LFA next hop, performing a forward shortest path first (SPF) computation having the respective candidate remote LFA next hop as a root to compute a path segment between the respective candidate remote LFA next hop and the destination, wherein each of the candidate remote LFA next hops is the egress of a respective potential repair tunnel between the network device and candidate remote LFA next hop, and selecting the remote LFA next hop based at least in part on the computed path segments.
Type: Grant
Filed: October 31, 2016
Date of Patent: December 26, 2017
Assignee: Juniper Networks, Inc.
Inventors: Pushpasis Sarkar, Hannes Gredler, Shraddha Hegde, Harish Raghuveer
-
Patent number: 9854493
Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive at a tunnel server, a data unit addressed to a communication device, and define, a first instance of the data unit and a second instance of the data unit. The first instance of the data unit is sent to the communication device via a first tunnel defined between at least the tunnel server and a first base station associated with a first network. The second instance of the data unit is sent to the communication device via a second tunnel defined between at least the tunnel server and a second base station associated with a second network. The second instance of the data unit is dropped by the communication device when the first instance of the data unit is received before the second instance of the data unit.
Type: Grant
Filed: January 27, 2015
Date of Patent: December 26, 2017
Assignee: Juniper Networks, Inc.
Inventors: James Murphy, Abhijit Choudhury
-
Patent number: 9853898
Abstract: In general, techniques for dynamically provisioning service chains are described. In one example a network device comprises a control unit having at least one processor coupled to a memory, wherein the control unit is configured to receive a services list comprising an ordered list of services, the ordered list of services specifying at least a first service and a second service. The network device also comprises a forwarding unit coupled to the control unit and configured to receive a packet of a packet flow from a first service node that has applied the first service to the packet, wherein the forwarding unit is configured to send, based at least on the ordered list of services, the packet to a second service node that applies the second service.
Type: Grant
Filed: April 29, 2015
Date of Patent: December 26, 2017
Assignee: Juniper Networks, Inc.
Inventors: Saravanadas P. Subramanian, Dhiraj D. Ballal, Wladimir Araujo Filho, Venkatesh B R Gota
-
Patent number: 9848006
Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
Type: Grant
Filed: October 21, 2016
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Clifford E. Kahn, Stephen R. Hanna
-
Patent number: 9847953
Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric. A first set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have a protocol. Each peripheral processing device from the first set of peripheral processing devices is a storage node that has virtualized resources. The virtualized resources of the first set of peripheral processing devices collectively define a virtual storage resource interconnected by the switch core. A second set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have the protocol. Each peripheral processing device from the first set of peripheral processing devices is a compute node that has virtualized resources. The virtualized resources of the second set of peripheral processing devices collectively define a virtual compute resource interconnected by the switch core.
Type: Grant
Filed: June 30, 2009
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Pradeep Sindhu, Gunes Aybay, Jean-Marc Frailong, Anjan Venkatramani, Quaizar Vohra
-
Patent number: 9847911
Abstract: The disclosed system may include (1) a modular port concentrator that connects as a modular line card within a router to forward network packets, (2) a profile module, stored in memory, that stores an allowed port configuration profile that defines supported port configurations for the modular port concentrator, (3) a configuration module, stored in memory, that receives an attempted port configuration for the modular line card, (4) an enforcement module, stored in memory, that enforces the allowed port configuration profile by taking remedial action in response to determining that the allowed port configuration profile does not allow the attempted port configuration, and (5) at least one physical processor configured to execute the modular port concentrator, the profile module, the configuration module, and the enforcement module. Various other systems and methods are also disclosed.
Type: Grant
Filed: June 16, 2015
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Scott A. Gigandet, Eswaran Srinivasan, Dmitry A. Shokarev, John D. Johnson
-
Patent number: 9846710
Abstract: A computer-implemented method for increasing the scalability of software-defined networks may include (1) maintaining a set of databases collectively configured to (i) store a set of flow entries that direct network traffic within a software-defined network and (ii) facilitate searching the set of flow entries based at least in part on at least one key whose size remains substantially constant irrespective of the number of flow entries within the set of flow entries, (2) detecting a request to perform an operation in connection with a flow of data packets within the software-defined network, (3) identifying at least one attribute of the flow of data packets in the request, and then (4) searching, using the attribute of the flow of data packets as a database key, at least one database within the set of databases to facilitate performing the operation. Various other methods, systems, and apparatuses are also disclosed.
Type: Grant
Filed: May 27, 2016
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Apoorva Jindal, Rahul S. Kasralikar, Ramya Olichandran, Jainendra Kumar, Sandeep Bajaj
-
Patent number: 9848016
Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
Type: Grant
Filed: November 14, 2016
Date of Patent: December 19, 2017
Assignee: Juniper Networks, Inc.
Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
-
Patent number: 9843508
Abstract: Techniques are described for reusing downstream-assigned labels when establishing a new instance of a label switched path (LSP) prior to tearing down an existing instance of the LSP using make-before-break (MBB) procedures for RSVP. The techniques enable a routing engine of any non-ingress router along a path of the new LSP instance to reuse a previously allocated label for the existing LSP instance as the downstream assigned label for the new LSP instance when the paths of the existing LSP instance and the new LSP instance overlap. In this way, the non-ingress router does not need to update a label route in its forwarding plane for the reused label. When the new LSP instance completely overlaps the existing LSP instance, an ingress router of the LSP may avoid updating an ingress route in its forwarding plane for applications that use the LSP.
Type: Grant
Filed: April 9, 2015
Date of Patent: December 12, 2017
Assignee: Juniper Networks, Inc.
Inventors: Minjie Dai, Yimin Shen, Raveendra Torvi, Markus Jork, Yakov Rekhter, Natrajan Venkataraman
-
Patent number: 9843513
Abstract: An example method includes exchanging targeted hello messages to establish a targeted neighbor connection between a first routing device and a second routing device, wherein one of the routing devices comprises a central routing device, and wherein another one of the routing devices comprises an ingress routing device. The example method further includes processing a source-active register message that specifies a source address and an identifier that are collectively associated with a multicast stream, and wherein the source-active register message further indicates whether the multicast stream is active or withdrawn.
Type: Grant
Filed: June 2, 2015
Date of Patent: December 12, 2017
Assignee: Juniper Networks, Inc.
Inventors: Vikram Nagarajan, Anish Peter, Robert W. Kebler
-
Patent number: 9838317
Abstract: An example network device includes a set of physical network interfaces and a control unit that executes a routing protocol and a traffic impact prediction module. The traffic impact prediction module determines, prior to occurrence of a topology-changing device fault, that one or more operating characteristics of the network device are indicative of a possible fault, wherein the network device is one of a plurality of network devices in a network, determines a probability of traffic loss associated with the possible fault, and determines an adjusted routing metric for routes impacted by the possible fault based at least in part on the probability of the traffic loss. The routing protocol sends, via at least one of the set of physical network interfaces, one or more interior gateway protocol update messages specifying the adjusted routing metric to at least one other network device in the network.
Type: Grant
Filed: April 10, 2015
Date of Patent: December 5, 2017
Assignee: Juniper Networks, Inc.
Inventor: Alam Yadav