Abstract: In general, techniques are described for programming a set of one or more pre-defined rules within the forwarding plane of a packet gateway of a mobile service provider network and caching, within control plane, a group identifier that identifies the set of programmed, pre-defined rules. The control plane may match quality of service (QoS) information of incoming subscriber service requests with the group identifier and respective subsets of the set of programmed, pre-defined rules to rapidly associate service requests with already-programmed PCC rules and thereafter install, to the forwarding plane, subscriber service-specific actions for the PCC rules.

Abstract: A device may identify a portion of a label-switched path (LSP) on which a simple hierarchical LSP (sH-LSP) is to be used for transferring traffic via a network. The device may determine attribute information associated with the sH-LSP. The attribute information may include information associated with one or more characteristics of the sH-LSP. The device may provide an indication associated with identifying an available sH-LSP or creating a sH-LSP. The indication may include the attribute information associated with the sH-LSP, and may be being provided to cause the sH-LSP to be created on the portion of the LSP or an available sH-LSP, associated with the portion of the LSP, to be identified. The device may receive, based on providing the indication, an identifier associated with the sH-LSP. The device may cause the LSP to be set up based on the identifier associated with the sH-LSP.

Abstract: Techniques are described for establishing a second label switched path (LSP) instance of an LSP having a first LSP instance. In one example, for each downstream router designated for the second LSP instance of the LSP, the router determines whether the router is part of the first instance of the LSP and, if so, whether the first and second LSP instances for that downstream router share a common link to a nexthop router. If the first and second LSP instances share a common link to a nexthop router, the downstream router transmits a first message to the nexthop router, wherein the first message includes a suggested label. The downstream router receives, from the nexthop router, a second message, wherein the second message includes the suggested label. In another example, a label reuse indicator flag in a message from the ingress router causes routers on the second LSP instance to reuse the label of the first LSP instance when the same link is used to the upstream router for both LSP instances.

Abstract: In general, techniques for facilitating a distributed network (L3) subnet by which multiple independent control planes of network devices connected to physically separate L2 networks provide L2 reachability to/from a single L3 subnet. In some examples, a shared L2 network physically situated to connect a plurality of physically separate L2 networks “stitches” the L2 networks together within the respective, independent control planes of switches such that the control planes bridge L2 traffic for a single bridge domain for the separate L2 networks to the shared L2 network and visa-versa. Each of the independent control planes may be configured with a virtual IRB instance associated with the bridge domain and with a common network subnet. Each of the virtual IRBs provides a functionally similar routing interface for the single bridge domain for the separate L2 networks and allows the shared network subnet to be distributed among the independent control planes.

Abstract: The disclosed apparatus may include (1) a reply-reception module, stored in memory, that receives, from a satellite device, an authentication reply that includes an original authentication message digitally signed by the aggregation device using a private key of the aggregation device and that is digitally signed by the satellite device using a private key of the satellite device, (2) a forwarding module, stored in memory, that forwards the authentication reply to a network management server, (3) a validation-reception module, stored in memory, that receives, from the network management server in response to forwarding the authentication reply, a validation message, and (4) an authentication module, stored in memory, that authenticates the satellite device based at least in part on receiving the validation message. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques are described for determining pre-compensation parameters to compensate for signal integrity degradation along a signal path. A processor generates a first digital signal and receives a second digital signal. The second digital signal is generated from an optical-to-electrical conversion of a feedback optical signal that is generated from an electrical-to-optical conversion of an electrical signal by an optical module. The processor determines the pre-compensation parameters based on the first and second digital signals.

Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.

Abstract: A device may obtain information regarding firewall rules. The information, for a firewall rule of the firewall rules, may include one or more match condition values and a ranking value. The firewall rule may be applicable to packets that are associated with packet information that matches the match condition values. A match condition value may be associated with a match count that identifies a quantity of times that packets match the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets. The device may obtain a new firewall rule. The device may predict a ranking value of the new firewall rule based on match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules. The device may perform an action based on the predicted ranking value.

Abstract: The disclosure describes techniques that enable a network device to determine a confidence level for a network alarm and provide information indicative of the confidence level to other devices. For example, a network device may experience any number of conditions that cause the network device to output an alarm. In addition to or instead of simply sending out the alarm, the network device may perform operations to determine a confidence level associated with the alarm. For instance, the network device may determine whether the conditions that caused the alarm continue or whether the conditions can be validated. The network device may output information indicative of the confidence level.

Abstract: In some examples, a control network for one or more network segments of a network comprises a plurality of controllers each including one or more processors. The plurality of controllers receive service requests that each comprises a definition for a service provided by the network to connect at least two endpoints over a path traversing at least one of the one or more network segments, wherein the control network operates according to a control model by which the plurality of controllers provision services in the one or more network segments to satisfy the service requests. The plurality of controllers dynamically adapt, based on network conditions including the service requests, the control model for the control network. The plurality of controllers provision, according to the adapted control model, services for the service requests.

Abstract: A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device.

Abstract: Techniques are described for automatic provisioning of virtual local area networks (VLANs) on server-facing ports of access switches included in a data center network. Conventionally, VLANs are pre-configured on all server-facing ports of access switches. The techniques described in this disclosure enable automatic provisioning of VLANs on server-facing ports of access switches triggered by traffic received on the ports. The techniques include a feature in a forwarding plane of an access switch that is configured to detect data packets received for an unknown VLAN on a port, and notify a control plane of the access switch of the unknown VLAN on the port. In response to the notification from the forwarding plane, the control plane may authorize and provision the VLAN on the port. The techniques described in this disclosure include hardware-assisted software provisioning of an unknown VLAN on a given port of an access switch.

Abstract: Techniques are described for enhancements to Protocol Independent Multicast (PIM) to enable a last hop router (LHR) to perform source discovery and directly build or join a source tree. According to the techniques of this disclosure, the LHR builds a communication channel with a rendezvous point (RP) router and requests source information for at least one multicast group for which the LHR has interested receivers. The RP responds to the request by looking into a register database maintained by the RP and sending source information indicating at least one source that is actively providing traffic for the at least one multicast group. Based on the response, the LHR initiates a (S,G) PIM Join message toward the at least one source for the at least one multicast group to directly build or join at least one source tree.

Abstract: A controller device is connected to a group of virtual machines and one or more network devices in a network. The controller device is configured to store policies relating to when to start up and when to shut down the virtual machines based on users logging into the network, users logging out of the network, users attempting to access the plurality of virtual machines, and/or particular types of traffic in the network; receive network activity data from a network device of the one or more network devices in the network; identify, based on the network activity data and the policies, a virtual machine, of the group of virtual machines, to start up or shut down; and cause the virtual machine to start up or shut down.

Abstract: In some embodiments, an apparatus includes a scheduler disposed at a control device of a switch fabric system. The scheduler is configured to receive a control plane request associated with the switch fabric system having a data plane and a control plane separate from the data plane. The scheduler is configured to designate a control plane entity based on the control plane request and state information of each control plane entity from a set of control plane entities associated with the control plane and instantiated as a virtual machine. The scheduler is configured to send a signal to a compute device of the switch fabric system in response to the control plane request such that the control plane entity is instantiated as a virtual machine at the compute device.

Abstract: A device receives capability information associated with a next hop device of a wireless local area network (WLAN). The device also determines, based on the capability information, whether the next hop device is capable of implementing security for traffic, where the security includes a media access control (MAC) security standard and a layer 2 link security standard. The device further creates, via the MAC security standard, a secure channel with the next hop device when the next hop device is capable of providing security for traffic.

Abstract: In general, techniques are described for reducing or otherwise preventing micro-loops in network using Source Packet Routing in Networking (SPRING). In some examples, a method includes detecting a failure of a communication by a network device that implements a Source Packet Routing in Networking (SPRING) protocol to forward network packets using node labels according to an initial network topology. Responsive to detecting the failure of the communication link, the network device may apply, for a defined time duration, one or more adjacency labels to network packets to define a set of one-hop tunnels corresponding to a backup sub-path that circumvents the failed communication link. Upon expiration of the defined time duration, the network device may forward, according to a new network topology that is not based on applying the one or more adjacency labels that define the set of one-hop tunnels, network packets destined for the destination network device.

Abstract: Techniques are described for providing robust control plane asserts in a network using Protocol Independent Multicast (PIM) or other routing protocols for controlling delivery of multicast traffic. In one example, a router includes a control unit having a hardware-based processor executing a Protocol Independent Multicast (PIM) protocol. The control unit, when executing the PIM protocol, initiates an election process for selecting, from a plurality of routers, a forwarding router to forward multicast traffic to a shared media computer network. In addition, the control unit determines whether the multicast traffic has been received by the router and outputs, in association with the election process, a PIM assert message that includes an indication as to whether the router has successfully received the multicast traffic.

Abstract: In general, techniques are generally described for reducing or preventing transient black-holing of network traffic in an overlay network. A method includes executing, by a network device included in a link state domain, an Interior Gateway Protocol (IGP) to exchange link-state messages with at least one remote network device in the link-state domain; generating, by the network device, an IGP link-state message that includes link overload information to overload a link in the link-state domain that couples the network device to the remote network device; and sending, by the network device and to the at least one other network device, the IGP link-state message that includes the link overload information to direct the remote network device to stop sending network traffic to the network device using the overloaded link.

Abstract: In general, techniques are described in which packet replicators of a network device cooperate to generate a distributed hierarchical forwarding structure that the packet replicators then use to replicate and forward multicast packets to multiple output interfaces. For example, packet forwarding engines (PFEs) of a router each receive a new list of interfaces for a multicast packet stream. The PFEs individually construct a hierarchical forwarding structure based on the interface list. The hierarchical forwarding structure specifies interrelationships among the PFEs, which occupy nodes within the hierarchy. Each child PFE determines from the hierarchical forwarding structure the identity of a parent PFE and issues a token, constituting forwarding state for the distributed hierarchical forwarding structure, to the parent PFE.