Abstract: In some embodiments, an apparatus includes a switch fabric having at least a first switch stage and a second switch stage, an edge device operatively coupled to the switch fabric and a management module. The edge device is configured to send a first portion of a data stream to the switch fabric such that the first portion of the data stream is received at a queue of the second switch stage of the switch fabric via the first switch stage of the switch fabric. The management module is configured to send a flow control signal configured to trigger the edge device to suspend transmission of a second portion of the data stream when a congestion level of the queue of the second switch stage of the switch fabric satisfies a condition in response to the first portion of the data stream being received at the queue.

Abstract: A device may receive a digital voucher, a customer certificate, and configuration information for automatically configuring the device. The digital voucher may include a first customer identifier that identifies a customer associated with the device and a device identifier that identifies the device. The customer certificate may include a second customer identifier that identifies the customer and a customer public key associated with the customer. The configuration information may include information that identifies a configuration for automatically configuring the device. The device may validate at least one of the digital voucher, the customer certificate, or the configuration information. The device may configure the device, using the configuration, based on validating at least one of the digital voucher, the customer certificate, or the configuration information.

Abstract: Embodiments of the invention describe flexible (i.e., elastic) data center architectures capable of meeting exascale, while maintaining low latency and using reasonable sizes of electronic packet switches, through the use of optical circuit switches such as optical time, wavelength, waveband and space circuit switching technologies. This flexible architecture enables the reconfigurability of the interconnectivity of servers and storage devices within a data center to respond to the number, size, type and duration of the various applications being requested at any given point in time.

Abstract: A device may receive a packet that includes a destination address. The device may analyze a first Bloom filter, based on the destination address, in order to identify a prefix range entry associated with the destination address and included in a set of prefix range entries associated with the first Bloom filter. The device may analyze a second Bloom filter, based on the destination address and the identified prefix range entry, in order to identify a prefix length entry associated with the destination address and included in a set of prefix length entries associated with the second Bloom filter. The device may determine routing information associated with the identified prefix length entry. The routing information may identify a longest prefix match associated with the destination address. The device may provide the packet based on the routing information.

Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may an indication of whether the object is an evasive malicious object.

Abstract: A method may include obtaining a match vector that indicates one or more filter rules that are potentially applicable to a packet. The method may include partitioning the match vector into a plurality of segments. The method may include generating a summary vector that identifies one or more portions of the match vector that include one or more match bits. A match bit may indicate one of the one or more filter rules that is potentially applicable to the packet. The method may include obtaining a relevant segment of the match vector. The relevant segment may include at least one of the portions of the match vector identified by the summary vector. The method may include determining a filter rule to apply based on the match vector and based on the one or more match bits. The method may include applying the filter rule to the packet.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: An apparatus includes a network management module to store a network configuration file. The network configuration file having a binding association with an identifier of a port from a plurality of ports of a switch fabric when the network management module is in a first configuration. The network management module selects the network configuration file based on the binding association with the identifier if the port in response to an access switch being operatively coupled to the port. The network configuration file having a binding association with an identifier of the access switch when the network management module is in a second configuration. The network management module selects the network configuration file based on the binding association with the identifier of the access switch in response to the access switch being operatively coupled to the port.

Abstract: Network (cloud) based customer premises equipment may receive, over a broadband access circuit, layer 2 traffic from an access device at a customer premises; provide dynamic host configuration protocol (DHCP) services for computing devices at the customer premises, the DHCP services providing Internet Protocol (IP) addresses to the computing devices at the customer premises; and provide network address translation (NAT) services for the computing devices at the customer premises.

Abstract: An example router includes a control unit configured to receive virtual private network (VPN) routing and forwarding table (VRF) configuration data defining a VRF for a VPN and VPN address space for the VPN, receive configuration data defining a measurement endpoint for measuring performance of a layer 3 (L3) service and associating the measurement endpoint with a remote measurement endpoint of a remote router. The control unit is configured to encapsulate, to generate a flow measurement packet, a layer 2 (L2) measurement packet in a layer 4 (L4) header and an L3 header, where the L3 header includes a source L3 address within the VPN address space and associated with the measurement endpoint, and where the L3 header includes a destination L3 address within the VPN address space and associated with the remote measurement endpoint. The control unit is configured to output the flow measurement packet to the remote router.

Abstract: A device may receive a password-protected file to be accessed for analysis. The device may identify a contextual term, associated with the password-protected file, to be used as a password to attempt to access the password-protected file. The contextual term may be identified based on at least one of: metadata associated with the password-protected file, metadata associated with a source from which the password-protected file is received, or text associated with the source from which the password-protected file is received. The device may apply the contextual term as the password to attempt to access the password-protected file.

Abstract: Techniques are described for determining latency in a physical network that includes a number of network devices over which packets travel. A virtual network controller receives a plurality of messages from a plurality of network devices in a network, each of the messages including a packet signature comprising a hash of an invariant portion of an original packet that uniquely identifies the original packet, an identifier of one of the plurality of network devices from which the respective message was received, and a timestamp indicating a time an original packet was processed by the network device from which the respective message was received. The virtual network controller determines a latency of a physical network path in the network based on analysis of contents of the identified messages having a common packet signature.

Abstract: A device may receive configuration information for generating an application probe. The application probe may be used to request network information, associated with an application, from network devices. The device may determine, based on the configuration information, traffic parameters associated with the application. The device may determine a requested type of network information to be requested from the network devices. The device may generate the application probe by including, in the application probe, the traffic parameters and information identifying the requested type of network information. The device may transmit the application probe to a network device of the network devices. The device may receive, from the network device and based on transmitting the application probe, a value associated with the requested type of network information.

Abstract: A network device is provided in a private virtual local area network (VLAN). The network device receives a packet on one of multiple private VLAN ports of the network device, and assigns a classified VLAN signature to the packet. The network device also assigns a primary VLAN signature to the packet, and stores a media access control (MAC) address and the classified VLAN signature of the packet in a single MAC address table.

Abstract: The disclosed apparatus may include a set of router components that are consuming electrical power in connection with a router that facilitates network traffic within a network. The apparatus may also include a power-optimization unit communicatively coupled to the set of router components. The power-optimization unit may detect at least one router component included in the set of router components that is not currently being used by the router to facilitate the network traffic within the network. In response to detecting the router component that is not currently being used by the router, the power-optimization unit may shut off the router component such that the router component no longer consumes electrical power in connection with the router. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file. The device may generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain information, associated with the one or more client devices, using the remote access. The device may provide information indicating whether the one or more client devices are infected by the malicious file based on the file identification information and the information associated with the one or more client devices.

Abstract: A method includes receiving multicast traffic intended for host devices; identifying a flow associated with the multicast traffic; retrieving information associated with a group of multicast trees, where the group of multicast trees includes information associated with a group of I/O units, associated with a network node; identifying a particular tree that corresponds to the identified flow, where the particular tree includes information associated with a set of I/O units; and transferring the multicast traffic to an I/O unit, of the set of I/O units, based on the identification of the particular tree, where the transferring enables the I/O unit to send a copy of the multicast traffic to other I/O units of the set of I/O units, and the set of I/O units to process the multicast traffic in a manner that utilizes bandwidth or processing resources in a controlled manner and to send a copy of the multicast traffic to each of the host devices.

Abstract: A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Abstract: Techniques are described for an electronic device in which a communication plane having a plurality of slots for receiving communication cards further includes an interface for receiving a pluggable module that operates to relay signals within the communication plane. The electronic device includes a plurality of removable communication cards and a communication plane having slots for receiving the plurality of removable communication cards. The electronic device also includes the pluggable module that is removably coupled to and external from the communication plane. The pluggable module receives a signal from a transmitting communication card from off of the communication plane, compensates for loss experienced by the signal or loss that will be experienced by the signal, and transmits the compensated signal back onto the communication plane and to a receiving communication card.

Abstract: Dynamic control channel establishment for an access network is described in which a centralized controller provides seamless end-to-end service from a core-facing edge of a network to access nodes. For example, a method includes receiving, by the centralized controller, a discover message originating from a network node, which includes an intermediate node list that specifies a plurality of network nodes the discover message traversed from the network node to an edge node, determining, based on the plurality of nodes specified by the discover message, a path from the edge node to the network node, allocating each of a plurality of Multi-protocol Label Switching (MPLS) labels to a respective outgoing interface of each of the plurality of network nodes, and outputting one or more control messages for configuring the network node, wherein the control messages are encapsulated within a label stack comprising the allocated plurality of labels.