Abstract: System and methods for deriving configuration information of network resources within a dynamically configured, distributed control plane are described. In one embodiment, the present invention can include a network management device that manages virtual network entities, such as virtual switch fabrics, where the network management device hosts a network management module. The network management module is configured to maintain identifiers for the virtual network entities and the control plane connectivity data of the network devices hosting the virtual network entities.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a plurality of servers interconnected by a switch fabric comprising a plurality of switches interconnected to form a physical network. Each of the servers comprises an operating environment executing one or more virtual machines in communication via one or more virtual networks. The servers comprise a set of virtual routers configured to extend the virtual networks to the operating environments of the virtual machines. A virtual router of the set of virtual routers is configured to aggregate a plurality of inbound tunnel packets according to a same virtual network identifier in order to generate an aggregate tunnel packet. The virtual router is further configured to route the aggregate tunnel packet to a host associated with a virtual network identified by the same virtual network identifier.

Abstract: A device receives, from a client device, a request for a resource, and accesses a table that includes one or more items of information. The device compares information provided in the request to the one or more items of information provided in the table, and terminates a connection for the request at the device when the information provided in the request matches at least one of the one or more items of information provided in the table. The device forwards the request to a network when the connection is not terminated at the device, and selects a target device for the resource when the connection is terminated at the device.

Abstract: A device may be configured to store virtual identifier information indicating virtual identifiers associated with servers. The virtual identifier information may associate a quantity of virtual identifiers with each respective server of the servers based on a weight associated with the respective server. The device may receive an object identifier identifying an object to be processed by at least one of the servers. The device may calculate hash values for the virtual identifiers based on the object identifier. The device may determine a virtual identifier associated with a hash value that satisfies a particular condition. The device may select a server associated with the virtual identifier. The device may send an instruction to the server to process the object.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors may be configured to perform the techniques. The one or more processors are configured to establish a session by which a mobile device is to access a service, and in response to receiving an indication to activate a charging rule having an incomplete indication to activate usage monitoring with respect to the service provided via the session, rejecting the charging rule.

Abstract: A device may receive usage information, associated with a group of client networks, including particular usage information associated with a particular client network. The device may receive threat information, associated with the group of client networks, including particular threat information associated with the particular client network. The device may determine a baseline based on the usage information. The device may determine a normalization function, associated with the particular client network, based on the baseline and the particular usage information. The device may determine normalized threat information, associated with the particular client network, based on the normalization function and the particular threat information. The device may determine overall normalized threat information associated with the group of client networks. The device may compare the normalized threat information and the overall normalized threat information.

Abstract: A virtual private network (VPN) device is described that provides a strict anti-replay mechanism for packets in a group VPN. An example first VPN device includes one or more processors, one or more network interfaces configured to receive a packet having an encryption header that includes a group VPN member identifier association with a second VPN device and a sequence number, wherein the first and second VPN devices are members of a group VPN, a data repository configured to store a window of sequence numbers maintained by the first VPN device for the second VPN device, and a VPN session management module operable by the one or more processors to identify the window of sequence numbers based on the group VPN member identifier, determine whether the sequence number of the header is included in the window of sequence numbers, and process the packet based on the determination.

Abstract: This disclosure describes a more efficient and configurable power allocation scheme for redundant power supply (RPS) systems used in network switches. This allocation scheme allows the system owner to assign power from a shared RPS unit to higher priority devices in any network switch in the system. This permits more granularity in assigning the RPS with backup power available to devices such as ports residing within individual switches in a multiple switch network. An efficient power allocation scheme for RPS allows the user to define the system priority of various devices for backup power according to the user's preferences. The user may assign the RPS to user-defined high priority devices in any piece of equipment. This makes RPS power allocation more flexible by offering the user more setup options for backup power.

Abstract: A system may include receiving a packet, of a packet stream, including control tags in a header portion of the packet and classifying each of the control tags into a category selected from a set of possible categories. The set of possible categories may include an unambiguous interposable (UI) category that is assigned to a control tag that corresponds to an unambiguous parsing interpretation and that is interposable within a sequence of the control tags, and an ambiguous interposable (AI) category that is assigned to a control tag in which the control tag has an ambiguous parsing interpretation and in which the control tag is interposable within the sequence of the control tags. The method may further include determining parsing operations to perform for the packet based on the classified categories of the control tags and based on the packet stream of the packet.

Abstract: A device may include multiple power supplies that are cooled by a system fan. The power supplies may be cross-connected to supply power to one another and the device may monitor temperatures of the power supplies. Based on the temperatures of the power supplies, the device may determine whether any of the power supplies are likely to be on fire. The device may shut off the fan when a power supply is determined to be likely to be on fire.

Abstract: Techniques are described for separating control plane functions in a network device using virtual machines. The techniques include initializing multiple virtual machine instances in a control unit of a standalone router, and running different control processes for the router in each of the virtual machines. For example, in a root system domain (RSD)-protected system domain (PSD) system, a control unit of the standalone router may support a RSD virtual machine (VM) and one or more PSD VMs configured to form logical devices and execute logically separate control processes without requiring physically separate, hardware-independent routing engines to form the PSDs. Each of the RSD VM and PSD VMs includes a separate kernel, an operating system, and control processes for the logical device. When a software failure occurs in the PSD VM, the PSD VM may perform a software failover without affecting the operation of the RSD VM.

Abstract: A device may store, in a data structure, a set of link identifiers, that identifies a set of member links included in a link aggregation group, in association with a set of packet parameters. The device may receive a network packet. The device may determine a particular packet parameter, of the set of packet parameters, associated with the network packet. The device may route the network packet via a particular member link, of the set of member links, identified by the particular link identifier.

Abstract: Network devices can use maximally redundant trees (MRTs) for delivering traffic streams across a network, and for transitioning traffic to a new set of MRTs after a topology change, without dropping traffic. The disclosure describes distributed computation of a set of MRTs from one or more ingress devices to one or more egress devices of the network. In one example, network devices in a network compute a set of MRTs, and establish a set of LSPs along the paths of the set of MRTs. After a change to the network topology, convergence sequencing is managed by a central controller, which centrally orchestrates the sequence for moving traffic from being sent on the old MRT paths to being sent on newly computed MRT paths after the controller determines that all new MRT forwarding state has been installed on the network devices.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: In some embodiments, an apparatus includes a management module configured to assign a unique set of identifiers to each network control entity from a set of network control entities. As a result, a network control entity from the set of network control entities can assign an identifier from its unique set of identifiers to a port in response to that network control entity receiving a login request from the port. The set of network control entities is associated with a distributed multi-stage switch. The management module is also configured to store a zone set database associated with the distributed multi-stage switch. The management module is configured to send an instance of an active zone set stored within the zone set database to each network control entity from the set of network control entities such that each network control entity can enforce the active zone set.

Abstract: The disclosed apparatus may include a storage device and a secure counter. The apparatus may also include a tamper-logging component that (1) detects an action that is associated with booting untrusted images from the storage device and, in response to detecting the action, (2) securely logs the action by incrementing the secure counter. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors and a memory may be configured to perform the techniques. The one or more processors may be configured to establish a session by which a mobile device is to access a service of a mobile access network, and in response to receiving an incomplete indication to activate usage monitoring with respect to the service provided via the session, configuring the usage monitoring without activating the usage monitoring. The memory may be configured to store the usage monitoring configuration.

Abstract: A computer-implemented method for virtualizing customer-premises equipment may include (1) receiving, at a service provider's network, at least one flow of network traffic from a remote device included in a user's private network, (2) identifying, within the flow of network traffic, at least one potentially non-unique private address that represents the remote device with respect to the user's private network, (3) determining at least one unique routable address that represents the remote device with respect to the service provider's network based at least in part on a network interface assigned to the user's private network and the potentially non-unique private address, and then (4) translating the potentially non-unique private address to the unique routable address to facilitate routing return network traffic to the remote device in connection with the flow of network traffic. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: In some embodiments, an equipment unit has a set of visual indicators, a power switch, and a set of compute components. The power switch receives a signal representing a status such that when the status is in a first mode, the power switch provides power to the set of visual indicators and when the status is in a second mode the power switch does not provide power to the set of visual indicators. The compute components are configured to receive power when the power switch does not provide power to the set of visual indicators.

Abstract: A computer-implemented method for managing access to services provided by wireline service providers may include (1) receiving at least one request from a subscriber device to authorize access to at least one service, (2) authenticating the subscriber device with an access gateway of a wireline service provider based at least in part on the request, (3) generating a unique session identifier that uniquely identifies the subscriber device during a service-access session, (4) delivering the unique session identifier to a management server of the wireline service provider to enable the management server to authenticate the subscriber device with at least one network device that provides the service based at least in part on the unique session identifier, and then (5) facilitating access by the subscriber device to the service provided by the network device during the service-access session. Various other systems, methods, and computer-readable media are also disclosed.