Patents Assigned to Juniper Networks, Inc.
  • Patent number: 9531622
    Abstract: In some embodiments, an apparatus includes a first network control entity within a control plane of a switch fabric system. The first network control entity is configured to receive a first test signal including a test instruction to be implemented within the switch fabric system. The first network control entity is configured to send a second test signal including the test instruction to a second network control entity such that the second network control entity implements the test instruction for a predetermined amount of time.
    Type: Grant
    Filed: May 21, 2015
    Date of Patent: December 27, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Jaihari V. Loganathan, Srinivasan Jagannadhan
  • Patent number: 9531644
    Abstract: In some embodiments, a system includes a set of network control entities associated with a distributed multi-stage switch. Each network control entity from the set of network control entities is configured to manage at least one edge device having a set of ports and coupled to the distributed multi-stage switch. Each network control entity from the set of network control entities is associated with a unique set of identifiers. A network control entity from the set of network control entities is configured to assign a unique identifier from its unique set of identifiers to a port from the set of ports of the at least one edge device in response to the network control entity receiving a login request associated with the port.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: December 27, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Amit Shukla, Joseph White, Ravi Shekhar, Jeevan Kamisetty
  • Publication number: 20160373347
    Abstract: In some embodiments, an apparatus includes a first edge device that is operatively coupled to a second edge device via a switch fabric. The first edge device and the second edge device collectively define an edge device network operating with a network-address-based protocol. The first edge device communicates with the second edge device via a multiprotocol label switching (MPLS) tunnel through the switch fabric. Furthermore, the first edge device is operatively coupled to the switch fabric such that a node of the switch fabric can be modified without coordination of the edge device network. Additionally, the first edge device is operatively coupled to the second edge device to define the edge device network such that an edge device of the edge device network can be modified without coordination of the switch fabric.
    Type: Application
    Filed: August 15, 2016
    Publication date: December 22, 2016
    Applicant: Juniper Networks, Inc.
    Inventor: Kireeti Kompella
  • Publication number: 20160373307
    Abstract: An apparatus includes a destination edge device configured to receive a first validation packet according to a switch fabric validation protocol. The destination edge device is configured to validate multiple data paths through a distributed switch fabric from a source edge device to the destination edge device based on the first validation packet. The destination edge device is configured to send, in response to receiving the first validation packet, a second validation packet to a peripheral processing device. The destination edge device is also configured to send the second validation packet according to a validation protocol different from the first validation protocol.
    Type: Application
    Filed: August 31, 2016
    Publication date: December 22, 2016
    Applicant: Juniper Networks, Inc.
    Inventors: Ashwani Kumar Mehra, Srikar Rajamani, Saurabh Saksena
  • Patent number: 9509637
    Abstract: In some embodiments, an apparatus includes a scheduler disposed at a control device of a switch fabric system. The scheduler is configured to receive a control plane request associated with the switch fabric system having a data plane and a control plane separate from the data plane. The scheduler is configured to designate a control plane entity based on the control plane request and state information of each control plane entity from a set of control plane entities associated with the control plane and instantiated as a virtual machine. The scheduler is configured to send a signal to a compute device of the switch fabric system in response to the control plane request such that the control plane entity is instantiated as a virtual machine at the compute device.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: November 29, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Ravi Shekhar, Quaizar Vohra, Michael O'Gorman, Aleksandar Ratkovic, Jean-Marc Frailong, Shesha Sreenivasamurthy
  • Patent number: 9497163
    Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: November 15, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
  • Patent number: 9497124
    Abstract: A computer-implemented method for load balancing multicast traffic may include (1) identifying a plurality of switches that include at least a first switch that is connected to a second switch by a first path and a second path, (2) calculating a plurality of multicast distribution trees for distributing multicast traffic among the plurality of switches that includes (i) a first tree that includes the first path and whose root is different than the root of a second tree and (ii) the second tree that includes the second path, (3) receiving a plurality of multicast packets ingress to the plurality of switches at the first switch, and (4) using at least two of the plurality of multicast distribution trees to transmit the plurality of multicast packets from the first switch to the second switch. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: November 15, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Qiang Wu, Xichun Hong
  • Patent number: 9497179
    Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: November 15, 2016
    Assignee: Juniper Networks, Inc.
    Inventor: Roger A. Chickering
  • Patent number: 9495428
    Abstract: In general, techniques are described to enable selective viewing of data output in response to a command. The techniques provide generic mechanisms to filter output solicited by commands supported by current and future implementations of an interface. An example device receives from a client device an input comprising an operational command and a selection request that specifies a field identifier. A schema enumeration module of the device assigns a unique element number to each element of a class of elements defined by a schema, forming an enumerated schema. An interface of the device receives data conforming to a data description language, and a filtering module filters the textual output by mapping the field identifier specified in the selection request to a unique element number of the enumerated schema. A rendering module renders the filtered data into filtered textual output. The device transmits the filtered textual output to the client device.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: November 15, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Sachin Kumar Rastogi, Nilesh Kantilal Simaria
  • Patent number: 9490995
    Abstract: A computing device is configured to receive information for setting up a simulation of a device. The computing device is further configured to request one or more modules corresponding to one or more features associated with the simulation. The computing device is further configured to receive the one or more modules. The computing device is further configured to perform the simulation using the one or more modules and the different modules. The computing device is further configured to determine that the simulation requires debugging based on a result of the simulation. The computing device is configured to further debug the simulation based on determining that the simulation requires debugging, and provide the result of the simulation including information associated with the debugging of the simulation.
    Type: Grant
    Filed: November 1, 2012
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Christopher R. Salvo, Bruce A. Florip
  • Patent number: 9491042
    Abstract: In one example, a network device includes one or more network interfaces configured to receive a message according to a protocol for reserving a public Internet protocol (IP) address and port for a network connection and to receive one or more packets of a packet flow associated with the public IP address and the port for the network connection, and one or more processors comprising a primary service device, wherein the processors are configured to determine whether the message includes an indication that the network connection is to be checkpointed for high availability, and wherein the primary service device is configured to, based on the indication, checkpoint data of at least one of the received packets to a backup service device. Accordingly, a message of a protocol for reserving a public network address and port may be used to indicate whether a network connection should be checkpointed for high availability.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventor: Suresh Kumar Vinapamula Venkata
  • Patent number: 9491107
    Abstract: This application describes techniques for replicating data at a primary routing engine of a network device before processing the data at a transport layer of the primary routing engine, wherein the data is to be sent to a routing peer via a routing communication session, and sending the replicated data to a secondary routing engine of the network device to be processed at a transport layer of the secondary routing engine. The secondary routing engine, in response to detecting that a socket buffer for buffering the replicated data has reached a predefined high occupancy threshold, outputs a notification to the primary routing engine. In response to receiving the notification, an application-layer routing process of the primary routing engine refrains from sending at least some of a plurality of routing updates to the routing peer, and continues to send keepalive messages for the routing communication session to the routing peer.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: John Galen Scudder, Martin Djernaes, Sameer Seth
  • Patent number: 9491092
    Abstract: The disclosed apparatus may include a physical link that facilitates communication for a plurality of customer networks connected to a service provider network. The apparatus may also include a network device communicatively coupled to the physical link. The network device may identify first and second route-update messages that advertise a plurality of route targets representing the plurality of customer networks to at least one other network device within the service provider network. The network device may remove a route target from the first route-update message due at least in part to the physical link no longer facilitating communication for a customer network represented by the route target. The network device may then maintain the second route-update message intact despite the removal of the route target from the first route-update message. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Ryan Bickhart, Disha Chopra, Wen Lin, Hassan Hosseini
  • Patent number: 9491165
    Abstract: A first device may receive a first password from a second device. The first password may be generated based on first time information and first location information identifying a geographic location of the second device. The first device may determine a second password based on second time information and second location information identifying the geographic location of the second device. The first device may determine that the second device is located at the geographic location at a particular time when characters in the first password match characters in the second password, and may provide a service based on determining that the second device is located at the geographic location at the particular time.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventor: Srikanth Prabhu Koneru
  • Patent number: 9491089
    Abstract: A virtual device includes multiple devices connected to operate as a single device. A first one of the devices is configured to determine that the first device connects to a second one of the devices via a first link; identify a second link; determine that the second link connects the first device to the second device; and automatically aggregate the first link and the second link to form a link aggregation with the second device based on determining that the first device connects to the second device via both the first and second links. The first device is further configured to transmit packets to the second device via the first and second links of the link aggregation.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Megh Bhatt, Harshad Nakil, Rajashekar Reddy, Saurabh Agarwal, Sai Ganesh Sitharaman
  • Patent number: 9491090
    Abstract: In some embodiments, a switch module is configured to receive from a first edge device a multicast data unit having a VLAN identifier. The switch module is configured to select a set of port modules based on the VLAN identifier. The switch module is configured to define an unmodified instance of the multicast data unit for each port module from the set of port modules. The switch module is configured to send the unmodified instance of the multicast data unit to each port module from the set of port modules, such that each port module applies a filter to the received instance of the multicast data unit to restrict that received instance of the multicast data unit from being sent to a second edge device via that port module if the second edge device is associated with a VLAN domain different than a VLAN domain of the first edge device.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: November 8, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Abhay Kumar, Pavan Kumar Tappal Ramakrishnaiah, Ravi Shekhar, Amit Kumar Saha, Easwar Swaminathan
  • Patent number: 9485194
    Abstract: Access switches in a switching system may use virtual aggregated links. When a link between an aggregation switch and an access switch fails, the link failure may be reflected in the virtual aggregated link and data traffic to another access switch may be switched away from the failed switch. A forwarding table in the access switch stores a number of entries that each define a correspondence between destination addresses and an output identifier for the switch. At least a first output identifier includes an aggregated link that represents a first set of possible output links. At least a second output identifier includes a virtual aggregated link, associated with a second network switch that represents a second set of possible output links. Destination addresses in the forwarding table for the virtual aggregated link correspond to network devices connected to the second network switch.
    Type: Grant
    Filed: May 13, 2013
    Date of Patent: November 1, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Ankur Singla, Harshad Nakil, Rajashekar Reddy, Hampapur Nagaraj Ajay
  • Patent number: 9485138
    Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.
    Type: Grant
    Filed: February 24, 2015
    Date of Patent: November 1, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Abhijit Choudhury, James Murphy, Pranay Pogde, Shine-Chu Wang, Rajagopalan Sivaramakrishnan, Raghavendra Mallya, Ileana Membreno, Sandip Shah, Yung-Ching Tseng
  • Patent number: 9485216
    Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this way, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: November 1, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Siying Yang, Krishna Narayanaswamy
  • Patent number: 9485141
    Abstract: In general, techniques are described for ensuring the distribution of Virtual Private Network (VPN) routes in a service provider network configured with multiple VPN services. In some examples, a network device receives configuration data that defines a VPN service associated with a route target. The network device, responsive to receiving the configuration data, sends a request for routes that match a type of the VPN service to a routing protocol speaker. The network device receives routes that match the type of the VPN service and are associated with the route target, and installs the routes that match the type of the VPN service and are associated with the route target to the routing information base. The network device forwards traffic for the VPN service in accordance with the installed routes.
    Type: Grant
    Filed: August 10, 2015
    Date of Patent: November 1, 2016
    Assignee: Juniper Networks, Inc.
    Inventor: Lili Wang