Abstract: A computer-implemented method for load balancing multicast traffic may include (1) identifying a plurality of switches that include at least a first switch that is connected to a second switch by a first path and a second path, (2) calculating a plurality of multicast distribution trees for distributing multicast traffic among the plurality of switches that includes (i) a first tree that includes the first path and whose root is different than the root of a second tree and (ii) the second tree that includes the second path, (3) receiving a plurality of multicast packets ingress to the plurality of switches at the first switch, and (4) using at least two of the plurality of multicast distribution trees to transmit the plurality of multicast packets from the first switch to the second switch. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A system may comprise a first device and a second device associated with a Clos architecture. The first device may include a first crossbar that comprises a first component, a second component, and a third component. The second device may include a second crossbar that comprises a fourth component, a fifth component, and a sixth component. The first component may connect to the second component and the fifth component. The second component may connect to the first component, the third component, the fourth component, and the sixth component. The third component may connect to the second component and the fifth component. The fourth component may connect to the second component and the fifth component. The fifth component may connect to the first component, the third component, the fourth component, and the sixth component. The sixth component may connect to the second component and the fifth component.

Abstract: A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.

Abstract: A computer-implemented method for increasing the scalability of software-defined networks may include (1) maintaining a set of databases collectively configured to (i) store a set of flow entries that direct network traffic within a software-defined network and (ii) facilitate searching the set of flow entries based at least in part on at least one key whose size remains substantially constant irrespective of the number of flow entries within the set of flow entries, (2) detecting a request to perform an operation in connection with a flow of data packets within the software-defined network, (3) identifying at least one attribute of the flow of data packets in the request, and then (4) searching, using the attribute of the flow of data packets as a database key, at least one database within the set of databases to facilitate performing the operation. Various other methods, systems, and apparatuses are also disclosed.

Abstract: An apparatus and method are described for compensating for frequency and phase variations of electronic components by processing packet delay values. In one embodiment, a packet delay determination module determines packet delay values based on time values associated with a first and a second electronic component. A packet delay selection module selects a subset of the packet delay values based on the maximum frequency drift of the first electronic component. A statistical parameter determination module evaluates a first and a second parameter based on portions of the subset of packet delay values. A validation module validates the parameters when each portion the subset of packet delay values includes a minimum of at least two packet delay values. An adjustment module compensates for at least one of a frequency variation and a phase variation of the first electronic component based on the parameters if the parameters are both validated.

Abstract: In general, techniques are described for performing packet loss measurement in a distributed data plane. In one example, a local router includes a plurality of forwarding units that implement a distributed data plane. First and second forwarding units may switch layer two (L2) packet data units (PDUs) between the local router and a remote router using a virtual path. The first and second forwarding may unit may increment, in response to processing any PDU of the PDUs for the virtual path, respective counters stored by the first and second forwarding units. The first and second forwarding units may update, based on the respective counters, a loss-measurement packet (LMP). For instance, the first forwarding unit, upon updating the LMP, may internally forward the LMP to the second forwarding unit. The second forwarding unit, upon updating the LMP, may send the LMP to the remote router.

Abstract: In general, techniques are described for performing a mass withdrawal of media access control (MAC) addresses using a reduced number of route withdrawal messages within a singly-homed segment of an Ethernet Virtual Private Network (EVPN). The techniques may include determining a segment identifier of the segment and sending a route advertisement to advertise a route for the segment identifier to a provider edge network device. The techniques may include sending a route advertisement to advertise one or more media access control (MAC) routes for the layer two segment. The techniques may also include, responsive to determining a link failure between a first provider edge network device and a customer edge network device, sending a withdrawal message to the second provider edge network device for the route associated with the segment identifier to withdraw all of the plurality of MAC routes at the second provider edge network device.

Abstract: An intrusion detection system inspects encapsulated packet flows and, upon detecting a malicious encapsulated packet flow, may close an encapsulated network session corresponding to the malicious flow or drop sub-packets of the malicious flow without acting against non-malicious sub-packets and/or sessions.

Abstract: In general, techniques are described for configuring a provider edge (PE) network device of an Ethernet virtual private network (EVPN) to use a common traffic engineering label (e.g., MPLS label) for different EVPN route types associated with the same EVPN. In some examples, the techniques include sending a first layer three (L3) control plane message that indicates a label-switched network protocol label that corresponds to a first EVPN route type, wherein the first L3 control plane message indicates that a first PE network device is reachable in the L2 segment. The techniques may include performing L2 address learning to determine at least one L2 address associated with the layer two segment of the EVPN. The techniques may include sending a second L3 control plane message that indicates the same label included in the first L3 control plane message corresponds to a second EVPN route type.

Abstract: In some embodiments, an apparatus includes a first Fiber Channel (FC) switch configured to be operatively coupled to an FC network device and a second FC switch. The first FC switch is configured to receive, from the FC network device, a first control packet. The first FC switch is further configured to send to the second FC switch, based on the first control packet, a second control packet defined based on a decentralized control plane protocol. The second control packet includes information associated with an FC route that is associated with the FC network device such that the second FC switch can route FC data packets to the FC network device using an FC data plane protocol.

Abstract: A system includes a storage device to store information associated with virtual nodes that correspond to network nodes. The system also includes a server to install a virtual node that corresponds to one of the network nodes, based on the information associated with the virtual node, where installing the virtual node includes creating a logical interface via which traffic is to be sent to, or received from, other virtual nodes; start the virtual node to create an operating virtual node based on a copy of an operating system that is run on the network node, where starting the virtual node causes the operational virtual node to execute the copy of the operating system; and cause the operating virtual node to communicate with a virtual network that includes the virtual nodes, where causing the operating virtual node to communicate with the virtual network enables the operating virtual node to receive or forward traffic associated with the virtual network.

Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: A firewall device may include a forwarding component that includes a filter block. The filter block may obtain a first hardware-implemented filter, where a hardware implementation limits the first hardware-implemented filter to a maximum quantity of rules; determine whether a last rule associated with the accessed hardware-implemented filter includes a split-filter action, where the split-filter action identifies a second hardware-implemented filter; and link the second hardware-implemented filter to the first hardware-implemented filter to make the second hardware-implemented filter a logical continuation of the first hardware-implemented filter, in response to determining that the last rule includes the split-filter action.

Abstract: The disclosure describes techniques to pre-compute the effect of modifying components in a data center switch prior to actually modifying the components. A data center analyzer is configured to discover the topology of the switch and present an editable version of the topology to a data center administrator. The data center analyzer receives proposed modifications to the current topology, including removed, replaced or updated components, and applies a non-distributed copy of the traffic distribution algorithm to the modified topology to compute an expected traffic distribution and traffic metrics. The administrator may then determine whether to modify the components based on the expected traffic distribution and associated traffic metrics. When the administrator allows modification of the components, the data center analyzer may compute and install alternative routing paths for components in the data center switch to minimize data loss due to the modified components.

Abstract: A non-transitory processor-readable medium storing code representing instructions to be executed by a processor includes code to cause the processor to receive from a wireless access point (WAP) device frequency-domain data associated with signals received at the WAP device from a wireless device during a time period. The code includes code to determine multiple frequency-domain magnitudes associated with the frequency-domain data for the time period to define a spectral magnitude signature associated with the frequency-domain data. Each frequency-domain magnitude from the multiple frequency-domain magnitudes is uniquely associated with a frequency bin from multiple mutually-exclusive frequency bins associated with the frequency domain data. The code also includes code to identify a spectral response deviation associated with the spectral magnitude signature and send a location identifier associated with a location of the wireless device based on the spectral response deviation.

Abstract: A device may receive, from a first device, a first message that includes a first random cookie and a session cookie. The device may provide the first message to a second device. The device may receive, from the second device, a second message that includes a response to the first message. The device may generate a second random cookie. The second random cookie may be different from the first random cookie. The device may provide, to the first device, the second random cookie, the session cookie, and the response.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.

Abstract: A network service database stores abstractions of services provided by network elements. The network elements may proactively initiate communication with the service database. Additionally, network elements may update the service database when the network element experiences a state change. Client applications may contact the service database to perform functions, such as provisioning network services, billing, and fault monitoring without having to be concerned with the underlying details of each of the network elements.

Abstract: In some embodiments, a method includes storing a set of data point values. Each data point value from the set of data point values is associated with a compute device from a set of compute devices that are included in a data center. The method also includes receiving a selection indicative of a region of the data center. A portion of the set of compute devices is disposed within the region of the data center. The method further includes sending a signal to display a topological map that includes a set of indicators. Each indicator from the set of indicators is associated with a compute device from the portion of the set of compute devices. A characteristic of an indicator from the set of indicators is based on a data point value of a respective compute device.