Abstract: In general, techniques are described for performing decentralized packet dispatch. A network device comprising one or more service processing units (SPUs) and an interface may implement the techniques. The interface receives a packet associated with a session and selects a first one of SPUs to dispatch the packet based on first information extracted from the packet. The first one of the SPUs dispatches the packet to a second one of the SPUs based on second information extracted from the packet. The second one of the SPUs performs first pass processing to configure the network security device to perform fast path processing of the packet such that second one of the SPUs applies one or more services to the packet and subsequent packets associated with the same session without application of services to the packets by the first one of the service processing units.

Abstract: A network device determines whether the network device has a local link for a link aggregation group (LAG), and identifies, when the network device has a local link for the LAG, the network device as a designated forwarder for the LAG. The network device also identifies, when the network device does not have a local link for the LAG, a closest network device to the network device, with a local link for the LAG, as the designated forwarder for the LAG.

Abstract: A firewall coordinates with devices in a network to create a distributed filtering system. The firewall detects an attack in the network, such as a distributed denial of service attack, and creates attack information defining characteristics of malicious packets used in the attack. The attack information is forwarded to the devices in the network. The devices use the attack information to configure themselves to detect packets having the characteristics of the malicious packets. After configuration, the devices detect and discard malicious packets.

Abstract: A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.

Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.

Abstract: A network device establishes a logical channel with each server device of multiple server devices, where each logical channel is not shared with another server device of the multiple server devices. The network device also determines a network loopback Internet protocol (IP) address for each server device of the multiple server devices, and associates each network loopback IP address with a corresponding logical channel. The network device further receives a packet destined for a particular server device, and provides the packet to the particular server device via the logical channel associated with the particular server device.

Abstract: This disclosure describes techniques for provisioning a CMTS to re-direct customer traffic into virtualized network functions (NFVs) service chains. This disclosure describes, in one example, techniques for providing linkage between DOCSIS service flows and NFV service chains in the DOCSIS provisioning system by embedding information within cable modem boot files used to configured cable modems within the broadband system. In one example, the techniques facilitate the definition of an NFV service-chain in the DOCSIS cable modem boot file provisioning system. A supported CMTS, CCAP or Edge Router intercepts and interprets the configuration to install packet classifiers that steer specific subscriber flows, as detailed in the DOCSIS cable modem boot file, through the service-chain.

Abstract: This disclosure describes a more efficient and configurable power allocation scheme for redundant power supply (RPS) systems used in network switches. This allocation scheme allows the system owner to assign power from a shared RPS unit to higher priority devices in any network switch in the system. This permits more granularity in assigning the RPS with backup power available to devices such as ports residing within individual switches in a multiple switch network. An efficient power allocation scheme for RPS allows the user to define the system priority of various devices for backup power according to the user's preferences. The user may assign the RPS to user-defined high priority devices in any piece of equipment. This makes RPS power allocation more flexible by offering the user more setup options for backup power.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: In some embodiments, a method includes installing at an access point that (1) includes a first software image and (2) is operatively coupled to a network controller via network, a second software image different from the first software image. The method includes defining in response to the installation, a virtual client disposed in the access point. The virtual client is configured to send to the network controller via the network a first validation data unit that causes the network controller to send a second validation data unit to the access point if the first validation data unit is received by the network controller. The method also includes installing at the access point that includes the second software image, the first software image and uninstalling the second software image if the access point does not receive the second validation data unit in response to the first validation data unit.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. As described herein, a PE router receives a packet from a multi-homed VPLS customer site, and processes the packet to determine a portion of a MAC domain to which the packet corresponds. When the packet is determined to correspond to a portion associated with the PE router, the PE router forwards the packet to the destination in accordance with forwarding protocols executing on the PE router. When the packet is determined to correspond to a portion associated with a second PE router, the PE router forwards the packet to the second PE router via a pseudowire that is external to the VPLS domain, and the second PE router forwards the packet to the destination in accordance with forwarding protocols executing on the second PE router.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors and a memory may be configured to perform the techniques. The one or more processors may be configured to establish a session by which a mobile device is to access a service of a mobile access network, and in response to receiving an incomplete indication to activate usage monitoring with respect to the service provided via the session, configuring the usage monitoring without activating the usage monitoring. The memory may be configured to store the usage monitoring configuration.

Abstract: In some embodiments, an apparatus includes a spectral scanning controller configured to interrupt service at a wireless access point (WAP) such that the WAP performs spectral scanning during service interruption. The spectral scanning controller is configured to interrupt service at the WAP at a first scanning frequency when the spectral scanning controller is in a first configuration. The spectral scanning controller is configured to interrupt service at the WAP at a second scanning frequency different from the first scanning frequency when the spectral scanning controller is in a second configuration. The spectral scanning controller is configured to move from the first configuration to the second configuration in response to a change in at least one of a service demand, a service quality, a spectral scanning demand or a spectral scanning quality.

Abstract: A device may include at least one processor which may access, using a lookup key, a ternary content addressable memory to acquire a lookup result that includes information identifying a group of addresses for accessing a group of static random access memories. The at least one processor may parse the lookup result to identify the group of addresses and may simultaneously access, using the group of addresses, the group of static random access memories, to simultaneously read data from the group of static random access memories. The at least one processor may process a group of packets based on the data.

Abstract: A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: In general, techniques are described for leveraging at least one of a policy control and charging or application detection architecture for an access network to dynamically control value-added services applied to packet flows. In some examples, a policy enforcement device receives a policy rule that defines at least one of policy control and application detection by an access network for a subscriber device. The policy rule includes a service chain identifier that identifies a service chain that defines one or more value-added services to be applied in a particular order to provide a composite service for application to packet flows associated to the service chain. The policy enforcement device receives a packet sourced by the subscriber device and destined to the packet data network, applies the policy rule to the packet to associate the packet to the service chain, and forwards the packet according to the service chain.

Abstract: In general, techniques are described to dynamically adjust a session detection time defined by a timer in accordance with a bidirectional forwarding detection (BFD) protocol. The techniques utilize existing hardware and BFD software infrastructure. An example network device includes a memory, programmable processor(s), and a control unit configured to execute a timer, receive one or more packets provided by the BFD protocol, detect, based on the received one or more packets, a congestion condition associated with a link via which the network device is coupled to a network, adjust, based on the detected congestion condition, a session detection time defined by the timer, and in response to a failure to receive a packet provided by the BFD protocol within the session detection time defined by the timer, detect a failure associated with the link.

Abstract: A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the underlying optical transport path, based on information obtained by the centralized controller from the underlying network components at both layers.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors may be configured to perform the techniques. The one or more processors are configured to establish a session by which a mobile device is to access a service, and in response to receiving an indication to activate a charging rule having an incomplete indication to activate usage monitoring with respect to the service provided via the session, rejecting the charging rule.

Abstract: A network device includes an internal policy engine that makes local policy decisions for packet flows and controls policies applied by service modules and forwarding components of the network device. The policy engine interacts with an external policy server to receive policies using software defined networking (SDN) protocol as if the data plane of the network device were directly exposed to the external policy server by the SDN protocol.