Abstract: A security device may receive information identifying a set of conditions for providing countermeasure code to a client device. The security device may receive information identifying an action to be performed when the countermeasure code is executed by the client device, and may determine the countermeasure code to be provided to the client device when the set of conditions is satisfied. The security device may receive a request from the client device, and may determine a response to the request. The response may include response code for serving content of a web page to the client device. The security device may determine that the set of conditions has been satisfied, and may insert the countermeasure code into the response code. The security device may provide the response code and the countermeasure code to the client device, and the countermeasure code may cause the client device to perform the action.

Abstract: A server device is configured to receive a request to identify a manner in which changed code propagates within an application; generate a group of blocks that correspond to code associated with a parent function corresponding to the application and which includes the changed code; perform an intra-procedural analysis on the group of blocks to identify a block that is affected by the changed code included within an epicenter block; perform an inter-procedural analysis on functions associated with the block, where, when performing the inter-procedural analysis, the server device is to generate another group of blocks associated with the functions, and identify another block that is affected by the changed code included within the epicenter block; and present, for display, information associated with the block or the other block that enables the application to be tested based on the block or the other block.

Abstract: In general, techniques are described to enable selective viewing of data output in response to a command. The techniques provide generic mechanisms to filter output solicited by commands supported by current and future implementations of an interface. An example device receives from a client device an input comprising an operational command a selection request that specifies a field identifier. A schema enumeration module of the device assigns a unique element number to each element of a class of elements defined by a schema, forming an enumerated schema. An interface of the device receives data conforming to a data description language, and a filtering module filters the textual output by mapping the field identifier specified in the selection request to a unique element number of the enumerated schema. A rendering module renders the filtered data into filtered textual output. The device transmits the filtered textual output to the client device.

Abstract: An aggregation node establishes a first session using a traffic-engineering label distribution protocol. The first session has a next hop adjacent to the aggregation node and positioned within a same network as the aggregation node. The aggregation node also establishes a second session using a traffic-engineering label distribution protocol, wherein the second session has a remote next hop positioned at a border between the network and a second network. The aggregation node sends a message destined for the remote next hop over the second session for establishing an end-to-end traffic engineered label switched path for a FEC specified in a label request message received from an access node, wherein the message includes the same the data indicating constraint information that was received by the aggregation node in the label request message.

Abstract: A device may be configured to receive information regarding one or more ports associated with a routing device; output, to the routing device, filter information associated with at least a particular port, of the one or more ports associated with the routing device, the filter information specifying one or more conditions associated with traffic of interest; receive, from the routing device, and based on the outputted filter information, information regarding traffic of interest received or sent by the routing device via the particular port, the traffic of interest being less than or equal to all traffic received or sent by the routing device via the particular port; and store or output a representation of at least a portion of the received information regarding the traffic of interest.

Abstract: Methods, systems, and apparatus, including computer program products for receiving a request for access to a first item of content stored on resources of a storage environment, the request for access being initiated by a first user, identifying an existing resource allocation arrangement associating elements of the first item of content with respective elements of the resources of the storage environment, performing an inquiry to determine whether an admission condition is satisfied, and upon satisfaction of the admission condition, generating a specification of an access operation, the access operation configured to enable a selected set of elements among the respective elements of the resources of the storage environment to be accessed.

Abstract: In general, techniques are described for automatically discovering services in computer networks. A service node comprising a control unit and an interface may implement the techniques. The control unit determines services provided by the service node and generates a routing protocol message that includes service discovery information related to the services. The interface transmits the routing protocol message to enable network devices of the network to discover the services provided by the service node based on the service discovery information. The interface then receives traffic via a path established based on the service discovery information included in the routing protocol message and configured so that the service node applies at least one of the services to the traffic received via the path. The control unit then applies the one or more services to the traffic received via the path.

Abstract: A method may include receiving a reconfiguration to a first Virtual Local Area Network (VLAN)/spanning tree table, where the first VLAN/spanning tree table has a first identifier and is associated with a region of a network; updating the first VLAN/spanning tree table to generate a second VLAN/spanning tree table based on the reconfiguration; determining a second identifier of the second VLAN/spanning tree table; and generating a list of identifiers associated with the region of the network, the list including the first identifier and the second identifier.

Abstract: The techniques of this disclosure provide local protection for network traffic in multipoint label switched paths (LSPs) due to link or node failure using loop-free alternate (LFA) next hops. The techniques include establishing a vanilla or point-to-point (P2P) LSP with LFA next hops between routers of a multipoint LSP for use in the event of link or node failure in the multipoint LSP. Upon a failure, the multicast traffic is tunneled between the routers using the P2P LSP with LFA to an alternate next hop with an associated label stack. The techniques of this disclosure define the label stack as including a P2P LSP label as well as a multipoint LSP label. In this way, the P2P LSP with LFA may be used for fast reroute (FRR) of traffic in the multipoint LSP until a convergence process completes for a new multipoint branch of the multipoint LSP.

Abstract: In one example, a stitching point routing device, which stitches a previous segment of an end-to-end label-switched path (LSP) to a next segment of the end-to-end LSP, includes network interfaces configured to receive packets via the previous segment and send packets via the next segment, and one or more processors configured to determine whether the next segment supports entropy labels, determine whether a packet received from the previous segment is encapsulated by a label stack including an entropy label, when the next segment does not support entropy labels and when the packet is encapsulated by the label stack including the entropy label, remove the entropy label from the label stack, when the next segment supports entropy labels and when the packet is not encapsulated by the label stack including the entropy label, add an entropy label to the label stack, and forward the packet along the next segment.

Abstract: A source network address and port translation (NAPT) mechanism is described that reduces or eliminates the need to log any NAT translations. As described herein, a mapping between a subscriber's private address to a public address and port range is determined algorithmically. Given a particular mapping rule, as specified by the service provider, a subscriber is repeatedly and deterministically mapped to the same public network address and a specific port range for that network address. Once the public address and port range for a subscriber are computed, the particular ports for each session for that subscriber are allocated dynamically within the computed NAT port range on per session basis.

Abstract: In general, techniques are described for providing a continuous feedback system that dynamically updates data collection criteria and subscriber policies based on aggregated subscriber-specific and network usage data. For example, a method includes applying one or more subscriber specific policy and charging control (PCC) rules to network traffic to collect network traffic data for a plurality of subscribers, aggregating the network traffic data, and determining, based on the aggregated traffic data, whether subscriber independent data collection criteria need to be updated.

Abstract: In general, techniques are described for providing control plane messaging in an active-active (or all-active) configuration of a multi-homed EVPN environment. In some examples, the techniques include receiving a control plane message comprising at least one address that identifies that second PE network device. The techniques may include configuring, based at least in part on the control plane message, a forwarding plane of a first PE network device to identify network packets having respective destination addresses that match the at least one address. The techniques may include determining that at least one address of the network packet matches the at least one address that identifies the second PE network device. The techniques may include, responsive to the determination, skipping a decrement of the Time-To-Live (TTL) value of the network packet, and forwarding the network packet to the second PE network device.

Abstract: A first device may receive a first password from a second device. The first password may be generated based on first time information and first location information identifying a geographic location of the second device. The first device may, determine a second password based on second time information and second location information identifying the geographic location of the second device. The first device may determine that the second device is located at the geographic location at a particular time when characters in the first password match characters in the second password, and may provide a service based on determining that the second device is located at the geographic location at the particular time.

Abstract: A device includes an input processing unit and an output processing unit. The input processing unit dispatches first data to one of a group of processing engines, records an identity of the one processing engine in a location in a first memory, reserves one or more corresponding locations in a second memory, causes the first data to be processed by the one processing engine, and stores the processed first data in one of the locations in the second memory. The output processing unit receives second data, assigns an entry address corresponding to a location in an output memory to the second data, transfers the second data and the entry address to one of a group of second processing engines, causes the second data to be processed by the second processing engine, and stores the processed second data to the location in the output memory.

Abstract: In general, techniques are described for selectively invoking graceful restart procedures when a route reflector member of a redundant route cluster fails. In one example, a method is provided that includes determining, by a provider edge router that supports graceful restart procedures, that a first router forms a redundant group with at least a second router. The method also includes detecting a failure of the first router and determining that at least the second router in the redundant group is operating approximately while the first router is failed. The method further includes overriding graceful restart procedures with respect to the failed first router when at least the second router is operating. The method also includes forwarding one or more data packets according to route information provided via the second router.

Abstract: A system is configured to receive traffic being transported via a network; obtain, as a result of receiving the traffic, content from one or more packets associated with the traffic; analyze the content to identify one or more attributes associated with the content, where the one or more attributes correspond to at least one of: a network address, information associated with an application with which the traffic is associated, information associated with message content, or information associated with software content; determining that at least one attribute, of the one or more attributes, matches an attribute, of a set of attributes that are stored within a memory, where the set of attributes corresponds to a set of categories of traffic; identify a category, of the set of categories, that corresponds to the attribute; associate the category and the traffic; and process the traffic based on the associated category.

Abstract: In some embodiments, an apparatus includes a switch module configured to receive an order identifier of a first data packet from a first stage of a multi-stage switch. The switch module is configured to receive an indicator of an available capacity of the first module of a second stage of the multi-stage switch fabric, and an indicator of an available capacity of a second module of the second stage of the multi-stage switch fabric. The switch module is configured, when the order identifier is assigned, to direct the first data packet to the first module of a second stage of the multi-stage switch fabric when the available capacity of the second module is lower than the available capacity of the first module. The switch module configured, when the order identifier is unassigned, to direct the first data packet to the second module when the available capacity of the second module is higher than the available capacity of the first module.

Abstract: In general, techniques are described in which a plurality of network switches automatically configure themselves to operate as a single virtual network switch. A virtual switch is a collection of individual switch devices that operate like as single network switch. As described herein, network switches in a network that are capable of participating in a virtual switch may automatically discover one another. The participating network switches may then elect one of the participating switches as a master switch. The master switch may generate forwarding information and store the forwarding information in the participating switches, including the master switch. The forwarding information causes the participating switches to act like a single network switch.

Abstract: In some embodiments, an apparatus includes a network management module. The network management module is configured to send a request for power output data from a first network element having a first power supply configured to be coupled to a first power outlet, and a second power supply configured to be coupled to a second power outlet. The network management module is configured to receive a first confirmation from the first network element that the first power supply and the second power supply are receiving power. The network management module is configured to send a request to disable a third power outlet and to receive, after sending the request to disable the third power outlet, a second confirmation from the first network element that the first power supply and the second power supply are receiving power. The network management module is configured to define a power distribution table after receiving the second confirmation, the power distribution table designating the third power outlet as unused.