Abstract: A network includes an egress node connected to an ingress node via a network path. The egress node is configured to receive, from the ingress node, a group of packets via the network path, where each packet includes an operations, administration, and management (OAM) field appended to the packet, and where the OAM field stores OAM information. The egress node is further configured to read the OAM information from the packets; analyze the OAM information, associated with one or more of the packets, to determine that a network condition exists on the network path; and notify the ingress node that the network condition exists to permit the ingress node to perform a rerouting operation.

Abstract: A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the underlying optical transport path, based on information obtained by the centralized controller from the underlying network components at both layers.

Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.

Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.

Abstract: A device may receive, from a first device, a first message that includes a first random cookie and a session cookie. The device may provide the first message to a second device. The device may receive, from the second device, a second message that includes a response to the first message. The device may generate a second random cookie. The second random cookie may be different from the first random cookie. The device may provide, to the first device, the second random cookie, the session cookie, and the response.

Abstract: In some embodiments, a system includes multiple access switches, a switch fabric having multiple switch fabric portions, and a control plane processor. Each switch fabric portion is coupled to at least one access switch by a cable from a first set of cables. Each switch fabric portion is configured to receive data from the at least one access switch via the cable from the first set of cables. The control plane processor is coupled to each switch fabric portion by a cable from a second set of cables. The control plane processor is configured to send control information to each access switch via a cable from the second set of cables, a switch fabric portion, and a cable from the first set of cables. The control plane processor is configured to determine control plane connections associated with each access switch and is configured to determine data plane connections associated with each access switch as a result of the control plane connections.

Abstract: In one embodiment, a method includes sending a first flow control signal to a first stage of transmit queues when a receive queue is in a congestion state. The method also includes sending a second flow control signal to a second stage of transmit queues different from the first stage of transmit queues when the receive queue is in the congestion state.

Abstract: A method performed by network devices that includes operating in a normal mode, where the network devices form a virtual chassis that corresponds to a single logical network device; detecting when a failure within the virtual chassis occurs; executing a splitting process to form one or more new virtual chassis in correspondence to the failure; determining whether one of the one or more new virtual chassis operates as a functioning virtual chassis based on whether at least one of a set of criteria is satisfied, where the functioning virtual chassis operates according to resources configured for the virtual chassis; and operating as a nonfunctioning virtual chassis when it is determined that the one of the one or more virtual chassis does not satisfy the at least one of the set of criteria, where the nonfunctioning virtual chassis operates in a pass-through mode.

Abstract: Control traffic in a virtual LAN (VLAN) may be reduced. In one implementation, a network device may implement one of a plurality of redundant gateway devices in a virtual router that includes one or more other network devices, where the network device and the one or more other network devices are associated with a first address that corresponds to the virtual router. The network device may filter egress traffic to drop egress traffic that includes a particular destination address and that is at an interface of the device that is not needed to deliver control traffic.

Abstract: Methods and apparatuses for inspecting packets are provided. A primary security system may be configured for processing packets. The primary security system may be operable to maintain flow information for a group of devices to facilitate processing of the packets. A secondary security system may be designated for processing packets upon a failover event. Flow records may be shared from the primary security system with the secondary security system.

Abstract: Using the ALTO Service, networking applications can request through the ALTO protocol information about the underlying network topology from the ISP or Content Provider. The ALTO Service provides information such as network resource preferences with the goal of modifying network resource consumption patterns while maintaining or improving application performance. This document describes, in one example, an ALTO server that implements enhancements to the ALTO service to assign a PID-type attribute to each of a set of one or more PIDs each associated with a subset of one or more endpoints of a network, wherein a PID-type attribute specifies a type for the subset of endpoints associated with the PID. The ALTO server generates an ALTO network map that includes a PID entry to describe each of the PIDs, wherein each PID entry includes a PID-type field that stores the assigned PID-type attribute for the PID described by the PID entry.

Abstract: A controller device is connected to a group of virtual machines and one or more network devices in a network. The controller device is configured to store policies relating to when to start up and when to shut down the virtual machines based on users logging into the network, users logging out of the network, users attempting to access the plurality of virtual machines, and/or particular types of traffic in the network; receive network activity data from a network device of the one or more network devices in the network; identify, based on the network activity data and the policies, a virtual machine, of the group of virtual machines, to start up or shut down; and cause the virtual machine to start up or shut down.

Abstract: In general, techniques are described for facilitating multi-tenancy of a server accessed by virtual networks of a data center. A device included within a data center comprising one or more processors may perform the techniques. The processors may be configured to execute a virtual switch that supports a number of virtual networks executing within the data center. The virtual switch may be configured to receive a request regarding data associated with an identifier that is unique within one of the virtual networks that originated the request. The virtual switch may then translate the identifier included within the request to generate a globally unique identifier that is unique within the plurality of virtual networks, update the request to replace the identifier included within the request with the globally unique identifier, and transmit the updated request to a server of the data center.

Abstract: A network device identifies an Open Shortest Path First (OSPF) link between the network device and a layer 2 network as one of a point-to-multipoint over broadcast interface or a point-to-multipoint over non-broadcast multi access (NBMA) interface, and performs database synchronization and neighbor discovery and maintenance using one of a broadcast model or a NBMA model. The network device also generates a link-state advertisement for the network device, where the link-state advertisement includes a separate link description for each point-to-point link within the layer 2 network; and sends the link-state advertisement to each fully adjacent neighbor in the layer 2 network.

Abstract: A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Abstract: In some embodiments, an apparatus includes a gateway device configured to be operatively coupled to a Fiber Channel switch by a first data port and a second data port. The gateway device is configured to designate the first data port as a primary data port and the second data port as a secondary data port. The gateway device is configured to associate a set of virtual ports with the first data port and not the second data port when in the first configuration. The gateway device is configured to associate the set of virtual ports with the second data port when in the second configuration. The gateway device moves from the first configuration to the second configuration when an error associated with the first data port is detected.

Abstract: A network device determines whether the network device has a local link for a link aggregation group (LAG), and identifies, when the network device has a local link for the LAG, the network device as a designated forwarder for the LAG. The network device also identifies, when the network device does not have a local link for the LAG, a closest network device to the network device, with a local link for the LAG, as the designated forwarder for the LAG.

Abstract: Techniques are described for merging device schemas to manage different versions of network devices in the same device family. In one example, a computing device includes an interface to receive a first schema to be used for managing a first version of a device in a device family and a second, different schema to be used for managing a second version of the device, a computer-readable medium encoded with instructions for a schema merger module, and a processor to execute the schema merger module to merge the first schema and the second schema to produce a resulting merged schema to be used for managing both the first version of the device and the second version of the device, wherein the resulting merged schema expresses differences between the first schema and the second schema and includes a single instance of each common portion between the first schema and the second schema.

Abstract: In some embodiments, an apparatus includes a scheduler disposed at a control device of a switch fabric system. The scheduler is configured to receive a control plane request associated with the switch fabric system having a data plane and a control plane separate from the data plane. The scheduler is configured to designate a control plane entity based on the control plane request and state information of each control plane entity from a set of control plane entities associated with the control plane and instantiated as a virtual machine. The scheduler is configured to send a signal to a compute device of the switch fabric system in response to the control plane request such that the control plane entity is instantiated as a virtual machine at the compute device.

Abstract: In one embodiment, edge devices can be configured to be coupled to a multi-stage switch fabric and peripheral processing devices. The edge devices and the multi-stage switch fabric can collectively define a single logical entity. A first edge device from the edge devices can be configured to be coupled to a first peripheral processing device from the peripheral processing devices. The second edge device from the edge devices can be configured to be coupled to a second peripheral processing device from the peripheral processing devices. The first edge device can be configured such that virtual resources including a first virtual resource can be defined at the first peripheral processing device. A network management module coupled to the edge devices and configured to provision the virtual resources such that the first virtual resource can be migrated from the first peripheral processing device to the second peripheral processing device.