Abstract: A transport LAN segment service is provided over a transport network. Responsibilities for configuring, provisioning and forwarding over a transport LAN segment are divided between layer 2 and 3 service provider edge devices, where the layer 3 edge device handles discovery and tunneling responsibilities, the layer 2 edge device handles learning and flooding responsibilities, and information can be exchanged between the layer 2 and 3 edge devices. Configuration is simplified by advertising TLS-label information, layer 2 address learning, and flooding when the needed configuration information has not yet been learned or discovered.

Abstract: Network devices provide Internet Protocol (IP) and Label Distribution Protocol (LDP) fast reroute for unicast and multicast traffic. The approach described herein for fast reroute for IP and LDP uses maximally redundant trees (MRTs). MRTs are a pair of trees where the path from any node X to the root R along the first tree and the path from the same node X to the root along the second tree share the minimum number of nodes and the minimum number of links. A network device, such as a router, computes a pair of MRTs for each destination and installs one or more MRT alternate next-hops in its forwarding plane for use in forwarding network traffic to a destination in the event a failure occurs that renders a primary next-hop unusable for reaching the destination.

Abstract: Techniques are described for providing encryption and authentication for different types of routing protocol communications based on a variety of factors. A method comprises configuring, on a network router, a set of logical interfaces for communicating routing protocol messages with one or more peer routing devices, maintaining a set of security associations that define corresponding authentication information and encryption information for the routing protocol messages, and maintaining one or more descriptor sets that each specify a set of criteria, wherein, for at least one of the descriptor sets, the set of criteria specifies one of the logical interfaces of the network router. The method further comprises selecting one of the descriptor sets having criteria that match an individual flow, selecting one of the security associations based on the selected descriptor set, and applying the selected security association to secure the outbound flow of the routing protocol messages.

Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Abstract: In general, techniques of this disclosure relate to measuring scheduling performance of monitored threads in an operating system with improved precision. In one example, a method includes inserting, by an operating system kernel, a monitored thread into a queue comprising one or more threads and recording an insertion time that the monitored thread is inserted into the run queue; receiving, by the kernel, an event to remove the monitored thread from the run queue; responsive to receiving the event, determining, by the kernel, an amount of time that the monitored thread is stored on the run queue based on the insertion time and a removal time at which the monitored thread was removed from the run queue; and when the amount of time the monitored thread is stored on the run queue is greater than or equal to a specified threshold, sending a notification to a notification listener.

Abstract: In general, techniques are described to dynamically refresh a timer for a communication session provided by a bidirectional forwarding detection (BFD) protocol. The techniques potentially mitigate network load by reducing the number of BFD packets required to maintain a BFD communication session. An example network device includes a memory, programmable processor(s), a network interface, and a control unit configured to establish a BFD communication session between the network device and a peer network device that is communicatively coupled to the network device via the network interface, determine whether a packet associated with a communication session other than the BFD communication session is a relevant packet to the BFD communication session, and in response to determining that the packet is the relevant packet, refresh a timer that executes on the network device and is associated with the BFD communication session.

Abstract: A network service administration system including a plurality of service objects, a plurality of address objects; and a service configuration application for a multifunction appliance running on a client computer coupled to the appliance via a network. The service configuration application includes an interface allowing subscribers to configure at least a subset of application content services provided by the appliance and including a rule set implementing rules in ones of said application content services in said subset based on changes to configurations of any other of said application content services. Each of said service objects may comprise an individual network service definition.

Abstract: A switch fabric for a modular router may be tested without connecting the switch fabric portion of the router to the other modular portions of the router. The switch fabric may generate test data units and insert the test data units into one or more elements of the switch fabric. The switch fabric may operate with the inserted test data units. A control component may receive data units from the switch fabric after operation of the switch fabric and analyze the received data units to determine whether the received data units correspond to the inserted test data units.

Abstract: This disclosure describes the Fast Chromatic Dispersion Estimation (FCDE) techniques which corrects for chromatic dispersion in high data rate optical communications systems such as some coherent optical communications systems. FCDE may utilize transform such as fast-Fourier transforms to estimate the chromatic dispersion. From an estimation of the chromatic dispersion, the techniques may determine filter tap coefficients for compensating the chromatic dispersion.

Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.

Abstract: Techniques are described for establishing a point-to-multipoint (P2MP) label switched path (LSP) using a branch node-initiated signaling model in which branch node to leaf (B2L) sub-LSPs are signaled and utilized to form a P2MP LSP. The techniques described herein provides a scalable solution in which the number of sub-LSPs for which the source node or any given branch node need maintain state is equal to the number of physical data flows output from that node to downstream nodes, i.e., the number of output interfaces used for the P2MP LSP by that node to output data flows to downstream nodes. As such, unlike the conventional source node-initiated model in which each node maintains state for sub-LSPs that service each of the leaf nodes downstream from the device, the size and scalability of a P2MP LSP is no longer bound to the number of leaves that are downstream from that node.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: In one example, a network device includes computer-readable storage media configured to store information defining a default dictionary associated with one or more default services provided by the network service, one or more interfaces configured to receive configuration data defining a customer dictionary associated with one or more additional services beyond the one or more default services and a to receive a request to access one of the additional services from a subscriber device, and a control unit configured to determine whether an authentication, authorization, and accounting (AAA) server grants access to the requested one of the additional services to the subscriber device, and to configure forwarding information of the network device to cause network traffic associated with the subscriber device to be forwarded to a service unit to perform the one of the additional services when the AAA server grants access to the subscriber device based on the determination.

Abstract: Techniques are described for separating control plane functions in a network device using virtual machines. The techniques include initializing multiple virtual machine instances in a control unit of a standalone router, and running different control processes for the router in each of the virtual machines. For example, in a root system domain (RSD)-protected system domain (PSD) system, a control unit of the standalone router may support a RSD virtual machine (VM) and one or more PSD VMs configured to form logical devices and execute logically separate control processes without requiring physically separate, hardware-independent routing engines to form the PSDs. Each of the RSD VM and PSD VMs includes a separate kernel, an operating system, and control processes for the logical device. When a software failure occurs in the PSD VM, the PSD VM may perform a software failover without affecting the operation of the RSD VM.

Abstract: In general, techniques are described for providing high availability as a service. The techniques may be performed by a device that includes an interface and a control unit. The interface is configured to receive network traffic originating from a subscriber device operated by a subscriber. The control unit is configured to determine whether to provide a high availability service with respect to at least a portion of the network traffic based on a subscriber profile associated with the subscriber. The control unit may further be configured to provide the high availability service for at least the portion of the network traffic based on the determination of whether to provide the high availability service. The control unit may further be configured to process at least the portion of the network traffic with the network device, and forward at least the portion of the network traffic.

Abstract: A network device receives a join request on a downstream interface, wherein the join request specifies a source device and multicast group, wherein the network device is positioned within a core network of a multicast virtual private network (MVPN) that transmits multicast traffic between the source device and a plurality of receivers associated with customer sites. The network device selects an upstream router to which to send the join request from among a plurality of upstream routers on paths leading to the source device, so as to avoid creating a join request loop in the core network. At least one of the upstream routers is positioned on an Exterior Border Gateway Protocol (EBGP) path toward the source device, and at least one of the upstream routers is positioned on an Interior BGP (IBGP) path toward the source device. The network device sends the join request to the selected upstream device.

Abstract: In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner.

Abstract: In some embodiments, a printed circuit board, configured to be coupled to electronic components, includes a first material portion and any number of second material portions. Each second material portion is sized and spaced apart from an adjacent second material portion such that electromagnetic waves associated with the operation of the electronic components are substantially not reflected. The first material portion defines a first dielectric constant and the second material portion defines a second dielectric constant that is different than the value of the first dielectric constant.

Abstract: A network device that includes a first memory to store packets in segments; a second memory to store pointers associated with the first memory; a third memory to store summary bits and allocation bits, where the allocation bits correspond to the segments. The network device also includes a processor to receive a request for memory resources; determine whether a pointer is stored in the second memory, where the pointer corresponds to a segment that is available to store a packet; and send the pointer when the pointer is stored in the second memory. The processor is further to perform a search to identify other pointers when the pointer is not stored in the second memory, where performing the search includes identifying a set of allocation bits, based on an unallocated summary bit, that corresponds to the other pointers; identify another pointer, of the other pointers, based on an unallocated allocation bit of the set of allocation bits; and send the other pointer in response to the request.

Abstract: In one example, a network device includes a virtual network agent, and a network interface to send network packets to the virtual network controller using a default route for a physical network prior to establishing a communication session between a virtual network controller and the virtual network agent, wherein, after establishing the communication session between the virtual network controller device and the virtual network agent, the virtual network agent receives from the virtual network controller a command to install a new route at the network device, wherein the new route specifies encapsulation information to use for encapsulating network packets for sending the network packets to the virtual network controller over an overlay network, and wherein, responsive to detecting a failed link in the physical network, the virtual network agent sends packets to the virtual network controller on an alternate route in the overlay network.