Abstract: In general, techniques are described for allocating virtual output queue (VOQ) buffer space to ingress forwarding units of a network device based on drain rates at which network packets are forwarded from VOQs of the ingress forwarding units. For example, a network device includes multiple ingress forwarding units that each forward network packets to an output queue of an egress forwarding unit. Ingress forwarding units each include a VOQ that corresponds to the output queue. The drain rate at any particular ingress forwarding unit corresponds to its share of bandwidth to the output queue, as determined by the egress forwarding unit. Each ingress forwarding unit configures its VOQ buffer size in proportion to its respective drain rate in order to provide an expected delay bandwidth buffering for the output queue of the egress forwarding unit.

Abstract: A method may include receiving a request to establish a quality of service (QoS) policy that identifies a desired QoS associated with traffic being transported by a network; generating a QoS model based on the identified desired QoS, where the QoS model includes a class of service (CoS) and corresponding forwarding priorities associated with the traffic; retrieving a service level agreement (SLA), associated with a client device that is interconnected to a network node associated with the network, where the SLA includes a particular CoS and corresponding other forwarding priorities for packets associated with the client device; creating a QoS provisioning policy based on the QoS model and the SLA, where the creating includes mapping the CoS to the particular CoS or mapping the forwarding priorities to the other forwarding priorities; and transmitting, to the network node, the QoS provisioning policy that permits the network node to process the packets in a manner that complies with the QoS model or the SLA.

Abstract: The control plane of a network device comprises a plurality of software processes that manage routing control operations of the device. Through a hypervisor in the control plane, a managing virtual machine controls access to a first virtual machine running a first software system to control a routing communication session between the network device and other network devices. In response to an in-service software upgrade request, the managing virtual machine initializes a second virtual machine. On the second virtual machine, the second software system is loaded. State data maintained by the managing virtual machine can be transferred to the second virtual machine, and the second virtual machine takes control of the routing communication session. During the transfer of control from the first virtual machine to the second virtual machine, techniques of “non-stop forwarding” and “graceful restart” can be implemented to minimize the effect the switchover has on the network.

Abstract: Techniques are described for verifying a status of a set of paths through a computer network for two or more connectivity protocols. For example, a node uses a first connectivity protocol to concurrently learn information that will cause packets conforming to the first connectivity protocol and packet conforming to a second connectivity protocol to traverse a set of paths through a computer network. After learning this information, the node may verify a status of each of the paths using the first connectivity protocol. In addition, the node may verify a status of each of the paths using the second connectivity protocol. By verifying the status of the paths using both the first and the second connectivity protocols, the node may be able to quickly and accurately determine whether a path has failed.

Abstract: In some embodiments, an apparatus includes a first switch having an egress port configured to be coupled to a second switch to collectively to define a single logical entity having a set of virtual identifiers. A first set of virtual identifiers from the set of virtual identifiers is associated with the first switch, a second set of virtual identifiers from the set of virtual identifiers is associated with the second switch. The first switch is configured to receive a forwarding table associating a first set of destination addresses with a set of identifiers local to the first switch and associating a second set of destination addresses with a set of identifiers local to the second switch. Each identifier from the first set of identifiers is uniquely associated the first set of virtual identifiers. Each identifier from the set of identifiers is uniquely associated the second set of virtual identifiers.

Abstract: In one embodiment, an apparatus can include a filter module operatively coupled to a switching module. The filter module can be configured to define a filter to be applied to a Fiber Channel over Ethernet (FCoE) frame received from any port from multiple ports instantiated at a network device. The filter can be defined based at least in part on a first logical address associated with a first port from the multiple ports. The first logical address can be based at least in part on (1) a first identifier associated with a switch fabric to which the apparatus is operatively coupled and (2) a second identifier associated with a first port from the multiple ports. The filter module can be configured to define the filter such that a switching module sends the FCoE frame to a Fiber Channel device when a second logical address included in the FCoE frame matches the first logical address and the filter module is operatively coupled to the switching module.

Abstract: Using the ALTO Service, networking applications can request through the ALTO protocol information about the underlying network topology from the ISP or Content Provider. The ALTO Service provides information such as preferences of network resources with the goal of modifying network resource consumption patterns while maintaining or improving application performance. This document describes, in one example, an ALTO server that intersects network and cost maps for a first network with network and cost maps for a second network to generate a master cost map that includes one or more master cost entries that each represent a cost to traverse a network from an endpoint in the first network to an endpoint in the second network. Using the master cost map, a redirector may select a preferred node in the first network with which to service a content request received from a host in the second network.

Abstract: An access network is described in which a centralized controller provides seamless end-to-end service from a core-facing edge of a service provider network through aggregation and access infrastructure out to access nodes located proximate the subscriber devices. The controller operates to provide a central configuration point for configuring aggregation nodes (AGs) of a network of the service provider so as to provide transport services to transport traffic between access nodes (AXs) and edge routers on opposite borders of the network.

Abstract: A method includes receiving multicast traffic intended for host devices; identifying a flow associated with the multicast traffic; retrieving information associated with a group of multicast trees, where the group of multicast trees includes information associated with a group of I/O units, associated with a network node; identifying a particular tree that corresponds to the identified flow, where the particular tree includes information associated with a set of I/O units; and transferring the multicast traffic to an I/O unit, of the set of I/O units, based on the identification of the particular tree, where the transferring enables the I/O unit to send a copy of the multicast traffic to other I/O units of the set of I/O units, and the set of I/O units to process the multicast traffic in a manner that utilizes bandwidth or processing resources in a controlled manner and to send a copy of the multicast traffic to each of the host devices.

Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

Abstract: An access network includes an access device having an optical interface module that outputs a plurality of pairs of optical communication signals, each of the pairs of optical communication signals comprising a modulated optical transmit signal and an unmodulated optical receive signal, each of the pairs of optical communication signals having a different wavelength. A customer premise equipment (CPE) comprises an optical interface module to receive the modulated optical transmit signal and the unmodulated optical receive signal for any of the plurality of pairs of optical communication signals. The optical interface module includes a receive module to demodulate the modulated optical transmit signal into inbound symbols and a transmit module having an optical modulator and reflective optics to modulate the unmodulated optical receive signal in accordance with a data signal and reflect a modulated optical receive signal to communicate outbound data symbols to the access device.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. A router includes a control unit that forms a customer-facing multi-chassis link aggregation group (LAG) to include a plurality of active access links that couple the router and a second router to a multi-homed customer site associated with the VPLS domain. The control unit also forms a core-facing multi-chassis LAG within the VPLS domain to include a plurality of pseudowires that connect the router and other member routers of the core-facing LAG to a common remote router of the VPLS domain. The router receives layer two (L2) packets from the multi-homed customer site on one or more of the active access links and forwards the L2 packets to the remote router over one or more of the pseudowires using the core-facing multi-chassis LAG.

Abstract: In some embodiments, a system includes a first switch fabric device, a second switch fabric device, a first access switch operatively coupled to the first switch fabric device by a first cable, and a second access switch operatively coupled to the second switch fabric device by a second cable. The second access switch is operatively coupled to the first access switch by a third cable. The first access switch is configured to send data to the first switch fabric device via the first cable. The first access switch is configured to send data to the second switch fabric device via the third cable, the second access switch, and the second cable.

Abstract: In general, techniques are described for flexible packet processing. A network device for processing a data packet comprise a packet processing engine and a special handling unit external from the packet processing engine. The packet processing engine includes one or more of a plurality of pipelined packet processing units that, when processing the data packet, generate one or more events and determine whether to associate a trap and/or a sampling class with the data packet based on the generated events. The pipelined packet processing units then set bits of a vector that is passed between the pipelined packet processing units to associate the packet with the determined trap and/or sampling class, and processes the packet based on the set one or more bits of the vector.

Abstract: In one embodiment, a method includes receiving a configuration request and a first key from a network device, granting a first class of access to the network device, sending a configuration instruction to the network device, receiving an association request from the network device, and granting a second class of access to the network device. The configuration request and the first key are received at a first time. The network device is outside a secure network segment at a first time. The first class of access is granted based on the first key. The configuration instruction is send in response to granting the first class of access. The association request includes a second key. The granting the second class of access is based on the second key.

Abstract: In general, techniques are described for using a light-weight protocol to synchronize layer two (L2) addresses that identify routable traffic to multiple L3 devices, such as PE routers, that cooperatively employ an active-active redundancy configuration using a multi-chassis LAG to provide an L2 network with redundant connectivity. In one example, a network device establishes a multi-chassis LAG with a peer network device to provide redundant connectivity to a layer three (L3) network. A synchronization module of the network device receives a synchronization message that specifies an L2 address of the peer network device. When the network device receives an L2 packet data unit (PDU) from the L2 network, a routing instance of the network device routes an L3 packet encapsulated therein when the PDU has an L2 destination address that matches the L2 address of the peer network device.

Abstract: Routers balance network traffic among multiple paths through a network according to an amount of bandwidth that can be sent on an outgoing interface computed for each of the paths. For example, a router receives a link bandwidth for network links that are positioned between the first router and a second router of the network, and selects a plurality of forwarding paths from the first router to the second router. Upon determining that one of the network links is shared by multiple of the plurality of forwarding paths, the router computes a path bandwidth for each of the plurality of outgoing interfaces so as to account for splitting of link bandwidth of the shared network link across the multiple forwarding paths that share the network link. The router assigns packet flows to the forwarding paths based at least on the computed amount of bandwidth for each of the outgoing interfaces.

Abstract: The invention relates to information exchange when a design organization sends a design document to a manufacturer. The design documents may have errors and, once detected, the errors may not be corrected by the design organization. The documents may be resent with a small number of changes or perhaps no changes at all, but may have errors that have been seen before. The documents may have many items that are not important to the receiving organization. A dictionary is used to validate and correct the documents. Changes in the dictionary may require changes in the information used by the manufacturer.

Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this was, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.