Abstract: Techniques are described for supporting metro Ethernet “E-TREE” service over a packet-switched MPLS network, including a VPLS core, in a manner that allows a service provide to easily integrate with different types of technologies deployed by its various customers. Moreover, the techniques described herein provide increased flexibility with respect to the topology of the roots and leafs of the E-TREE service and, in particular, allow roots and leaf nodes to be coupled to a common router that provides access to the VPLS core. An NNI port of a PE router may process network traffic to provide E-TREE service to a bridged network having both leaf nodes and root nodes process and direct traffic between logical interfaces as changed next hops.

Abstract: In some embodiments, an apparatus includes a switch module configured to receive an order identifier of a first data packet from a first stage of a multi-stage switch. The switch module is configured to receive an indicator of an available capacity of the first module of a second stage of the multi-stage switch fabric, and an indicator of an available capacity of a second module of the second stage of the multi-stage switch fabric. The switch module is configured, when the order identifier is assigned, to direct the first data packet to the first module of a second stage of the multi-stage switch fabric when the available capacity of the second module is lower than the available capacity of the first module. The switch module configured, when the order identifier is unassigned, to direct the first data packet to the second module when the available capacity of the second module is higher than the available capacity of the first module.

Abstract: Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Abstract: Techniques are described for selecting an alternate path for end-to-end service data traffic that traverses multi-homed routers that provide the service to customer networks. For example, as described herein, a router that is a member of a first multi-homing set connected to a layer two (L2) network with one of a plurality of first access links. The router advertises a status of one of the first access links to a second multi-homing set connected to the first multi-homing set with one or more core links. A core link database stores advertised status information for access links of the first and second multi-homing set. Upon a link failure, a path selector selects a core link to transport service data traffic and directs a switch module to switch to active a status a first access links that connects to a router in the first multi-homing set connected to the selected core link.

Abstract: In some embodiments, an apparatus includes a validation engine configured to receive multiple validation packets from an edge device via multiple data paths from a set of data paths between the validation engine and the edge device. The validation engine is configured to compare a number of validation packets from the multiple validation packets received from the edge device to a number of data paths from the set of data paths to determine an error at a data path from the set of data paths. The validation engine is configured to send an indication of the error at the data path from the set of data paths to the edge device.

Abstract: In general, techniques are described for dynamic threat protection in mobile networks. A network system comprising a network security device and a management system may implement the techniques. The management system includes a network server having a shared database. A mobile device manager (MDM) of the management system receives a report message from a mobile device, specifying a threat to a mobile network. The MDM publishes the threat to the shared database. A network management system (NMS) of the management system receives data from the shared database identifying the threat and generates a security policy that specifies actions to address the threat. The NMS then installs the security policy in the network security device so that the network security device performs the actions of the security policy to address the threat.

Abstract: A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: In one example, a controller device includes one or more network interfaces communicatively coupled to one or more devices of a virtual network, and a processor configured to determine, for the virtual network, a set of two or more related processes executed by respective devices in the virtual network, receive via the network interfaces data for the set of two or more related processes, and aggregate the data for the set of two or more related processes to form aggregated data for the set of two or more related processes.

Abstract: In some embodiments, an apparatus includes a module within a first stage of a switch fabric, a module within a second stage of the switch fabric, and a module within a third stage of the switch fabric. The module within the first stage is configured to send data to the module within the second stage. The module within the second stage is configured to send data to the module within the third stage. The module within the second stage is configured to send a first suspension indicator to the module within the third stage. The module within the third stage is configured to send a second suspension indicator to the module within the first stage in response to the first suspension indicator. The module within the first stage is configured to stop sending data to the module within the second stage in response to the second suspension indicator.

Abstract: A database enables versioning for objects stored in the database via a “snapshot” operation. In one implementation, a device performs a snapshot operation in which a snapshot object, representing a logical view of database objects at a time at which the snapshot operation is performed, is created and stored in the database. In response to a request to store a modified version of a database object, the modified version of the database object is written to replace the previous version of the database object when the database object was last modified after the most recent snapshot operation. Further, in response to the request to store the modified version of the database object, the modified version of the database object is inserted in the database when the previous version of the database object was last modified before the most recent snapshot operation.

Abstract: A network device may be configured to filter network traffic using multiple different filters bound to different interfaces of the network device. The network device may include logic to identify a relationship map that describes a topology of bind-points associated with the network device. Additionally, the network device may include logic to generate a merge graph based on the relationship map, the merge graph including one or more nodes, where each node represents a walk through the relationship map and includes one or more merge-points, where each merge-point is defined as a filter associated with a bind-point. The network device may also include a ternary content-addressable memory (TCAM) programmed to include entries based on the nodes of the merge graph.

Abstract: In some embodiments, an apparatus includes a route reflector implemented in at least one of a memory or a processing device. The route reflector is configured to be included within a switch fabric system. The route reflector is configured to receive, from a network management module, an instruction to install a route associated with a multi-stage switch, and send the instruction to install to a route target network control entity associated with the multi-stage switch. The route reflector is also configured to receive, from the route target network control entity, a first acknowledgement signal indicating that the route was successfully installed at the route target network control entity. The route reflector is configured to send a second acknowledgement signal to the network management module in response to receiving the first acknowledgement signal.

Abstract: In some embodiments, an apparatus includes a first network device configured to receive, from a second network device, a first forwarding-state packet associated with a peripheral processing device and having a first generation identifier. The first network device is configured to receive, from a third network device, a second forwarding-state packet associated with the peripheral processing device and having a second generation identifier. The first network device is configured to implement forwarding-state information included in the first forwarding-state packet based on a comparison of the first generation identifier and the second generation identifier.

Abstract: A multi-chassis network device may automatically detect whether cables connected between chassis devices are correctly inserted. The device may insert, into a first data stream output from a first port of the device, control information identifying the first port. The device may receive, from a second data stream received by the first port of the device, second control information identifying a second port, at another device connected to the device via a cable. The device may determine, based on the second control information, whether the connection of the first port to the second port, via the cable, is valid and cause, when the connection of the first port to the second port is determined to not be valid, the device to output an indication that the connection is not valid or to reconfigure the device to make the connection of the first port to the second port valid.

Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.

Abstract: A device identifies, based on a program code instruction, an attempted write access operation to a fenced memory slab, where the fenced memory slab includes an alternating sequence of data buffers and guard buffers. The device assigns read-only protection to the fenced slab and invokes, based on the attempted write access operation, a page fault operation. When a faulting address of the attempted write operation is not an address for one of the multiple data buffers, the device performs a panic routine. When the faulting address of the attempted write operation is an address for one of the multiple data buffers, the device removes the read-only protection for the fenced slab and performs a single step processing routine for the program code instruction.

Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.

Abstract: A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.

Abstract: A call admission control technique allowing flexible and reliable call admissions at an ATM switch in the case of an ATM network including both QoS-specified and QoS-unspecified virtual connections is disclosed. In the case where a QoS (Quality of Service) specified connection request occurs, an estimated bandwidth is calculated which is to be assigned to an existing QoS-unspecified traffic on the link associated with the QoS-specified connection request. A call control processor of the ATM switch determines whether the QoS-specified connection request is accepted, depending on whether a requested bandwidth is smaller than an available bandwidth that is obtained by subtracting an assigned bandwidth and the estimated bandwidth from a full bandwidth of the link.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.