Abstract: A chassis may include a front section that contains a first electronic circuit board oriented in a first plane, a rear section that contains a second electronic circuit board oriented in a second plane, where the first plane and the second plane are substantially orthogonal, a midplane dividing the front and the rear sections, and a fan tray assembly including a plurality of fans to cool both the first electronic circuit board of the front section and the second electronic circuit board of the rear section.

Abstract: A server device initiates a traffic encapsulation key (TEK) re-key sequence for a group virtual private network (VPN), based on an upcoming expiration time for an existing TEK. The server device sends, via a push message during a first time period immediately after the initiating, a new TEK to members of the group VPN. The server device receives, during a second time period that immediately follows the first time period, a pull request, for the new TEK, from one of the members of the group VPN, and sends, to the one of the members, the new TEK, where the re-key sequence transitions all the members of the group VPN from the existing TEK key to the new TEK key before the expiration time for the existing TEK.

Abstract: In general, techniques are described for providing extended administrative groups in networks. A network device comprising an interface and a control unit may implement the techniques. The interface receives a routing protocol message that advertises a link. This message includes a field for storing first data associated with the link in accordance with the routing protocol. The field is defined by the routing protocol as a field having a different function from an administrative group field defined by the same routing protocol. The control unit determines that this field has been repurposed to store second data, wherein this second data specifies an extended administrative group for the link different from those that may be specified by the administrative group field. The control unit then updates routing information to associate the advertised link with the extended administrative group and performs path selection to select paths based on the updated routing information.

Abstract: In general, techniques are described for aggregating, within a network device, internal forwarding routes for multiple control protocols and allocating next hops for the routes among individual service units of a decentralized control plane for the network device. The techniques may also include aggregating internal forwarding routes for data protocols and allocating next hops for the routes among individual forwarding units of a decentralized data plane for the network device. In one example, a mobile gateway includes a plurality of subscriber management service units that present a uniform interface to nodes within a mobile service provider network. An allocation manager apportions a control protocol session identifier namespace into a plurality of contiguous, non-overlapping protocol session identifier ranges and allocates the ranges among the service units.

Abstract: Techniques are described for providing QoS guarantees when coupling layer two (L2) networks via an intermediate Multi-protocol Label Switching (MPLS) network. A network device, such as a router, receives a request to transport data from an L2 connection. The request specifies one of more characteristics of the L2 connection, such as bandwidth, color, end-to-end delay, jitter, a security requirement, or a classification of traffic for the L2 connection. The network device selects a label switched path (LSP) through the MPLS network based on the characteristics of the L2 connection, and forwards the data from the L2 connection via the selected LSP. In this manner, an LSP and, in particular, one or more forwarding next hops for the LSP, is selected that provides a “virtual” L2 connection, or pseudo-wire, that more closely emulates a direct L2 connection between the L2 networks.

Abstract: Methods and apparatuses for inspecting packets are provided. A primary security system may be configured for processing packets. The primary security system may be operable to maintain flow information for a group of devices to facilitate processing of the packets. A secondary security system may be designated for processing packets upon a failover event. Flow records may be shared from the primary security system with the secondary security system.

Abstract: A method for cooling a system having a midplane design in which the midplane includes holes to allow air to flow via the midplane. Cards connected to the midplane have a front face that includes holes to allow the air to flow. The air flows from front to back or back to front to cool the cards connected to the midplane. A multi-slot chassis includes rails to support the cards. The rails form spaces to permit access to sockets associated with the cards to which cables may be connected. Platforms associated with the cards may permit a user to manage cables connected to the cards.

Abstract: An example computing device includes a prefix lookup module, and a Bloom filter that includes a set of queues. The prefix lookup module is configured to receive policy configuration information, examine a state of a queue of the set of queues, and determine whether to bypass the first Bloom filter based on the policy configuration information and the state of the queue. In one example, the prefix lookup module may be configured to, using the policy configuration information, determine to bypass the Bloom filter when the queue is full. In another example, the prefix lookup module may be configured to, using the policy configuration information, determine not to bypass the Bloom filter and send a lookup request to the Bloom filter upon determining that the queue is no longer full.

Abstract: In general, techniques are described for automatic assignment of hardware addresses within computer networks. As one example, a network device comprising a physical network interface and a control unit may implement these techniques. The network interface receives a first message from a client device requesting a layer three (L3) network address. The first message also includes a layer two (L2) hardware address currently assigned to a network interface of the client device. The control unit selects a replacement L2 hardware address for use by the network interface of the client device as a replacement for the L2 hardware address included in the first message and generates a second message having a field that specifies the replacement L2 hardware address. The network interface outputs the second message to the client device so as to automatically assign the replacement L2 hardware address for use by the network interface of the client device.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: A method may include authenticating a device to a first server, where the device includes an agent; receiving a request, in the first server from a second server, to verify the authenticity of the device, where the device is not authenticated to the second server; sending a browser plug-in to the device to communicate with the agent for verifying the authenticity of the device; receiving, in the first server, a message from the agent verifying the authenticity of the device; and sending a message from the first server to the second server to authenticate the device to the second server.

Abstract: A data read/write system includes a system clock, a single port memory, a cache memory that is separate from the single port memory, and a controller coupled to an instruction pipeline. The controller receives, via the instruction pipeline, first data to write to an address of the single port memory, and further receives, via the instruction pipeline, a request to read second data from the single port memory. The controller stores the first data in the cache memory, and retrieves the second data from either the cache memory or the single port memory during one or more first clock cycles of the system clock. The controller copies the first data from the cache memory and stores the first data at the address in the single port memory during a second clock cycle of the system clock that is different than the one or more first clock cycles.

Abstract: A system allocates resources in a network. The system receives an allocation request for a first flow and a second flow from an application and identifies the application based on the allocation request. The system schedules resources for the first flow based on the identification of the application and the second flow.

Abstract: A resource recovery system may maintain a counter in memory that indicates a number of times one or more threads of execution, which use shared resources, have crashed. The system may associate a first value of the counter with a resource allocated to a thread of the one or more threads, and may set an indicator associated with the thread to indicate whether the thread has crashed. The system may determine whether to re-allocate the resource to the thread based on the first value of the counter associated with the resource and based on the indicator associated with the thread.

Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.

Abstract: Principles of the invention are described for providing multicast virtual private networks (MVPNs) across a public network that are capable of carrying high-bandwidth multicast traffic with increased scalability. In particular, the MVPNs may transport layer three (L3) multicast traffic, such as Internet Protocol (IP) packets, between remote sites via the public network. The principles described herein may reduce the overhead of protocol independent multicast (PIM) neighbor adjacencies and customer control information maintained for MVPNs. The principles may also reduce the state and the overhead of maintaining the state in the network by removing the need to maintain at least one dedicated multicast tree per each MVPN.

Abstract: A multi-chassis network device may automatically detect whether cables connected between chassis devices are correctly inserted. The device may insert, into a first data stream output from a first port of the device, control information identifying the first port. The device may receive, from a second data stream received by the first port of the device, second control information identifying a second port, at another device connected to the device via a cable. The device may determine, based on the second control information, whether the connection of the first port to the second port, via the cable, is valid and cause, when the connection of the first port to the second port is determined to not be valid, the device to output an indication that the connection is not valid or to reconfigure the device to make the connection of the first port to the second port valid.

Abstract: A laser system includes an array of lasers that emit light at a number of different, fixed wavelengths. A group of optical transport systems connect to the laser system. Each of the optical transport systems is configured to modulate data signals onto the light from the laser system to create optical signals and transmit the optical signals on one or more optical fibers.

Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Abstract: In general, techniques are described for selectively invoking graceful restart procedures when a route reflector member of a redundant route cluster fails. In one example, a method is provided that includes determining, by a provider edge router that supports graceful restart procedures, that a first router forms a redundant group with at least a second router. The method also includes detecting a failure of the first router and determining that at least the second router in the redundant group is operating approximately while the first router is failed. The method further includes overriding graceful restart procedures with respect to the failed first router when at least the second router is operating. The method also includes forwarding one or more data packets according to route information provided via the second router.