Abstract: A network controls provision of access functionality by an access node to provide a network service to a subscriber device. For example, the network device may control the queuing and forwarding of packets by the access node to facilitate packet transmission according to, for example, a Quality of Service class. The network device may send control messages to the access node to dynamically configure a control object stored by the access node, such as a Quality of Service profile. The network device may be a router, and the access node may be a base station that wireless communicates with a subscriber device, e.g., a cellular phone. The access node may then delivery the packets in accordance with the dynamically configured control object.

Abstract: A device may include first logic configured to receive a data unit and to receive a network policy. The device may include second logic configured to identify how the data unit will be handled by the network policy and to generate a result that includes information about how the data unit will be handled by the network policy.

Abstract: A method performed by a Dynamic Host Configuration Protocol (DHCP) server comprising receiving a DHCP DISCOVER message from a DHCP client; generating a challenge in response to the DHCP DISCOVER message; sending the challenge to an authentication device; receiving a first challenge response from the authentication device; generating a DHCP OFFER message; sending the challenge to the DHCP client in the DHCP OFFER message; receiving a DHCP REQUEST message that includes a second challenge response from the DHCP client; comparing the first challenge response with the second challenge response; and authenticating the DHCP client when the first challenge response and the second challenge response match.

Abstract: In some embodiments, an apparatus includes a network device configured to receive an anomaly database of a first image that stores a set of differences between the first image and a base image. The network device is configured to compare the anomaly database of the first image with an anomaly database of a second image storing a set of differences between the second image and the base image to determine if the first and second images include at least one incompatible critical feature or incompatible non-critical feature. The network device is configured to send a signal associated with a first action if the first and second images include the at least one incompatible critical feature. The network device is configured to send a signal associated with a second action different from the first action if the first and second images include the at least one incompatible non-critical feature.

Abstract: In some embodiments, an apparatus includes a spectral scanning controller configured to interrupt service at a wireless access point (WAP) such that the WAP performs spectral scanning during service interruption. The spectral scanning controller is configured to interrupt service at the WAP at a first scanning frequency when the spectral scanning controller is in a first configuration. The spectral scanning controller is configured to interrupt service at the WAP at a second scanning frequency different from the first scanning frequency when the spectral scanning controller is in a second configuration. The spectral scanning controller is configured to move from the first configuration to the second configuration in response to a change in at least one of a service demand, a service quality, a spectral scanning demand or a spectral scanning quality.

Abstract: A system provides congestion control and includes multiple queues that temporarily store data and a drop engine. The system associates a value with each of the queues, where each of the values relates to an amount of memory associated with the queue. The drop engine compares the value associated with a particular one of the queues to one or more programmable thresholds and selectively performs explicit congestion notification or packet dropping on data in the particular queue based on a result of the comparison.

Abstract: This disclosure describes techniques to sample electrical data streams in coherent receivers. For instance, an analog-to-digital converter (ADC) samples the received electrical data stream at a sampling rate that is nominally twice or greater than twice the symbol rate of the electrical data stream that the ADC receives. A digital filter receives the digital data stream from the ADC, and digitally filters the digital data streams to output a filtered digital electrical data stream at an effective sampling rate that is less than the sampling rate and less than twice the symbol rate, and greater than or equal to the symbol rate.

Abstract: This disclosure describes techniques to reduce traffic loss for a Border Gateway Protocol (BGP) session by delaying re-advertisement of routes received from a newly re-established multi-homed router by a primary router until all the routes are installed in a forwarding plane of the primary router. The techniques of this disclosure make use of a BGP marker received from the multi-homed router that indicates the end of a route download for an address family. Upon receiving the BGP marker, a control plane of the primary router requests a route acknowledgement message (Route-ACK) from the forwarding plane for only the last route of the address family received before the BGP marker. When the control plane receives the Route-ACK indicating that the last route has been installed in the forwarding plane, the primary router initiates re-advertisement of the routes to other BGP peer routers.

Abstract: In response to receiving a reply message for reserving bandwidth along a primary path for a first label switched path (LSP) for carrying data traffic from an ingress network device to an egress network device, a point of local repair (PLR) network device establishes a second LSP from the PLR to a merge point (MP) network device along a subset of the primary path. The second LSP is dedicated to carrying operations, administration and management (OAM) messages to verify connectivity of the subset of the primary path, and is not used for sending data traffic. The PLR sends an OAM message to verify connectivity of at least one protected resource along the subset of the primary path to a next hop along the second LSP, wherein the OAM message is encapsulated by a second label associated with the second LSP.

Abstract: In general, the invention is directed to techniques for enabling single sign-on (SSO) for a client seeking access to multiple resources protected by a certificate-based authentication scheme. For example, as described herein, a secure gateway comprises a certificate repository to store a digital certificate as well as a policy that includes one or more policy rules. A network interface of the secure gateway receives a message from a client device, wherein the message comprises a request to access a protected resource and an identifier for the requesting agent. The secure gateway also comprises a resource authentication module to map the identifier and the protected resource to the digital certificate based on the policy. The resource authentication module retrieves the digital certificate from the certificate repository and sends the digital certificate to the protected resource to authenticate the secure gateway to the protected resource.

Abstract: An example network management device includes a network management module, and a reconstruction module. The network management module is configured to generate a data retrieval command to direct a managed device to retrieve a set of management variables stored within a database within the managed network device and send the data retrieval command to the managed device. The reconstruction module is configured to receive a plurality of partial responses generated by a deconstruction module of the managed device in response to receiving the data retrieval command and determining that the set of management variables does not fit in a single response, and combine the received plurality of partial responses into the requested set of management variables, wherein each of the plurality of partial responses is received as a separate message from the managed network device and includes a different portion of the requested set of management variables.

Abstract: In some embodiments, an apparatus includes a register having a first portion and a second portion. The first portion of the register has multiple bits and the second portion of the register has multiple bits. Each bit from the multiple bits of the first portion of the register is associated with a bit from the multiple bits of the second portion of the register such that a bit from the multiple bits of the first portion of the register is set for its associated bit from the multiple bits of the second portion of the register to be written.

Abstract: A device receives topology and capability information associated with an access point, access devices, and aggregation devices of a wireless local area network (WLAN), and determines, based on the topology and capability information, a nearest capable access device or aggregation device to the access point. The device also provides an instruction that instructs the access point or the nearest capable access device or aggregation device to create a tunnel between the access point and the nearest capable access device or aggregation device. The access point or the nearest capable access device or aggregation device creates the tunnel between the access point and the nearest capable access device or aggregation device based on the instruction.

Abstract: The invention is directed to techniques for initiating lawful intercept of packets associated with subscriber sessions on a network device of a service provider network based on identification triggers. A law enforcement agency may send an intercept request for a subscriber to an administration device of the service provider network. The administration device may then configure one or more identification triggers for the subscriber based on the intercept request. The techniques described herein initiate lawful intercept when one or more subscriber sessions on a network device match the one or more identification triggers. The techniques described herein include configuring trigger rules that include identification triggers for subscribers on a network device via a command line interface (CLI) of the network device. In addition, the techniques described herein include configuring identification triggers in a subscriber profile on an authentication device connected to a network device.

Abstract: An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes to data acceleration module exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.

Abstract: In some embodiments, a method includes calculating, at a wireless access point (WAP) from a set of WAPs within a network, an interference value for each channel from a set of channels of the WAP. The method includes calculating, based on the interference value for each channel, a total move weight of the WAP. The method includes receiving, at the WAP, a total move weight from each remaining WAP. The method includes selecting one WAP from the set of WAPs based on a random number, the total move weight of the WAP, the total move weights from the remaining WAPs, and a rank of the WAPs. The method further includes changing, if the WAP is selected, a designated channel of the WAP to one of the remaining channels; and sending a signal to modify an active channel of the WAP to correspond with the designated channel.

Abstract: Techniques for classifying and managing network flows associated with a network service using application classification information and active signaling relay are described. A network device, for example, includes a signaling interceptor and a network flow interface. The signaling interceptor monitors a communication between a customer device and an application server, and identifies a network flow associated with a network service provided to the customer device by the application server. The network flow interface applies a policy to the identified network flow. An active signaling relay module communicates with the application server using data injected within the signaling communications, and utilizes the injected data to further control the network flows and the delivery of the network service.

Abstract: A communication network design circuit can derive a path and a necessary link capacity for multiple point communication service permitting arbitrary communication within a predetermined range of communication amount by providing traffic amount of data in-flowing through an ingress node and traffic amount of data flowing out through an egress node. The communication network designing circuit has setting means for setting a mathematical programming problem for deriving the multiple point communication service and optimizing means for solving the mathematical programming problem set by the setting means and obtaining the path for the multiple point communication service.

Abstract: In one embodiment, an apparatus includes a first access point within a wireless network. The first access point is configured to identify a communication device within a radio frequency (RF) range of the first access point. The first access point is also configured to request a session key associated with the communication device from a first network controller associated with the first access point in response to the communication device being identified. The first access point is further configured to receive the session key associated with the communication device from a second network controller associated with a second access point having an RF range partially overlapping the RF range of the first access point.

Abstract: Access switches in a switching system may use virtual aggregated links. When a link between an aggregation switch and an access switch fails, the link failure may be reflected in the virtual aggregated link and data traffic to another access switch may be switched away from the failed switch. A forwarding table in the access switch stores a number of entries that each define a correspondence between destination addresses and an output identifier for the switch. At least a first output identifier includes an aggregated link that represents a first set of possible output links. At least a second output identifier includes a virtual aggregated link, associated with a second network switch that represents a second set of possible output links. Destination addresses in the forwarding table for the virtual aggregated link correspond to network devices connected to the second network switch.