Abstract: In general, techniques are described for dynamically redirecting session requests received by a mobile network gateway to another gateway of the mobile network. Heterogeneous static and dynamic capabilities among gateways of the mobile network leave some gateways unable to service a particular session requested by a wireless device attached to the mobile network. A set of policies configured within the gateways by a mobile network operator and applied by the gateway enables the gateway to identify and offload session requests to another gateway of the mobile network that has the present capability to service the session. The policies may define conditions and actions to provide flexible routing of the user session to an appropriate gateway.
Type:
Application
Filed:
June 29, 2011
Publication date:
January 3, 2013
Applicant:
JUNIPER NETWORKS, INC.
Inventors:
Apurva Mehta, Bart Brinckman, Bin W. Hong, Huiyang Yang, Krishna Sankaran, Kumar Mehta
Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
Type:
Application
Filed:
September 14, 2012
Publication date:
January 3, 2013
Applicant:
JUNIPER NETWORKS, INC.
Inventors:
Yu Ming MAO, Roger Jia-Jyi LIAN, Guangsong HUANG, Lee Chik CHEUNG
Abstract: A router may be tested using a packet-based testing technique in which the test packets are generated by the router. In one implementation, a forwarding plane in a router may include a first component to process header information of packets to determine forwarding information, and a memory component to store payload data for the packets. A control plane of the router may generate test packets, insert the test packets into the forwarding plane, receive a second set of packets from the forwarding plane, analyze the second set of packets to determine whether the second set of packets correspond to the inserted plurality of test packets, and output, based on the analysis, test results relating to the operation of the routing device.
Abstract: A network device having a distributed, multi-stage forwarding architecture uses a two-stage process for planned orderly offlining of switch fabric components. The process includes a prepare stage in which preparations are made from downstream components to upstream components for offlining and new spray weights are calculated but not applied, and a commit stage in which new spray weights are committed and applied to traffic from upstream components to downstream components.
Abstract: The present invention provides systems and methods for maintaining stateful interactions between clients and servers. Furthermore, the invention provides systems and methods for maintaining stateful interactions between clients and load balancers. In one embodiment, the present invention provides systems and methods for maintaining statefulness without the need for the server to query and/or store information on the client.
Abstract: A method may include establishing a first Point-to-Point Protocol (PPP) session on an interface; receiving an indication of a layer one failure; omitting, for a period of time, an indication that the first PPP session on the interface is down, based on the indication of the layer one failure; establishing a layer one switchover to another interface based on the indication of the layer one failure; and attempting, during the period of time, to establish a second PPP session on the other interface.
Abstract: A method may include authenticating a node over layer 2 in a network based on authentication rules; sending a node authentication code to the node; and providing layer 3 network access based on the node authentication code.
Type:
Application
Filed:
August 31, 2012
Publication date:
December 27, 2012
Applicant:
Juniper Networks, Inc.
Inventors:
Roger Chickering, Derek Brown, Paul Funk, Oliver Tavakoli
Abstract: A network router includes a plurality of interfaces configured to send and receive packets, and a routing component comprising: (i) a routing engine that includes a control unit that executes a routing protocol to maintain routing information specifying routes through a network, and (ii) a forwarding plane configured by the routing engine to select next hops for the packets in accordance with the routing information. The forwarding plane comprises a switch fabric to forward the packets to the interfaces based on the selected next hops. The network router also includes a security plane configured to apply security functions to the packets. The security plane is integrated within the network router to share a streamlined forwarding plane of the routing component.
Type:
Grant
Filed:
July 30, 2008
Date of Patent:
December 25, 2012
Assignee:
Juniper Networks, Inc.
Inventors:
Jerome P. Moisand, Jean-Marc Frailong, Krishna Narayanaswamy, Oren Melamud, Paul J. Kirner
Abstract: A system includes a memory and a controller. The controller may include a group of pads and an allocation register. The controller is configured to receive input signals corresponding to the group and allocate each one of the pads to output one of the input signals based on a configuration of pins of the memory. The controller is also configured to redirect the input signals, within the controller, based on the allocation of the pads and output the input signals from the controller into the pads.
Type:
Grant
Filed:
December 31, 2010
Date of Patent:
December 25, 2012
Assignee:
Juniper Networks, Inc.
Inventors:
Srinivas Vaduvatha, Srinivas Venkataraman, Anurag P. Gupta, Praveen Garapally, Norman Bristol, Dibyendu Sen
Abstract: In one embodiment, an apparatus can include a first edge device that can have a packet processing module. The first edge device can be configured to receive a packet. The packet processing module of the first edge device can be configured to produce cells based on the packet. A second edge device can have a packet processing module configured to reassemble the packet based on the cells. A multi-stage switch fabric can be coupled to the first edge device and the second edge device. The multi-stage switch fabric can define a single logical entity. The multi-stage switch fabric can have switch modules. Each switch module from the switch modules can have a shared memory device. The multi-stage switch fabric can be configured to switch the cells so that the cells are sent to the second edge device.
Abstract: Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack, wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that the packet is encrypted, the attack detection module determines that the packet is associated with a network attack.
Abstract: A network device includes an interface (105), a TCP/IP protocol fast processing path (115), and a TCP/IP protocol slow processing path (110). The interface (105) receives a packet and parses the packet to determine a characteristic of the packet. The TCP/IP protocol fast processing path (115) processes the packet if the characteristic of the packet includes a first characteristic. The TCP/IP protocol slow processing path (110) processes the packet if the characteristic of the packet includes a second characteristic.
Type:
Grant
Filed:
October 18, 2010
Date of Patent:
December 25, 2012
Assignee:
Juniper Networks, Inc.
Inventors:
Nhon T Quach, Ramesh Padmanabhan, Jean Marc Frailong
Abstract: The subject matter of this specification can be implemented in, among other things, a method that includes receiving, at a first network device that is associated with an MVPN, an mtrace message that identifies a source device that is associated with the MVPN and that is separated from the first network device by an MPLS network. The method further includes determining an LSP from the first network device to a second network device that is associated with the MVPN and that is separated from the first network device by the MPLS network. The method further includes adding an IP header to the mtrace message, the IP header including a destination address set to a localhost loopback IP address. The method further includes encapsulating the mtrace message with an MPLS label stack that causes the encapsulated mtrace message to reach an instance of the MVPN on the second network device.
Abstract: A method for transferring a packet that is capable of permitting address resolution based on layer 3 packet filter information and that is further capable of preventing the establishment of an undesirable shortcut path is provided. In a network, a server that receives an address resolution request packet from a client determines whether the address resolution request packet should be forwarded to another server or another client based on layer 3 packet filter information.
Abstract: A device receives, from a client device, a request for a resource, and determines, based on information provided in the request, whether to terminate a connection for the request at the device. The device forwards the request to a network when the connection is not terminated at the device, and selects a target device for the resource when the connection is terminated at the device. The device also provides the request to the selected target device, receives the resource from the selected target device, and provides the resource to the client device.
Abstract: A device receives, from a client device, a request for a resource, where the request provides an identifier of the client device. The device selects a target device for the resource, connects with the selected target device, and provides a proxy of the request to the selected target device, where the proxy of the request hides the identifier of the client device. The device receives the resource from the selected target device, where the resource provides an identifier of the target device. The device provides a proxy of the resource to the client device, where the proxy of the resource hides the identifier of the target device.
Abstract: In some embodiments, an apparatus includes a module within a first stage of a switch fabric, a module within a second stage of the switch fabric, and a module within a third stage of the switch fabric. The module within the first stage is configured to send data to the module within the second stage. The module within the second stage is configured to send data to the module within the third stage. The module within the second stage is configured to send a first suspension indicator to the module within the third stage. The module within the third stage is configured to send a second suspension indicator to the module within the first stage in response to the first suspension indicator. The module within the first stage is configured to stop sending data to the module within the second stage in response to the second suspension indicator.
Abstract: In one embodiment, a method includes receiving a provisioning instruction including a device identifier from an external management entity, receiving the device identifier from a network device, associating the provisioning instruction with the network device, and sending a portion of the provisioning instruction to the network device. The device identifier is associated with a virtual resource. The associating is based on the device identifier of the virtual resource and a device identifier of a network device. The portion of the provisioning instruction is sent to the network device based on the associating.
Abstract: A device receives, from a client device, a request for a resource, and accesses a table that includes one or more items of information. The device compares information provided in the request to the one or more items of information provided in the table, and terminates a connection for the request at the device when the information provided in the request matches at least one of the one or more items of information provided in the table. The device forwards the request to a network when the connection is not terminated at the device, and selects a target device for the resource when the connection is terminated at the device.
Abstract: A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.
Type:
Application
Filed:
August 31, 2012
Publication date:
December 20, 2012
Applicant:
Juniper Networks, Inc.
Inventors:
Adam Michael CONWAY, Lee Klarich, Ning Mo