Abstract: In general, techniques are described for distributing traffic engineering (TE) link information across network routing protocol domain boundaries using a routing protocol. In one example, a network device logically located within a first routing protocol domain includes a routing protocol module executing on a control unit to execute an exterior gateway routing protocol. The routing protocol module of the network device receives an exterior gateway routing protocol advertisement from a router logically located within a second routing protocol domain and decodes traffic engineering information for a traffic engineering link from the exterior gateway routing protocol advertisement. A path computation module of the network device computes a traffic engineered path by selecting the traffic engineering link for inclusion in the traffic engineered path based on the traffic engineering information.

Abstract: A header conversion device allowing reduced amount of hardware and memory and high-speed line switching is disclosed. In an ATM switching device having redundant incoming line systems, a header conversion table stores a set of header conversion information for one of the redundant incoming line systems. A header converter converts the header of an ATM cell received from each of the redundant incoming line systems by referring the same set of header conversion information.

Abstract: A first network device creates a protection path to a second network device associated with a first service site, and creates a pseudowire between the first service site and a second service site via the first network device and the second network device. The first network device also detects a failure between the first network device and the first service site, and forwards traffic, provided by the pseudowire between the first service site and the second service site, via the protection path. The second network device uses the traffic on the protection path as a trigger to activate a link between the second network device and the first service site.

Abstract: A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current, when it is determined that the current state is insensitive.

Abstract: A network device is described that load-balances network traffic among a set of network servers based on electrical power consumption of the network servers. The network device may measure electrical power consumption in a variety of ways, and may generate and maintain a power consumption profile for each of the network server. The power consumption profile may describe the respective server power consumption in increasing granularity. For instance, each power consumption profile may specify electrical power consumption according to watts consumed by a server per average transaction, watts consumed per transaction for a specific type of software application, watts consumed per transaction for a software application for individual network resources, and so on. Furthermore, the profiles may be maintained for individual servers or aggregated for groups or sequences of servers.

Abstract: In general, this disclosure describes techniques of selecting routes for network packets through a computer network based, at least in part, on electrical power procurement arrangements of devices in the computer network. As described herein, there may be a plurality of routes through a computer network from a first device to a second device. Each of these routes may include one or more devices that consume electrical power. A route selection device may make a determination regarding how network packets are to be routed among these routes based, at least in part, on arrangements made to procure the electrical power consumed by the devices along the routes. After the route selection device makes this determination, the route selection device may cause network packets to be routed among these routes in accordance with this determination.

Abstract: A security device may be interconnected, via multiple links, between multiple network devices in a network. The firewall device may include multiple input interfaces that receive data units from a first network device destined for a second network device of the multiple network devices, identify a session associated with each of the data units, and process the data units in accordance with the identified sessions and a security policy.

Abstract: A method of maintaining multiple firewalls on multiple host nodes. Each host node runs one or more virtual machines. For at least a first host node, the method maintains multiple sets of policies for multiple virtual machines that run on the first host node. The method, upon detecting that a particular virtual machine has been moved from the first host node to a second host node, removes a set of policies associated with the particular virtual machine from the first host node and supplies the set of policies to the second host node.

Abstract: A device may include a donor to maintain a pool of addresses; a group of borrowers to obtain addresses from the donor; a daemon that has registered an interest in one or more borrowers in the group of borrowers; and a library to maintain first relationships between donors and borrowers that have obtained addresses from the donors, maintain second relationships between daemons and borrowers in which the daemons have registered an interest, receive a notification regarding an incident associated with the donor, identify, in response to the notification, the group of borrowers based on the first relationships, determine that the daemon has registered an interest in the one or more borrowers in the group of borrowers based on the second relationships, and output, to the daemon, a notification regarding the incident associated with the donor.

Abstract: A network router includes interfaces to receive packets, a routing engine that executes a routing protocol to maintain routing information specifying routes through a network, a packet forwarding engine forward the packets to the interfaces in accordance with the routing information, one or more advertising engine service cards comprising a packet inspection engine and an advertising engine control unit, and a set of dynamic filters that identify packets for inspection by the packet inspection engine based on characteristics of the packet. The filters direct any matching ones of the packets from the packet forwarding engine to the packet inspection engine within the advertising engine service card, and the packet inspection engine analyzes the packets to extract information from the packets based on configured advertising engine policies. The advertising engine control unit outputs commands to dynamically add and delete filters from the set of dynamic filters.

Abstract: A system protects database operations performed on a shared resource. The system may chunk memory to form a set of memory chunks which have memory blocks, at least some of the memory blocks including database objects. The system may configure at least one binary search tree using the memory chunks as nodes and buffer a set of pointers corresponding to the memory blocks. The system may further validate the buffered pointers and dereference validated buffered pointers.

Abstract: An example network device includes network interfaces and a control unit that receives a network configuration request from a client device and sends a network configuration response to the client device.

Abstract: Techniques are described for load balancing packet flows across parallel data paths. For example, a network device includes a plurality of parallel network interfaces and a control unit that applies each of a first set of hash functions to a packet and one of a second set of hash functions to the packet. Bins of each of the first set of hash functions are mapped to bits of a bit vector. Bins of each of the second set of hash functions are mapped to the plurality of parallel network interfaces. The control unit selects the one of the second set of hash functions to apply to the packet based on values of the bits of the bit vector. The control unit forwards the packet through the network interface that is identified by applying the selected one of the second set of hash functions to the packet.

Abstract: This disclosure describes techniques for protecting an endpoint of a label switched path. In one embodiment, a system includes an ingress router, a primary egress router, backup router, and a point of local repair (PLR) router. The ingress router, the PLR router, and the first egress router form a first label switched path. The backup router provides protection for the primary egress router such that the backup router provides routing services for the first egress router when the first egress router is not available. The primary egress router and the backup router share an anycast IP address. The backup router advertises a route to reach the primary egress router, but upon receiving a packet intended for the primary egress router, the backup router identifies the destination of the packet and forwards the packet to the destination instead of the primary egress router along a different route.

Abstract: A system includes a first device connected to a second device The first device includes a second node connected to a first node and the second device via a link, and includes a backup second node connected to the first node and the second device via another link. The first node is configured to receive, via the link or the other link, a group of packets (i.e., “packets”), from the second device; display a first notification that the second node can be removed when the packets are received via only the other link; display a second notification indicating that the backup second node can be removed when the packets are received via only the link; and display a third notification indicating that neither the second node nor the backup second node can be removed when the packets are not received via only the link and via only the other link.

Abstract: A method and apparatus for switching a data packet between a source and destination in a network. The data packet includes a header portion and a data portion. The header portion includes routing information for the data packet. The method includes defining a data path in the router comprising a path through the router along which the data portion of the data packet travels and defining a control path comprising a path through the router along which routing information from the header portion travels. The method includes separating the data path and control path in the router such that the routing information can be separated from the data portion allowing for the separate processing of each in the router. The data portion can be stored in a global memory while routing decisions are made on the routing information in the control path.

Abstract: In one embodiment, a method includes receiving a provisioning instruction including a device identifier from an external management entity, receiving the device identifier from a network device, associating the provisioning instruction the network device, and sending a portion of the provisioning instruction to the network device. The device identifier being associated with a virtual resource. The associating is based on the device identifier of the virtual resource and a device identifier of a network device. The portion of the provisioning instruction is sent to the network device based on the associating.

Abstract: A network device provides a selector list that includes indices of child nexthops associated with the network device, where each of the child nexthops is associated with a corresponding child link provided in an aggregated bundle of child links. The network device also receives an indication of a failure of a child link in the aggregated bundle of child links, and removes, from the selector list, an index of a child nexthop associated with the failed child link. The network device further receives probabilities associated with the child links of the aggregated bundle of child links. Each of the probabilities indicates a probability of a packet exiting the network device on a child link. The network device also creates a distribution table based on the probabilities associated with the child links, and rearranges values provided in the distribution table.

Abstract: A system includes a gateway node that contains modular cards that separately implement control and data planes of a network protocol. The separate data and control cards provide for improved system reliability and improved flexibility in managing bandwidth. Control or data cards can be added to the gateway node as needed based on system load.

Abstract: Systems and methods are provided for analyzing policy rules defined for a subscriber and determining packet treatment in a network. Definitions are retrieved pertaining to policy rules for a subscriber. At least one policy point in a network is determined based on the retrieved definitions. The packet treatment is determined at each of the at least one policy point. The packet treatment is shown for each of the at least one policy point. Packets may be injected into the network at injection points and statistics may be collected. The statistics may be compared with results of analyzing policy rules for the subscriber.