Abstract: Techniques are described for configuring a one or more perimeter firewalls positioned on the perimeter of a data center based on security group information associated with an internal virtual firewall operating within one or more software defined networks (SDN) within the data center. For example, a Security Management System (SMS) may access a centralized network controller (CNC) for an SDN within the data center to obtain security group information for a virtual firewall of the SDN, wherein the security group information specifies a cluster of virtual machines of the software defined network that is protected by the virtual firewall; and automatically configuring, with the SMS, a perimeter firewall positioned on the edge of the data center with one or more security policies based on the security group information from the virtual firewall of the SDN.

Abstract: A disclosed method may include (1) detecting, on a primary node within a network, a change made to an object replicated across the primary node and a backup node within the network, (2) modifying a state-update message destined for the backup node to account for the change made to the object on the primary node, (3) inspecting a status flag of the state-update message destined for the backup node, (4) determining, based at least in part on the status flag of the state-update message, that the state-update message is ready for transmission to the backup node, and then in response to determining that the state-update message is ready for transmission, (5) transmitting the state-update message to the backup node to facilitate replicating the change to the object on the backup node. Various other apparatuses, systems, and methods are also disclosed.

Abstract: Techniques are described for providing a controller to configure, within a given namespace, a virtual network for a pod and an application service address for an application service to enable access to the pod. For example, the controller may configure in each namespace a virtual network for a logically-related group of one or more containers (“pod”) and application service address for an application service that is an abstraction which defines a logical set of pods and a policy by which to access the pods (e.g., load balancing). Techniques are also described for providing a controller to configure controller configures the service chain by configuring the left interface of a service node with a virtual routing and forwarding instance (VRF) identifying the pod of a first namespace and the right interface of the service node with a VRF identifying the application service of a second namespace.

Abstract: A disclosed method may include (1) receiving, at a node within a network, an MPLS echo request from an additional node adjacent to the node, (2) determining that a FEC query is included in a FEC stack of the MPLS echo request and then, in response to determining that the FEC query is included in the FEC stack of the MPLS echo request, (3) determining at least one FEC that corresponds to a label included in a label stack of the MPLS echo request, and then (4) notifying the additional node of the FEC that corresponds to the label included in the label stack by sending, to the additional node, an MPLS echo reply that identifies the FEC that corresponds to the label. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: The disclosed apparatus may include (1) a shoulder bolt that includes (A) a head and (B) a shank, (2) a retention barrel that envelops at least a portion of the shank of the shoulder bolt, (3) a coil spring that envelops at least a portion of the shank of the shoulder bolt and resides between the head of the shoulder bolt and a heatsink, and (4) a travel-limiting component (such as a set screw or a sleeve) that (A) is coupled to the retention barrel and (B) limits the heatsink from travelling linearly beyond a travel threshold via the coil spring. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A co-packaged optical-electrical chip can include an application-specific integrated circuit (ASIC) and a plurality of optical modules, such as optical transceivers. The ASIC and each of the optical modules can exchange electrical signaling via integrated electrical paths. The ASIC can include Ethernet switch, error correction, bit-to-symbol mapping/demapping, and digital signal processing circuits to pre-compensate and post-compensate channel impairments (e.g., inter-channel/intra-channel impairments) in electrical and optical domains. The co-packaged inter-chip interface can be scaled to handle different data rates using spectral efficient signaling formats (e.g., QAM-64, PAM-8) without adding additional data lines to a given design and without significantly increasing the power consumption of the design.

Abstract: Graphical user interfaces are generated that, when displayed, provide a visual and interactive representation of one or more aspects associated with the execution of one or more applications on a computer network. The graphical user interfaces may in include graphical depictions representation policy objects, each policy object assigned one or more tags, each tag assigned to a category or a sub-category. The tags, when taken in combination, may identify an application, and one or more other characteristics associated with each of the policy objects. The graphical elements representing the policy objects may be displayed in the graphical user interfaces so that the policy objects assigned to tags in a category are positioned in an outer ring, and policy objects assigned to sub-category tags are positioned in a inner ring surrounded by the outer ring, with interconnection elements representing communications between policy objects extending within an interior area.

Abstract: In one example, a network management system discovers a plurality of network devices behind a network address translation device, such as a firewall. The network management system may receive a model of a seed network device, generate a first activation configuration and commit the first activation configuration on the seed network device. The network management system may connect to the seed network device and discover neighboring devices from information in the seed network device. The network management system may connect to the neighboring devices, automatically create a model of the neighboring network devices, generate s activation configurations for the neighboring network devices and commit the activation configurations on the neighboring network devices. The network management system may iterative perform these steps until it discovers all the discoverable network devices behind the network address translation device.

Abstract: Disclosed is an attachment mechanism for attaching a wireless access point to a vertical structure, such as a wall. The attachment mechanism includes a bracket that is mounted to the vertical structure. The attachment mechanism also includes at least two engagement members positioned on opposing sides of the access point. The two engagement members are horizontally aligned, in some embodiments, when the access point is engaged with a bracket. The two engagement members engage with receptacles that are part of the bracket. One of the receptacles includes a tab which prevents its corresponding engagement member from fully engaging with the receptacle, allowing the attachment mechanism to disengage via disengagement of only one of the engagement members.

Abstract: A broadband network gateway (BNG) controller is described that includes a network subscriber database (NSDB) and one or more core applications. The NSDB is configured to store vBNG instance information for one or more subscriber devices. The vBNG instance information specifies vBNG instances operable by one or more edge routers. The vBNG instances are configured to receive requests to access service provider services from the one or more subscriber devices and to selectively authenticate the one or more subscriber devices for network services based on authentication information included in the requests to access services provider services. The one or more core applications include a network instance and configuration manager (NICM). The NICM is configured to modify the vBNG instance information at the NSDB to include an additional vBNG instance and to output, to an edge router, an instruction to generate the additional vBNG instance at the edge router.

Abstract: Techniques are described for a method for detecting a fault. The method includes receiving, by a receiving electronic device, via a differential pair transmission line, from a transmitting electronic device, an electrical signal. The method further includes converting, by a receiving (Rx) serializer/deserializer (SerDes) operating at the receiving electronic device, the received electrical signal into a received digital electrical signal. The method further includes, determining, by one or more processors, an electrical signature of the received electrical signal from the received digital electrical signal when the received electrical signal is received by the receiving electronic device. The method further includes determining, by the one or more processors, based on the electrical signature, a position of a fault between the receiving electronic device and the transmitting electronic device. The fault causes the received electrical signal to be different than the transmitted electrical signal.

Abstract: A disclosed method may include (1) identifying a child process that spawned from a parent process running on a computing device, (2) receiving, from the child process, a request to execute an unsigned script on the computing device, (3) determining, in response to the request, whether to override a restriction against executing unsigned scripts by (A) checking an access-control label referenced by the parent process and (B) determining that the access-control label indicates that the parent process has a privilege to override the restriction, (4) imputing, to the child process, the privilege of the parent process to override the, and then (5) executing, on the computing device, the unsigned script despite the restriction due at least in part to the privilege of the parent process having been imputed to the child process. Various other apparatuses, systems, and methods are also disclosed.

Abstract: The disclosed apparatus may include (1) a cold plate base that (A) is thermally coupled to a component and (B) includes a set of heatsink fin structures that facilitate absorbing heat generated by the component and (2) a cold plate cover that (A) sits atop the cold plate base and (B) directs a cooling fluid across the set of heatsink fin structures to cool the cold plate base despite the heat absorbed by the cold plate base from the component. Various other apparatuses, systems and methods are also disclosed.

Abstract: An example controller device that manages a plurality of network devices includes one or more processors implemented in circuitry and configured to: determine that configuration of one or more network devices of the plurality of network devices is to be updated; determine dependencies between types of resources provided by the network devices; construct a directed acyclic graph (DAG) representing the dependencies, the DAG having nodes representing the corresponding types of resources of the network devices of the plurality of network devices; sort the nodes of the DAG according to a grouped topological sort into a plurality of hierarchical levels according to the dependencies; and submit queries for two or more resources of the network devices at a common level of the plurality of hierarchical levels in parallel to determine resources of the determined types of resources of the two or more resources to configure the two or more network devices.

Abstract: Techniques for avoiding single points of failure in routing components of an SDN are disclosed. In some aspects, control nodes that provide routing management services are assigned zone identifiers. The control nodes having one zone identifier can be on separate processes and/or physical hardware from control nodes having a different zone identifier. Workloads, such as virtual machines or containers, can establish routing sessions such as Border Gateway Protocol as a Service (BGPaaS) routing sessions using different zone identifiers to ensure that separate control nodes provide routing management services for the primary and secondary compute nodes associated with a high availability service. These techniques in this way facilitate high availability by ensuring that a control node is not a single point of failure for the high availability service provided by the primary and secondary compute nodes.

Abstract: An optical device such as an optical transceiver can include a cascaded built-in self-test structure that can be configured in testing mode using an active power mode and can sufficiently attenuate light away from a loopback path in an inactive power mode. The optical device can include a wafer top emitter that can be used to tune a light source for testing and calibration of optical components while the built-in self-test structure is in active mode.

Abstract: An example controller node may, responsive to receiving a resource request from a client device, deploy a compute node for execution on a particular data center selected from data centers within a distributed computing system, and store at least one address assigned to the compute node in a node inventory data store. After storing the at least one address, and responsive to determining that the compute node is not accessible using the at least one address the controller node may determine, based on information received from the particular data center, that the compute node is still available for execution on the particular data center, and receive, from the particular data center, at least one updated address assigned to the compute node. The controller node may then update the node inventory data store to store the at least one updated address that is assigned to the compute node.

Abstract: The disclosed method may include (1) determining a size of a packet received at a network device, (2) identifying, within a plurality of packet policers that track rates of packets with various sizes received at the network device, a packet policer that tracks rates of packets whose sizes are within a range that includes the size of the packet, (3) determining a current rate of packets tracked by the packet policer, and then (4) handling the packet based at least in part on whether the current rate exceeds a threshold rate. Various other apparatuses, systems, and methods are also disclosed.

Abstract: In some embodiments, an apparatus includes an automatic integrated circuit (IC) handler having a change kit. The change kit has a plunger moveably disposable onto an automatic test equipment (ATE). In such embodiments, the ATE is configured to receive an integrated circuit having an optical interface. The plunger has a first position and a second position. In such embodiments, the plunger is out of contact with the integrated circuit when the plunger is in the first position. The plunger includes an optical connector operatively coupled to the optical interface of the integrated circuit when the plunger is in the second position.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.