Abstract: A cloud network may include a distributed security switch (DSS). The DSS may be to receive configuration information from the hypervisor. The configuration information may include a set of access mode attributes and a security policy. The DSS may be to determine that a packet is to be directed from a source virtual machine to a target virtual machine. The DSS may be to identify an egress interface of the source virtual machine and an ingress interface of the target virtual machine. The egress interface may be associated with a first access mode attribute and the ingress interface being associated with a second access mode attribute. The DSS may be to selectively route the packet, using the shared memory, based on the first access mode attribute, the second access mode attribute, and the security policy.

Abstract: An apparatus includes a finite impulse response (FIR) filter to receive a digital signal and a transmitter, operatively coupled to the FIR filter, to transmit an analog signal, converted from the digital signal, to a communication channel. The FIR filer is configured to change at least one operating parameter based on a bandwidth of the analog signal after transmission in the communication channel. The bandwidth of the analog signal is estimated, using an estimator, based at least in part on raw sampling data generated by an analog-to-digital converter (ADC) operatively coupled to the transmitter.

Abstract: A device may determine that a file of a client device is a malicious file. The device may obtain remote access to the client device using a connection tool. The connection tool may provide access and control of the client device. The remote access may include access to a file location of the malicious file. The device may determine file information associated with the malicious file using the remote access to the client device. The device may select one or more remediation actions based on the file information. The device may cause the one or more remediation actions to be executed using the remote access to the client device.

Abstract: Described are various configurations of reduced crosstalk optical switches. Various embodiments can reduce or entirely eliminate crosstalk using a coupler that has a power-splitting ratio that compensates for amplitude imbalance caused by phase modulator attenuation. Some embodiments implement a plurality of phase modulators and couplers as part of a dilated switch network to increase overall bandwidth and further reduce potential for crosstalk.

Abstract: A network node may include one or more processors. The one or more processors may receive a message that is associated with one or more signatures and one or more second signatures. The one or more signatures may have been validated by a particular node. The one or more processors may determine that the particular node is a trusted node. The network node may be configured not to validate signatures that have been validated by a trusted node. The one or more processors may determine that the one or more signatures have been validated by the particular node. The one or more processors may sign or provide the message, without validating the one or more signatures, based on determining that the one or more signatures have been validated by the particular node.

Abstract: A device may configure a state of a data plane to test the state of the data plane using a set of components. The device may provide a set of packets from a first virtual component of the device to a first port of the device. The first virtual component may include a first virtual representation of a first device. The first virtual component may be included in the set of components. The device may loop back the set of packets at the first port of the device based on providing the set of packets to the first port. The device may perform an action based on the state of the data plane in association with looping back the set of packets at the first port. The device may determine whether a test of the state of the data plane is associated with a pass status or a fail status.

Abstract: A network device may identify a configuration of resources that are to support attachable line cards. The configuration may include a power supply configuration that is used to provide power to packet processing components that are supported by the line cards, and a resource distribution configuration indicating whether resources in the line cards are shared between the packet processing components. The network device may determine whether to modify a power state of a packet processing component based on whether one or more power modification conditions are satisfied. The network device may modify the power state of the packet processing component based on determining that the power modification condition is satisfied. The power state of the packet processing component may be able to be modified to a particular power state based on the configuration of resources.

Abstract: The disclosed computer-implemented method for classifying uplink and downlink traffic in networks may include (1) maintaining a routing table that includes a plurality of routes that define paths to a plurality of network destinations in connection with a network, (2) receiving a packet to be routed toward a network destination based at least in part on a route that defines a path to the network destination in connection with the MPLS network, (3) identifying, within the routing table, the route that defines the path to the network destination, (4) determining, based at least in part on the route identified within the routing table, whether the packet represents uplink or downlink traffic, and then (5) classifying the packet as uplink or downlink traffic based at least in part on the determination. Various other methods, systems, and apparatuses are also disclosed.

Abstract: A network device is configured to receive information regarding a group of content streams and determine a buffer size for each of the content streams. The network device is further configured to receive the content streams from one or more encoding devices. The network device is further configured to buffer an amount of each of the content streams based on the respective buffer size. The network device is further configured to send a first content stream to a user device. The network device is further configured to determine that the first content stream has a quality of experience issue and send the second content stream to the user device.

Abstract: Techniques are described for facilitating the inclusion of a non-flexible-algorithm router to be included in flexible-algorithm path computations. For example, a flexible-algorithm router advertises information associated with a non-flexible-algorithm router to other flexible-algorithm routers in the network such that the flexible-algorithm routers may include the non-flexible-algorithm router when computing a path based on flexible-algorithm. During path computation, if the router determines that its next-hop router is the non-flexible-algorithm router, the router may configure additional forwarding information to cause the router to steer traffic to the non-flexible-algorithm router.

Abstract: A device may include one or more processors to establish a media access control security (MACsec) key agreement (MKA) session between a first network device and a second network device via a MACsec link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the first network device and a second packet processing engine of the second network device, to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; determine, based on the fast heartbeat session, that the MKA session has ended; and/or perform an action based on the MKA session ending.

Abstract: The disclosed computer-implemented method may include (1) identifying a plurality of network paths within a network, (2) identifying a plurality of network services offered via the network, (3) creating a virtual path topology that represents a select grouping of the network paths that (A) originate from a single ingress node within the network and (B) lead to a plurality of egress nodes within the network, (4) mapping at least one of the network services to the virtual path topology, and (5) providing the at least one of the network services to at least one computing device via at least one of the network paths included in the select grouping represented by the virtual path topology. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A device may receive information associated with a service chain to be implemented in association with a flow. The information associated with the service chain may include a source network address associated with the flow, a destination network address associated with the flow, a set of protocols associated with the flow, and a set of network services, of the service chain, to be implemented in association with the flow. The device may implement the service chain in association with the flow. The device may receive network traffic information associated with the flow based on implementing the service chain in association with the flow. The device may modify the service chain based on the network traffic information associated with the flow to permit a modified service chain to be implemented in association with the flow.

Abstract: In one embodiment, a processor-readable medium storing code representing instructions that when executed by a processor cause the processor to update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least one of a packet from the data flow is received or the memory location is selected after a time period has expired. At least a portion of the packet is analyzed when the second flow state value represents a flow rate of a network data flow anomaly.

Abstract: In one embodiment, a method includes receiving a first identifier and a private key after a network device has been included in a data center switch fabric control plane, authenticating the network device based on the private key, sending a second identifier to the network device, and sending a control signal to the network device based on the second identifier. The first identifier is associated with the network device and unique within a segment of the data center switch fabric control plane. The second identifier is unique within the segment of the data center switch fabric control plane.

Abstract: An apparatus includes an aggregation module that is associated with a first network core and that is operatively coupled to a second network core and a third network core. The aggregation module is configured to receive a first copy of an access point license that authorizes access to a network via an access point and the second network core. The aggregation module receives the first copy of the access point license from the second network core in response to an installation and validation of the access point license on the second network core. The aggregation module is configured to send a second copy of the access point license to the third network core that authorizes a device to access the network via the access point and via the third network core in accordance with the access point license and in response to a failure of the second network core.

Abstract: For use in an Ethernet Virtual Private Network (EVPN) in which a site including at least one MAC-addressable device is multihomed, via a customer edge device (CE), to at least two provider edge devices (PE1 and PE2), the potential problem of one of the at least two provider edge devices (PE2) dropping or flooding packets designed for a MAC-addressable device of the multihomed site is solved by controlling advertisements of an auto-discovery per EVPN instance (A-D/EVI) route (or an auto-discovery per Ethernet segment identifier (A-D/ESI) route) to a remote provider edge device (PE3), belonging to the EVPN but not directly connected with the CE.

Abstract: In general, techniques are described for reporting dynamic tunnels to a path computation element (PCE) of a network to inform path computation by the PCE for traffic engineering within the network. In some examples, a method comprises generating, by a network device configured to route network packets within a network, a dynamic tunnel report message that includes dynamic tunnel description data for a dynamic tunnel that transports the network packets through the network, wherein the network packets transported by the dynamic tunnel each comprises an outer header that does not include a multiprotocol label switching (MPLS) transport label; and sending, by the network device, the dynamic tunnel report message to a path computation element (PCE) for a path computation domain to report the dynamic tunnel to the PCE for inclusion in path computation by the PCE for label switched paths of the network.

Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to be operatively coupled to a first optical transponder and a second optical transponder. The processor is configured to receive, from the second optical transponder, a signal representing a skew value of an optical signal and a signal representing a bit-error-rate (BER) value of the optical signal. The skew value is associated with a skew between an in-phase component of the optical signal and a quadrature component of the optical signal. The processor is configured to determine, based on at least one of the skew value or the BER value, if a performance degradation of the first optical transponder satisfies a threshold. The processor is configured to send a control signal to the first optical transponder to adjust a pulse shaping or a data baud rate of the first optical transponder.

Abstract: The techniques describe forwarding multicast traffic using a multi-level cache in a network device forwarding plane for determining a set of outgoing interfaces of the network device on which to forward the multicast traffic. For example, a multi-level cache is configured to store a multicast identifier of a multicast packet and multicast forwarding information associated with the multicast identifier, such as identification of one or more egress packet processors of the network device to which the multicast packet is to be sent for forwarding to the set of one or more egress network devices, and/or outgoing interfaces of the network device toward each egress network device of the set of one or more egress network devices. The multi-level cache is also configured to store respective multicast identifiers that are to be encapsulated with outgoing multicast packets that are forwarded to the set of one or more egress network devices.