Abstract: A network device may receive user datagram protocol (UDP) packets associated with an internet protocol (IP) session. The network device may apply a first firewall filter by setting one or more bits of each UDP packet to particular bit values to allow each UDP packet to be identified in association with the first firewall filter. The network device may update, each time a UDP packet is received, a first packet counter to account for a total number of UDP packets to which the first firewall filter has been applied. The network device may provide each UDP packet to another network device. The other network device may update a second packet counter. The network device and the other network device may provide the first packet counter and the second packet counter to a server device to cause the server device to determine packet loss information for the IP session.

Abstract: A device may receive a control packet associated with a connection. The control packet may include a network address. The device may identify an application layer identifier that is associated with the network address. The device may identify a service rule associated with the application layer identifier. The service rule may identify a service to be applied to a data packet associated with the connection. The device may provide the control packet based on identifying the service rule. The control packet may be provided to permit the service to be applied to the data packet in accordance with the service rule.

Abstract: A device may receive first information identifying multiple server devices and second information identifying multiple flows. The device may assign the multiple flows to the multiple server devices in a first order. The device may store the second information in multiple data structures to record the assignment of the multiple flows to the multiple server devices. A data structure, of the multiple data structures, may correspond to a respective server device of the multiple server devices. The device may receive an indication that a server device has been added to, or removed from, the multiple server devices after storing the second information. The device may reassign a subset of the multiple flows in a second order using third information identifying an order in which the multiple flows were assigned to the multiple server devices. The second order may be different from the first order.

Abstract: A device may receive a first portion of network traffic associated with a flow. The device may perform a first upper layer inspection of the first portion of network traffic associated with the flow. The device may identify a set of parameters of the flow based on performing the first upper layer inspection of the first portion of network traffic associated with the flow. The device may determine, based on the set of parameters, a sampling rate at which to perform a second upper layer inspection of a second portion of network traffic associated with the flow. The device may instruct a lower layer to use the sampling rate to provide the second portion of network traffic associated with the flow for the second upper layer inspection. The device may perform the second upper layer inspection of the second portion of network traffic associated with the flow based on receiving the second portion of network traffic associated with the flow from the lower layer.

Abstract: In some embodiments, an apparatus includes a memory and a processor operatively coupled to the memory. The processor is configured to be operatively coupled to a first optical transponder and a second optical transponder. The processor is configured to receive, from the second optical transponder, a signal representing a skew value of an optical signal and a signal representing a bit-error-rate (BER) value of the optical signal. The skew value is associated with a skew between an in-phase component of the optical signal and a quadrature component of the optical signal. The processor is configured to determine, based on at least one of the skew value or the BER value, if a performance degradation of the first optical transponder satisfies a threshold. The processor is configured to send a control signal to the first optical transponder to adjust a pulse shaping or a data baud rate of the first optical transponder.

Abstract: A device may identify a portion of a label-switched path (LSP) on which a simple hierarchical LSP (sH-LSP) is to be used for transferring traffic via a network. The device may determine attribute information associated with the sH-LSP. The attribute information may include information associated with one or more characteristics of the sH-LSP. The device may provide an indication associated with identifying an available sH-LSP or creating a sH-LSP. The indication may include the attribute information associated with the sH-LSP, and may be being provided to cause the sH-LSP to be created on the portion of the LSP or an available sH-LSP, associated with the portion of the LSP, to be identified. The device may receive, based on providing the indication, an identifier associated with the sH-LSP. The device may cause the LSP to be set up based on the identifier associated with the sH-LSP.

Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.

Abstract: In one example, a method includes by a first network device positioned on a border of a first area of a multi-area hierarchical network and a second area of the multi-area hierarchical network, determining a cost associated with sending network traffic from a client group to the first network device, wherein the client group is positioned in the first area, the first area and the second area being distinct routing domains of the multi-area hierarchical network; and outputting, by the first network device to a second network device positioned in the second area, a routing advertisement that specifies the determined cost as a reverse metric. In some examples, a route reflector receives the routing advertisement and based on the cost from the client group to the area border network device, selects an egress point from among a plurality of egress points of the multi-area hierarchical network.

Abstract: In general, techniques are described for reducing forwarding loops for layer (L2) traffic that traverses an EVPN or PBB-EVPN instance (EVI) by deterministically determining an access-facing logical interface to block from respective access-facing logical interfaces of PE devices that switch the L2 traffic using the EVI. A provider edge (PE) network device may detect an L2 forwarding loop on an L2 forwarding path that includes the access-facing logical interface. In response to detecting an L2 forwarding loop and based at least on comparing an identifier for the local PE device and an identifier for a remote PE device that implements the EVPN instance, the PE device may block the access-facing logical interface to block L2 traffic from the local customer network.

Abstract: The disclosed apparatus may include (1) providing a framework that enables a customer entity of a service provider to configure, via a customer portal, a network device of the service provider that directs network traffic of the customer entity, (2) creating, for the customer entity by way of the framework, a virtual network that includes at least a portion of the network device of the service provider, (3) detecting an attempt by the customer entity to configure at least a portion of the virtual network via the customer portal, and then in response to detecting the attempt by the customer entity, (4) performing a configuration operation that configures the portion of the virtual network as directed by the customer entity via the customer portal. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A device may receive an instruction to classify software. The device may identify a group of one or more user interfaces associated with the software based on receiving the instruction to classify the software. The device may determine a group of one or more user interface signatures associated with the group of one or more user interfaces. A user interface signature may include information, associated with a user interface in the group of one or more user interfaces, that may be used to classify the software. The device may generate information that identifies a classification of the software based on the group of one or more user interface signatures and based on known signature information. The known signature information may include information that corresponds to a correct software classification. The device may output the information that identifies the classification of the software.

Abstract: A device may receive a packet from a first endpoint that is destined for a second endpoint. The first endpoint may be hosted on the device. The device may determine whether a secure session exists between the first endpoint and the second endpoint. The secure session may permit encrypted traffic to be exchanged between the first endpoint and the second endpoint. The device may process the packet using a set of rules after determining whether the secure session exists between the first endpoint and the second endpoint. The device may encrypt the packet using security information associated with the secure session after determining that the secure session exists, or establishing the secure session when the secure session does not exist. The device may provide the packet toward the second endpoint after encrypting the packet.

Abstract: A security device may receive an object destined for a user device. The object may be of an object type that does not describe a web page. The security device may determine that the user device is to be warned regarding the object. The security device may determine a warning object based on determining that the user device is to be warned. The warning object may include information associated with a reason for determining that the user device is to be warned regarding the object, and may include information that allows the user device to receive the object. The security device may provide the warning object. The security device may receive, after providing the warning object, an indication associated with the user device obtaining the object. The security device may allow the user device to obtain the object based on receiving the indication.

Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.

Abstract: The disclosed system may include (1) receiving, at an ingress node within a network, a request to forward a packet along a label-switched path to an egress node within the network, (2) identifying a limit on the number of labels that the ingress node is capable of forwarding within a label stack of the packet, (3) determining that the number of hops within the label-switched path exceeds the limit on the number of labels that the ingress node is capable of forwarding, (4) selecting at least one of the hops within the label-switched path to act as a delegation node that imposes, onto the label stack of the packet, at least one label corresponding to a downstream hop within the label-switched path and (5) forwarding the packet from the ingress node to the delegation node to enable the delegation node to impose the label onto the label stack.

Abstract: Techniques are described for performing subscriber-aware NAT functions. In one example, routers or other NAT-enabled devices deployed within a network are configured to auto-correlate subscriber information with NAT operations performed by the devices when forwarding network traffic. As such, the techniques offload the burden of correlating subscriber login activity with NAT operations as typically performed by offline NAT log archive systems.

Abstract: In response to a connectivity disruption in an underlying optical transport ring supporting a routing and packet switching topology, one or more of optical devices of the optical transport ring are modified to establish connectivity between spine nodes in different data centers to reroute communication between at least a subset of the leaf network devices so as to traverse an inter-spine route via the optical modified optical transport ring. That is, in response to a connectivity disruption in a portion of underlying optical transport ring, one or more optical devices within the optical transport ring are modified such that packets between at least a portion of the leaf devices are rerouted along optical paths between at least two of the spine network devices.

Abstract: In one example, techniques of this disclosure may enable a point of local repair (PLR) network device to signal availability of link protection or node protection to a merge point (MP) network device and enable a network device to actively determine whether or not it is a merge point router. Based on whether or not the network device determines it is a MP, the network device may selectively clean up LSP states when there is an upstream link or node failure. The RSVP-TE protocol may be extended to enable a network device to send a tear down message to a downstream router, which may enable the downstream router to conditionally delete locale LSP state information. In some instances, a PLR network device may directly send a tear down message to a MP network device even though the PLR network device may not have a working bypass LSP.

Abstract: A printed circuit board (PCB) may include a plurality of horizontally disposed signal layers. The PCB may include a first vertically disposed differential via electrically connected to a first horizontally disposed signal layer, of the plurality of horizontally disposed signal layers, and a second horizontally disposed signal layer of the plurality of horizontally disposed signal layers. The PCB may include a second vertically disposed differential via electrically connected to the first signal horizontally disposed layer and the second horizontally disposed signal layer. The PCB may include a first set of clearances encompassing the first vertically disposed differential via and the second vertically disposed differential via, a second set of clearances encompassing the first vertically disposed stub, and a third set of clearances encompassing the second vertically disposed stub.

Abstract: Techniques are described for dynamically adapting virtualized network functions (VNFs) to different target environments. A controller stores device profiles that include configuration data and workflows for resolving configuration parameters for instantiating and deploying a VNF package to form a network service. To support the resolution of VNF configuration parameters, a VNF descriptor for the VNF is extended to include a device family parameter that indicates a shared architecture and configuration parameters. The controller, when instantiating the VNF, may identify a device profile usable for resolving the configuration parameters for the VNF and obtain configuration data from the device profile for creating and configuring a VNF instance for the VNF descriptor. Extending the VNF descriptor to specify a device family allows the VNF to be flexibly adapted for different target environments and may avoid the use of numerous pre-defined VNF descriptors.