Abstract: In one example, a merge point network device (MP) receives a plurality of resource reservation request messages for establishing a plurality of label switched paths (LSPs), wherein each of the plurality of LSPs has a common point of local repair network device (PLR) and has the MP as a common MP, wherein each of the resource reservation request messages identifies a common bypass tunnel that extends between the PLR and the MP and avoids a protected resource. The MP stores an association between the bypass tunnel and each of the plurality of LSPs. The MP receives a single message to trigger creation at the merge point network device of backup LSP state information for all of the plurality of LSPs. In response to receiving the single message, the MP installs state information for all of the LSPs that correspond to the bypass tunnel according to the stored association.

Abstract: Techniques are described for extending a two-way active measurement protocol (TWAMP) to enable measurement of service key performance indicators (KPIs) in a software defined network (SDN) and network function virtualization (NFV) architecture. The TWAMP extensions enable control messaging to be handled by a TWAMP control client executed on a centralized controller, and data messaging to be handled by a TWAMP session initiator executed on a separate network device. Techniques are also described for extending TWAMP to enable measurement of any of a plurality of service KPIs for a given service supported at a TWAMP server. The service KPIs may include one or more of keepalive measurements, round trip time measurements, path delay measurements, service latency measurements, or service load measurements. The TWAMP extensions for the service KPIs may be used in both conventional network architectures and in SDN and NFV architectures.

Abstract: Techniques are described for optimizing the placement of automatically generated rules within security policies. An administrator may, for example, interact with the graphical representation of rules rendered by the threat control module and, responsive to the interaction, the system may determine an optimal placement for the created rule in the list of rules for the identified security device based on either the existence of anomalies or threat IP data and/or advanced security parameters. In this way, the system allows administrators to configure rules with the most optimal sequence to detect threats.

Abstract: A method may include receiving a first network traffic flow that is associated with a first private network address. The first network traffic flow may be destined to a first external network address. The method may include determining that the first external network address is not identified by a data structure. The data structure may identify external network addresses and private network addresses of network traffic flows to which a single public network address has been assigned. The method may include assigning the single public network address to the first network traffic flow based on determining that the first external network address is not identified by the data structure. The method may include storing the first external network address and the first private network address. The method may include outputting the first network traffic flow with the first external network address and the single public network address.

Abstract: In general, techniques are described for emulating mobile authentication methods to establish authenticated connectivity between a mobile service provider gateway and a wireless device attached to an alternate access network. For example, a system operating according to the described techniques includes a mobile service provider network, an alternate access network having an access gateway, and an authentication server of the mobile service provider network that receives a network access request. A subscriber database responds to the network access request with virtual mobility information, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI), and wherein the virtual mobility information comprises a virtual IMSI.

Abstract: An example network access device (NAD) includes a network interface to send and receive packets with an authentication, authorization, and accounting (AAA) server, and a subscriber management service unit (SMSU). The SMSU is configured to, responsive to determining that the AAA server is not reachable by the NAD, send a message from the NAD to the AAA server using the network interface, wherein the message directs the AAA server to send a discovery request message to the NAD, receive the discovery request message from the AAA server using the network interface, wherein the discovery request message includes a request for information about a plurality of subscriber sessions, and generate a discovery response message that includes information about at least a portion of the plurality of subscriber sessions, and send the discovery response message to the network access device using the network interface.

Abstract: Techniques are described for operating a network switch device associated with a virtual layer two (L2) network instance according to a protocol independent multicast (PIM) relay mode. The PIM relay mode enables the network switch device to receive a PIM control message, i.e., a PIM join and/or prune request, for a multicast group on a downstream port of the network switch device associated with a virtual L2 network instance, determine an upstream neighbor port of the network switch device associated with the instance, and relay the PIM control message on the upstream neighbor port of the network switch device without flooding the PIM control message on all ports of the switch device associated with the instance. In the PIM relay mode, the network switch device avoids triggering join suppression in downstream PIM neighbor devices with receivers, and avoids maintaining upstream states and setting a PIM periodic message timer.

Abstract: An optical transmitter may generate a first optical signal having a first wavelength and a second optical signal having a second wavelength. The optical transmitter may output the first and second optical signals to a link without performing a multiplexing operation. The optical transmitter may output part of the first optical signal to the link while part of the second optical signal is being output to the link. An optical receiver may receive the first and second optical signals, via the link, as separate optical signals. The optical receiver may receive part of the first optical signal from the link while part of the second optical signal is being received from the link. The optical receiver may provide the first and second optical signals to a photodetector array that includes a first photodetector to detect the first optical signal and a second photodetector to detect the second optical signal.

Abstract: A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution.

Abstract: A device may receive rule information, associated with a firewall policy, that includes a set of N rules. The device may add a rule, of the set of N rules, to a detector tree associated with the firewall policy. The device may identify other rules to which the rule is to be compared. The other rules may be included in the set of N rules, and may include a quantity of rules approximately equal to a result of a logarithm to base 2 of N. The device may compare the rule and the other rules, and may detect a rule anomaly based on comparing the rule to the other rules. The rule anomaly may be associated with a conflict between the rule and a particular rule of the other rules. The device may identify the rule anomaly within the detector tree, and may output information regarding the rule anomaly.

Abstract: In some embodiments, an apparatus includes a first optical transceiver. The first optical transceiver includes a set of optical transmitters, an optical multiplexer operatively coupled to the set of optical transmitters, and a variable optical attenuator operatively coupled to the optical multiplexer. The variable optical attenuator is configured to receive a control signal from a controller of the first optical transceiver and modulate a signal representing control information with an output from the optical multiplexer. The control information is associated with the control signal and for a second optical transceiver operatively coupled to the first optical transceiver.

Abstract: Fan trays and components thereof are described herein. In some embodiments, a removable, compact fan tray is configured to be disposed within a slot of a chassis. The fan tray can be latchably coupled to the chassis, and/or can include a light source, such as an LED operable to depict the status of the fan tray. Leads of the light source can be disposed within an sleeve operable to contain and/or insulate the leads. The fan tray can, in some embodiments, be configured to be keyed to a particular type of chassis slot, for example, a slot associated with an air flow direction.

Abstract: The disclosed apparatus may include a secure storage device that securely stores an initial geographic location of a network device that facilitates network traffic within a network. This apparatus may also include a processing unit communicatively coupled to the secure storage device. The processing unit may determine a current geographic location of the network device. The policy-enforcement unit may then detect evidence of theft of the network device by (1) comparing the current geographic location of the network device with the initial geographic location of the network device and (2) determining, based at least in part on the comparison, that the current geographic location of the network device does not match the initial geographic location of the network device. Finally, the processing unit may perform at least one security action in response to detecting the evidence of theft of the network device.

Abstract: In some embodiments, an apparatus includes a network node operatively coupled within a network. The network node is configured to send a first authentication message upon boot up, and receive, in response to the first authentication message, a second authentication message configured to be used to authenticate the network node. The network node is configured to send a first discovery message, and receive, based on the first discovery message, a second discovery message configured to be used by the network node to identify an address of the network node and an address of a core network node within the network. The network node is configured to set up a control-plane tunnel to the core network node based on the address of the network node and the address for the core network node and receive configuration information from the core network node through the control-plane tunnel.

Abstract: A device receives traffic; identifies an address associated with the traffic; determines whether the address is associated with an aggregate interface, the aggregate interface being associated with a first port and a second port. The first port corresponds to a first node in a first state, that indicates that the first node is available to forward the traffic, and the second port corresponds to a second node in a second state, that indicates that that the second node is not available to forward the traffic. The device transmits the traffic to the first node via the first port and to the second node, via the second port, when the address is associated with the aggregate interface. Transmitting the traffic enables the second node to forward the traffic when the first node changes from the first state to the second state.

Abstract: A device may receive, via a first optical supervisory channel, a first timing signal from a first network node. The first timing signal may be generated by a first clock, of the first network node, and may be used to synchronize the first clock, of the first network node, and a second clock of a second network node. The device may determine a parameter value based on the first timing signal, and may determine whether the parameter value satisfies a threshold value. The device may selectively transmit, via a second optical supervisory channel, a second timing signal to the second network node based on determining whether the parameter value satisfies the threshold value. The second timing signal may be used to synchronize the second clock, of the second network node, with the first clock of the first network node.

Abstract: In general, techniques are described for extending routing protocol advertisements to include respective attributes of constituent links of an aggregation group. In one example, a network device includes a management interface that receives configuration information that specifies first and second constituent links for a layer two (L2) aggregated interface. The first and second constituent links are physical links connected to respective physical interfaces of forwarding units of the network device. A routing protocol daemon of the control unit generates a link state message that specifies layer three (L3) routing information associated with the aggregated interface and further specifies an attribute of the first constituent link and an attribute of the second constituent link. The routing protocol daemon sends the link state message from the network device to another network device of the network in accordance with a routing protocol.

Abstract: A system and method of transferring cells through a router includes writing one or more of the plurality of cells, including a first cell, of a packet from an ingress stream of an ingress writer to a central buffer, storing a packet identifier entry in the first egress reader scoreboard in each of the plurality of egress readers, the packet identifier entry including a packet identifier, a valid bit, a hit bit and a write cell count, wherein the valid bit is configured to indicate that the packet identifier entry is valid, the hit bit is configured to indicate that no cells in the packet have been read from the central buffer and the write cell count equals the number of cells in the packet written to the central buffer, and reading the packet from the central buffer as a function of the packet identifier entry.

Abstract: In one example, a method includes performing L2 learning of a C-MAC address included in a first L2 data message by a first provider edge (PE) router included in an Ethernet Segment of a Provider-Backbone Bridging Ethernet Virtual Private Network (PBB-EVPN); sending to a second PE router within the Ethernet Segment an L2 control message comprising the C-MAC address and a B-MAC address corresponding to the Ethernet Segment of the PBB-EVPN, wherein the L2 control message informs the second PE router of the reachability of the C-MAC address through the first PE router; receiving, by the first PE router and from the second PE router, a second L2 data message as unicast traffic destined for the C-MAC address; and forwarding the second L2 data message to the first CE router.

Abstract: An apparatus includes a first edge device configured to receive a data unit destined to a peripheral processing device that is operatively coupled to a network interconnect via a LAG associated with a second edge device and a third edge device. The first edge device is configured to select an edge device set that includes the third edge device and excludes the second edge device, from a group of edge device sets. Each edge device set from the group of edge device sets is directly coupled to the peripheral processing device. The first edge device is configured to send an instance of the data unit to each edge device from the edge device set such that the third edge device sends an instance of the data unit to the peripheral processing device based on a selection method that omits ports on the second edge device as potential selections.