Abstract: In one example, a method includes performing L2 learning of a C-MAC address included in a first L2 data message by a first provider edge (PE) router included in an Ethernet Segment of a Provider-Backbone Bridging Ethernet Virtual Private Network (PBB-EVPN); sending to a second PE router within the Ethernet Segment an L2 control message comprising the C-MAC address and a B-MAC address corresponding to the Ethernet Segment of the PBB-EVPN, wherein the L2 control message informs the second PE router of the reachability of the C-MAC address through the first PE router; receiving, by the first PE router and from the second PE router, a second L2 data message as unicast traffic destined for the C-MAC address; and forwarding the second L2 data message to the first CE router.

Abstract: In some embodiments, a switch module is configured to receive from a first edge device a multicast data unit having a VLAN identifier. The switch module is configured to select a set of port modules based on the VLAN identifier. The switch module is configured to define an unmodified instance of the multicast data unit for each port module from the set of port modules. The switch module is configured to send the unmodified instance of the multicast data unit to each port module from the set of port modules, such that each port module applies a filter to the received instance of the multicast data unit to restrict that received instance of the multicast data unit from being sent to a second edge device via that port module if the second edge device is associated with a VLAN domain different than a VLAN domain of the first edge device.

Abstract: A device may receive a packet associated with a flow and may identify a capacity indicator associated with a flow table. The capacity indicator may indicate an available storage capacity associated with the flow table. The flow table may be stored by another device and may include entries for one or more flows and one or more corresponding actions to be taken in association with the one or more flows. The device may determine a service indicator that indicates a priority associated with the flow and may compare the capacity indicator and the service indicator. The device may selectively provide a message to the other device based on comparing the capacity indicator and the service indicator. The message may include an instruction for the other device to store an entry, associated with the flow, in the flow table.

Abstract: A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device.

Abstract: A device may determine that a route is inactive. Information identifying the route may be stored in a forwarding plane portion of a forwarding table and a control plane portion of the forwarding table. The route may be associated with directing network traffic toward an endpoint network device. The device may remove the information identifying the route from the forwarding plane portion of the forwarding table without removing the information identifying the route from the control plane portion of the forwarding table based on determining that the route is inactive. The device may route network traffic based on the forwarding table after removing the information identifying the route from the forwarding plane portion of the forwarding table without removing the information identifying the route from the control plane portion of the forwarding table.

Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric. A first set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have a protocol. Each peripheral processing device from the first set of peripheral processing devices is a storage node that has virtualized resources. The virtualized resources of the first set of peripheral processing devices collectively define a virtual storage resource interconnected by the switch core. A second set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have the protocol. Each peripheral processing device from the first set of peripheral processing devices is a compute node that has virtualized resources. The virtualized resources of the second set of peripheral processing devices collectively define a virtual compute resource interconnected by the switch core.

Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive at a tunnel server, a data unit addressed to a communication device, and define, a first instance of the data unit and a second instance of the data unit. The first instance of the data unit is sent to the communication device via a first tunnel defined between at least the tunnel server and a first base station associated with a first network. The second instance of the data unit is sent to the communication device via a second tunnel defined between at least the tunnel server and a second base station associated with a second network. The second instance of the data unit is dropped by the communication device when the first instance of the data unit is received before the second instance of the data unit.

Abstract: Techniques are described for providing traffic-aware sampling rate adjustment within network devices. As inbound packets are received at an interface, a sampling unit of a forwarding circuit of the network device samples the inbound packets at a current sampling rate and directs a subset of the inbound packets to a service card of the network device. A flow controller within the service card of the network device processes the subset of the inbound packets to generate flow records. When changes in the rate at which the inbound packets are received exceed a defined threshold, the flow controller adjusts the current sampling rate at which the forwarding circuit samples the inbound packets received at the interface. Moreover, the flow controller adaptively adjusts the sampling rate such that the flow sampling resources the device are being utilized in accordance with the utilization thresholds.

Abstract: An apparatus includes a first port and a second port operably coupled to a format conversion module each of which is at least partially disposed within a housing. The first port is operably coupled to a cable configured to transfer a first data unit having a first format associated with a first communication medium to the first port. The format conversion module receives the first data unit from the first port and converts the first data unit from the first format to a second format associated with a second communication medium to produce a second data unit. The second port is operably coupled to a wireless access point that is physically distinct from the housing. The second port is configured to receive the second data unit and send the second data unit to the wireless access point.

Abstract: In general, techniques are provided for described herein that extend existing Ethernet Virtual Private Network (EVPN) protocol signaling mechanisms so that local, multi-homing PEs couple to an Ethernet segment can definitively convey their primary/backup designated forwarder (DF) status to any remote PE of the EVPN. In one example, this is accomplished by utilizing a new extended community attribute to each Ethernet A-D per EVI route advertised by each of the multi-homing PEs to specifically carry the advertising PE's primary or backup status. As such, any receiving remote PE need not rely on the arrival of individual MAC routes from a new primary PE and withdrawal of MAC routes from a former primary PE to update its forwarding information.

Abstract: The problem of being unable to run microBFD using an IPv6 address over any member links of a layer 2 LAG when the LAG is DOWN (and its IPv6 address becomes or is TENTATIVE), is solved by running DAD for the address configured for the microBFD once the individual link is in DISTRIBUTING or STANDBY state and triggering (or starting) microBFD once the DAD for that address completes successfully. Further, member links of the LAG may be permitted to continue running microBFD even if the LAG interface is DOWN and even if some other member links (but not all member links) of the LAG are DOWN.

Abstract: In general, techniques are described for transmitting context information defining contexts for packet labels in a network. More specifically, a network device, e.g., a router, implements the context transmission techniques to facilitate debugging or troubleshooting of the network. The network device may comprise an interface card that receives a Multi-Protocol Label Switching (MPLS) data unit from another network device in accordance with a label switching protocol. The data unit may include a label stack affixed to a payload. The label stack may include one or more MPLS labels and context information associated with at least one of these labels, The interface card may, when forwarding the data unit, parse the data unit to determine the context information and then forward the data unit in accordance with these MPLS labels. A control unit included within the network device may record the forwarding of the data unit and the determined context information.

Abstract: In general, techniques are described in which a plurality of network switches automatically configure themselves to operate as a single virtual network switch. A virtual switch is a collection of individual switch devices that operate like as single network switch. As described herein, network switches in a network that are capable of participating in a virtual switch may automatically discover one another. The participating network switches may then elect one of the participating switches as a master switch. The master switch may generate forwarding information and store the forwarding information in the participating switches, including the master switch. The forwarding information causes the participating switches to act like a single network switch.

Abstract: The disclosed apparatus may include (1) at least one power interface that unites a plurality of power supplies that output electrical power for consumption by a network device that facilitates network traffic within a network and (2) a power-management unit communicatively coupled to the plurality of power supplies, wherein the power-management unit (A) detects an operating temperature of a power supply within the plurality of power supplies that output electrical power for consumption by the network device, (B) determines that the operating temperature of the power supply exceeds a temperature threshold, and then (C) modifies an amount of electrical power being output by the power supply to account for the operating temperature exceeding the temperature threshold. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.

Abstract: Techniques include quickly establishing a maximum transmission unit (MTU) for a network path, such as a network tunnel. In one example, data representative of the MTU is included in a header of a packet. If the MTU indicated in the packet is larger than a downstream network interface of a network device, the network device updates the data of the header to indicate the MTU of the downstream network interface, and an egress network device sends the packet back to an ingress network device. In another example, network devices fragment packets, if necessary, such that the fragments satisfy the MTU of the downstream network interface. The egress network device then determines the MTU for the path based on a largest received fragment, reassembles the fragments into a single packet, and returns the reassembled packet to the ingress network device. The packets may comprise echo packets of generic routing encapsulation (GRE).

Abstract: Techniques are describe for establishing an overall label switched path (LSP) for dynamic load balancing of network traffic being sent across a network using the a resource reservation protocol such as Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The tunnel may be a single RSVP-TE Label Switched Path (LSP) that is configured to automatically and dynamically load balance network traffic across different sub-paths of the RSVP-TE LSP over the network. The ingress device of the overall multi-path LSP can analyze traffic statistics to determine when a network traffic demand differs from a currently reserved bandwidth of the overall multi-path LSP by at least a threshold amount, and can automatically add or remove a sub-path from the overall multi-path LSP to adjust capacity of the overall multi-path LSP to correspond to the currently reserved bandwidth.

Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.

Abstract: Techniques are described that enable local caching of content data within metro transport networks for delivery to subscribers of ISPs that are connected to metro transport networks. Routers within the metro transport network, including an access router, ISP-facing provider edge routers and one or more caching routers, establish an EVPN within the metro transport network. The access router outputs, within the EVPN and to the caching routers, EVPN route advertisements that advertise network address reachability information of the subscriber devices on behalf of the ISPs. Responsive to subscriber content requests that have been redirected from the ISPs and based on the EVPN route advertisements from the access routers, the caching routers of the metro transport network forward, by the EVPN, content from the local content cache to the access routers for efficient delivery to the one or more of the subscribers.

Abstract: In some embodiments, a non-transitory processor-readable medium stores code representing instructions configured to cause a processor to receive, from an access switch, a first signal including forwarding state information associated with a first peripheral processing device from a set of peripheral processing devices. The code can further represent instructions configured to cause the processor to receive, from the first peripheral processing device, a second signal including a data packet. The code can further represent instructions configured to cause the processor to send, to a replication engine associated with the set of peripheral processing devices, a third signal such that the replication engine (1) defines a copy of the data packet, which is included within the third signal, and (2) sends, to a second peripheral processing device from the set of peripheral processing devices, a fourth signal including the copy of the data packet.