Abstract: A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device.

Abstract: In some embodiments, an apparatus includes a first controller configured to be operatively coupled within a network having a set of network nodes, a forwarding gateway and a configuration entity. The first controller is configured to manage session state and node state associated with the set of network nodes independent of the forwarding gateway. The first controller is configured to fail over to a second controller when the first controller fails, without the forwarding gateway failing over and without the configuration entity failing over.

Abstract: Techniques are described for managing network services deployed in a network using a rules engine with on-demand dependency insertion. A network service manager may use a rules engine to monitor a network service at network devices in order to detect a device-level event, and determine a service-level impact of the detected event based on network service rules and dependencies. The dependencies define links between the device-level event and actions triggered by the device-level event. According to the techniques, a rules engine is configured to detect a device-level event and, in response, insert only those dependencies associated with the detected device-level event into a working memory. Once the device-level event has been cleared, the dependencies related to the device-level event are removed from the working memory. The working memory, therefore, will include only the dependencies needed to determine service-level impacts of currently detected device-level events.

Abstract: Access switches in a switching system may use virtual aggregated links. When a link between an aggregation switch and an access switch fails, the link failure may be reflected in the virtual aggregated link and data traffic to another access switch may be switched away from the failed switch. A forwarding table in the access switch stores a number of entries that each define a correspondence between destination addresses and an output identifier for the switch. At least a first output identifier includes an aggregated link that represents a first set of possible output links. At least a second output identifier includes a virtual aggregated link, associated with a second network switch that represents a second set of possible output links. Destination addresses in the forwarding table for the virtual aggregated link correspond to network devices connected to the second network switch.

Abstract: Techniques are described for determining whether power from a first power source is unavailable to a power supply module. In response to determining that power from the first power source is unavailable, the techniques de-couple the first power source from one or more components of an electronic device connected to an output of the power supply module with one or more de-coupling components of the power supply module that connect an automatic transfer switch (ATS) of the power supply module to an output of the power supply module. Subsequent to de-coupling the first power source from the one or more components of the electronic device, the techniques de-couple a power supply module from the first power source. The techniques couple the power supply module to a second power source for delivering power to the one or more components of the electronic device.

Abstract: An apparatus includes an access switch having a set of ports and configured to be operatively coupled to a multicast router via a first port from the set of ports. The access switch is configured to be associated with a network associated with the multicast router, and designate the first port as a multicast-router interface during a time period. The access switch is configured to send a message to the multicast router via each port from the set of ports in response to an indication of a change in a topology of the network after the time period. The access switch is configured to designate a second port from the set of ports as the multicast-router interface and dedesignate the first port as the multicast-router interface in response to receiving, via the second port and in response to the message, a signal from the multicast router.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.

Abstract: Techniques are described for implementing one or more logical routers within a single physical routing device. These logical routers, as referred to herein, are logically isolated in the sense that they achieve operational and organizational isolation within the routing device without requiring the use of additional or redundant hardware, e.g., additional hardware-based routing controllers. The routing device may, for example, include a computing platform, and a plurality of software process executing within the computing platform, wherein the software processes operate as logical routers. The routing device may include a forwarding component shared by the logical routers to forward network packets received from a network in accordance with the forwarding tables.

Abstract: In general, techniques are described for dynamically controlling host-bound traffic by dynamically adding and updating, within the forwarding plane of a network device, network packet policers that each constrains, for one or more packet flows, an amount of host-bound traffic of the packet flows permitted to reach the control plane in accordance with available resources. In one example, a control plane of the network device detects internal congestion in the communication path from the forwarding plane to control plane (the “host-bound path”), identifies packet flows utilizing an excessive amount of host-bound path resources, computes limits for the identified packet flows, and adds “penalty-box policers” configured with the computed limits for the identified packet flows to the forwarding plane. The forwarding plane subsequently applies the policers to the identified packet flows to constrain the amount of traffic of the packet flows allowed to reach the control plane to the computed limits.

Abstract: In general, techniques are described for steering data traffic for a subscriber session from a network interface of a wireless access gateway to an anchoring one of a plurality of forwarding units of the wireless access gateway using a layer 2 (L2) address of the data traffic. For example, a wireless access gateway for a wireless local area network (WLAN) access network is described as having a decentralized data plane that includes multiple forwarding units for implementing subscriber sessions. Each forwarding unit may present a network interface for sending and receiving network packets and includes packet processing capabilities to enable subscriber data packet processing to perform the functionality of the wireless access gateway. The techniques enable steering data traffic for a given subscriber session to a particular one of the forwarding units of the wireless access gateway using an L2 address of the data traffic.

Abstract: A system may obtain a current bit error count that identifies a quantity of bit errors in a bit stream during a time interval. The system may determine that the current bit error count identifies one or more bit errors. The system may determine whether an estimated bit error rate (BER) for the bit stream is likely to satisfy a threshold. The system may select an approach for determining the estimated BER for the bit stream. The estimated BER may be determined based on combining the current bit error count with a quantity of bits received in the time interval when the estimated BER is likely to exceed the threshold, and the estimated BER may be determined based on the current bit error count and one or more past bit error counts when the estimated BER is unlikely to exceed the threshold. The system may determine the estimated BER.

Abstract: An example method includes selecting, by a network device, a remote LFA next hop as an alternate next hop for forwarding network traffic from the network device to a destination, wherein the selected remote LFA next hop provides node protection to a primary next hop node on the shortest path from the network device to the destination. The method includes, for each candidate remote LFA next hop, performing a forward shortest path first (SPF) computation having the respective candidate remote LFA next hop as a root to compute a path segment between the respective candidate remote LFA next hop and the destination, wherein each of the candidate remote LFA next hops is the egress of a respective potential repair tunnel between the network device and candidate remote LFA next hop, and selecting the remote LFA next hop based at least in part on the computed path segments.

Abstract: In one example, a network device determines a set of candidate loop-free alternate (LFA) next hops for forwarding network traffic from the network device to a multi-homed network by taking into account a first cost associated with a second path from a first border router to the multi-homed network and a second cost associated with a second border router to the multi-homed network, wherein the multi-homed network is external to an interior routing domain in which the network device is located. The network device selects an LFA next hop from the set of candidate LFA next hops, to be stored as an alternate next hop for forwarding network traffic to the multi-homed network, and updates forwarding information stored by the network device to install the selected LFA next hop as the alternate next hop for forwarding network traffic from the network device to the multi-horned network.

Abstract: In one example, a method includes receiving, by a service node, a request from an access node to establish a pseudowire to be used for sending subscriber traffic to the service node for application of services to the subscriber traffic at the service node, and, in response to receiving the request, sending a request message from the service node to a central server requesting both subscriber authentication and assignment of a forwarding component of the service node to which to anchor the pseudowire. The method also includes receiving, by the service node and from the central server, an authentication message in response to the request message, wherein the authentication message confirms subscriber authentication and indicates a forwarding component of the service node to which the service node should anchor the pseudowire.

Abstract: A high-performance, scalable and drop-free data center switch fabric and infrastructure is described. The data center switch fabric may leverage low cost, off-the-shelf packet-based switching components (e.g., IP over Ethernet (IPoE)) and overlay forwarding technologies rather than proprietary switch fabric. In one example, host network accelerators (HNAs) are positioned between servers (e.g., virtual machines or dedicated servers) of the data center and an IPoE core network that provides point-to-point connectivity between the servers. The HNAs are hardware devices that embed virtual routers on one or more integrated circuits, where the virtual router are configured to extend the one or more virtual networks to the virtual machines and to seamlessly transport packets over the switch fabric using an overlay network. In other words, the HNAs provide hardware-based, seamless access interfaces to overlay technologies used for communicating packet flows through the core switching network of the data center.

Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.

Abstract: In some embodiments, an apparatus includes a first core device configured to be disposed within a network. The network has a set of access nodes and a second core device. The first core device is configured to receive a signal designating the first core device as a master device for a virtual group identifier such that the second core device is designated as a back-up device for that virtual group identifier.

Abstract: A high-performance, scalable and drop-free data center switch fabric and infrastructure is described. The data center switch fabric may leverage low cost, off-the-shelf packet-based switching components (e.g., IP over Ethernet (IPoE)) and overlay forwarding technologies rather than proprietary switch fabric. In one example, host network accelerators (HNAs) are positioned between servers (e.g., virtual machines or dedicated servers) of the data center and an IPoE core network that provides point-to-point connectivity between the servers. The HNAs are hardware devices that embed virtual routers on one or more integrated circuits, where the virtual router are configured to extend the one or more virtual networks to the virtual machines and to seamlessly transport packets over the switch fabric using an overlay network. In other words, the HNAs provide hardware-based, seamless access interfaces to overlay technologies used for communicating packet flows through the core switching network of the data center.

Abstract: A device may receive a control packet associated with a connection. The control packet may include a network address. The device may identify an application layer identifier that is associated with the network address. The device may identify a service rule associated with the application layer identifier. The service rule may identify a service to be applied to a data packet associated with the connection. The device may provide the control packet based on identifying the service rule. The control packet may be provided to permit the service to be applied to the data packet in accordance with the service rule.

Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.