Abstract: Methods and devices for processing packets are provided. The processing device may Include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

Abstract: In some embodiments, an apparatus includes an optical detector that can sample asynchronously an optical signal from an optical component that can be either an optical transmitter or an optical receiver. In such embodiments, the apparatus also includes a processor operatively coupled to the optical detector, where the processor can calculate a metric value of the optical signal without an extinction ratio of the optical signal being measured. The metric value is proportional to the extinction ratio of the optical signal. In such embodiments, the processor can define an error signal based on the metric value of the optical signal and the processor can send the error signal to the optical transmitter such that the optical transmitter modifies an output optical signal.

Abstract: A network device establishes a logical channel with each server device of multiple server devices, where each logical channel is not shared with another server device of the multiple server devices. The network device also determines a network loopback Internet protocol (IP) address for each server device of the multiple server devices, and associates each network loopback IP address with a corresponding logical channel. The network device further receives a packet destined for a particular server device, and provides the packet to the particular server device via the logical channel associated with the particular server device.

Abstract: A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.

Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.

Abstract: This disclosure describes techniques for provisioning a CMTS to re-direct customer traffic into virtualized network functions (NFVs) service chains. This disclosure describes, in one example, techniques for providing linkage between DOCSIS service flows and NFV service chains in the DOCSIS provisioning system by embedding information within cable modem boot files used to configured cable modems within the broadband system. In one example, the techniques facilitate the definition of an NFV service-chain in the DOCSIS cable modem boot file provisioning system. A supported CMTS, CCAP or Edge Router intercepts and interprets the configuration to install packet classifiers that steer specific subscriber flows, as detailed in the DOCSIS cable modem boot file, through the service-chain.

Abstract: A firewall coordinates with devices in a network to create a distributed filtering system. The firewall detects an attack in the network, such as a distributed denial of service attack, and creates attack information defining characteristics of malicious packets used in the attack. The attack information is forwarded to the devices in the network. The devices use the attack information to configure themselves to detect packets having the characteristics of the malicious packets. After configuration, the devices detect and discard malicious packets.

Abstract: A device may include at least one processor which may access, using a lookup key, a ternary content addressable memory to acquire a lookup result that includes information identifying a group of addresses for accessing a group of static random access memories. The at least one processor may parse the lookup result to identify the group of addresses and may simultaneously access, using the group of addresses, the group of static random access memories, to simultaneously read data from the group of static random access memories. The at least one processor may process a group of packets based on the data.

Abstract: A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: This disclosure describes a more efficient and configurable power allocation scheme for redundant power supply (RPS) systems used in network switches. This allocation scheme allows the system owner to assign power from a shared RPS unit to higher priority devices in any network switch in the system. This permits more granularity in assigning the RPS with backup power available to devices such as ports residing within individual switches in a multiple switch network. An efficient power allocation scheme for RPS allows the user to define the system priority of various devices for backup power according to the user's preferences. The user may assign the RPS to user-defined high priority devices in any piece of equipment. This makes RPS power allocation more flexible by offering the user more setup options for backup power.

Abstract: In some embodiments, a method includes installing at an access point that (1) includes a first software image and (2) is operatively coupled to a network controller via network, a second software image different from the first software image. The method includes defining in response to the installation, a virtual client disposed in the access point. The virtual client is configured to send to the network controller via the network a first validation data unit that causes the network controller to send a second validation data unit to the access point if the first validation data unit is received by the network controller. The method also includes installing at the access point that includes the second software image, the first software image and uninstalling the second software image if the access point does not receive the second validation data unit in response to the first validation data unit.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. As described herein, a PE router receives a packet from a multi-homed VPLS customer site, and processes the packet to determine a portion of a MAC domain to which the packet corresponds. When the packet is determined to correspond to a portion associated with the PE router, the PE router forwards the packet to the destination in accordance with forwarding protocols executing on the PE router. When the packet is determined to correspond to a portion associated with a second PE router, the PE router forwards the packet to the second PE router via a pseudowire that is external to the VPLS domain, and the second PE router forwards the packet to the destination in accordance with forwarding protocols executing on the second PE router.

Abstract: A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the underlying optical transport path, based on information obtained by the centralized controller from the underlying network components at both layers.

Abstract: In general, techniques are described for facilitating usage monitoring control in mobile networks. A mobile gateway comprising one or more processors and a memory may be configured to perform the techniques. The one or more processors may be configured to establish a session by which a mobile device is to access a service of a mobile access network, and in response to receiving an incomplete indication to activate usage monitoring with respect to the service provided via the session, configuring the usage monitoring without activating the usage monitoring. The memory may be configured to store the usage monitoring configuration.

Abstract: In general, techniques are described for leveraging at least one of a policy control and charging or application detection architecture for an access network to dynamically control value-added services applied to packet flows. In some examples, a policy enforcement device receives a policy rule that defines at least one of policy control and application detection by an access network for a subscriber device. The policy rule includes a service chain identifier that identifies a service chain that defines one or more value-added services to be applied in a particular order to provide a composite service for application to packet flows associated to the service chain. The policy enforcement device receives a packet sourced by the subscriber device and destined to the packet data network, applies the policy rule to the packet to associate the packet to the service chain, and forwards the packet according to the service chain.

Abstract: In some embodiments, an apparatus includes a spectral scanning controller configured to interrupt service at a wireless access point (WAP) such that the WAP performs spectral scanning during service interruption. The spectral scanning controller is configured to interrupt service at the WAP at a first scanning frequency when the spectral scanning controller is in a first configuration. The spectral scanning controller is configured to interrupt service at the WAP at a second scanning frequency different from the first scanning frequency when the spectral scanning controller is in a second configuration. The spectral scanning controller is configured to move from the first configuration to the second configuration in response to a change in at least one of a service demand, a service quality, a spectral scanning demand or a spectral scanning quality.

Abstract: In general, techniques are described to dynamically adjust a session detection time defined by a timer in accordance with a bidirectional forwarding detection (BFD) protocol. The techniques utilize existing hardware and BFD software infrastructure. An example network device includes a memory, programmable processor(s), and a control unit configured to execute a timer, receive one or more packets provided by the BFD protocol, detect, based on the received one or more packets, a congestion condition associated with a link via which the network device is coupled to a network, adjust, based on the detected congestion condition, a session detection time defined by the timer, and in response to a failure to receive a packet provided by the BFD protocol within the session detection time defined by the timer, detect a failure associated with the link.

Abstract: In some embodiments, an apparatus includes a first core device configured to be disposed within a network. The network has a set of access nodes and a second core device. The first core device is configured to receive a signal designating the first core device as a master device for a virtual group identifier such that the second core device is designated as a back-up device for that virtual group identifier.

Abstract: An example network access device (NAD) includes a network interface to send and receive packets with an authentication, authorization, and accounting (AAA) server, and a subscriber management service unit (SMSU). The SMSU is configured to, responsive to determining that the AAA server is not reachable by the NAD, send a message from the NAD to the AAA server using the network interface, wherein the message directs the AAA server to send a discovery request message to the NAD, receive the discovery request message from the AAA server using the network interface, wherein the discovery request message includes a request for information about a plurality of subscriber sessions, and generate a discovery response message that includes information about at least a portion of the plurality of subscriber sessions, and send the discovery response message to the network access device using the network interface.