Abstract: In general, techniques are described for ensuring the distribution of Virtual Private Network (VPN) routes in a service provider network configured with multiple VPN services. In some examples, a network device receives configuration data that defines a VPN service associated with a route target. The network device, responsive to receiving the configuration data, sends a request for routes that match a type of the VPN service to a routing protocol speaker. The network device receives routes that match the type of the VPN service and are associated with the route target, installs the routes that match the type of the VPN service and are associated with the route target to the routing information base. The network device forwards traffic for the VPN service in accordance with the installed routes.

Abstract: In one embodiment, an apparatus includes a network management module configured to execute at a network device operatively coupled to a switch fabric. The network management module is configured to receive a first set of configuration information associated with a subset of network resources from a set of network resources, the set of network resources being included in a virtual local area network from a plurality of virtual local area networks, the plurality of virtual local area networks being defined within the switch fabric. The first set of configuration information dynamically includes at least a second set of configuration information associated with the set of network resources.

Abstract: In general, this disclosure describes a high-level forwarding path description language (FPDL) for describing internal forwarding paths within a network device. The FPDL enables developers to create a template that describes a section of an internal forwarding path within the forwarding plane of a network device. The FPDL provides syntactical elements for specifying the allocation of forwarding path structures as well as enabling the run-time construction of internal forwarding paths to interconnect the forwarding path structures in a manner specific to packet, packet flow, and/or interface properties, for example. In conjunction with late binding techniques, whereby the control plane of the network device provides arguments to template parameters that drive allocation by the packet forwarding engines of forwarding path structures specified by the FPDL, the techniques provide control plane processes a unified interface with which to manage the operation of the packet forwarding engines.

Abstract: A system and method for detecting malware optimized for mobile platforms. The system and method compares hashed portions of one or more malware signatures to hashes hashed from a suspect application, to determine whether the suspect application is malware-free. A second stage robust hash and splatter set of pseudorandomly selected blocks of the malware signatures reduce false positives allowing for improved detection of malware.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.

Abstract: A security device may receive an object destined for a user device. The object may be of an object type that does not describe a web page. The security device may determine that the user device is to be warned regarding the object. The security device may determine a warning object based on determining that the user device is to be warned. The warning object may include information associated with a reason for determining that the user device is to be warned regarding the object, and may include information that allows the user device to receive the object. The security device may provide the warning object. The security device may receive, after providing the warning object, an indication associated with the user device obtaining the object. The security device may allow the user device to obtain the object based on receiving the indication.

Abstract: In one example, a network device determines a set of candidate loop-free alternate (LFA) next hops for forwarding network traffic from the network device to a multi-homed network by taking into account a first cost associated with a second path from a first border router to the multi-homed network and a second cost associated with a second border router to the multi-homed network, wherein the multi-homed network is external to an interior routing domain in which the network device is located. The network device selects an LFA next hop from the set of candidate LFA next hops, to be stored as an alternate next hop for forwarding network traffic to the multi-homed network, and updates forwarding information stored by the network device to install the selected LFA next hop as the alternate next hop for forwarding network traffic from the network device to the multi-horned network.

Abstract: In general, techniques are described for performing customer bandwidth profiling in computer networks. A network device intermediately positioned in a service provider network between a customer network and a centralized network device that provides a hierarchical arrangement of virtual local area networks (VLANs) located in the service provider network may perform the techniques. The network device determines a service profile based on authentication messages and associates the service profile with the hierarchical arrangement of VLANs used for delivering the traffic to and from the customer network and the service provider network. The service profile defines constraints on delivery of the traffic associated with the one or more services. The network device then applies the service profile to the traffic received via the associated hierarchical arrangement of VLANs to enforce the constraints on the delivery of the traffic received via the associated hierarchical arrangement of VLANs.

Abstract: A provider edge device, associated with a virtual private local area network service (VPLS) system, includes a memory to store instructions to implement a pseudowire mechanism to receive a first data frame from a source customer edge (CE) device associated with the VPLS system, incorporate the first data frame into a first VPLS packet, determine whether the source CE device is a single-homed CE device or a multi-homed CE device, and incorporate, into the first VPLS packet, a first pseudowire label, if the source CE device is a single-homed CE device, and incorporate, into the first VPLS packet, a second pseudowire label, different from the first pseudowire label, if the source CE device is a multi-homed CE device; and a processor to execute the instructions.

Abstract: A configurable advertisement count and skew timer in a virtual router can be used to improve the speed with which a backup virtual router assumes the role of master upon the master router's failure. Enhanced VRRP packets having a type other than one may be used to cause MAC address movement from a failed master router to a backup router assuming the role of master router without placing an undue load on other routers in the network, such as by dropping the enhanced VRRP packets having a type other than one without processing the packets in the control plane of a receiving virtual router.

Abstract: A device receives traffic; identifies an address associated with the traffic; determines whether the address is associated with an aggregate interface, the aggregate interface being associated with a first port and a second port. The first port corresponds to a first node in a first state, that indicates that the first node is available to forward the traffic, and the second port corresponds to a second node in a second state, that indicates that that the second node is not available to forward the traffic. The device transmits the traffic to the first node via the first port and to the second node, via the second port, when the address is associated with the aggregate interface. Transmitting the traffic enables the second node to forward the traffic when the first node changes from the first state to the second state.

Abstract: A processor may include a conditional arithmetic logic unit and a main arithmetic logic unit. The conditional arithmetic logic unit may perform a first arithmetic logic operation to generate a first result, and output the result. The main arithmetic logic unit may select input buses among a plurality of data buses that carry the first result from the conditional arithmetic logic unit, perform a second arithmetic logic operation on data provided by the selected input buses to generate a second result, and write the second result in a storage component.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: In one example, an intermediate network device sends packets that advertise a transmission control protocol (TCP) window size of zero bytes to a client device and a server device. The device, after sending the packets, receives a first zero-window probe packet from the client device including data representing a first current sequence number for a client-to-server packet flow of an established network session, and a second zero-window probe packet from the server device including data representing a second current sequence number for a server-to-client packet flow of the network session. The device also initializes a TCP state based on the first and second current sequence numbers, and acts as a TCP proxy for packets following the first zero-window probe packet of the client-to-server packet flow based on the TCP state and packets following the second zero-window probe packet of the server-to-client packet flow based on the TCP state.

Abstract: Network devices provide Internet Protocol (IP) and Label Distribution Protocol (LDP) fast reroute for unicast and multicast traffic. The approach described herein for fast reroute for IP and LDP uses maximally redundant trees (MRTs). MRTs are a pair of trees where the path from any node X to the root R along the first tree and the path from the same node X to the root along the second tree share the minimum number of nodes and the minimum number of links. A network device, such as a router, computes a pair of MRTs for each destination and installs one or more MRT alternate next-hops in its forwarding plane for use in forwarding network traffic to a destination in the event a failure occurs that renders a primary next-hop unusable for reaching the destination.

Abstract: In one example, a controller device includes one or more network interfaces communicatively coupled to one or more devices of a virtual network, and a processor configured to determine, for the virtual network, a set of two or more related processes executed by respective devices in the virtual network, receive via the network interfaces data for the set of two or more related processes, and aggregate the data for the set of two or more related processes to form aggregated data for the set of two or more related processes.

Abstract: In general techniques are described for applying differentiated services with a customer-aware network device. A network device comprising a control unit and an interface may implement the techniques. The interface receives a network packet that is associated with first and second labels. The first label uniquely identifies a Cable Modem Termination System (CMTS) within a plurality of CMTSs. The second label uniquely identifies one of a plurality of CPE devices coupled to the CMTS. The control unit determines at least one subscriber-specific service associated with the one of the plurality of CPE devices based at least in part on the first and second labels associated with the labeled network packet. The at least one subscriber-specific service comprises a service associated with the one of the plurality of CPE devices. The control unit applies the at least one subscriber-specific service to the labeled network packet received from the CMTS.

Abstract: In general, the invention is directed to techniques for reducing deadlocks that may arise when performing fabric replication. For example, as described herein, a network device includes packet replicators that each comprises a plurality of resource partitions. A replication data structure for a packet received by the network device includes packet replicator nodes that are arranged hierarchically to occupy one or more levels of the replication data structure. Each of the resource partitions in each of the plurality of packet replicators is associated with a different level of the replication data structure. The packet replicators replicate the packet according to the replication data structure, and each of the packet replicators handles the packet using the one of the resource partitions of the packet replicator that is associated with the level of the replication data structure occupied by the node that corresponds to that particular packet replicator.

Abstract: A system that processes single stream multicast data includes multiple queues, a dequeue engine, and/or a queue control engine. The queues temporarily store data. At least one of the queues stores single stream multicast data. A multicast count is associated with the single stream multicast data and corresponds to a number of destinations to which the single stream multicast data is to be sent. The dequeue engine dequeues data from the queues. If the data corresponds to the single stream multicast data, the dequeue engine examines the multicast count associated with the single stream multicast data and dequeues the single stream multicast data based on the multicast count. The queue control engine examines one of the queues to determine whether to drop data from the queue and marks the data based on a result of the determination.

Abstract: A system receives discovery rule inputs that include addresses, verifies one or more device identifiers for one or more addresses, obtains device information from each verified device associated with the one or more verified device identifiers, determines whether each verified device is a discovered device based on the device information, and automatically adds each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discovered. The system further creates device configuration information, creates an identifier and password, provides device configuration information, the identifier, and the password, to each of the discovered devices based on the NETCONF or the Device Management Interface standards, waits for a connection from the discovered devices, imports device configuration information from the discovered devices when the connection has been established, and indicates that the discovered devices are managed devices.