Abstract: A system receives discovery rule inputs that include addresses, verifies one or more device identifiers for one or more addresses, obtains device information from each verified device associated with the one or more verified device identifiers, determines whether each verified device is a discovered device based on the device information, and automatically adds each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discovered. The system further creates device configuration information, creates an identifier and password, provides device configuration information, the identifier, and the password, to each of the discovered devices based on the NETCONF or the Device Management Interface standards, waits for a connection from the discovered devices, imports device configuration information from the discovered devices when the connection has been established, and indicates that the discovered devices are managed devices.

Abstract: An optical system may include: a demultiplexer to receive an optical signal and to demultiplex the optical signal into a plurality of optical channels; a detector circuit to: receive the plurality of optical channels, and identify a predetermined channel identification trace tone frequency for an optical channel of the plurality of optical channels; and a receiver to: receive the optical channel with the identified predetermined channel identification trace tone frequency from the detector circuit, and process the optical channel.

Abstract: A configurable advertisement count and skew timer in a virtual router can be used to improve the speed with which a backup virtual router assumes the role of master upon the master router's failure. Enhanced VRRP packets having a type other than one may be used to cause MAC address movement from a failed master router to a backup router assuming the role of master router without placing an undue load on other routers in the network, such as by dropping the enhanced VRRP packets having a type other than one without processing the packets in the control plane of a receiving virtual router.

Abstract: Techniques are described for supporting PIM (Protocol Independent Multicast) Dense Mode (PIM-DM) and PIM Bootstrap Router (PIM-BSR) between different VPN sites of an IP VPN. A system includes a plurality of customer sites connected to a service provider network by provider edge (PE) routers that provide an IP VPN. A first one of the PE routers receives multicast traffic from a first one of the customer sites, wherein the multicast traffic is PIM (Protocol Independent Multicast) Dense Mode (PIM-DM) traffic for which no PIM join messages have been received by the first PE router from the other PE routers via BGP messages. A tunnel setup module of the first PE router is configured to automatically signal a provider tunnel through the service provider network upon receiving the PIM-DM multicast traffic without maintaining multicast state data for a multicast group associated with the PIM-DM multicast traffic.

Abstract: In general, techniques are described for performing customer bandwidth profiling in computer networks. A network device intermediately positioned in a service provider network between a customer network and a centralized network device that provides a hierarchical arrangement of virtual local area networks (VLANs) located in the service provider network may perform the techniques. The network device determines a service profile based on authentication messages and associates the service profile with the hierarchical arrangement of VLANs used for delivering the traffic to and from the customer network and the service provider network. The service profile defines constraints on delivery of the traffic associated with the one or more services. The network device then applies the service profile to the traffic received via the associated hierarchical arrangement of VLANs to enforce the constraints on the delivery of the traffic received via the associated hierarchical arrangement of VLANs.

Abstract: In general, the invention is directed to techniques for reducing deadlocks that may arise when performing fabric replication. For example, as described herein, a network device includes packet replicators that each comprises a plurality of resource partitions. A replication data structure for a packet received by the network device includes packet replicator nodes that are arranged hierarchically to occupy one or more levels of the replication data structure. Each of the resource partitions in each of the plurality of packet replicators is associated with a different level of the replication data structure. The packet replicators replicate the packet according to the replication data structure, and each of the packet replicators handles the packet using the one of the resource partitions of the packet replicator that is associated with the level of the replication data structure occupied by the node that corresponds to that particular packet replicator.

Abstract: This disclosure describes techniques by which power demand requests from an electronic component are synchronized by a power manager within the electronic component with control algorithms internally used by a power supply to deliver power. Timing characteristics from an internal control signal for the power supply, such as a pulse width modulated (PWM) signal, may be provided to one or more electronic components that receive power from the power supply. A power manager within an electronic component may synchronize the timing of power change requests based on timing characteristics of the control signal. This may reduce the energy and time needed to respond to dynamic load changes required by the electronic component. The faster response time may allow larger power changes from the electronic component to be processed.

Abstract: A network device is described that parses configuration data of the network device in accordance with a schema, for candidate configuration parameters. The device outputs a parameter identifier of each candidate configuration parameter, and in response, receives an indication of a selection of the candidate configuration parameters and corresponding labels. Both the selected parameters and the labels conform to a platform-independent interface for a remote procedure call for provisioning a service on any one of a plurality of different devices within a network. The device generates a device-specific configuration script for modifying the configuration data of the device in accordance with the schema of the device. The device-specific configuration script can receive, via the platform-independent interface for the remote procedure call, parameterized information associated with the selected parameters and update the configuration data based on the parameterized information.

Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Abstract: Techniques are described for determining latency in a physical network that includes a number of network devices over which packets travel. A virtual network controller receives a plurality of messages from a plurality of network devices in a network, each of the messages including a packet signature comprising a hash of an invariant portion of an original packet that uniquely identifies the original packet, an identifier of one of the plurality of network devices from which the respective message was received, and a timestamp indicating a time an original packet was processed by the network device from which the respective message was received. The virtual network controller determines a latency of a physical network path in the network based on analysis of contents of the identified messages having a common packet signature.

Abstract: A line card includes a metal frame that includes a front section, and a bottom section connected to the front section via an angled section, where the angled section results in an opening between the line card and a second line card, when the line card is installed above the second line card in a rack, and where the opening allows directed air to enter the rack from a front direction; a printed circuit board attached to the metal frame; and a group of front panel connectors attached to the front section of the metal frame.

Abstract: In one example, a network device receives a packet to be forwarded according to a label switching protocol, determines a service to be performed on the packet by a service network device, sends a label request message to the service network device, wherein the label request message indicates support for labels having a particular length, wherein the particular length is larger than twenty bits (e.g., forty bits), and wherein the label request message specifies the service to be performed on the packet, receives, in response to the label request message, a label mapping message defining a label of the particular length, appends the label to the packet to form a Multi-Protocol Label Switching (MPLS)-encapsulated packet, and forwards the MPLS-encapsulated packet according to the label switching protocol.

Abstract: A computer-implemented method for detecting rogue client devices connected to wireless hotspots may include maintaining at least one illegitimate authentication identifier that appears to rogue client devices to facilitate authentication with an external network via a wireless hotspot. The method may also include providing the illegitimate authentication identifier to one or more client devices connected to the wireless hotspot. The method may further include receiving an authentication request to authenticate the client device with at least one external network via the wireless hotspot. The method may additionally include determining that the authentication request includes the illegitimate authentication identifier. Finally, the method may include determining that the client device is a rogue device based at least in part on the illegitimate authentication identifier being included in the authentication request. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In general, techniques are described for improving network path computation for requested paths that include a chain of service points that provide network services to traffic flows traversing the requested path through a network along the service chain. In some examples, a controller network device receives a request for network connectivity between a service entry point and a service exit point for a service chain for application to packet flows associated to the service chain. The device, for each pair of the service points in the particular order and using the active topology information, computes at least one end-to-end sub-path through the sub-network connecting the pair of the service points according to a constraint and computes, using the at least one end-to-end sub-path for each pair of the service points, a service path between the service entry point and the service exit point for the service chain.

Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Abstract: In general, techniques are described for network traffic pattern matching using adaptive deterministic finite automata (DFA). A network device may implement the techniques to promote pattern matching. The network device comprises a control unit that stores first and second data defining first and second portions of a DFA, respectively. The first data defines first states of the DFA in an uncompressed format. The second data defines second states of the DFA in a compressed format. The network device also includes an interface that receives network packets. The control unit processes the network packets to traverse the first and second states. The control unit then compares a number of times the first and second states have been traversed. Based on the comparison, the control unit dynamically reallocates the first states of the DFA in the uncompressed format and the second states of the DFA in the compressed format.

Abstract: A security device may receive a request from a client device and intended for a server device. The security device may identify the request as being associated with a malicious activity. The malicious activity may include one or more undesirable tasks directed to the server device. The security device may generate a challenge-response test based on identifying the request as being associated with the malicious activity. The challenge-response test may be generated using one or more construction techniques. The security device may provide the challenge-response test to the client device. The security device may receive, from the client device, a proposed solution to the challenge-response test. The security device may identify the proposed solution as being generated using an optical character recognition (OCR) program. The security device may protect the server device from the client device based on identifying the solution as being generated using an OCR program.

Abstract: A forwarding node decapsulates and encapsulates data. The decapsulation may be performed using pattern matching techniques and the encapsulation may be performed using pattern insertion techniques. The decapsulation and encapsulation are preferably performed by hardware devices such as application specific integrated circuits (ASICs) to enhance the speed of such operations. The decapsulation and encapsulation may be independent of each other and performed on a per virtual circuit basis.

Abstract: In response to receiving a reply message for reserving bandwidth along a primary path for a first label switched path (LSP) for carrying data traffic from an ingress network device to an egress network device, a point of local repair (PLR) network device establishes a second LSP from the PLR to a merge point (MP) network device along a subset of the primary path. The second LSP is dedicated to carrying operations, administration and management (OAM) messages to verify connectivity of the subset of the primary path, and is not used for sending data traffic. The PLR sends an OAM message to verify connectivity of at least one protected resource along the subset of the primary path to a next hop along the second LSP, wherein the OAM message is encapsulated by a second label associated with the second LSP.

Abstract: Techniques are described for wavelength and spectrum assignment within a packet-optical transport system. A controller, for example, dynamically controls wavelength and spectrum assignment to suppress or generally avoid optical effects that can degrade communication performance. For example, the controller provides closed-loop control over dynamic partitioning of the spectral range of an optical transport system into channel groups and assignment of the groups to respective packet-optical transport devices based on current or future bandwidth requirements at each device. Moreover, for each packet-optical transport device, the controller controls assignment of individual wavelengths within each channel group so as to balance channel utilization around a center of the spectral range associated with each channel group and to maintain spectral separation of the channels within the channel group.