Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive, at a network management module, a request for data plane information associated with a set of access switches of a distributed switch. The non-transitory processor-readable medium includes code to cause the processor to send, in response to the request, an instruction to each access switch from the set of access switches such that a proxy module at each access switch accesses data plane information at at least one line card at that access switch. The non-transitory processor-readable medium includes code to cause the processor to receive, from each access switch from the set of access switches, the data plane information associated with that access switch, and then send a signal to output, on a single interface, the data plane information associated with each access switch from the set of access switches.

Abstract: A scheduler in a network element may include a dequeuer to dequeue packets from a set of scheduling nodes using a deficit weighted round robin process, where the dequeuer is to determine whether a subset of the set of scheduling nodes is being backpressured. The dequeuer may set a root rich most negative credits (MNC) value, associated with a root node, to a root poor MNC value, associated with the root node, and set the root poor MNC value to zero, when the subset is not being backpressured, and may set the rich MNC value to a maximum of the root poor MNC value and a root backpressured rich MNC value, associated with the subset, and set the root poor MNC value to a root backpressured poor MNC value, associated with the subset, when the subset is being backpressured.

Abstract: Systems, methods, and apparatus, including computer program products for receiving a content transfer request that includes a first set of provisioning attributes that characterizes one or more operational objectives of a first item of content; and processing the content transfer request to allocate resources of a storage environment to store the first item of content.

Abstract: In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner.

Abstract: A router maintains routing information including (i) route data representing destinations within a computer network, (ii) next hop data representing interfaces to neighboring network devices, and (iii) indirect next hop data that maps a subset of the routes represented by the route data to a common one of the next hop data elements. In this manner, routing information is structured such that routes having the same next hop use indirect next hop data structures to reference common next hop data. In particular, in response to a change in network topology, the router need not change all of the affected routes, but only the common next hop data referenced by the intermediate data structures. This provides for increased efficiency in updating routing information after a change in network topology, such as link failure.

Abstract: A network device receives a join request on a downstream interface, wherein the join request specifies a source device and multicast group, wherein the network device is positioned within a core network of a multicast virtual private network (MVPN) that transmits multicast traffic between the source device and a plurality of receivers associated with customer sites. The network device selects an upstream router to which to send the join request from among a plurality of upstream routers on paths leading to the source device, so as to avoid creating a join request loop in the core network. At least one of the upstream routers is positioned on an Exterior Border Gateway Protocol (EBGP) path toward the source device, and at least one of the upstream routers is positioned on an Interior BGP (IBGP) path toward the source device. The network device sends the join request to the selected upstream device.

Abstract: A switch fabric for a modular router may be tested without connecting the switch fabric portion of the router to the other modular portions of the router. The switch fabric may generate test data units and insert the test data units into one or more elements of the switch fabric. The switch fabric may operate with the inserted test data units. A control component may receive data units from the switch fabric after operation of the switch fabric and analyze the received data units to determine whether the received data units correspond to the inserted test data units.

Abstract: In general, techniques are described for informing services nodes of private network address information in order to apply subscriber-aware services with the services node. In some examples, a services node includes an Authentication, Authorization, and Accounting (AAA) interface to receive a AAA message, wherein the AAA message has been extended from a AAA protocol to specify a private network address of a subscriber device authenticated to an access network by the AAA server and assigned the private network address that is not routable external to the access network. A mapping module associates the public network address of subscriber data traffic with the private network address received by the AAA message. One or more service modules select one or more of a plurality of subscriber policies using the associated private network address and apply services to the subscriber data traffic in accordance with the selected subscriber policies.

Abstract: In general, techniques are described for performing load balancing across resources of a network device. In one example, upon receiving an initial packet, a load balancer module of the network device is configured to perform a lookup in a routing table based on a subscriber identifier associated with the initial packet, and determine whether a line card is pre-assigned to process the initial packet based at least in part on the lookup result. A packet forwarding engine is configured to when one of the line cards is pre-assigned, direct the initial packet to the pre-assigned line card, and, when one of the line cards is not pre-assigned, dynamically identify one of the line cards to process the initial packet based at least in part on header information of the initial packet, and direct the initial packet to the dynamically identified line card.

Abstract: In general, techniques are described for performing a graceful restart for a computing network utilizing downstream on demand (DOD) label distribution. In one example, a method is provided that includes establishing a communication session for Label Distribution Protocol (LDP) that uses a downstream on demand label distribution mechanism for distributing labels. A first label mapping message is exchanged between two routers that defines at least a first label to be applied by an upstream router when forwarding one or more of the data packets to a destination. When the communication session fails, a forwarding state comprising the first label is preserved, and one or more data packets are forwarded based on the first label. The communication session is gracefully restarted. Once the communication session is reestablished, a second label mapping message is exchanged between the routers.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: A method includes receiving configuration data for configuring network devices; generating remote procedure calls (RPCs) for configuring the network devices, which include provisioning and reverse provisioning RPCs, where each reverse provisioning RPC reverse provisions a particular pseudowire; providing to the network devices the provisioning RPCs; determining a success with respect to each of the provisioning RPCs, where the success indicates that all endpoints of a pseudowire have been successfully configured; providing the reverse provisioning RPCs to the network devices, when it is determined that the success has not been achieved; and storing an indication of success when it is determined that the success has been achieved with respect to the provisioning RPCs.

Abstract: Techniques are described for providing encryption and authentication for different types of routing protocol communications based on a variety of factors. A method comprises configuring, on a network router, a set of logical interfaces for communicating routing protocol messages with one or more peer routing devices, maintaining a set of security associations that define corresponding authentication information and encryption information for the routing protocol messages, and maintaining one or more descriptor sets that each specify a set of criteria, wherein, for at least one of the descriptor sets, the set of criteria specifies one of the logical interfaces of the network router. The method further comprises selecting one of the descriptor sets having criteria that match an individual flow, selecting one of the security associations based on the selected descriptor set, and applying the selected security association to secure the outbound flow of the routing protocol messages.

Abstract: In some embodiments, an apparatus comprises a first switch configured to define an initialization packet that has a header value associated with a port from a set of ports associated with a link aggregation group. The first switch is configured to send the initialization packet to a second switch via the port based on the header value. The first switch is configured to receive an acknowledgement packet including the header value from the second switch in response to the second switch receiving the initialization packet. The first switch is configured to retrieve the header value from the acknowledgement packet such that the first switch defines, in response to the first switch receiving the acknowledgement packet, a response packet having the header value. The first switch is configured to send the response packet to the second switch via the port based on the header value.

Abstract: Changes to a virtual system, such as a set of virtual machines in a data center, may be automatically synchronized with the corresponding physical system. In one implementation, an application may receive information regarding changes made to a virtual system. The application may determine whether the information regarding the changes necessitates a change in the configuration of one or more physical switches, and may reconfigure affected ones of the physical switches for compatibility with the changes made to the virtual system.

Abstract: A network device that includes a first memory to store packets in segments; a second memory to store pointers associated with the first memory; a third memory to store summary bits and allocation bits, where the allocation bits correspond to the segments. The network device also includes a processor to receive a request for memory resources; determine whether a pointer is stored in the second memory, where the pointer corresponds to a segment that is available to store a packet; and send the pointer when the pointer is stored in the second memory. The processor is further to perform a search to identify other pointers when the pointer is not stored in the second memory, where performing the search includes identifying a set of allocation bits, based on an unallocated summary bit, that corresponds to the other pointers; identify another pointer, of the other pointers, based on an unallocated allocation bit of the set of allocation bits; and send the other pointer in response to the request.

Abstract: In general, techniques are described to dynamically refresh a timer for a communication session provided by a bidirectional forwarding detection (BFD) protocol. The techniques potentially mitigate network load by reducing the number of BFD packets required to maintain a BFD communication session. An example network device includes a memory, programmable processor(s), a network interface, and a control unit configured to establish a BFD communication session between the network device and a peer network device that is communicatively coupled to the network device via the network interface, determine whether a packet associated with a communication session other than the BFD communication session is a relevant packet to the BFD communication session, and in response to determining that the packet is the relevant packet, refresh a timer that executes on the network device and is associated with the BFD communication session.

Abstract: In general, techniques are described for dynamically generating attributes from routing topology information and assigning dynamically generated attributes to network map entries to further characterize PIDs described therein. For example, a provider or other entity assigns, within a network device, endpoint types to one or more address prefixes for which the network device originates or forwards route advertisements. For each typed prefix, the network device adds an endpoint type identifier for the assigned endpoint type to route advertisements that traverse or originate with the network device and specify the prefix. An ALTO server peers with router advertisers to receive route advertisements. When the ALTO server receives a route advertisement that includes an endpoint type identifier, the ALTO server maps the endpoint type identifier to a PID attribute and assigns the PID attribute to a PID that includes a prefix identified in the route advertisement.

Abstract: In one example, a network device includes computer-readable storage media configured to store information defining a default dictionary associated with one or more default services provided by the network service, one or more interfaces configured to receive configuration data defining a customer dictionary associated with one or more additional services beyond the one or more default services and a to receive a request to access one of the additional services from a subscriber device, and a control unit configured to determine whether an authentication, authorization, and accounting (AAA) server grants access to the requested one of the additional services to the subscriber device, and to configure forwarding information of the network device to cause network traffic associated with the subscriber device to be forwarded to a service unit to perform the one of the additional services when the AAA server grants access to the subscriber device based on the determination.

Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.