Patents Assigned to Juniper Networks
  • Patent number: 8874838
    Abstract: A network device allocates a particular number of memory blocks in a ternary content-addressable memory (TCAM) of the network device to each database of multiple databases, and creates a list of additional memory blocks in an external TCAM of the network device. The network device also receives, by the external TCAM, a request for an additional memory block to provide one or more rules from one of the multiple databases, and allocates, by the external TCAM and to the requesting database, an additional memory block from the list of additional memory blocks.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: October 28, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Sandip Shah, Jing Ai
  • Patent number: 8873377
    Abstract: A device includes a master control card that performs control plane processing, a backup control card, where the backup control card takes over control plane processing if the master control card goes out of service, and a database card that connects to the master control card and the backup control card, where the database control card stores information relating to control plane processing. A method of achieving hitless failover in a network element includes detecting that a master control card of the network element has gone out of service, designating the backup control card as a new master control card of the network element, establishing communication with a database card of the network element, and retrieving protocol states information from the database card.
    Type: Grant
    Filed: November 18, 2009
    Date of Patent: October 28, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Sundeep Singatwaria
  • Patent number: 8873372
    Abstract: A method and an apparatus for rapidly resuming, at times of failures, network traffic in a connection-oriented network by using an alternative route pre-computed and stored locally in nodes along an initial route without requiring signaling of upstream nodes or a master server.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: October 28, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Der-Hwa Gan, Anthony Joseph Li
  • Patent number: 8867408
    Abstract: A network device provides a selector list that includes indices of child nexthops associated with the network device, where each of the child nexthops is associated with a corresponding child link provided in an aggregated bundle of child links. The network device also receives an indication of a failure of a child link in the aggregated bundle of child links, and removes, from the selector list, an index of a child nexthop associated with the failed child link. The network device further receives probabilities associated with the child links of the aggregated bundle of child links. Each of the probabilities indicates a probability of a packet exiting the network device on a child link. The network device also creates a distribution table based on the probabilities associated with the child links, and rearranges values provided in the distribution table.
    Type: Grant
    Filed: July 30, 2012
    Date of Patent: October 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Nitin Kumar, Alex Baban, Alok Khambatkone
  • Patent number: 8868913
    Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: October 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Kent A. Watsen
  • Patent number: 8867543
    Abstract: A method and apparatus for in-line processing a data packet while routing the packet through a router in a system transmitting data packets between a source and a destination over a network including the router. The method includes receiving the data packet and pre-processing layer header data for the data packet as the data packet is received and prior to transferring any portion of the data packet to packet memory. The data packet is thereafter stored in the packet memory. A routing through the router is determined including a next hop index describing the next connection in the network. The data packet is retrieved from the packet memory and a new layer header for the data packet is constructed from the next hop index while the data packet is being retrieved from memory. The new layer header is coupled to the data packet prior to transfer from the router.
    Type: Grant
    Filed: November 11, 2011
    Date of Patent: October 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Rasoul Mirzazadeh Oskouy, Dennis C. Ferguson, Hann-Hwan Ju, Raymond Marcelino Manese Lim, Pradeep S. Sindhu, Sreeram Veeragandham, Jeff Zimmer, Michael M. Y. Hui
  • Patent number: 8861340
    Abstract: Network devices provide Internet Protocol (IP) and Label Distribution Protocol (LDP) fast reroute for unicast and multicast traffic. The approach described herein for fast reroute for IP and LDP uses maximally redundant trees (MRTs). MRTs are a pair of trees where the path from any node X to the root R along the first tree and the path from the same node X to the root along the second tree share the minimum number of nodes and the minimum number of links. A network device, such as a router, computes a pair of MRTs for each destination and installs one or more MRT alternate next-hops in its forwarding plane for use in forwarding network traffic to a destination in the event a failure occurs that renders a primary next-hop unusable for reaching the destination.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: October 14, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Alia Atlas
  • Patent number: 8861525
    Abstract: A translation data center (TDC) is described that provides cloud-based network protocol translation services. In an example system, the TDC is coupled to a first public network that includes client devices and operates according to a first network-layer protocol (NLP) and a second public network that includes content providers and operates according to a second NLP. Domain name servers within the first public network are updated to include records that resolve respective domain names for each of a plurality of content providers of the second public network to different, globally-routable network destination addresses assigned to the TDC. The TDC receives packets from the first network, transforms the packets from the first NLP to the second NLP and replaces network-layer destination addresses of the TDC with the network-layer destination addresses for the content providers.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: October 14, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Alain Durand, David Ward
  • Patent number: 8855071
    Abstract: In general, techniques are described for handling errors in subscriber session management within mobile networks. A downstream mobile gateway comprising a forwarding unit and a service unit may implement the techniques. The forwarding unit receives a packet that includes a destination address for a subscriber and a tunnel endpoint identifier (TEID). The service unit determines whether the TEID is associated with one of a number of subscriber records that store session data for current sessions associated with subscriber devices to communicate with the mobile network. In response to determining that the TEID is not associated with one of the subscriber records, the service unit generates a message that includes the TEID and the destination address and indicates that the downstream mobile gateway has determined that the TEID is not associated with one of the subscriber records. The forwarding unit then sends the message to the upstream mobile gateway.
    Type: Grant
    Filed: January 4, 2012
    Date of Patent: October 7, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Sankaran, Sureshkannan Duraisamy, Himanshu Shah, Venkatesh Gota, Venkatesan Natarajan
  • Patent number: 8856926
    Abstract: The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: October 7, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Narayanaswamy, Prashanth Arun
  • Patent number: 8854988
    Abstract: A device may obtain a flow signature, identify a destination collector to which packets bearing the flow signature are sent, obtain a list of potential source collectors that may have sent the packets bearing the flow signature to the destination collector, and identify a source collector, among the potential source collectors, that sent the packets to the destination collector. In addition, the device may output information related to a path from the source collector to the destination collector.
    Type: Grant
    Filed: July 26, 2011
    Date of Patent: October 7, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Doughan Turk
  • Patent number: 8856909
    Abstract: A method may include receiving a request from an endpoint to access a network; granting access to the network; and subscribing to an IF-MAP server for updates relating to the endpoint. The method may also include receiving an update pertaining to the endpoint, from the IF-MAP server; and transmitting the update to the endpoint. Additionally, a method may include receiving a request from an endpoint to access a resource in a network; denying the request from the endpoint based on a security policy; and subscribing or querying to an IF-MAP server for IF-MAP data pertaining to the endpoint. The method may also include receiving from the IF-MAP server the IF-MAP data; and publishing, by the device, to the IF-MAP server, IF-MAP data pertaining to the endpoint, where the IF-MAP data includes security policy parameters that comply with the security policy for accessing the resource.
    Type: Grant
    Filed: January 23, 2009
    Date of Patent: October 7, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Roger A Chickering
  • Publication number: 20140298067
    Abstract: In some embodiments, an equipment unit has a set of visual indicators, a power switch, and a set of compute components. The power switch receives a signal representing a status such that when the status is in a first mode, the power switch provides power to the set of visual indicators and when the status is in a second mode the power switch does not provide power to the set of visual indicators. The compute components are configured to receive power when the power switch does not provide power to the set of visual indicators.
    Type: Application
    Filed: March 28, 2013
    Publication date: October 2, 2014
    Applicant: Juniper Networks, Inc.
    Inventors: Boris Reynov, Victor W. Mei, Venkata S. Raju Penmetsa, Jack W. Kohn, Ben T. Nitzan, Shreeram Siddhaye
  • Patent number: 8848724
    Abstract: Methods and systems consistent with the present invention provide dynamic buffer allocation to a plurality of queues of differing priority levels. Each queue is allocated a fixed minimum number of buffers that will not be de-allocated during buffer reassignment. The rest of the buffers are intelligently and dynamically assigned to each queue depending on their current need. The system then monitors and learns the incoming traffic pattern and resulting drops in each queue due to traffic bursts. Based on this information, the system readjusts allocation of buffers to each traffic class. If a higher priority queue does not need the buffers, it gradually relinquishes them. These buffers are then assigned to other queues based on the input traffic pattern and resultant drops. These buffers are aggressively reclaimed and reassigned to higher priority queues when needed.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: September 30, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Sreenivas Voruganti, Atul Mahamuni
  • Patent number: 8848362
    Abstract: A device may include multiple power supplies that are cooled by a system fan. The power supplies may be cross-connected to supply power to one another and the device may monitor temperatures of the power supplies. Based on the temperatures of the power supplies, the device may determine whether any of the power supplies are likely to be on fire. The device may shut off the fan when a power supply is determined to be likely to be on fire.
    Type: Grant
    Filed: March 9, 2011
    Date of Patent: September 30, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Thuan Che, Jaspal Gill, Frank Krippendorf
  • Patent number: 8848529
    Abstract: A method includes receiving network information for calculating weighted round-robin (WRR) weights, calculating WRR weights associated with queues based on the network information, and determining whether a highest common factor (HCF) exists in relation to the calculated WRR weights. The method further includes reducing the calculated WRR weights in accordance with the HCF, when it is determined that the HCF exists, and performing a WRR scheduling of packets, stored in the queues, based on the reduced WRR weights.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: September 30, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Sreenivas Voruganti, Ankur Singla, Pal Ashish, Balaji Murali, Vedamurthy A Joshi
  • Patent number: 8843805
    Abstract: In general, techniques are described for efficiently and transparently partitioning a physical address space of a DRAM part lacking dedicated error protection circuitry to supply addressable error protection bytes for use in detecting and/or correcting bit errors elsewhere present in the physical address space. In one example, a network device includes a DRAM and a memory controller that receives a write command to write data to the DRAM. An address translation module of the memory controller logically partitions the DRAM to define a plurality of physically addressable sections that includes an error protection section for storing error protection bits and one or more data storage sections. The memory controller defines a contiguous logical address space representing the data storage sections. A DRAM controller of the network device communicates with the DRAM to store the data to one of the data storage sections in accordance with the contiguous logical address space.
    Type: Grant
    Filed: March 16, 2012
    Date of Patent: September 23, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Deepak Goel, Jeffrey G. Libby, Anurag P. Gupta, Abhijit Ghosh, David J. Ofelt
  • Publication number: 20140269707
    Abstract: Multicast traffic received by a subnet that uses IGMP/PIM snooping may be efficiently processed so that only required multicast router interfaces are used. A router may, for example, receive a source-specific PIM join/prune message indicating that a multicast receiver of the multicast traffic is to join/leave a multicast group to receive/stop traffic from a multicast source; determine whether the router is a first hop router relative to a subnet of the multicast source; and forward, when the router is a first hop router relative to the subnet of the multicast source and is a non-designated router, the source-specific PIM join/prune message towards the subnet.
    Type: Application
    Filed: May 28, 2014
    Publication date: September 18, 2014
    Applicant: JUNIPER NETWORKS, INC.
    Inventor: Sunil Kumar CHANDRASHEKHARACHAR SUVARNESHWAR
  • Patent number: 8837479
    Abstract: A packet-forwarding integrated circuit includes a control logic module and a selector block configured to produce a value indicating an incoming interface associated with a multicast data stream that meets stream health requirements, wherein the multicast data stream is one of a plurality of redundant multicast data streams each received on different incoming interfaces, wherein based on the value produced by the selector block the control logic module outputs data packets of the multicast data stream that meets stream health requirements received on the incoming interface, and discards data packets of other multicast data streams received on other incoming interfaces not indicated by the selector block. In response to detecting that a quality of one of the redundant multicast data streams has fallen below a configured threshold, the control logic automatically rewrites the selector block to forward a different one of the redundant multicast data streams.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: September 16, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Nitin Kumar, Nischal Sheth, Satish Ramachandran, Robert Kebler, Maciek Konstantynowicz
  • Patent number: 8839352
    Abstract: A security device may be interconnected, via multiple links, between multiple network devices in a network. The firewall device may include multiple input interfaces that receive data units from a first network device destined for a second network device of the multiple network devices, identify a session associated with each of the data units, and process the data units in accordance with the identified sessions and a security policy.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: September 16, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Changming Liu, Lee Chik Cheung