Abstract: An example network device includes a control plane and a filter lookup module that includes a Bloom filter that supports parallel lookup of a maximum number of different prefix lengths. The filter lookup module accesses the Bloom filter to determine a longest length prefix that matches an entry in a set of prefixes. The control plane receives prefix lengths that include more than the maximum number of different prefix lengths supported by the Bloom filter, wherein the set of prefix lengths is associated with one application, generates, based on the received set of prefix lengths, two or more groups of different prefix lengths, wherein each of the two or more groups of different prefix lengths includes no more than the maximum number of different prefix lengths, and programs the filter lookup module with the two or more groups of different prefix lengths associated with the one application.

Abstract: A method performed by a network device may include assembling a multiprotocol label switching (MPLS) echo request, the echo request including an instruction for a transit node to forward the echo request via a bypass path associated with the transit node, and an instruction for an egress node to send an echo reply indicating that the echo request was received on the bypass path. The method may also include sending the MPLS echo request over a functioning label switched path (LSP).

Abstract: Techniques described in this disclosure relate to configuration updates, such as performing an in-service software upgrade on a device, using virtual machines. In a routing device, a routing engine utilizes a virtual machine executing on a hypervisor to provide control plane functions. In one example, an in-service software upgrade may be performed between a first virtual machine and a second virtual machine without a managing virtual machine. More specifically, a first virtual machine in the control plane of the router may control the upgrade process, including requesting initialization of the second virtual machine, installing a new software system on the second virtual machine, and replicating state data from the first virtual machine to the second virtual machine. In this example, the first virtual machine may operate as a master virtual machine and the second virtual machine may operate as a slave virtual machine that synchronizes with the master virtual machine.

Abstract: A device may include logic configured to receive a packet, identify a flow associated with the packet in a flow table, and identify a rate limit associated with the flow in the flow table. A current rate associated with the flow may be calculated based on the packet. It may be determined whether the current rate associated with the flow exceeds the rate limit associated with the flow. If so, the packet may be discarded or tagged as “over limit.

Abstract: Packet processing is provided in a multiple processor system including a first processor to processing a packet and to create a tag associated with the packet. The tag includes information about the processing of the packet. A second processor receives the packet subsequent to the first processor and processes the packet using the tag information.

Abstract: Wireless devices that are attempting to connect to a packet data network may be blocked from issuing connection requests to the network during periods in which, due to the failure of other network devices, the connections requests will fail. A device may particularly determine when a connection request to access a network, from a machine to machine (M2M) device, will fail or has failed. The device may create, in response to the connection request, a response to the connection request, the response including an indication that the M2M device is to be blocked, by other network devices, from accessing the network. The device may transmit the response to the connection request to the other network devices, the response to the other network devices including one or more parameters that identify a duration for which the M2M device is to be blocked and an identification of the M2M device.

Abstract: In general, techniques are described for allocating virtual output queue (VOQ) buffer space to ingress forwarding units of a network device based on drain rates at which network packets are forwarded from VOQs of the ingress forwarding units. For example, a network device includes multiple ingress forwarding units that each forward network packets to an output queue of an egress forwarding unit. Ingress forwarding units each include a VOQ that corresponds to the output queue. The drain rate at any particular ingress forwarding unit corresponds to its share of bandwidth to the output queue, as determined by the egress forwarding unit. Each ingress forwarding unit configures its VOQ buffer size in proportion to its respective drain rate in order to provide an expected delay bandwidth buffering for the output queue of the egress forwarding unit.

Abstract: In some embodiments, an apparatus includes a first switch having an egress port configured to be coupled to a second switch to collectively to define a single logical entity having a set of virtual identifiers. A first set of virtual identifiers from the set of virtual identifiers is associated with the first switch, a second set of virtual identifiers from the set of virtual identifiers is associated with the second switch. The first switch is configured to receive a forwarding table associating a first set of destination addresses with a set of identifiers local to the first switch and associating a second set of destination addresses with a set of identifiers local to the second switch. Each identifier from the first set of identifiers is uniquely associated the first set of virtual identifiers. Each identifier from the set of identifiers is uniquely associated the second set of virtual identifiers.

Abstract: An example network device includes one or more network interface cards and a control unit. The network interface cards are configured to send and receive messages with a first network operating in accordance with a first network-layer protocol and a second network operating in accordance with a second network-layer protocol and a control unit. The control unit is configured to receive a message via the one or more network interface cards, transform the message from conforming to a first transitioning protocol to conforming to a second transitioning protocol, and forward the message via the second network.

Abstract: A method may include receiving a request to establish a quality of service (QoS) policy that identifies a desired QoS associated with traffic being transported by a network; generating a QoS model based on the identified desired QoS, where the QoS model includes a class of service (CoS) and corresponding forwarding priorities associated with the traffic; retrieving a service level agreement (SLA), associated with a client device that is interconnected to a network node associated with the network, where the SLA includes a particular CoS and corresponding other forwarding priorities for packets associated with the client device; creating a QoS provisioning policy based on the QoS model and the SLA, where the creating includes mapping the CoS to the particular CoS or mapping the forwarding priorities to the other forwarding priorities; and transmitting, to the network node, the QoS provisioning policy that permits the network node to process the packets in a manner that complies with the QoS model or the SLA.

Abstract: In some embodiments, a system includes multiple access switches, a switch fabric having multiple switch fabric portions, and a control plane processor. Each switch fabric portion is coupled to at least one access switch by a cable from a first set of cables. Each switch fabric portion is configured to receive data from the at least one access switch via the cable from the first set of cables. The control plane processor is coupled to each switch fabric portion by a cable from a second set of cables. The control plane processor is configured to send control information to each access switch via a cable from the second set of cables, a switch fabric portion, and a cable from the first set of cables. The control plane processor is configured to determine control plane connections associated with each access switch and is configured to determine data plane connections associated with each access switch as a result of the control plane connections.

Abstract: A network management system is described for assuring that a network device complies with a device-specific configuration policy. One example of the network management system contains one or more business rules that describe a business policy regarding a computer network in a network-independent form. In general, the business rules refer to high-level business requirements and not to device-specific configuration information. The network management system uses the business rule to determine which business policies are currently in force. In addition, the network management system contains one or more network design rules that describe relationship between the business policy and one or more device-specific configuration policies. The network management server uses the network design rules to determine whether to deploy a device-specific configuration policies.

Abstract: A non-transitory processor-readable medium storing code representing instructions to be executed by a processor includes code to cause the processor to receive from a wireless access point (WAP) device frequency-domain data associated with signals received at the WAP device from a wireless device during a time period. The code includes code to determine multiple frequency-domain magnitudes associated with the frequency-domain data for the time period to define a spectral magnitude signature associated with the frequency-domain data. Each frequency-domain magnitude from the multiple frequency-domain magnitudes is uniquely associated with a frequency bin from multiple mutually-exclusive frequency bins associated with the frequency domain data.

Abstract: A network device associates a first node prefix with first network devices provided in a first network, associates a second node prefix with second network devices provided in a second network, and associates a third node prefix with third network devices provided in a third network. The network device advertises the first node prefix to the second and third networks, advertises the second node prefix to the first and third networks, and advertises the third node prefix to the first and second networks.

Abstract: In general, techniques are described for seamlessly migrating a secure session established between a first computing device and a secure access appliance to a second computing device. In one example, a client computing device establishes a secure session with a secure access appliance. The client computing device receives a request via a communication channel from a second client computing device for secure session data for the first secure session usable by the second client computing device to establish a second secure session with the secure access appliance. The client computing device generates a message that includes the secure session data for the first secure session and sends the message to the second client computing device. Responsive to receiving the message, the second client computing device establishes a new secure session with the secure access appliance.

Abstract: A method may include receiving a packet; identifying the packet as a multicast packet for sending to a plurality of destination nodes; selecting a first forwarding table or a second forwarding table for sending the packet to each of the plurality of destination nodes, wherein the first forwarding table includes first port information associated with a first destination and second port information associated with a second destination, and wherein the second forwarding table includes third port information associated with the second destination; sending the packet to the first destination using the first port; and sending the packet to the second destination using the second port when the first forwarding table is selected and sending the packet to the second destination using the third port when the second forwarding table is selected.

Abstract: Techniques are described for dynamically optimizing a device management command for bulk retrieval of configuration information. A network management device is described in which a programmable processor is configured to issue a bulk data retrieval command to direct the managed network device to retrieve configuration information variables stored within a set of columns of a table within the managed device, receive a response from the managed network device in response to the managed network device querying the table a first number of repetitions, analyze the response, and update an estimate of the number of variables expected to be received from the managed network device in a single response based on the analysis of the response.

Abstract: A method may include authenticating a node over layer 2 in a network based on authentication rules; sending a node authentication code to the node; and providing layer 3 network access based on the node authentication code.

Abstract: The control plane of a network device comprises a plurality of software processes that manage routing control operations of the device. Through a hypervisor in the control plane, a managing virtual machine controls access to a first virtual machine running a first software system to control a routing communication session between the network device and other network devices. In response to an in-service software upgrade request, the managing virtual machine initializes a second virtual machine. On the second virtual machine, the second software system is loaded. State data maintained by the managing virtual machine can be transferred to the second virtual machine, and the second virtual machine takes control of the routing communication session. During the transfer of control from the first virtual machine to the second virtual machine, techniques of “non-stop forwarding” and “graceful restart” can be implemented to minimize the effect the switchover has on the network.

Abstract: Techniques are described for synchronizing state information between a plurality of control units. A router, for example, is described that includes a primary control unit and a standby control unit. The primary control unit maintains router resources to ensure operation of the router. To ensure operation, the primary control unit receives state information from the router resources and maintains the state information for consumers, i.e. router resources that require or “consume” state information. Prior to updating the consumers with the state information, the primary control unit synchronizes the state information with the standby control unit. In the event the primary control unit fails, the standby control unit assumes control of the router resources. Upon assuming control, the standby control unit resumes updating the consumers with state information without having to “relearn” state information, e.g., by way of power cycling the router resources to a known state.