Abstract: The control plane of a network device comprises a plurality of software processes that manage routing control operations of the device. Through a hypervisor in the control plane, a managing virtual machine controls access to a first virtual machine running a first software system to control a routing communication session between the network device and other network devices. In response to an in-service software upgrade request, the managing virtual machine initializes a second virtual machine. On the second virtual machine, the second software system is loaded. State data maintained by the managing virtual machine can be transferred to the second virtual machine, and the second virtual machine takes control of the routing communication session. During the transfer of control from the first virtual machine to the second virtual machine, techniques of “non-stop forwarding” and “graceful restart” can be implemented to minimize the effect the switchover has on the network.

Abstract: Techniques are described for synchronizing state information between a plurality of control units. A router, for example, is described that includes a primary control unit and a standby control unit. The primary control unit maintains router resources to ensure operation of the router. To ensure operation, the primary control unit receives state information from the router resources and maintains the state information for consumers, i.e. router resources that require or “consume” state information. Prior to updating the consumers with the state information, the primary control unit synchronizes the state information with the standby control unit. In the event the primary control unit fails, the standby control unit assumes control of the router resources. Upon assuming control, the standby control unit resumes updating the consumers with state information without having to “relearn” state information, e.g., by way of power cycling the router resources to a known state.

Abstract: An access network includes an access device having an optical interface module that outputs a plurality of pairs of optical communication signals, each of the pairs of optical communication signals comprising a modulated optical transmit signal and an unmodulated optical receive signal, each of the pairs of optical communication signals having a different wavelength. A customer premise equipment (CPE) comprises an optical interface module to receive the modulated optical transmit signal and the unmodulated optical receive signal for any of the plurality of pairs of optical communication signals. The optical interface module includes a receive module to demodulate the modulated optical transmit signal into inbound symbols and a transmit module having an optical modulator and reflective optics to modulate the unmodulated optical receive signal in accordance with a data signal and reflect a modulated optical receive signal to communicate outbound data symbols to the access device.

Abstract: Using the ALTO Service, networking applications can request through the ALTO protocol information about the underlying network topology from the ISP or Content Provider. The ALTO Service provides information such as preferences of network resources with the goal of modifying network resource consumption patterns while maintaining or improving application performance. This document describes, in one example, an ALTO server that intersects network and cost maps for a first network with network and cost maps for a second network to generate a master cost map that includes one or more master cost entries that each represent a cost to traverse a network from an endpoint in the first network to an endpoint in the second network. Using the master cost map, a redirector may select a preferred node in the first network with which to service a content request received from a host in the second network.

Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

Abstract: An access network is described in which a centralized controller provides seamless end-to-end service from a core-facing edge of a service provider network through aggregation and access infrastructure out to access nodes located proximate the subscriber devices. The controller operates to provide a central configuration point for configuring aggregation nodes (AGs) of a network of the service provider so as to provide transport services to transport traffic between access nodes (AXs) and edge routers on opposite borders of the network.

Abstract: A method includes receiving multicast traffic intended for host devices; identifying a flow associated with the multicast traffic; retrieving information associated with a group of multicast trees, where the group of multicast trees includes information associated with a group of I/O units, associated with a network node; identifying a particular tree that corresponds to the identified flow, where the particular tree includes information associated with a set of I/O units; and transferring the multicast traffic to an I/O unit, of the set of I/O units, based on the identification of the particular tree, where the transferring enables the I/O unit to send a copy of the multicast traffic to other I/O units of the set of I/O units, and the set of I/O units to process the multicast traffic in a manner that utilizes bandwidth or processing resources in a controlled manner and to send a copy of the multicast traffic to each of the host devices.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. A router includes a control unit that forms a customer-facing multi-chassis link aggregation group (LAG) to include a plurality of active access links that couple the router and a second router to a multi-homed customer site associated with the VPLS domain. The control unit also forms a core-facing multi-chassis LAG within the VPLS domain to include a plurality of pseudowires that connect the router and other member routers of the core-facing LAG to a common remote router of the VPLS domain. The router receives layer two (L2) packets from the multi-homed customer site on one or more of the active access links and forwards the L2 packets to the remote router over one or more of the pseudowires using the core-facing multi-chassis LAG.

Abstract: In some embodiments, a system includes a first switch fabric device, a second switch fabric device, a first access switch operatively coupled to the first switch fabric device by a first cable, and a second access switch operatively coupled to the second switch fabric device by a second cable. The second access switch is operatively coupled to the first access switch by a third cable. The first access switch is configured to send data to the first switch fabric device via the first cable. The first access switch is configured to send data to the second switch fabric device via the third cable, the second access switch, and the second cable.

Abstract: In general, techniques are described for flexible packet processing. A network device for processing a data packet comprise a packet processing engine and a special handling unit external from the packet processing engine. The packet processing engine includes one or more of a plurality of pipelined packet processing units that, when processing the data packet, generate one or more events and determine whether to associate a trap and/or a sampling class with the data packet based on the generated events. The pipelined packet processing units then set bits of a vector that is passed between the pipelined packet processing units to associate the packet with the determined trap and/or sampling class, and processes the packet based on the set one or more bits of the vector.

Abstract: In one embodiment, a method includes receiving a configuration request and a first key from a network device, granting a first class of access to the network device, sending a configuration instruction to the network device, receiving an association request from the network device, and granting a second class of access to the network device. The configuration request and the first key are received at a first time. The network device is outside a secure network segment at a first time. The first class of access is granted based on the first key. The configuration instruction is send in response to granting the first class of access. The association request includes a second key. The granting the second class of access is based on the second key.

Abstract: The invention relates to information exchange when a design organization sends a design document to a manufacturer. The design documents may have errors and, once detected, the errors may not be corrected by the design organization. The documents may be resent with a small number of changes or perhaps no changes at all, but may have errors that have been seen before. The documents may have many items that are not important to the receiving organization. A dictionary is used to validate and correct the documents. Changes in the dictionary may require changes in the information used by the manufacturer.

Abstract: A device may include multi-bank SRAM logic configured to receive an lookup result that includes a first number of addresses, parse each of the first number of addresses from the received lookup result, simultaneously provide at least one of the first number of parsed addresses to each of a first number of SRAMs, simultaneously read data from each of the first number of SRAMs and simultaneously transmit the read data from each of the first number of SRAMs.

Abstract: Routers balance network traffic among multiple paths through a network according to an amount of bandwidth that can be sent on an outgoing interface computed for each of the paths. For example, a router receives a link bandwidth for network links that are positioned between the first router and a second router of the network, and selects a plurality of forwarding paths from the first router to the second router. Upon determining that one of the network links is shared by multiple of the plurality of forwarding paths, the router computes a path bandwidth for each of the plurality of outgoing interfaces so as to account for splitting of link bandwidth of the shared network link across the multiple forwarding paths that share the network link. The router assigns packet flows to the forwarding paths based at least on the computed amount of bandwidth for each of the outgoing interfaces.

Abstract: In general, techniques are described for using a light-weight protocol to synchronize layer two (L2) addresses that identify routable traffic to multiple L3 devices, such as PE routers, that cooperatively employ an active-active redundancy configuration using a multi-chassis LAG to provide an L2 network with redundant connectivity. In one example, a network device establishes a multi-chassis LAG with a peer network device to provide redundant connectivity to a layer three (L3) network. A synchronization module of the network device receives a synchronization message that specifies an L2 address of the peer network device. When the network device receives an L2 packet data unit (PDU) from the L2 network, a routing instance of the network device routes an L3 packet encapsulated therein when the PDU has an L2 destination address that matches the L2 address of the peer network device.

Abstract: A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.

Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this was, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications as for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.

Abstract: In general, techniques are described for dynamically scheduling and establishing paths in a multi-layer, multi-topology network to provide dynamic network resource allocation and support packet flow steering along paths prescribed at any layer or combination of layers of the network. In one example, a multi-topology path computation element (PCE) accepts requests from client applications for dedicated paths. The PCE receives topology information from network devices and attempts to identify paths through a layer or combination of layers of the network that can be established at the requested time in view of the specifications requested for the dedicated paths and the anticipated bandwidth/capacity available in the network. The PCE schedules the identified paths through the one or more layers of the network to carry traffic for the requested paths. At the scheduled times, the PCE programs path forwarding information into network nodes to establish the scheduled paths.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.