Abstract: A method includes establishing a bi-directional pseudowire (BPW) between a first provider edge (PE) router and a second PE router that are forwarders for a multi-homed VPLS customer site associated with a VPLS domain. The first PE router has a designated forwarder status and the second PE router has a backup forwarder status relative to the VPLS customer site. The BPW is established as an auxiliary standby BPW external to the VPLS domain. The method also includes detecting a change in topology of the network with the first PE router, wherein the change in topology affects connectivity by the first PE router to the VPLS customer site associated with the VPLS domain, and, upon detecting the change in topology, utilizing the BPW as an active interface within the VPLS domain for forwarding network traffic to the VPLS customer site.

Abstract: An example network device includes a data repository configured to store data defining a plurality of time slots, programmable processors that provide an amount of available system processing capacity for each of the time slots, a network communication protocol module configured to perform network communication events, and a system load prediction module. The system load prediction module predicts future events that the network device expects to perform in accordance with the network communication protocol, wherein each of the predicted events requires an amount of system processing capacity to complete, and distributes each of the predicted events across the time slots to reserve the amount of system processing capacity required to complete each of the predicted events from the amount of available system processing capacity of each of the time slots without exceeding a threshold that limits utilization of the amount of system processing capacity for each of the time slots.

Abstract: An apparatus includes a replication engine of a switch module of a multi-stage switch. The replication engine is configured to receive a first validation packet from an input port of the switch module. The replication engine is configured to determine multiple output ports of the switch module to which a data packet can be sent to reach a destination device associated with the first validation packet. The replication engine is configured to define multiple second validation packets based on a number of output ports from the multiple output ports such that each second validation packet from the multiple second validation packets is uniquely associated with an output port from the multiple output ports. The replication engine is configured to send the multiple second validation packets to an output module configured to forward each second validation packet from the multiple second validation packets to its associated output port.

Abstract: A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy.

Abstract: A method is provided for handling member link state changes in an aggregate interface. An aggregate interface may be established to include a number of member links. A mask may be associated with the aggregate interface, where the mask identifies a current state of each member link in the aggregate interface. The mask is retrieved and used to identify active links in the aggregate interface when packets are received for forwarding on the aggregate interface.

Abstract: Techniques are described for reducing unnecessary upstream traffic toward a rendezvous point (RP) of a network using Protocol Independent Multicast Bidirectional Mode. The RP may be either a router configured with the rendezvous point address (RPA) on its loopback interface, or one of several routers connected to an RP link with the RPA. The techniques include determining whether the RP needs to receive multicast traffic for a multicast group and, when the RP does not need to receive the multicast traffic, sending RP-prune control messages for the multicast group to downstream routers on non-RP links. Upon receiving an RP-prune control message, a downstream router may prune an outgoing interface for the multicast group to prevent the downstream router from forwarding multicast traffic for the multicast group toward the RP. The downstream router may terminate or propagate the RP-prune control message to a further downstream router.

Abstract: A data center management device determines that a virtual machine should be moved from a first physical system to a second physical system. The data center management device instructs a first service appliance at the first physical system to perform state synchronization with a second service appliance at the second physical system in order to continue providing the services offered prior to the move. The data center management device instructs the virtual machine to be instantiated at the second physical system.

Abstract: A VPN gateway is described that provides single sign-on (SSO) functionality with respect to remote users who have established tunneling sessions with the VPN gateway and who attempt to access a protected resource. The VPN gateway may receive, from a client device, a security assertion request that includes a request for a security assertion to be made by the VPN gateway with respect to a user of a private network associated with the VPN gateway, determine whether the security assertion request was received via a tunneling session established for the user between the client device and the VPN gateway, and issue a security assertion for the user in response to determining that the security assertion request was received via the tunneling session. In this way, a VPN gateway may act as an SSO identity provider for users that have an established tunneling session with the gateway.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: In general, the invention is directed to techniques for establishing secure connections with devices residing behind a security device. In accordance with the techniques, a managed device initiates a transmission control protocol (TCP) session to establish a TCP session with a management device such that the management device acts as the TCP server and the managed device acts as a TCP client. Once established, the managed device sends a role reversal message specifying an identity of the managed device via the TCP session. Upon receiving the role reversal message, the management device initiates a secure connection over the TCP session in accordance with a secure protocol such that the management device acts as the secure protocol client and the managed device acts as the secure protocol server. By properly establishing the secure session, each of the devices assumes the proper roles and administrators may more easily configure the devices.

Abstract: The invention is directed toward techniques for Multi-Protocol Label Switching (MPLS) upstream label assignment for the Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The techniques include extensions to the RSVP-TE that enable distribution of upstream assigned labels in Path messages from an upstream router to two or more downstream routers of tunnel established over a network. The tunnel may comprise a RSVP-TE P2MP Label Switched Path (LSP) or an Internet Protocol (IP) multicast tunnel. The techniques also include extensions to the RSVP-TE that enable a router to advertise upstream label assignment capability to neighboring routers in the network. The MPLS upstream label assignment using RSVP-TE described herein enables a branch router to avoid traffic replication on a Local Area Network (LAN) for RSVP-TE P2MP LSPs.

Abstract: A network device may include a supplicant framework to generate a first 802.1x packet using a MAC address, associated with a first device as a first username and password in the first 802.1x packet; and generate a second 802.1x packet using a second username and password received from a second device via a captive-portal web page. The network device may further include an authenticator state machine to authenticate the first device with a Remote Authentication Dial In User Service (RADIUS) server using a first Extensible Authentication Protocol (EAP) packet that includes the first 802.1x packet; authenticate the second device with the RADIUS server using a second EAP packet that includes the second 802.1x packet; receive a third EAP packet from a third device; and authenticate the third device with the RADIUS server using the third EAP packet.

Abstract: A disaster response system receives location data and status data from participating devices in an area affected by a disaster. The disaster response system provides data to client devices outside the affected area. The data indicate statuses of people within the affected area. Disaster response system also instructs routers to perform actions to adjust bandwidth available for a particular use during and after the disaster.

Abstract: A server device is configured to receive a request to identify a manner in which changed code propagates within an application; generate a group of blocks that correspond to code associated with a parent function corresponding to the application and which includes the changed code; perform an intra-procedural analysis on the group of blocks to identify a block that is affected by the changed code included within an epicenter block; perform an inter-procedural analysis on functions associated with the block, where, when performing the inter-procedural analysis, the server device is to generate another group of blocks associated with the functions, and identify another block that is affected by the changed code included within the epicenter block; and present, for display, information associated with the block or the other block that enables the application to be tested based on the block or the other block.

Abstract: A method and apparatus for switching a data packet between a source and destination in a network. The data packet includes a header portion and a data portion. The header portion includes routing information for the data packet. The method includes defining a data path in the router comprising a path through the router along which the data portion of the data packet travels and defining a control path comprising a path through the router along which routing information from the header portion travels. The method includes separating the data path and control path in the router such that the routing information can be separated from the data portion allowing for the separate processing of each in the router. The data portion can be stored in a global memory while routing decisions are made on the routing information in the control path.

Abstract: A system includes a storage device to store information associated with virtual nodes that correspond to network nodes. The system also includes a server to install a virtual node that corresponds to one of the network nodes, based on the information associated with the virtual node, where installing the virtual node includes creating a logical interface via which traffic is to be sent to, or received from, other virtual nodes; start the virtual node to create an operating virtual node based on a copy of an operating system that is run on the network node, where starting the virtual node causes the operational virtual node to execute the copy of the operating system; and cause the operating virtual node to communicate with a virtual network that includes the virtual nodes, where causing the operating virtual node to communicate with the virtual network enables the operating virtual node to receive or forward traffic associated with the virtual network.

Abstract: A system that processes single stream multicast data includes multiple queues, a dequeue engine, and/or a queue control engine. The queues temporarily store data. At least one of the queues stores single stream multicast data. A multicast count is associated with the single stream multicast data and corresponds to a number of destinations to which the single stream multicast data is to be sent. The dequeue engine dequeues data from the queues. If the data corresponds to the single stream multicast data, the dequeue engine examines the multicast count associated with the single stream multicast data and dequeues the single stream multicast data based on the multicast count. The queue control engine examines one of the queues to determine whether to drop data from the queue and marks the data based on a result of the determination.

Abstract: A device may identify signal channels for connecting circuit blocks, where each circuit block is associated with a block implementation area corresponding to a substrate. The device may assign a channel priority to each of the signal channels based on at least one channel criteria. The device may allocate a channel implementation area, corresponding to the substrate, for each of a plurality of signal channels, based on the channel priority assigned to the signal channel and based on the block implementation areas. The device may generate an integrated circuit design comprising the channel implementation area allocated for each of the plurality of signal channels.

Abstract: A device may include two or more line interfaces. One of the line interfaces may include a component to buffer a packet that is received at the line interface, perform a lookup of information related to selecting a flow based on a header of the packet, apply a symmetric hash function to addresses in the header to obtain a hash when the information related to selecting the flow indicates the flow is to be selected based on a random method, compare the hash to a particular number using the information related to selecting the flow, the particular number being same for the line interfaces, sample a flow when the hash matches the particular number, create a flow record for the flow, and sample packets based on the flow record.

Abstract: A network device may include multiple interfaces, each including a local database to store, in a first group of local records, information associated with a first group of data units sent from or received by a first one of the group of interfaces; a global database to store, in a group of global records, information associated with the first group of data units and information associated with a second group of data units sent from or received by a second one of said group of interfaces. The device may include a processor, to manage the local database and the global database; broadcast at least one of the local records to the second one of the group of interfaces; and analyze each of the local records to identify potential anomalies in the first group of data units.