Abstract: In some embodiments, an apparatus includes a first network device configured to receive, from a second network device, a first forwarding-state packet associated with a peripheral processing device and having a first generation identifier. The first network device is configured to receive, from a third network device, a second forwarding-state packet associated with the peripheral processing device and having a second generation identifier. The first network device is configured to implement forwarding-state information included in the first forwarding-state packet based on a comparison of the first generation identifier and the second generation identifier.

Abstract: A database enables versioning for objects stored in the database via a “snapshot” operation. In one implementation, a device performs a snapshot operation in which a snapshot object, representing a logical view of database objects at a time at which the snapshot operation is performed, is created and stored in the database. In response to a request to store a modified version of a database object, the modified version of the database object is written to replace the previous version of the database object when the database object was last modified after the most recent snapshot operation. Further, in response to the request to store the modified version of the database object, the modified version of the database object is inserted in the database when the previous version of the database object was last modified before the most recent snapshot operation.

Abstract: In some embodiments, an apparatus includes a route reflector implemented in at least one of a memory or a processing device. The route reflector is configured to be included within a switch fabric system. The route reflector is configured to receive, from a network management module, an instruction to install a route associated with a multi-stage switch, and send the instruction to install to a route target network control entity associated with the multi-stage switch. The route reflector is also configured to receive, from the route target network control entity, a first acknowledgement signal indicating that the route was successfully installed at the route target network control entity. The route reflector is configured to send a second acknowledgement signal to the network management module in response to receiving the first acknowledgement signal.

Abstract: A network device may be configured to filter network traffic using multiple different filters bound to different interfaces of the network device. The network device may include logic to identify a relationship map that describes a topology of bind-points associated with the network device. Additionally, the network device may include logic to generate a merge graph based on the relationship map, the merge graph including one or more nodes, where each node represents a walk through the relationship map and includes one or more merge-points, where each merge-point is defined as a filter associated with a bind-point. The network device may also include a ternary content-addressable memory (TCAM) programmed to include entries based on the nodes of the merge graph.

Abstract: In some embodiments, an apparatus includes a module within a first stage of a switch fabric, a module within a second stage of the switch fabric, and a module within a third stage of the switch fabric. The module within the first stage is configured to send data to the module within the second stage. The module within the second stage is configured to send data to the module within the third stage. The module within the second stage is configured to send a first suspension indicator to the module within the third stage. The module within the third stage is configured to send a second suspension indicator to the module within the first stage in response to the first suspension indicator. The module within the first stage is configured to stop sending data to the module within the second stage in response to the second suspension indicator.

Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.

Abstract: A multi-chassis network device may automatically detect whether cables connected between chassis devices are correctly inserted. The device may insert, into a first data stream output from a first port of the device, control information identifying the first port. The device may receive, from a second data stream received by the first port of the device, second control information identifying a second port, at another device connected to the device via a cable. The device may determine, based on the second control information, whether the connection of the first port to the second port, via the cable, is valid and cause, when the connection of the first port to the second port is determined to not be valid, the device to output an indication that the connection is not valid or to reconfigure the device to make the connection of the first port to the second port valid.

Abstract: A device identifies, based on a program code instruction, an attempted write access operation to a fenced memory slab, where the fenced memory slab includes an alternating sequence of data buffers and guard buffers. The device assigns read-only protection to the fenced slab and invokes, based on the attempted write access operation, a page fault operation. When a faulting address of the attempted write operation is not an address for one of the multiple data buffers, the device performs a panic routine. When the faulting address of the attempted write operation is an address for one of the multiple data buffers, the device removes the read-only protection for the fenced slab and performs a single step processing routine for the program code instruction.

Abstract: A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.

Abstract: A network device includes a main storage memory and a queue handling component. The main storage memory includes multiple memory banks which store a plurality of packets for multiple output queues. The queue handling component controls write operations to the multiple memory banks and controls read operations from the multiple memory banks, where the read operations for at least one of the multiple output queues alternates sequentially between the each of the multiple memory banks, and where the read operations and the write operations occur during a same clock period on different ones of the multiple memory banks.

Abstract: An access network is described in which a centralized controller provides seamless end-to-end service from a core-facing edge of a service provider network through aggregation and access infrastructure out to access nodes located proximate to the subscriber devices. The controller operates to provide a central configuration point for configuring aggregation nodes (AGs) of a network of the service provider so as to provide transport services to transport traffic between access nodes (AXs) and edge routers on opposite borders of the network.

Abstract: First in, first out (FIFO) queues may be used to transfer data between a producer clock domain and a number of consumer clock domains. In one implementation, a control component for the FIFO queues may include a number of counters, corresponding to each of the consumer clock domains, each of the counters maintaining a count value relating to an amount of data read by the corresponding consumer clock domain. The control component may additionally include a credit deduction component coupled to the count values of the counters, the credit deduction component determining whether any of the count values is above a threshold, and in response to the determination that any of the count values is above the threshold, reducing the count value of each of the counters and issuing a write pulse signal to the producer clock domain, the write pulse signal causing the producer clock domain to perform a write operation to the FIFO queues.

Abstract: Techniques are described by which an IP telephone system leverages the digital signal processing functions of end-user IP telephones by distributing signal processing tasks typically carried out by a centralized IP-PBX. The end-user IP telephones publicize their signal processing capabilities and availabilities to an IP-PBX, which maintains a resource capability mapping of the IP telephones. When the IP-PBX receive a bitstream for a communication session involving IP telephones and/or legacy phones of the IP telephone system, the IP-PBX determines the signal processing requirements for the bitstream, selects an available, capable IP telephone to perform the requirements, and distributes the bitstream to the selected IP telephone. The IP telephone performs the requisite signal processing and returns the processed bitstream to the IP-PBX, which forwards the processed bitstream to the destination endpoint for the communication session.

Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.

Abstract: A call admission control technique allowing flexible and reliable call admissions at an ATM switch in the case of an ATM network including both QoS-specified and QoS-unspecified virtual connections is disclosed. In the case where a QoS (Quality of Service) specified connection request occurs, an estimated bandwidth is calculated which is to be assigned to an existing QoS-unspecified traffic on the link associated with the QoS-specified connection request. A call control processor of the ATM switch determines whether the QoS-specified connection request is accepted, depending on whether a requested bandwidth is smaller than an available bandwidth that is obtained by subtracting an assigned bandwidth and the estimated bandwidth from a full bandwidth of the link.

Abstract: In general, techniques are described for transmitting MPLS labels over a network. More specifically, a network device such a router receives a packet to be forwarded according to a label switching protocol, such as Multi-Protocol Label Switching (MPLS). The router may determine a service instance for the packet based on a client device from which the packet originated. The network device may determine one or more services to apply to the packet based on the service instance for the packet and generate a label which having a service instance portion and a service information portion. The network device may append the label to the packet to form an MPLS-encapsulated packet, and may forward the MPLS-encapsulated packet via an output interface according to the label switching protocol.

Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Abstract: A method may include receiving, in a first server from a second server, a request for a service of a network by a device; sending, from the first server to the second server, a response to the request for the service to permit access to the service; and sending state information about the response to a third server for storage in a database.

Abstract: Methods and apparatuses for inspecting packets are provided. A primary security system may be configured for processing packets. The primary security system may be operable to maintain flow information for a group of devices to facilitate processing of the packets. A secondary security system may be designated for processing packets upon a failover event. Flow records may be shared from the primary security system with the secondary security system.

Abstract: A storage server in a distributed content storage and access system provides a mechanism for dynamically establishing storage resources, such as buffers, with specified semantic models. For example, the semantic models support distributed control of single buffering and double buffering during a content transfer that makes use of the buffer for intermediate storage. In some examples, a method includes examining characteristics associated with a desired transfer of data, such as a unit of content, and then selecting characteristics of a first storage resource based on results of the examining. The desired transfer of the data is then affected to use the first storage resource element.