Abstract: A method includes receiving one or more of user information, role information, or authorization information associated with a user accessing a network, selecting a traffic flow to monitor that is associated with the one or more of user information, role information, or authorization information, monitoring the traffic flow, determining whether an anomaly exists with respect to the traffic flow based on a traffic behavior pattern associated with the one or more of user information, role information, or authorization information, and performing a security response when it is determined that the anomaly exists.

Abstract: A system improves bandwidth used by a data stream. The system receives data from the data stream and partitions the data into bursts. At least one of the bursts includes one or more idles. The system selectively removes the idles from the at least one burst and transmits the bursts, including the at least one burst.

Abstract: A circuit simulation apparatus is disclosed by which, even if an STS-N frame of an abnormal length is detected by a reassembly buffer, the frame length can be compensated for while preventing an overflow of the reassembly buffer. When an STS-(N×M) frame formed by multiplexing M STS-N frames formed from different channels is cellularized into ATM cells or M different STS-N frames assembled from ATM cells are multiplexed into an STS-(N×M) frame, an ATM cell sync signal and ATM cell data from a buffer section are outputted as a frame pulse signal and frame data from a reassembly section to a circuit termination section, and frame length compensation of the frame pulse signal and the frame data is performed by the reassembly section.

Abstract: In general, techniques are described for performing scalable layer two (L2) learning in computer networks. A network device that includes interfaces and a control unit may implement these techniques. The control unit stores a L2 learning table having entries that are each associated with a service tag identifying a service virtual local area network. In response to receiving a packet that includes a service tag, the interfaces access the L2 learning table using the service tag to determine whether any of the entries of the L2 learning table are associated with the service tag. When none of the entries are associated with the service tag, the L2 learning module updates the L2 learning table to create a new entry defining an association between the one of the interfaces that received the packet and the service tag.

Abstract: A device identifies, based on a program code instruction, an attempted write access operation to a fenced memory slab, where the fenced memory slab includes an alternating sequence of data buffers and guard buffers. The device assigns read-only protection to the fenced slab and invokes, based on the attempted write access operation, a page fault operation. When a faulting address of the attempted write operation is not an address for one of the multiple data buffers, the device performs a panic routine. When the faulting address of the attempted write operation is an address for one of the multiple data buffers, the device removes the read-only protection for the fenced slab and performs a single step processing routine for the program code instruction.

Abstract: A method may include receiving, in a first server from a second server, a request for a service of a network by a device; sending, from the first server to the second server, a response to the request for the service to permit access to the service; and sending state information about the response to a third server for storage in a database.

Abstract: A system receives discovery rule inputs that include addresses, verifies one or more device identifiers for one or more addresses, obtains device information from each verified device associated with the one or more verified device identifiers, determines whether each verified device is a discovered device based on the device information, and automatically adds each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discovered. The system further creates device configuration information, creates an identifier and password, provides device configuration information, the identifier, and the password, to each of the discovered devices based on the NETCONF or the Device Management Interface standards, waits for a connection from the discovered devices, imports device configuration information from the discovered devices when the connection has been established, and indicates that the discovered devices are managed devices.

Abstract: A connection between network nodes in a communication network is backed up. A failover switched path such as a label-switched path (LSP) is created starting at a first network node of a connection and ending at the second node of the connection, while bypassing the protected connection. In the event of connection failure, data is transmitted through the failover switched path (e.g., LSP). A network operator can selectively protect different types of data by using filters that bind one or more types of traffic received over one or more interfaces to different failover switched paths (LSPs).

Abstract: A computing device may receive content from a content source. The content may include software code that is executable by a web browser, and may be directed to another computing device. The computing device may inject security content into the content. The security content may include software instructions to enable the web browser to detect malicious software content within the content. The computing device may communicate the content to the other computing device.

Abstract: An intermediate network device intercepts a packet flow associated with a communication session between a client device and a server, splits the intercepted packet flow of the communication session into a plurality of application-layer data channels, wherein each application-layer data channel represents an independent stream of application-layer data within the communication session, performs Quality of Service (QoS) processing on the application-layer data channels, combines the plurality of QoS-processed application-layer data channels into a combined packet flow, and outputs the combined packet flow onto the communication session between the client device and the server.

Abstract: Techniques are described for detecting failure or degradation of a service enabling technology function independent from an operational state of a service node hosting the service enabling technology function. For example, a service node may provide one or more service enabling technology functions, and service engineered paths may be traffic-engineered through a network to service node network devices that host a service enabling technology function. A monitor component at the service layer of the service node can detect failure or degradation of one or more service enabling technology functions provided by the service node. The monitor component reports detection of failure or degradation to a fault detection network protocol in a forwarding plane of the service node. The fault detection network protocol communicates with an ingress router of a service engineered path to trigger fast reroute by the ingress of traffic flows to bypass the affected service enabling technology function.

Abstract: Techniques are described for distributing network device tasks across virtual machines executing in a computing cloud. A network device includes a network interface to send and receive messages, a routing unit comprising one or more processors configured to execute a version of a network operating system, and a virtual machine agent. The virtual machine agent is configured to identify a virtual machine executing at a computing cloud communicatively coupled to the network device, wherein the identified virtual machine executes an instance of the version of the network operating system, to send, using the at least one network interface and to the virtual machine, a request to perform a task, and to receive, using the at least one network interface and from the virtual machine, a task response that includes a result of performing the task. The routing unit is configured to update the network device based on the result.

Abstract: An example device includes an interface to receive, from a device management system, a request message that conforms to a network management protocol, a control unit that provides an execution environment for a management agent, and a data repository. The request message includes a set of managed object identifiers and a set of filter operator object identifiers. The management agent is operable to generate at least one filter criterion based on the managed object identifiers and the filter operator object identifiers, to retrieve managed object values stored in the data repository based on the managed object identifiers, each corresponding to a respective managed object identifier specified in the request message, to generate and output to the device management system a response message based on the managed object identifiers of the request message and the retrieved managed object values that satisfy one or more of the at least one filter criterion.

Abstract: An apparatus includes a memory configured to store multiple route descriptors as a tree, a communications interface configured to be in communication with an access switch, and a processor operatively coupled to the memory and the communications interface. Each route descriptor is a node within the tree, and includes a next hop destination associated with a next hop destination of a route associated with that route descriptor and a next hop indicator associated with a quantity of routes represented by that route descriptor. A first route descriptor has a first child route descriptor and a second child route descriptor. The processor is configured to define, at a first time, a value of the next hop destination of the first route descriptor and to send, at a second time after the first time, the value of the next hop destination of the first route descriptor to the access switch.

Abstract: A packet switching system capable of ensuring the sequence and continuity of packets and further compensating for delays in transmission is disclosed. Each of two redundant switch sections has a high-priority queue and a low-priority queue for each of output ports. A high-priority output selector selects one of two high-priority queues corresponding to respective ones of the two switch sections to store an output of the selected one into a high-priority output queue. A low-priority output selector selects one of two low-priority queues corresponding to respective ones of the two switch sections to store an output of the selected one into a low-priority output queue. The high-priority and low-priority output selectors are controlled depending on a system switching signal and a packet storing status of each of the high-priority and low-priority queues.

Abstract: In one aspect the invention provides a method for allocating bandwidth in a network appliance where the network appliance includes a plurality of guaranteed bandwidth buckets used to evaluate when to pass traffic through the network appliance. The method includes providing a shared bandwidth bucket associated with a plurality of the guaranteed bandwidth buckets, allocating bandwidth to the shared bandwidth bucket based on the underutilization of bandwidth in the plurality of guaranteed bandwidth buckets and sharing excess bandwidth developed from the underutilization of the guaranteed bandwidth allocated to the individual guaranteed bandwidth buckets. The step of sharing includes borrowing bandwidth from the shared bandwidth bucket by a respective guaranteed bandwidth bucket to allow traffic to pass immediately through the network appliance.

Abstract: To provide a switching system with telephone switching function mainly on the basis of hardware processing by using isochronous channel which is a real time communication channel. The switching system comprises a gateway node connected with ISDN (Integrated Services Digital Network) and PSTN (Public Switched Telephone Network), and one or more extension nodes, and a serial bus such as IEEE 1394 bus. The gateway node transforms data rate of outside line into data rate of extension node, and the other way around, and secure a seamless communication channel. Concretely, the gateway node secures an isochronous channel, according to a request from the extension nodes or the outside line, and executes switching such as transfer or reservation. A resource manager holds a table for managing the gateway node and extension node.

Abstract: An example network device includes a network interface and a control unit that receives a packet having header information. The control unit includes a forwarding structure having a plurality of entries that each refers to one of a plurality of logical interfaces, a forwarding engine configured to access the forwarding structure to select a first logical interface to which to forward the packet based on the header information, wherein the first logical interface comprises a pseudo-device interface (PDI). The control unit also includes a PDI module that tunnels the packet to an external service complex (ESC) by at least applying a set of metadata to the packet, encapsulating the packet with a header, and forwarding the packet to the ESC via the network interface, and wherein the metadata allows the ESC to determine a set of services to be applied to the packet based on the metadata.

Abstract: In one example, a network device receives a packet to be forwarded according to a label switching protocol, determines a service to be performed on the packet by a service network device, sends a label request message to the service network device, wherein the label request message indicates support for labels having a particular length, wherein the particular length is larger than twenty bits (e.g., forty bits), and wherein the label request message specifies the service to be performed on the packet, receives, in response to the label request message, a label mapping message defining a label of the particular length, appends the label to the packet to form a Multi-Protocol Label Switching (MPLS)-encapsulated packet, and forwards the MPLS-encapsulated packet according to the label switching protocol.

Abstract: Techniques are described for scaling Multiprotocol Label Switching (MPLS) across areas of an autonomous system using a labeled interior Border Gateway Protocol (iBGP). A method includes executing a first label distribution protocol at a border node at a border between two of a plurality of interior gateway protocol (IGP) areas of a single autonomous system (AS), and exchanging label distribution messages using the first label distribution protocol to establish a first intra-area label switched path (LSP) within a first one of IGP areas. The method also includes executing a labeled interior border gateway protocol at the border node, and exchanging label distribution messages using the labeled interior border gateway protocol to establish a hierarchical inter-area LSP that runs over the previously established first intra-area LSP, wherein the hierarchical inter-area LSP extends across the plurality of IGP areas of the AS.