Abstract: In general, techniques are described for providing multicast communication in a seamless MPLS architecture, in which thousands of PE routers within different routing areas of the same AS require P2MP connectivity to receive multicast communication. In particular, the techniques enable building inter-area P2MP segmented LSPs within an AS by stitching together intra-area segments of the inter-area P2MP segmented LSPs. The techniques provide LSP hierarchy with segmentation to enable aggregation of congruent intra-area segments within a routing area into an intra-area aggregate LSP. The AS may use the BGP as the inter-area label distribution protocol, and each routing area within the AS may independently select one of the multicast MPLS protocols as its intra-area label distribution protocol. The seamless MPLS architecture may be used by private network instances, such as multicast VPLS instances, MVPN instances, and IP multicast instances.

Abstract: A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.

Abstract: In one embodiment, an apparatus comprises a range selection module, a first stage of bloom filters, a second stage of bloom filters and a hashing module. The range selection module is configured to define a set of hash key vectors based on a set of range values associated with at least a portion of an address value from a data packet received at a multi-stage switch. The first stage of bloom filters and the second stage of bloom filters are collectively configured to determine that at least a portion of a hash key vector from the set of hash key vectors has a probability of being included in a hash table. The hashing module is configured to produce a hash value based on the hash key vector such that a first policy vector is selected based on the hash value and the first policy vector is decompressed to produce a second policy vector associated with the data packet.

Abstract: In general, techniques are described for preparing a computer network for planned events. A network device comprising a control unit and an interface implements these techniques. The control unit is configured to be a member a maintenance association that verifies connectivity a single service instance. The interface outputs a maintenance message to an additional network device to verify connectivity between the network device and the additional network device. The control unit receives an indication to initiate a planned event capable of disrupting the maintenance association. Prior to the control unit performing the planned event, the interface generates a modified maintenance message indicating that the planned event will be performed by the network device. The interface then transmits the modified outgoing maintenance message to the additional network device to direct the additional network device to avoid detecting the planned event as a connectivity fault.

Abstract: In one embodiment, an apparatus can include a policy vector module configured to retrieve a compressed policy vector based on a portion of a data packet received at a multi-stage switch. The apparatus can also include a decompression module configured to receive the compressed policy vector and configured to define a decompressed policy vector based on the compressed policy vector. The decompressed policy vector can define a combination of bit values associated with a policy.

Abstract: An ATM switching system 1 is provided with an ATM switch 11, a reserved connection memory 12 for storing reserved connection information, a call history memory 13 for maintaining call histories of requests for connection from subscriber's terminal units 2?1 to 2?n, and a call-signal processing section 15. The call-signal processing section 15 generates a request for connection with respect to a trunk ATM switching network 3 by the use of the call histories in the call history memory 13 in the case where no call was issued from the subscriber's terminal units, and stores response results thereof in the reserved connection memory 16. Thereafter, when there was a call from the subscriber's terminal units 2?1 to 2?n and contents of the request for connection thereof are the same as the reserved connection information, which has been stored in the reserved connection memory 16, processing for connection is executed by the use of the reserved connection information.

Abstract: Malfunctioning machine to machine (M2M) devices in a wireless network can be detected and blocked from the network. In one implementation, a device may monitor uplink traffic from a M2M device and determine, based on the monitoring, whether the M2M device is malfunctioning with respect to an uplink data rate of the M2M device. The device may transmit, in response to the determination that the M2M device is malfunctioning, one or more messages instructing network devices to delete communication sessions corresponding to the M2M device, where at least one of the one or more messages is associated with a time period value indicating a time period in which the deletion of the communication session is to be enforced.

Abstract: A network device may include a heterogeneously organized TCAM in which entries for different applications implemented by the network device are stored at arbitrary locations in the TCAM. The TCAM may be programmed to include entries representing a plurality of prefix tree (“trie”) data structures used in processing network traffic received by the network device. The TCAM may also include logic to insert an entry in the TCAM based on a defragmentation operation performed on the TCAM in which a candidate entry having a minimum relocation weight is chosen to be relocated as part of the defragmentation operation, where the relocation weight is determined based on trie depths corresponding to entries that occupy the candidate entry before defragmentation.

Abstract: A method may include recognizing, by a PEP, a connection failure to a PDP, establishing a reconnection, initiating, by the PEP, a fast state synchronization based on a client-open message of the common open policy service for policy provisioning (COPS-PR) protocol, receiving, by the PEP, an acceptance for the fast state synchronization based on a null decision message of the COPS-PR protocol, and transmitting, by the PEP, differential state information to the PDP.

Abstract: In one embodiment, a method includes detecting a virtual resource hosted by a host device, selecting a configuration template associated with the virtual resource, and providing a provisioning instruction to a virtual switch module hosted by the host device based on the configuration template. The host device is operatively coupled to a network device. The detecting is at the network device; the selecting is at the network device; and the providing is at the network device. The virtual switch module is in communication with the virtual resource. The configuration template associated with the virtual resource is selected from a library of configuration templates accessible to the network device.

Abstract: In general, techniques are described for managing distributed address pools within network devices. A network device that includes a control unit and at least one interface may implement these techniques. The control unit stores data defining a network address pool shared by both the network device and another network device. The control unit includes a shared pool manager module that evaluates the data defining the network address pool to determine a block of addresses of the network address pool that is not in use by the other network device. The at least one interface transmits a request to the other network device requesting the determined block and receives a response from the other network device indicating whether one or more addresses of the requested block are available. The control unit then allocates one or more addresses from the requested block to subscriber devices based on the indication in the response.

Abstract: In some embodiments, an apparatus implemented in a memory and/or a processing device includes a first network control entity to manage a first data plane module associated with a port from a set of ports at a first access switch. The first network control entity associates an identifier of a peripheral processing device operatively coupled to the port from the set of ports with a next hop reference. The first network control entity provides the next hop reference to a second network control entity that manages a second data plane module at a second access switch such that the second data plane module can append the next hop reference to a data packet when the peripheral processing device is within a data path between and including the second access switch and a destination peripheral processing device.

Abstract: A circuit board includes a controller, a first feedback pin, and a second feedback pin. The controller determines a first voltage measurement associated with the first feedback pin. The controller further determines whether the first feedback pin is disconnected from the controller based on the first voltage measurement. The controller determines a second voltage measurement associated with the second feedback pin when the first feedback pin is disconnected from the controller. The controller also adjusts an output voltage of the controller based on the second voltage measurement when the first feedback pin is disconnected from the controller.

Abstract: A network layer device controls provision of data link layer functionality by a data link layer device to provide a requested multimedia service to a subscriber. For example, the network layer device may control the performance of multicast elaboration by the data link layer device, or the queuing and forwarding of packets by the data link layer device to facilitate transmission of packets according to a Quality of Service class. The network layer device may send control messages to the data link layer device to dynamically configure a control object stored by the data link layer device, such as multicast filter information or a Quality of Service profile. The network layer device may be a service edge router, and the data link layer device may be a customer premises equipment device, e.g., a modem or wireless access point, or a switch, e.g., a digital subscriber line access multiplier.

Abstract: In one embodiment, an apparatus includes an intake buffer module and a flow control module configured to define an available bits indicator, the available bits indicator representing a number of unallocated bits within the intake buffer module. The apparatus further includes a transceiver module configured to transmit, to a peripheral device, a credit update frame based at least in part on the available bits indicator. The transceiver module can be configured to receive a Fiber Channel over Ethernet (FCoE) frame from the peripheral device, a size of the FCoE frame being less than or equal to the number of unallocated bits. The apparatus can further include a switch fabric interface module operatively coupled to a plurality of switch fabric devices that define at least a portion of a switch fabric.

Abstract: A network controls provision of access functionality by an access node to provide a network service to a subscriber device. For example, the network device may control the queuing and forwarding of packets by the access node to facilitate packet transmission according to, for example, a Quality of Service class. The network device may send control messages to the access node to dynamically configure a control object stored by the access node, such as a Quality of Service profile. The network device may be a router, and the access node may be a base station that wireless communicates with a subscriber device, e.g., a cellular phone. The access node may then delivery the packets in accordance with the dynamically configured control object.

Abstract: A method performed by a Dynamic Host Configuration Protocol (DHCP) server comprising receiving a DHCP DISCOVER message from a DHCP client; generating a challenge in response to the DHCP DISCOVER message; sending the challenge to an authentication device; receiving a first challenge response from the authentication device; generating a DHCP OFFER message; sending the challenge to the DHCP client in the DHCP OFFER message; receiving a DHCP REQUEST message that includes a second challenge response from the DHCP client; comparing the first challenge response with the second challenge response; and authenticating the DHCP client when the first challenge response and the second challenge response match.

Abstract: A device may include first logic configured to receive a data unit and to receive a network policy. The device may include second logic configured to identify how the data unit will be handled by the network policy and to generate a result that includes information about how the data unit will be handled by the network policy.

Abstract: A system provides congestion control and includes multiple queues that temporarily store data and a drop engine. The system associates a value with each of the queues, where each of the values relates to an amount of memory associated with the queue. The drop engine compares the value associated with a particular one of the queues to one or more programmable thresholds and selectively performs explicit congestion notification or packet dropping on data in the particular queue based on a result of the comparison.

Abstract: This disclosure describes techniques to reduce traffic loss for a Border Gateway Protocol (BGP) session by delaying re-advertisement of routes received from a newly re-established multi-homed router by a primary router until all the routes are installed in a forwarding plane of the primary router. The techniques of this disclosure make use of a BGP marker received from the multi-homed router that indicates the end of a route download for an address family. Upon receiving the BGP marker, a control plane of the primary router requests a route acknowledgement message (Route-ACK) from the forwarding plane for only the last route of the address family received before the BGP marker. When the control plane receives the Route-ACK indicating that the last route has been installed in the forwarding plane, the primary router initiates re-advertisement of the routes to other BGP peer routers.