Abstract: A method may include receiving, at a service server, a request for services from a requesting device. The service server may identify one or more service options responsive to the request and send a list of the identified service options to the requesting device. The service server may receive a selected service option from the requesting device. The service server may collect payment information for the selected service option from the requesting device and providing accounting information to a service provider of the selected service option based on the payment information.

Abstract: The reliability of the connection of a client edge (CE) device to a core network may be improved using redundant provider edge (PE) devices. A first of the PE devices may monitor a connection to the core network, where the PE device acts as a root device in a set of devices that implement a spanning tree using a spanning tree protocol and where a second PE device in the set of devices additionally connects to the core network. The PE device may additionally detect failure of the connection of the PE device to the core network; and change, in response to the detected failure of the connection, a spanning tree protocol priority value of the device to a value having a lower priority than that of the second PE device.

Abstract: Filters are selectively applied to packets depending on forwarding equivalence classes (FECs) of the packets. A FEC filter is defined within the network device and qualified by incoming interface information that identifies source sites of the packets. A label distribution protocol (LDP) FEC is configured such that packets of the given FEC are associated with the FEC filter. The FEC identifies a destination site of the packets received by the router and is automatically combined with incoming interface information. In this way, packet flows may be filtered based on FECs of the packets. FEC filters may be further refined to operate at forwarding class granularity. The techniques allow accurate billing of packets traveling between specific source and destination sites regardless of the number of interfaces of the network device the packets utilize. In addition, the filtering can be used to provide anti-spoofing capabilities.

Abstract: A route for a data unit through a network may be defined based on a number of next hops. Exemplary embodiments described herein may implement a router forwarding table as a chained list of references to next hops. In one implementation, a device includes a forwarding table that includes: a first table configured to store, for each of a plurality of routes for data units in a network, a chain of links to next hops for the routes; and a second table configured to store the next hops. The device also includes a forwarding engine configured to assemble the next hops for the data units based on using the chain of links in the first table to retrieve the next hops in the second table and to forward the data units in the network based on the assembled next hops.

Abstract: An example network device includes a network interface configured to receive a packet of a packet flow, wherein the packet flow is one of a plurality of packet flows processed by the network device, a flow cache configured to receive a lookup key associated with the packet flow, and a Bloom filter configured to process the lookup key. The flow cache is further configured to store information about a portion of the plurality of packet flows processed by the network device, and determine whether to store information about the packet flow by at least applying a selection criterion to processing of the lookup key by the Bloom filter. The flow cache is configured to determine whether the lookup key is stored in the flow cache, and, when the lookup key is stored in the flow cache, retrieve a stored result associated with the lookup key and output the stored result.

Abstract: A device, receives a unicast packet designating a unicast source and a unicast destination, and determines whether the received unicast packet is a Data Register message. The device extracts information relating to a multicast packet encapsulated within the unicast packet when the unicast packet is a Data Register message, and performs a security policy lookup based on the extracted multicast packet information to identify a security policy associated with the multicast packet. The device determines whether the identified security policy authorizes forwarding of the unicast packet, and establishes a multicast data session when the identified security policy authorizes forwarding of the unicast packet. The device establishes a multicast control session based on the multicast data session, where the multicast control session authorizes transmission of PIM-related control messages associated with the multicast packet.

Abstract: Methods, apparatus, and products for routing frames in a network using bridge identifiers, wherein the network includes a plurality of bridge nodes. At least one of the bridge nodes operates as an ingress bridge node through which frames are received into the network. At least one of the bridge nodes operates as an egress bridge node through which frames are transmitted out of the network. One of the bridge nodes receives, from the ingress bridge node, a frame for transmission to a destination node. The destination node connects to the network through the egress bridge node. The frame includes an ingress bridge identifier and an egress bridge identifier. The bridge that received the frame then routes the frame to the egress bridge node through which the destination node connects to the network in dependence upon the ingress bridge identifier and the egress bridge identifier included in the frame.

Abstract: A method includes receiving packets from a network with a plurality of packet-forwarding engines (PFEs) of a router, wherein the plurality of PFEs are interconnected by a switch fabric, determining an egress one of the PFEs for each of the packets, and forming fixed-sized fabric cells that share data associated with the packets that are destined for the same egress PFE while preventing packets destined for different egress PFEs to share any of the fabric cells. The fabric cells are transmitted through the switch fabric to communicate the packets to the egress PFEs.

Abstract: The subject matter of this document can be implemented in, among other things, a method that includes receiving network traffic associated with a computing device, the network traffic including packet flows communicated between the computing device and a network. The method also includes monitoring the network traffic over time, and identifying a plurality of network usage characteristics associated with the network traffic. The network usage characteristics include a usage time that corresponds to an amount of time the computing device has been consuming network resources and a network application identifier that corresponds to a network application being used by the computing device. The method also includes determining whether the network traffic violates a network usage policy based on two or more of the network usage characteristics, and decreasing, over a period of time, throughput of the network traffic that is determined to be violative of the network usage policy.

Abstract: A device provides a time domain reflectometry (TDR) or a vector network analyzer (VNA) test signal to a via test area provided on a printed circuit board (PCB), where the via test area includes vias and via stubs formed in the vias. The device also receives a reflected signal from each via in the via test area of the PCB, and compares the reflected signal from each via to a minimum impedance threshold. The device further provides, for display, an indication of passing for the PCB, when the reflected signals from the vias are greater than the minimum impedance threshold.

Abstract: A network interface card may issue interrupts to a host in which the determination of when to issue an interrupt to the host may be based on the incoming packet rate. In one implementation, an interrupt controller of the network interface card may issue interrupts to that informs a host of the arrival of packets. The interrupt controller may issue the interrupts in response to arrival of a predetermined number of packets, where the interrupt controller re-calculates the predetermined number based on an arrival rate of the incoming packets.

Abstract: In general, techniques are described for dynamic threat protection in mobile networks. A network system comprising a network security device and a management system may implement the techniques. The management system includes a network server having a shared database. A mobile device manager (MDM) of the management system receives a report message from a mobile device, specifying a threat to a mobile network. The MDM publishes the threat to the shared database. A network management system (NMS) of the management system receives data from the shared database identifying the threat and generates a security policy that specifies actions to address the threat. The NMS then installs the security policy in the network security device so that the network security device performs the actions of the security policy to address the threat.

Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.

Abstract: A network device includes a primary control unit that establishes a network tunnel with another network device. The network device applies a silent failover technique to failover from the primary control unit to a backup control unit while maintaining the network tunnel. The network tunnel may be, for example, a Layer 2 Tunneling Protocol (L2TP) tunnel, and the network device may be an L2TP Access Concentrator (LAC) or an L2TP Network Server (LNS). The techniques may prevent abnormal termination of the network tunnel during the failover. Once the failover from the primary control unit to the backup control unit is complete, the backup control unit synchronizes sequence numbers associated with the network tunnel with sequence numbers of the non-failed network device, and resolves inconsistencies between subscriber session databases of the backup control unit and the non-failed network device.

Abstract: Methods for optimizing the media path between multimedia endpoints in a network are described. One embodiment allows avoiding having to relay the media traffic through a central device, such as a border controller's media controller element, and lets endpoints communicate directly under various conditions.

Abstract: A device receives, from a client device, a request for a resource, where the request provides an identifier of the client device. The device selects a target device for the resource, connects with the selected target device, and provides a proxy of the request to the selected target device, where the proxy of the request hides the identifier of the client device. The device receives the resource from the selected target device, where the resource provides an identifier of the target device. The device provides a proxy of the resource to the client device, where the proxy of the resource hides the identifier of the target device.

Abstract: A system manages cables to connect to a device provided in a device chassis. The system includes a cable management boom connected to a top portion of the device chassis, cable management shelves connected to a side portion of the device chassis, and a cable management arm connected to and supported by the cable management shelves. The cable management arm is to retain the cables, pivot through an angle to provide access to the device provided in the device chassis, and route the cables from the device to the cable management boom. The cable management boom is to gather the cables, retain the cables, and route the cables above the device chassis.

Abstract: A network device component receives traffic, determines whether the traffic is host bound traffic or non-host bound traffic, and classifies, based on a user-defined classification scheme, the traffic when the traffic is host bound traffic. The network device component also assigns, based on the classification, the classified host bound traffic to a queue associated with network device component for forwarding the classified host bound traffic to a host component of the network device.

Abstract: Methods and devices for processing packets are provided. The processing device may Include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

Abstract: A method performed by a network device may include establishing performance-based Bidirectional Forwarding Detection (BFD) sessions for each link of a primary traffic engineering Label Switched Path (TE-LSP) and establishing performance-based BFD sessions for each link of a secondary TE-LSP. The method may also include, monitoring performance of the primary TE-LSP based on the performance-based BFD sessions for each link of the primary TE-LSP and monitoring performance of the secondary TE-LSP based on the performance-based BFD sessions for each link of the secondary TE-LSP. The method may further include determining that the performance of the primary TE-LSP is degraded based on the monitoring of the performance of the primary TE-LSP and automatically switching a flow of data unit traffic from the primary TE-LSP to the secondary TE-LSP when the performance of the primary TE-LSP is degraded.