Abstract: In general, principles of the invention relate to techniques for detecting data plane failures in Multi-Protocol Label Switching (MPLS) Label-Switched Paths (LSPs) that may be tunneled over one or more other LSPs. More specifically, the techniques described herein allow for testing connectivity of an LSP that is tunneled through at least one other LSP, and testing connectivity of an inter-autonomous system LSP. For example, a method comprises providing, with an intermediate label-switching router (LSR) of an LSP, instructions to an ingress LSR of the LSP to modify a forwarding equivalence class (FEC) stack of MPLS echo request packets. The intermediate LSR may provide the instructions within an MPLS echo reply packet.

Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The VPN network client is programmed to receive a web-based home page from an enterprise VPN appliance, process the web-based home page to identify a bookmark embedded within the response that corresponds to an enterprise webmail for the user and dynamically construct a user interface to have an input control native to the cellular mobile device for launching a native email client of the cellular mobile device to access the email without launching a web browser.

Abstract: In wireless networking, such as per the IEEE 802.11 standard, a technique automatically republishes an authentication credential to a global credential repository. A station can have a first credential, as is created when the station connects to a first access node of a wireless network. Upon trying and failing to connect to a second access node of the wireless network, the station can have a second credential created and published to the global credential repository. In some situations, the station then roams back to the first access node using the first credential. Efficiently, when the station uses the first credential at the first access node, the first credential can be automatically republished as a global credential. The automatic republishing of the first credential can ensure that the station is able to access the wireless network via various access nodes when roaming.

Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client establishes the VPN connection to concurrently include both a layer three (L3) tunnel that uses a first type of transport layer protocol of the operating system and a layer four (L4) tunnel that uses a second type of transport layer protocol of the operating system. The VPN handler determines whether network ports associated with the L3 tunnel are unblocked by an operating system and, when the network ports are unblocked, automatically transitions from the L4 tunnel to the L3 tunnel without terminating the VPN connection.

Abstract: A cable modem termination system measures signal qualities of upstream transmissions associated with one or more cable modems. The system monitors the measured upstream signal qualities, and selectively commands at least one of the one or more cable modems to switch between upstream channels based on the signal quality monitoring.

Abstract: An electronic device includes a bay for a removable component with a vertical axis of insertion and removal. The component is inserted upwardly in the electronic device with aid of an actuation mechanism. For example, the actuation mechanism may include a lever and a horizontal support member sized to hold the bottom side of the component. Rotation of the lever translates the support member in the vertical direction to smoothly lift the component into a seated position in which connectors in the component and the electronic device are coupled. The actuation mechanism may include a latch to hold the component securely in the seated position. Rotation of the lever in the opposite direction lowers the support member. The actuation mechanism may include one or more tabs on the horizontal support member or elsewhere that pull the component during removal to overcome the unmating force of the connectors.

Abstract: GPRS Tunneling Protocol (“GTP”) packets are intercepted by receiving a GTP tunnel packet, determining whether the GTP tunnel packet is to be intercepted, intercepting GTP tunnel packets if it is determined that the GTP tunnel packet is to be intercepted, and processing the intercepted GTP tunnel packets. Multiple tunnels may be intercepted simultaneously and GTP tunnel packets from different tunnels may be processed differently. Implementations include both inline and offline interception of GTP traffic between SGSN and GGSN.

Abstract: A network device receives a packet with a multicast nexthop identifier, and creates a mask that includes addresses of egress packet forwarding engines, of the network device, to which to provide the packet. The network device divides the mask into two portions, generates two copies of the packet, provides a first portion of the mask in a first copy of the packet, and provides a second portion of the mask in a second copy of the packet. The network device also forwards the first copy of the packet to an address of a first egress packet forwarding engine provided in the first portion of the mask, and forwards the second copy of the packet to an address of a second egress packet forwarding engine provided in the second portion of the mask.

Abstract: An apparatus includes a processor disposed within an enclosure and configured to communicate with multiple wireless devices. A first and a second antenna are disposed within the enclosure. The first antenna is configured to operate within a first band, and the second antenna is configured to operate within a second band. The second band has a center frequency less than a center frequency of the first band. The first antenna is configured to send a signal having a signal strength at a wireless device and associated with the first band, and the second antenna is configured to send a signal having a signal strength at the wireless device and associated with the second band. The signal strength for the signal associated with the first band is greater than the signal strength associated with the second band such that the wireless device selects the first band to communicate with the processor.

Abstract: A method and a network device for enabling communication between unnumbered interfaces are provided. A device level address may be assigned to a network device. The network device may announce the assigned device level address to a neighboring network device over a link. A corresponding device level address associated with the neighboring network device may be received over the link. A route may be stored including the received device level address associated with the neighboring network device and the link. In some implementations, the announcement of the assigned device level address is performed during protocol configuration.

Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Abstract: A subscriber network system is provided which is capable of reducing the response time and reducing the device cost. In the subscriber network system, a control cell is received that includes an ID portion, a data portion, and a cyclic redundancy check (CRC) portion. The control cell is processed in cooperation with a virtual path identifier (VPI), where the processing obtains the ID portion and the CRC portion. The ID portion and the CRC portion are processed and the ID portion is compared to a first stored value and the CRC portion is compared to a second stored value to produce information. A cell is produced to include the information and the produced cell is used to facilitate a connection in a network.

Abstract: A method includes operating in a normal mode to receive and transmit packets, where the network device is one of multiple network devices that operate as a virtual chassis, where the virtual chassis corresponds to a single logical network device, and detecting when the network device crashes. The method further includes initiating a resetting process and operating in a pass through mode, during the resetting process, where the pass through mode permits packets to be received and transmitted to the network devices of the virtual chassis.

Abstract: In general, techniques are described for utilizing anonymous cookies within computer networks to protect customer identities. In particular, a network device is configured to communicate with an edge router of a service provider network that provides access to a public network having network destinations. The network device includes a control unit and an interface. The control unit executes a content delivery layer and a privacy services layer. The content delivery layer receives a network communication sent from one of the customer devices to the public network. The privacy services layer replaces a destination-specified cookie within the network communication with an anonymous cookie, each of which conform to an application layer protocol. The anonymous cookie also specifies a pseudonym for the one of the customer devices that originated the network communication. The at least one interface then forwards the network communication including the anonymous cookie to the network destination.

Abstract: A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.

Abstract: A router receives a control plane message for constructing a first LSP to a destination within a network that conforms to a first type of LSP. The control plane message includes a label for the first LSP and an identifier that identifies a first type of data traffic. The router receives a second control plane message for constructing a second LSP that conforms to the first type of LSP. The second control plane message includes a label for the second LSP and an identifier that identifies a second type of data traffic. The router installs forwarding state in accordance with policies that associate the first and second types of data traffic with different LSPs of a second type that each traverse different paths through the network, and forwards packets via the interface in accordance with the installed forwarding state.

Abstract: A software patch is generated by determining the binary differences between a more secure version of the embedded system firmware and the currently operating, vulnerable version. The differences are extracted and analyzed to determine their basis in the source code for the more secure version. Source code that affects the binary differences may be compiled into a binary file and linked, off-line, with the binary executable file that contains the machine code for the currently operating version of the embedded system firmware, producing a security patch. The security patch may be installed on the embedded system at run-time, and it is then executed to modify the currently operating firmware to redirect firmware operation from vulnerable procedures toward the new, secure procedures contained in the software patch.

Abstract: In general, techniques are described for enhanced learning in layer two (L2) networks. A first network device of the intermediate network comprising a control unit and an interface may implement these techniques. The control unit executes a loop-prevention protocol (LPP) that determines a bridge identifier associated with a second network device of the intermediate network, where the first and second network devices each couple to a first network. The LPP selects the second network device as a root bridge and detects a topology change that splits the first network into sub-networks. The interface then outputs a message to direct remaining network devices of the intermediate network to clear L2 address information learned when forwarding L2 communications. The message includes the bridge identifier determined by the loop-prevention protocol as the root bridge and directs these remaining network devices to clear only the L2 addresses learned from this bridge identifier.

Abstract: Scheduling virtual upstream channels within one physical upstream channel is disclosed. The MAP messages of the virtual upstream channels that share the same physical upstream channel are synchronized together such that any one transmission opportunity for a given virtual upstream channel does not overlap with transmission opportunities of any other virtual channel. This includes converting all requests for transmission opportunities into a common unit and then scheduling these requests as appropriate.

Abstract: In some embodiments, an apparatus includes a first network switch configured to be within a Fibre Channel over Ethernet (FCoE) network, which has a set of network switches including the first network switch. The first network switch is configured to receive, from a first network device, a login signal including a proposed logical identifier for the first network device. The first network switch is configured to send, in response to the login signal, a multicast signal including the proposed logical identifier to remaining network switches from the set of network switches. As a result, a second network switch from the set of network switches enforces a zone policy in response to receiving the multicast signal and prior to sending the proposed logical identifier to a second network device.