Abstract: A method may include establishing a first Point-to-Point Protocol (PPP) session on an interface, receiving an indication of a layer one failure, omitting for a period of time, an indication that the first PPP session on the interface is down, based on the indication of the layer one failure, establishing a layer one switchover to another interface based on the indication of the layer one failure, and attempting during the period of time, to establish a second PPP session on the other interface.

Abstract: A method may include authenticating a node over layer 2 in a network based on authentication rules; sending a node authentication code to the node; and providing layer 3 network access based on the node authentication code.

Abstract: The subject matter of this specification can be implemented in, among other things, a method that includes receiving, at a first network device that is associated with an MVPN, an mtrace message that identifies a source device that is associated with the MVPN and that is separated from the first network device by an MPLS network. The method further includes determining an LSP from the first network device to a second network device that is associated with the MVPN and that is separated from the first network device by the MPLS network. The method further includes adding an IP header to the mtrace message, the IP header including a destination address set to a localhost loopback IP address. The method further includes encapsulating the mtrace message with an MPLS label stack that causes the encapsulated mtrace message to reach an instance of the MVPN on the second network device.

Abstract: A method for transferring a packet that is capable of permitting address resolution based on layer 3 packet filter information and that is further capable of preventing establishing an undesirable short cut path is provided. In a network, a server that receives an address resolution request packet from a client determines if the address resolution request packet should be forwarded to another server or another client based on a layer 3 packet filter information.

Abstract: A network device includes an interface (105), a TCP/IP protocol fast processing path (115), and a TCP/IP protocol slow processing path (110). The interface (105) receives a packet and parses the packets to determine a characteristic of the packet. The TCP/IP protocol fast processing path (115) processes the packet if the characteristic of the packet includes a first characteristic. The TCP/IP protocol slow processing path (110) processes the packet if the characteristic of the packet includes a second characteristic.

Abstract: A system includes a memory and a controller. The controller may include a group of pads and an allocation register. The controller is configured to receive input signals corresponding to the group and allocate each one of the pads to output one of the input signals based on a configuration of pins of the memory. The controller is also configured to redirect the input signals, within the controller, based on the allocation of the pads and output the input signals from the controller into the pads.

Abstract: Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack, wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that packet is encrypted, the attack detection module determines that the packet is associated with a network attack.

Abstract: In one embodiment, an apparatus can include a first edge device that can have a packet processing module. The first edge device can be configured to receive a packet. The packet processing module of the first edge device can be configured to produce cells based on the packet. A second edge device can have a packet processing module configured to reassemble the packet based on the cells. A multi-stage switch fabric can be coupled to the first edge device and the second edge device. The multi-stage switch fabric can define a single logical entity. The multi-stage switch fabric can have switch modules. Each switch module from the switch modules can have a shared memory device. The multi-stage switch fabric can be configured to switch the cells so that the cells are sent to the second edge device.

Abstract: A network router includes a plurality of interfaces configured to send and receive packets, and a routing component comprising: (i) a routing engine that includes a control unit that executes a routing protocol to maintain routing information specifying routes through a network, and (ii) a forwarding plane configured by the routing engine to select next hops for the packets in accordance with the routing information. The forwarding plane comprises a switch fabric to forward the packets to the interfaces based on the selected next hops. The network router also includes a security plane configured to apply security functions to the packets. The security plane is integrated within the network router to share a streamlined forwarding plane of the routing component.

Abstract: In one embodiment, a method includes receiving a provisioning instruction including a device identifier from an external management entity, receiving the device identifier from a network device, associating the provisioning instruction the network device, and sending a portion of the provisioning instruction to the network device. The device identifier being associated with a virtual resource. The associating is based on the device identifier of the virtual resource and a device identifier of a network device. The portion of the provisioning instruction is sent to the network device based on the associating.

Abstract: A device receives, from a client device, a request for a resource, and accesses a table that includes one or more items of information. The device compares information provided in the request to the one or more items of information provided in the table, and terminates a connection for the request at the device when the information provided in the request matches at least one of the one or more items of information provided in the table. The device forwards the request to a network when the connection is not terminated at the device, and selects a target device for the resource when the connection is terminated at the device.

Abstract: A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Abstract: A device receives, from a client device, a request for a resource, where the request provides an identifier of the client device. The device selects a target device for the resource, connects with the selected target device, and provides a proxy of the request to the selected target device, where the proxy of the request hides the identifier of the client device. The device receives the resource from the selected target device, where the resource provides an identifier of the target device. The device provides a proxy of the resource to the client device, where the proxy of the resource hides the identifier of the target device.

Abstract: A device receives, from a client device, a request for a resource, and determines, based on information provided in the request, whether to terminate a connection for the request at the device. The device forwards the request to a network when the connection is not terminated at the device, and selects a target device for the resource when the connection is terminated at the device. The device also provides the request to the selected target device, receives the resource from the selected target device, and provides the resource to the client device.

Abstract: In some embodiments, an apparatus includes a module within a first stage of a switch fabric, a module within a second stage of the switch fabric, and a module within a third stage of the switch fabric. The module within the first stage is configured to send data to the module within the second stage. The module within the second stage is configured to send data to the module within the third stage. The module within the second stage is configured to send a first suspension indicator to the module within the third stage. The module within the third stage is configured to send a second suspension indicator to the module within the first stage in response to the first suspension indicator. The module within the first stage is configured to stop sending data to the module within the second stage in response to the second suspension indicator.

Abstract: A system selectively drops data from queues. The system includes a drop table that stores drop probabilities. The system selects one of the queues to examine and generates an index into the drop table to identify one of the drop probabilities for the examined queue. The system then determines whether to drop data from the examined queue based on the identified drop probability.

Abstract: A method includes receiving configuration data for configuring network devices; generating remote procedure calls (RPCs) for configuring the network devices, which include provisioning and reverse provisioning RPCs, where each reverse provisioning RPC reverse provisions a particular pseudowire; providing to the network devices the provisioning RPCs; determining a success with respect to each of the provisioning RPCs, where the success indicates that all endpoints of a pseudowire have been successfully configured; providing the reverse provisioning RPCs to the network devices, when it is determined that the success has not been achieved; and storing an indication of success when it is determined that the success has been achieved with respect to the provisioning RPCs.

Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric. The multi-stage switch fabric has a set of ingress ports and a set of egress ports. The switch core can be configured to be coupled to a set of edge devices via the set of ingress ports and the set of egress ports. The switch core can be configured to receive a packet from an ingress port from the set of ingress ports. The switch core can be configured to send a set of cells associated with the packet from the ingress port to an egress port from the set of egress ports without a store-and-forward delay associated with a zero-load latency for the switch core.

Abstract: A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.

Abstract: A method may include receiving a request for a lawful intercept (LI) session, where the LI session is associated with a particular priority of a set of priority levels, and determining whether a maximum quantity of LI sessions has been initiated by a network device. The method may further include initiating a new LI session based on the request, when the maximum quantity of LI sessions has not been initiated; determining whether at least one LI session exists that is associated with a lower priority than the particular priority, when the maximum quantity of LI sessions has been initiated; and terminating a particular LI session associated with a lowest priority and initiating a new LI session based on the received request, when the at least one LI session associated with the lower priority exists.