Abstract: A device includes a security process unit (SPU) associated with a logical ring of SPUs. The SPU receives a packet with an address associated with a malicious source, and creates, based on the packet, an entry in a data structure associated with the SPU. The entry includes information associated with the packet. The SPU provides an install message to a next SPU in the logical ring. The install message instructs the next SPU to create the entry in another data structure, and forward the install message to another SPU. The SPU receives the install message from a last SPU, and sets a state of the entry to active in the data structure based on receiving the install message from the last SPU. The SPU performs a particular action on another packet, associated with the malicious source, based on the setting the state of the entry to active.

Abstract: The disclosed computer-implemented method for debugging network nodes may include (1) detecting a computing event that is indicative of a networking malfunction within a network node, (2) determining, based at least in part on the computing event, one or more potential causes of the networking malfunction, (3) identifying one or more debugging templates that each define debugging steps that, when performed by a computing system, enable the computing system to determine whether the networking malfunction resulted from any of the potential causes, (4) performing a set of debugging steps defined by one of the debugging templates that corresponds to one of the potential causes, and then (5) determining, based at least in part on the set of debugging steps defined by the debugging template, that the networking malfunction resulted from the potential cause. Various other methods, systems, and apparatuses are also disclosed.

Abstract: A device may receive a set of packets. The device may select a first one or more packets, of the set of packets, for a Layer 7 (L-7) inspection based on a type of network traffic associated with the set of packets. The device may perform the L-7 inspection on the first one or more packets. The device may determine contextual information associated with the first one or more packets based on the L-7 inspection. The device may offload a second one or more packets, of the set of packets, for a Layer 4 (L-4) inspection without performing the L-7 inspection based on the contextual information associated with the first one or more packets.

Abstract: A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.

Abstract: In some embodiments, a method includes defining, by a processor included in a first node, a virtual-extensible-local-area-network (VXLAN) tunnel between the first node included in a first layer-two network, and a second node included in a second layer-two network, the VXLAN tunnel traversing at least one node of a layer-three network. The method includes receiving, at the first node, a layer-two data unit that is sent from a third node included in the first layer-two network, to a fourth node included in the second layer-two network. The method includes encapsulating, at the first node, the layer-two data unit to define an encapsulated data unit that includes a VXLAN header. The method includes sending the encapsulated packet from the first node towards the fourth node via the VXLAN tunnel.

Abstract: In some examples, a switching system includes a plurality of fabric endpoints and a multi-stage switching fabric. A fabric endpoint of the system is configured to receive, via the switch fabric, a plurality of cell streams, wherein each cell of a cell stream of the plurality of cell stream is associated with a sequence number that defines a correct ordering of cells of the cell stream; assign subsequences of each cell stream of the plurality of cell streams to respective reorder engines of the fabric endpoint; concurrently reorder the assigned respective subsequences to produce respective ordered subsequences for the subsequences, wherein the ordered subsequences are ordered according to the correct ordering of the corresponding cell stream; interleave the respective ordered subsequences for each cell stream to produce reordered cell streams each having correctly ordered cells; and process each reordered cell stream according to the corresponding correct ordering of cells.

Abstract: An apparatus includes a scheduler module operatively coupled to each memory block from a set of memory blocks via a shared address bus. The scheduler module is configured to receive a group of memory commands from a set of memory controllers. Each memory controller from the set of memory controllers is uniquely associated with a different memory block from the set of memory blocks. The scheduler module is configured to classify each memory command from the group of memory commands into a category based at least in part on memory commands previously sent to the set of memory blocks via the shared address bus. The scheduler module is configured to select an order in which to send each memory command from the group of memory commands to the set of memory blocks via the shared address bus based at least in part on the category of each memory command.

Abstract: A device may receive a packet that includes a destination address. The device may analyze a first Bloom filter, based on the destination address, in order to identify a prefix range entry associated with the destination address and included in a set of prefix range entries associated with the first Bloom filter. The device may analyze a second Bloom filter, based on the destination address and the identified prefix range entry, in order to identify a prefix length entry associated with the destination address and included in a set of prefix length entries associated with the second Bloom filter. The device may determine routing information associated with the identified prefix length entry. The routing information may identify a longest prefix match associated with the destination address. The device may provide the packet based on the routing information.

Abstract: In some embodiments, an apparatus includes an optical transceiver that includes a first set of electrical transmitters operatively coupled to a switch. Each electrical transmitter from the first set of electrical transmitters is configured to transmit an electrical signal from a set of electrical signals. In such embodiments, the switch is configured to switch an electrical signal from the set of electrical signals such that the set of electrical signals are transmitted via a second set of electrical transmitters. Each electrical transmitter from the second set of electrical transmitters is operatively coupled to an optical transmitter from a set of optical transmitters. The set of optical transmitters is operatively coupled to an optical multiplexer. In such embodiments, at least one electrical transmitter from the second set of electrical transmitters is associated with a failure within the optical transceiver.

Abstract: A network device creates a forwarding table that includes information associated with a set of destinations in a network, and determines next hops for the set of destinations. The network device populates the forwarding table with information associated with the next hops, and stores the forwarding table. The forwarding table is used to forward a multicast packet toward a multiple destinations, and includes separate entries that depend upon routes the multicast packet is to traverse towards destinations with multiple choices for next hops.

Abstract: A device may receive information that identifies a set of tasks to be executed and precedence constraints associated with the set of tasks. The device may store the set of tasks in a data structure including a directed acyclic graph, and may determine a set of paths based on the information that identifies the set of tasks and the precedence constraints associated with the set of tasks. Each path, of the set of paths, may include particular tasks of the set of tasks. The device may determine a set of path execution times, for the set of paths, based on an artificial intelligence technique. The device may determine a critical path, of the set of paths, based on the set of path execution times. The device may determine an execution priority of the set of tasks based on the critical path. The device may provide the set of tasks for execution based on the execution priority.

Abstract: An optical coupling device can include a first birefringent layer having opposing first and second surfaces. The first birefringent layer can split incident light received at the first surface into first and second beams. The first and second beams can have respective polarization orientations that are orthogonal to each other. The first birefringent layer can propagate the first and second beams along respective first and second paths within the first birefringent layer to the second surface. The first and second beams can be spatially separated at the second surface. A redirection layer facing the second surface of the first birefringent layer can include first and second grating couplers configured to respectively redirect the first and second beams to propagate within the redirection layer as respective third and fourth beams. In some examples, the third and fourth beams can have respective polarization orientations that are parallel to each other.

Abstract: In some embodiments, an apparatus includes an automatic integrated circuit (IC) handler having a change kit. The change kit has a plunger moveably disposable onto an automatic test equipment (ATE). In such embodiments, the ATE is configured to receive an integrated circuit having an optical interface. The plunger has a first position and a second position. In such embodiments, the plunger is out of contact with the integrated circuit when the plunger is in the first position. The plunger includes an optical connector operatively coupled to the optical interface of the integrated circuit when the plunger is in the second position.

Abstract: A system and method for service discovery. A network management system fetches, from a first network device, configuration data associated with a service executing on the first network device. In response to determining that the service extends across multiple network devices, the network management system constructs, based on the configuration data, a first partial service instance associated with the service executing on the first network device. The network management system merges a plurality of partial service instances to form a merged partial service instance, the plurality of partial service instances including the first partial service instance and a second partial service instance associated with the service executing on a different network device. The network management system promotes the merged partial service instance as a service instance.

Abstract: Techniques are described to provide split-horizon packet forwarding so as to ensure that packets from the customer network that are injected into the provider backbone bridging Ethernet Virtual Private Network (PBB-EVPN) by one of the provider edge (PE) devices of the multi-homed Ethernet segment are not forwarded back toward the customer network by a different PE device connected to the same multi-homed Ethernet segment. For example, a method may comprise receiving a packet via a core-facing interface of a first PE device, determining the Ethernet segment associated with the PE devices by a lookup operation based on keys of the packet; in response to determining the Ethernet segment, supplanting the core-facing interface of the first PE device with a virtual interface associated with the keys, and forwarding the packet to a second CE device without forwarding the received packet back to the Ethernet segment associated with the first PE device.

Abstract: An online network device monitoring and recovery system generates, based at least in part on a schema that describes entities included in a network device, a software entity profile of entity object instances that represent the entities included in the network device, the entities including both hardware components and interfaces between the hardware components. The system registers the software entity profile to one or more proxies implemented on the network device. The system receives diagnostic information corresponding to a respective entity from the plurality of entities represented in the software entity profile registered to the one or more proxies. The system communicates diagnostic information for the respective entity, and a respective connective path through the entities for the respective entity based at least in part on the software entity profile.

Abstract: In some embodiments, an apparatus includes a network node configured to be included in a set of network nodes operatively coupled to a core network node. The network node is configured to receive a first packet and a second packet from a host device operatively coupled to the network node. The network node is configured to send the first packet to the core network node via a first path of a tunnel between the network node and the core network node. The first path of the tunnel has a first cost. The network node is configured to send the second packet to the core network node via a second path of the tunnel. The second path has a second cost different than the first cost.

Abstract: In general, techniques are described for identifying a result set of multiple paths through a network for one or more label switched paths between a source node and a destination node. In some examples, the identified paths are computed to be broadly separate to avoid overlapping network elements. A device that routes the label switched paths to the network may select from the result set of multiple paths to route each of the label switched paths. In response to detecting a failure of a network element along the routed path for a label switched path, the device may select a new path from the result set that includes already-identified paths.

Abstract: In some examples, a path computation device is configured to compute, for a network of routers interconnected by a plurality of links in a network topology and based on a network topology model for the network topology, a first path that is a shortest path of the network topology model between a pair of nodes of the network topology model that represent a pair of the routers; increase, based on the first path, respective metrics for one or more links in the network topology model by respective finite values to obtain a modified network topology model; compute a second path that is a shortest path of the modified network topology model between the pair of nodes; and output data for at least one path of the first path and the second path to the network for programming a label switched path in the network on the at least one path.

Abstract: In general, techniques are described for filtering duplicate broadcast, unknown unicast, and multicast (BUM) packets in a network in which EVPN traffic is tunneled, using a tunneling protocol such as VXLAN or NVGRE, over an IP core network to provide network virtualization overlay (NVO) between provider edge (PE) devices that operate as Network Virtualization Endpoints (NVEs) for the NVO/Virtual Tunnel Endpoints (VTEPs) for the tunneling protocol.