Abstract: In general, techniques are described that facilitate scalable wholesale layer two (L2) connectivity between customers and service providers and a demarcation between the L2 wholesale network and one or more ISPs with which customers communicate L2 PDUs. In one example, a network device receives PDU having both a service identifier identifying a service virtual local area network (SVLAN) and a customer identifier identifying a customer VLAN (CVLAN). A virtual switch determines whether an entry of a L2 learning table is associated with both the service identifier and the customer identifier of the PDU. When no such entry exists, a VLAN learning module updates the L2 learning table to create a new entry that maps to a network device interface and is associated with both the service identifier of the PDU and a plurality of customer identifiers that includes the customer identifier of the PDU.

Abstract: In general, techniques for implementing a flow distribution service using a plurality of traffic nodes that may operate as processing nodes of a distributed computing system are described. In some examples, the traffic nodes in the aggregate form a virtual appliance configured to apply a network service to packet flows.

Abstract: In general, this disclosure describes techniques for applying, with a network device, subscriber-specific packet processing using an internal processing path that includes service objects that are commonly applied to multiple packet flows associated with multiple subscribers. In one example, a network device control plane creates subscriber records that include, for respective subscribers, one or more variable values that specify service objects as well as an identifier for a packet processing template. A forwarding plane of the network device receives and maps subscriber packets to an associated subscriber record and then processes the packet by executing the packet processing template specified by the subscriber record. When the forwarding plane reaches a variable while executing the specified packet processing template, the forwarding plane reads the associated variable value from the subscriber record to identify and then apply the subscriber-specific service object specified by the variable.

Abstract: Techniques are described for performing inline NAT functions in a forwarding element of a mobile gateway router or other device in which subscriber sessions of a mobile access network are distributed across a plurality of session management cards. The session management cards pre-allocate a public network address and port range for subscribers at the time a network connection is established in response to connection request prior to receiving any data traffic associated with the subscriber. NAT profiles are programmed into hardware forwarding elements of the mobile gateway router for inline NAT when routing subscriber traffic for the mobile access network.

Abstract: In general, techniques are described for informing services nodes of private network address information in order to apply subscriber-aware services with the services node. In some examples, a services node includes an Authentication, Authorization, and Accounting (AAA) interface to receive a AAA message, wherein the AAA message has been extended from a AAA protocol to specify a private network address of a subscriber device authenticated to an access network by the AAA server and assigned the private network address that is not routable external to the access network. A mapping module associates the public network address of subscriber data traffic with the private network address received by the AAA message. One or more service modules select one or more of a plurality of subscriber policies using the associated private network address and apply services to the subscriber data traffic in accordance with the selected subscriber policies.

Abstract: In general, this disclosure describes techniques for applying, with a network device, subscriber-specific packet processing using an internal processing path that includes service objects that are commonly applied to multiple packet flows associated with multiple subscribers. In one example, a network device control plane creates subscriber records that include, for respective subscribers, one or more variable values that specify service objects as well as an identifier for a packet processing template. A forwarding plane of the network device receives and maps subscriber packets to an associated subscriber record and then processes the packet by executing the packet processing template specified by the subscriber record. When the forwarding plane reaches a variable while executing the specified packet processing template, the forwarding plane reads the associated variable value from the subscriber record to identify and then apply the subscriber-specific service object specified by the variable.

Abstract: In general, techniques are described for selectively applying and reusing filters stored in a router. In one example, a method includes receiving a network access request from a first user. The method also includes selecting a candidate rule group associated with the packet flow, wherein the candidate rule group comprises one or more currently deployed rules of an existing rule group on the computing device that are currently installed within a forwarding plane and are being applied by the forwarding plane to network traffic associated with a second user. The method also includes installing a new rule group comprising the one or more currently deployed rules of the existing rule group and one or more new rules associated with the first user and not currently installed within a forwarding plane. The method also includes applying each rule of the new rule group to network traffic associated with the first user.

Abstract: Techniques are described for performing inline NAT functions in a forwarding element of a mobile gateway router or other device in which subscriber sessions of a mobile access network are distributed across a plurality of session management cards. The session management cards pre-allocate a public network address and port range for subscribers at the time a network connection is established in response to connection request prior to receiving any data traffic associated with the subscriber. NAT profiles are programmed into hardware forwarding elements of the mobile gateway router for inline NAT when routing subscriber traffic for the mobile access network.

Abstract: A system is configured to: receive a message from a gateway device; identify one or more sessions corresponding to an identifier included in the message; and clear the one or more corresponding sessions. The identifier may correspond to a part of the gateway device where a session is stored or maintained for a mobile device to connect to a server device.

Abstract: Some embodiments of the invention provide a mobile device with multiple access modes. The device in some embodiments has at least two access modes, a primary access mode and a secondary access mode, that provide different restrictions for accessing the applications and/or data that are stored on the device. In some embodiments, the primary access mode of the device provides unfettered access to all of the device's applications and/or data that are available to a user, while its secondary access mode provides access to a limited set of applications and/or data that are stored on the device.

Abstract: A network device may include a timing module and at least one interface. The timing module determines a local time of the network device indicating when the network device sends a synchronization start message. The at least one interface sends the synchronization start message to a time client device to set the current time of day on the time client device, receives a synchronization response message from the time client device indicating that the current time of day of the time client device was set, and sends a synchronization success message to the time client device indicating that the time client device has correctly set its current time of day.

Abstract: A method, performed by a network device, may include sending a request to a first server, detecting a first timeout without receiving a response from the first server, and sending the request to the first server and to a second server, in response to detecting the first timeout without receiving a response from the first server.

Abstract: A method and apparatus for connecting multiple customer sites over a wide area network (WAN) using an overlay network is described. In one embodiment of the invention, each one of multiple customer edge (CE) routers establishes a Border Gateway Protocol (BGP) session with one or more BGP route reflectors and announces their private IP network prefixes and one or more transport IP addresses to reach that CE router. The BGP route reflector(s) reflect those IP network prefixes and the one or more transport IP addresses to reach that specific CE router to the other CE routers. The CE routers receive those reflected IP network prefixes and the corresponding transport IP address(es) to reach that CE router in which those IP network prefixes belong and register them in their corresponding routing/forwarding data structures. In this way, the CE routers learn how to reach each other.

Abstract: Techniques are described for selecting an alternate path for end-to-end service data traffic that traverses multi-homed routers that provide the service to customer networks. For example, as described herein, a router that is a member of a first multi-homing set connected to a layer two (L2) network with one of a plurality of first access links. The router advertises a status of one of the first access links to a second multi-homing set connected to the first multi-homing set with one or more core links. A core link database stores advertised status information for access links of the first and second multi-homing set. Upon a link failure, a path selector selects a core link to transport service data traffic and directs a switch module to switch to active a status a first access links that connects to a router in the first multi-homing set connected to the selected core link.

Abstract: In general, techniques are described for facilitating interchassis redundancy (ICR) among heterogenous mobile gateway member chassis that provide high-availability services as an group to one or more mobile subscribers. In one example, a member chassis of the mobile gateway comprises a control plane having a plurality of distributed subscriber management service units that serve as anchors for subscriber sessions. A redundancy group defines a backup association between one of the subscriber management service units and a subscriber management service unit of another member chassis of the mobile gateway. A routing unit of the member chassis comprises a resource manager that negotiates parameters for a communication channel for the redundancy group.

Abstract: In general, techniques are described for informing services nodes of private network address information in order to apply subscriber-aware services with the services node. In some examples, a services node includes an Authentication, Authorization, and Accounting (AAA) interface to receive a AAA message, wherein the AAA message has been extended from a AAA protocol to specify a private network address of a subscriber device authenticated to an access network by the AAA server and assigned the private network address that is not routable external to the access network. A mapping module associates the public network address of subscriber data traffic with the private network address received by the AAA message. One or more service modules select one or more of a plurality of subscriber policies using the associated private network address and apply services to the subscriber data traffic in accordance with the selected subscriber policies.

Abstract: In general, techniques are described that facilitate scalable wholesale layer two (L2) connectivity between customers and service providers and a demarcation between the L2 wholesale network and one or more ISPs with which customers communicate L2 PDUs. In one example, a network device receives PDU having both a service identifier identifying a service virtual local area network (SVLAN) and a customer identifier identifying a customer VLAN (CVLAN). A virtual switch determines whether an entry of a L2 learning table is associated with both the service identifier and the customer identifier of the PDU. When no such entry exists, a VLAN learning module updates the L2 learning table to create a new entry that maps to a network device interface and is associated with both the service identifier of the PDU and a plurality of customer identifiers that includes the customer identifier of the PDU.

Abstract: In general, techniques are described for decentralizing handling of subscriber sessions within a gateway device of a mobile network. A mobile network gateway comprises a data plane having a plurality of forwarding components to receive session requests from a mobile service provider network in which the mobile network gateway resides. A control plane comprises a plurality of distributed subscriber management service units coupled by a switch fabric to the data plane. Each of the subscriber management service units serve as anchors for communication sessions for mobile devices that are accessing one or more packet data network by the mobile service provider network. A request delegation module within each of the forwarding components directs the session requests to the subscriber management service units unit to provide management services for the sessions requested by the mobile device.

Abstract: In general, techniques are described for aggregating, within a network device, internal forwarding routes for multiple control protocols and allocating next hops for the routes among individual service units of a decentralized control plane for the network device. The techniques may also include aggregating internal forwarding routes for data protocols and allocating next hops for the routes among individual forwarding units of a decentralized data plane for the network device. In one example, a mobile gateway includes a plurality of subscriber management service units that present a uniform interface to nodes within a mobile service provider network. An allocation manager apportions a control protocol session identifier namespace into a plurality of contiguous, non-overlapping protocol session identifier ranges and allocates the ranges among the service units.

Abstract: In general, techniques are described for performing scalable layer two (L2) learning in computer networks. A network device that includes interfaces and a control unit may implement these techniques. The control unit stores a L2 learning table having entries that are each associated with a service tag identifying a service virtual local area network. In response to receiving a packet that includes a service tag, the interfaces access the L2 learning table using the service tag to determine whether any of the entries of the L2 learning table are associated with the service tag. When none of the entries are associated with the service tag, the L2 learning module updates the L2 learning table to create a new entry defining an association between the one of the interfaces that received the packet and the service tag.