Patents by Inventor Joseph R. Mihelich

Joseph R. Mihelich has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11677743
    Abstract: A compact computing device with peer-to-peer communication through an Ethernet interface is provided. According to one embodiment, a compact computing device includes an Ethernet interface, an Ethernet discovery agent, a memory and a micro-controller. The Ethernet interface is capable of connecting to a host through an Ethernet link. One side wall of the compact shielding case accommodates only the Ethernet interface. The Ethernet discovery agent is capable of discovering the host to which the compact computing device is connected. The memory is capable of storing information that is to be transferred to the host or information that is received from the host. The micro-controller is capable of exchanging information with the host through the Ethernet link.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: June 13, 2023
    Assignee: Fortinet, Inc.
    Inventors: Sandip Y. Borle, Joseph R. Mihelich
  • Publication number: 20230099263
    Abstract: Systems and methods for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain that is connected through a first link directly connecting a first interface of the network device to a first interface of the peer network device, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. The network device establishes a secure session between the network device and the peer over the first link when the peer network device is successfully authenticated. The network device then allows the first link to operate as part of a single aggregated logical link, including a second link coupling a second interface of the network device to a second interface of the peer network device.
    Type: Application
    Filed: December 2, 2022
    Publication date: March 30, 2023
    Applicant: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Xiao Hu, Amit Srivastav, Norman Cheng
  • Patent number: 11533617
    Abstract: Systems and methods for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain that is connected through a first link directly connecting a first interface of the network device to a first interface of the peer network device, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. The network device establishes a secure session between the network device and the peer over the first link when the peer network device is successfully authenticated. The network device then allows the first link to operate as part of a single aggregated logical link, including a second link coupling a second interface of the network device to a second interface of the peer network device.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: December 20, 2022
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Xiao Hu, Amit Srivastav, Norman Cheng
  • Publication number: 20220104016
    Abstract: Systems and methods for securing link aggregation are provided. According to an embodiment, a network device in a secure domain discovers device information associated with a peer network device in an untrusted domain that is connected through a first link directly connecting a first interface of the network device to a first interface of the peer network device, and authenticates the peer while allowing at least some network traffic to continue to be transmitted through the first interface. The network device establishes a secure session between the network device and the peer over the first link when the peer network device is successfully authenticated. The network device then allows the first link to operate as part of a single aggregated logical link, including a second link coupling a second interface of the network device to a second interface of the peer network device.
    Type: Application
    Filed: September 30, 2020
    Publication date: March 31, 2022
    Applicant: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Xiao Hu, Amit Srivastav, Norman Cheng
  • Patent number: 10530680
    Abstract: Systems and methods are described for link aggregation and dynamic distribution of network traffic in a switching Clos network. In one embodiment of the present invention, a spine switch of a Clos network learns a first mapping of a Media Access Control (MAC) address of a client device to a first port of the spine switch and a second mapping of the MAC of the client device to a second port of the spine switch. The spine switch aggregates the first mapping and the second mapping as a link group for the MAC address of the client device in a MAC address table and distributes network traffic destined for the MAC address of the client device among members of the link group.
    Type: Grant
    Filed: August 24, 2017
    Date of Patent: January 7, 2020
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, JingJing Du, Amit Srivastav
  • Publication number: 20190097991
    Abstract: A compact computing device with peer-to-peer communication through an Ethernet interface is provided. According to one embodiment, a compact computing device includes an Ethernet interface, an Ethernet discovery agent, a memory and a micro-controller. The Ethernet interface is capable of connecting to a host through an Ethernet link. One side wall of the compact shielding case accommodates only the Ethernet interface. The Ethernet discovery agent is capable of discovering the host to which the compact computing device is connected. The memory is capable of storing information that is to be transferred to the host or information that is received from the host. The micro-controller is capable of exchanging information with the host through the Ethernet link.
    Type: Application
    Filed: September 28, 2017
    Publication date: March 28, 2019
    Applicant: Fortinet, Inc.
    Inventors: Sandip Y. Borle, Joseph R. Mihelich
  • Publication number: 20190068485
    Abstract: Systems and methods are described for link aggregation and dynamic distribution of network traffic in a switching Clos network. In one embodiment of the present invention, a spine switch of a Clos network learns a first mapping of a Media Access Control (MAC) address of a client device to a first port of the spine switch and a second mapping of the MAC of the client device to a second port of the spine switch. The spine switch aggregates the first mapping and the second mapping as a link group for the MAC address of the client device in a MAC address table and distributes network traffic destined for the MAC address of the client device among members of the link group.
    Type: Application
    Filed: August 24, 2017
    Publication date: February 28, 2019
    Applicant: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, JingJing Du, Amit Srivastav
  • Patent number: 10164846
    Abstract: Systems and methods for a network flow analysis service that facilitates collection, analysis and sharing of information regarding network flows are provided. According to one embodiment, a network flow analysis service provider collects network traffic information of network flows from a plurality of different network sources, analyzes at least one attribute associated with the network flows based on the network traffic information, and distributes the at least one attribute to subscribers of the network flow analysis service.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: December 25, 2018
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Christian E. Navarrete
  • Patent number: 10038671
    Abstract: Systems and methods for managing network traffic by a perimeter network security device based on internal network traffic or configuration information are provided. According to one embodiment, a network security appliance of a private network receives internal network information collected by multiple Layer 2/3 network devices of the private network. The Layer 2/3 network devices switch/route internal network traffic among multiple internal host devices without the network traffic passing through the network security device and switch/route external network traffic between the network security appliance and the internal host devices. A topology of the private network is derived based on the internal network information. Existence of potential malicious activity involving an internal host device is identified by evaluating the internal network information.
    Type: Grant
    Filed: December 31, 2016
    Date of Patent: July 31, 2018
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Amit Srivastav
  • Publication number: 20180191681
    Abstract: Systems and methods for managing network traffic by a perimeter network security device based on internal network traffic or configuration information are provided. According to one embodiment, a network security appliance of a private network receives internal network information collected by multiple Layer 2/3 network devices of the private network. The Layer 2/3 network devices switch/route internal network traffic among multiple internal host devices without the network traffic passing through the network security device and switch/route external network traffic between the network security appliance and the internal host devices. A topology of the private network is derived based on the internal network information. Existence of potential malicious activity involving an internal host device is identified by evaluating the internal network information.
    Type: Application
    Filed: December 31, 2016
    Publication date: July 5, 2018
    Applicant: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Amit Srivastav
  • Patent number: 9985849
    Abstract: Systems and methods for a network flow analysis service that facilitates collection, analysis and sharing of information regarding network flows are provided. According to one embodiment, a network flow analysis service provider collects network traffic information of network flows from a plurality of different network sources, analyzes at least one attribute associated with the network flows based on the network traffic information, and distributes the at least one attribute to subscribers of the network flow analysis service.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: May 29, 2018
    Assignee: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Christian E. Navarrete
  • Patent number: 9948576
    Abstract: Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. An edge network device interposed between a network of switches and multiple local hosts receives from a first local host a first packet destined for a first destination host. The first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated therewith. The first packet includes the first L2 address as a source L2 address of the first packet, and includes the first L3 address as a source L3 address of the first packet. The edge network device shields the first L2 address from the network of switches by replacing the source L2 address for the first packet with a first substitute L2 address of a first communication channel of the edge network device before sending the first packet to the network of switches.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: April 17, 2018
    Assignee: Fortinet, Inc.
    Inventors: Bert H. Tanaka, Joseph R. Mihelich
  • Publication number: 20180069770
    Abstract: Systems and methods for a network flow analysis service that facilitates collection, analysis and sharing of information regarding network flows are provided. According to one embodiment, a network flow analysis service provider collects network traffic information of network flows from a plurality of different network sources, analyzes at least one attribute associated with the network flows based on the network traffic information, and distributes the at least one attribute to subscribers of the network flow analysis service.
    Type: Application
    Filed: August 23, 2017
    Publication date: March 8, 2018
    Applicant: Fortinet, Inc.
    Inventors: Joseph R. Mihelich, Christian E. Navarrete
  • Patent number: 9825866
    Abstract: Methods and systems for selecting among multiple concurrently active paths through a network are provided. According to one embodiment, a method is performed by a network interface of a source network device within a loop-free, reverse-path-learning network. The network is divided into multiple virtual local area networks (VLANs). Network traffic destined for a destination network device and specifying an address for the destination or including information from which the address can be derived is received from the source. A set of VLANs that can be used to transport the packet from the source to the destination is determined. Each VLAN in the set of VLANs is associated with a different path through the network from the source to the destination. A particular VLAN from the set of VLANs is selected, thereby effectively selecting a particular path from multiple selectable paths between the source and the destination.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: November 21, 2017
    Assignee: Fortinet, Inc.
    Inventors: Bert H. Tanaka, Daniel J. Maltbie, Joseph R. Mihelich
  • Publication number: 20160373294
    Abstract: Systems and methods for an end-to-end bidirectional symmetric data flow mapping in a LAG system are provided. According to one embodiment, a forward flow from a first end of the LAG system is received by a second end. The forward flow is from a first device connected to the first end and directed to a second device connected to the second end. The forward flow is transmitted by the second end to the second device. A corresponding backward flow is received by the second end that is from the second device and directed to the first device. The backward flow is assigned by the second end to a member link of multiple member links connecting the first and second end on which the forward flow was received by the second end. The backward flow is transmitted by the second end to the first end through the assigned member link.
    Type: Application
    Filed: June 18, 2015
    Publication date: December 22, 2016
    Applicant: Fortinet, Inc.
    Inventors: Amit Srivastav, Sandip Y. Borle, Joseph R. Mihelich
  • Publication number: 20160335484
    Abstract: Methods and systems for co-relating location and identity data available from Access Points (APs) and video surveillance systems are provided. According to one embodiment, data, including a unique identifier of an object and information regarding a first geo-position of the object, is received from an AP of a wireless network of a venue. A video feed captured by a camera system monitoring a portion of the venue and/or information regarding a second geo-position corresponding to the object are also received. The first and second geo-positions are then mapped to a common coordinate system. Based on the unique identifier, information regarding the object as reported by the AP and the camera system or derived therefrom are correlated. Finally, behavioral attributes of the correlated object are assessed based on one or a combination of actions of the object, the first and second geo-positions and the common coordinate system.
    Type: Application
    Filed: March 11, 2015
    Publication date: November 17, 2016
    Applicant: Fortinet, Inc.
    Inventors: Michael Xie, Robert Westendorp, Joseph R. Mihelich
  • Publication number: 20160197854
    Abstract: Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. An edge network device interposed between a network of switches and multiple local hosts receives from a first local host a first packet destined for a first destination host. The first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated therewith. The first packet includes the first L2 address as a source L2 address of the first packet, and includes the first L3 address as a source L3 address of the first packet. The edge network device shields the first L2 address from the network of switches by replacing the source L2 address for the first packet with a first substitute L2 address of a first communication channel of the edge network device before sending the first packet to the network of switches.
    Type: Application
    Filed: March 14, 2016
    Publication date: July 7, 2016
    Inventors: Bert H. Tanaka, Joseph R. Mihelich
  • Patent number: 9325526
    Abstract: Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. A border component interposed between a network of switches and multiple local hosts receives from a first local host a first packet destined for a first destination host. The first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated therewith. The first packet includes the first L2 address as a source L2 address for the first packet, and includes the first L3 address as a source L3 address for the first packet. The border component shields the first L2 address from the network of switches by replacing the source L2 address for the first packet with a substitute L2 address before sending the first packet to the network of switches.
    Type: Grant
    Filed: July 29, 2013
    Date of Patent: April 26, 2016
    Assignee: Fortinet, Inc.
    Inventors: Bert H. Tanaka, Joseph R. Mihelich
  • Publication number: 20160105366
    Abstract: Methods and systems for selecting among multiple concurrently active paths through a network are provided. According to one embodiment, a method is performed by a network interface of a source network device within a loop-free, reverse-path-learning network. The network is divided into multiple virtual local area networks (VLANs). Network traffic destined for a destination network device and specifying an address for the destination or including information from which the address can be derived is received from the source. A set of VLANs that can be used to transport the packet from the source to the destination is determined. Each VLAN in the set of VLANs is associated with a different path through the network from the source to the destination. A particular VLAN from the set of VLANs is selected, thereby effectively selecting a particular path from multiple selectable paths between the source and the destination.
    Type: Application
    Filed: December 16, 2015
    Publication date: April 14, 2016
    Applicant: Fortinet, Inc.
    Inventors: Bert H. Tanaka, Daniel J. Maltbie, Joseph R. Mihelich
  • Patent number: 9276861
    Abstract: Methods and systems for selecting among multiple concurrently active paths through a network are provided. According to one embodiment, a method is performed by a network interface of a source node within a loop-free, reverse-path-learning network. The network is divided into multiple virtual networks. A packet destined for a destination node and specifying an address for the destination or including information from which the address can be derived is received from the source. A set of virtual networks that can be used to transport the packet from the source node to the destination node is determined. Each virtual network in the set of virtual networks provides a different path through the network from the source to the destination. A particular virtual network from the set of virtual networks is selected, thereby effectively selecting a particular path from multiple selectable paths between the source and the destination.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: March 1, 2016
    Assignee: Fortinet, Inc.
    Inventors: Bert H. Tanaka, Daniel J. Maltbie, Joseph R. Mihelich