Abstract: A method of processing one or more packets includes receiving, at a first processing unit, a first packet including first information bits. The first information bits indicate a first control parameter. The method also includes determining whether the first control parameter will be utilized to process the first packet in at least a second processing unit and, at least partially in response to determining that the first control parameter will not be utilized to process the first packet in at least the second processing unit, replacing one or more bits of the first information bits in the first packet with second information bits. The second information bits indicate a second control parameter. The method also includes providing the first packet including the second information bits to the second processing unit.

Abstract: Systems, methods, and other embodiments associated with controlling transmission of packets over a link aggregation group (LAG) using policies arranged in a tree hierarchy are described. According to one embodiment, a device includes a decision logic configured to manage transmission of packets over a link aggregation group by individually evaluating the packets according to a plurality of policies arranged into a tree hierarchy. The link aggregation group includes a plurality of interfaces connected to a remote device. The decision logic is configured to select one of the plurality of interfaces of the link aggregation group for each of the packets by using the plurality of policies. A transmission logic configured to control transmission of each of the packets according to which interface of the link aggregation group is selected for each of the packets as a result of evaluating the packets using the plurality of policies.

Abstract: Technology is disclosed herein that enhances user interfaces. In one implementation, an application renders a user interface that comprises a navigation element. The navigation element visually links at least one screen to one other screen. The application surfaces a control in the navigation element with which to load data items, and when a data item loaded in the navigation element is active, presents content associated with the data item in the one screen and presents other content associated with the data item in the one other screen.

Abstract: In one embodiment, an apparatus comprises a queue scheduler configured to schedule frames to be buffered through one of a plurality of queues wherein each queue is designated to buffer frames having a pre-assigned priority. Congestion control logic is configured to change the pre-assigned priority of one or more frames before the one or more frames are scheduled by the queue scheduler to cause the one or more frames to be buffered in a different queue than the queue designated for the pre-assigned priority.

Abstract: A packet processor includes an extraction circuit, a lookup circuit, an assignment circuit, a rule matching circuit, and an action circuit. The extraction circuit generates a first set of values based on a first packet. The lookup circuit stores metadata values. Each of the metadata values corresponds to a respective metadata identifier. The assignment circuit assigns a first metadata identifier to the first packet. The lookup circuit selectively retrieves a first metadata value that corresponds to the first metadata identifier. The rule matching circuit selects a first rule from among a predetermined set of rules based on the first set of values and the first metadata value. The action circuit identifies a first action specified by the first rule and performs the first action. The first action includes modifying the first metadata value of the plurality of metadata values.

Abstract: System and methods are provided for performing deep packet inspection of data packets. An example system includes a packet forwarding component and a virtual machine component. The packet forwarding component is configured to receive data packets for transmission and to select one or more of the data packets based at least in part on a first set of rules for deep packet inspection. The virtual machine component is configured to perform deep packet inspection on the selected data packets according to a second set of rules to determine whether the selected data packets are allowed for transmission. The packet forwarding component is further configured to transmit the selected data packets when the selected data packets are allowed for transmission after the deep packet inspection.

Abstract: In aspects of enhanced network access-control credentials, a network access device includes a network interface for data communication with network-connected devices via a network. The network access device implements an access control manager that receives a network access request from a requesting device to access the network, where the network access request includes authentication credentials. The access control manager can then modify the network access request to generate a modified network access request, and initiate communication of the modified network access request to an authentication server that authenticates the requesting device to the network based on the modified network access request.

Abstract: In one embodiment, a method performs, by at least a processor, a computer networking function as controlled, at least in part, by a configuration for a networking device. Source commands are received to establish the configuration, wherein the source commands are written in a source command language. The source commands are translated from the source command language to target commands written in a target command language, wherein the translation is based, at least in part, on a function to function translation model. The configuration is then established by executing at least the target commands.

Abstract: In one or more embodiments, attributes other than a supplicant's MAC address can be used for the user name in the authentication process in a network computing environment. In at least some embodiments, doing so utilizes an association structure, such as a table, that is already resident at the authentication server. By using attributes other than a supplicant's MAC address, various matching scenarios can be provided by the authentication server in which authentication or authorization takes place responsive to satisfying conditions defined in the authentication server's association or database. Furthermore, a variety of non-authentication scenarios can be supported using the authentication server's association.

Abstract: Systems, methods, and other embodiments associated with controlling the flow of packets in a network are described. According to one embodiment, an apparatus includes a transceiver and a flow logic. The flow logic is configured to control the transceiver to transmit a frame to a downstream device by determining whether the frame matches a predetermined pattern. The predetermined pattern identifies a source of frames. The predetermined pattern specifies an action to perform for frames received from the source that are to be transmitted to the downstream device. The flow logic is also configured to control the transceiver to transmit a frame to a downstream device by, in response to determining that the frame matches the predetermined pattern, controlling transmission of the frame to the downstream device according to the action specified by the predetermined pattern.

Abstract: A network device including a first and second processors. The first processor: receives first and second packets; and selects some of the second packets according to contents of the second packets and sampling criteria. The second processor operates in first and second modes. While operating in the first mode, the second processor learns a traffic pattern of the first packets through the network device. While operating in the second mode, the second processor compares a traffic pattern of the some of the second packets to the traffic pattern of the first packets to determine whether the second packets are associated with an attack on the network device. In response to determining the second packets are not associated with an attack on the network device, the second processor updates the patterns of the first packets based on a characteristic of the some of the second packets.

Abstract: An apparatus includes a plurality of network devices to transmit frames of data. Each of the network devices is associated with one or more predetermined transport-layer port numbers that are not associated with any others of the network devices. All of the network devices are associated with a single common predetermined internet protocol (IP) address. Each of the frames of data includes the common predetermined IP address as a source IP address and a respective one of the predetermined transport-layer port numbers as a source transport-layer port number. A switch includes a plurality of first interfaces, each in communication with one of the network devices, to receive the frames of data from the network devices, a second interface to transmit the frames of data from the apparatus, and a forwarding engine to transfer the frames of data from the second interfaces to the first interface.

Abstract: A network device including a classifier and a processor. The classifier is configured to select a plurality of packets according to a rule. The rule describes a characteristic associated with the plurality of packets selected by the classifier. The processor is configured to, during runtime, execute a program to compare a portion of the plurality of packets to one or more predetermined patterns. During the runtime, one or more additional predetermined patterns can be added to the program for comparison with a portion of one or more of the plurality of packets selected by the classifier without having to reboot the network device.

Abstract: Systems, methods, and other embodiments associated with controlling the flow of packets in a network are described. According to one embodiment, an apparatus includes a transceiver and a flow logic. The flow logic is configured to control the transceiver to transmit a frame to a downstream device by determining whether the frame matches a key value. The key value identifies a source of frames. The key value is part of a flow control rule that specifies an action to perform for frames received from the source that are to be transmitted to the downstream device. The flow logic is also configured to control the transceiver to transmit a frame to a downstream device by, in response to determining that the frame matches the key value, controlling transmission of the frame to the downstream device according to the action specified by the flow control rule.

Abstract: Embodiments provide a method for discovering, by a network device of a network, a plurality of network devices of the network; establishing, by the network device, a group of network devices, wherein the group of network devices comprises the network device and a subset of the plurality of network devices; receiving, by the network device, information that is pertinent to one or more network devices included in the group of network devices; processing the information to generate processed information; and propagating the processed information to one or more network devices of the subset of the plurality of network devices.

Abstract: A system including a user interface circuit, a classifier, a counter, and an action circuit. The user interface circuit is configured to receive a user input establishing a rule, wherein the rule describes (i) a characteristic of an event, and (ii) an action to initiate in response to a predetermined threshold being met. The classifier is configured to identify, based on the characteristic described in the rule, events that have the characteristic in a network device. The counter is configured to count a number of the events that have the characteristic in the network device as identified by classifier. The action circuit is configured to initiate the action described in the rule in response to the number of the events meeting the predetermined threshold in the rule.

Abstract: The present disclosure describes techniques for hardware acceleration for routing programs. In some aspects communications between a routing determination program and a packet router are monitored in a router, both the routing determination program and the packet router being part of a software layer of the router. The communications include the routing determination program providing configuration data to the packet router. Based on the monitored communications, a packet processor is changed to reflect the configuration data, the packet processor being part of a hardware layer of the router. The packet processor performs packet routing operations of receiving packets, determining the next routers in the paths to the target destinations of the packets, and sending the packets to the next routers independent of the software layer.

Abstract: Methods having corresponding computer-readable media comprise: generating a authorization token, wherein the authorization token represents i) one or more actions for a target computer, wherein the one or more actions require an authorization, ii) one or more preconditions, wherein the preconditions must be true for the target computer to execute the one or more actions, and iii) the authorization; and providing the authorization token to a person, wherein the person does not have the authorization, and wherein the person provides the authorization token to the target computer.

Abstract: In accordance with an embodiment, there is provided a network component, comprising a data port configured to receive data packets in accordance with a scheduling algorithm; and signal logic configured to while the data port is receiving data packets in accordance with the scheduling algorithm, generate a flow stop signal, wherein responsive to the flow stop signal being generated, the data port is configured to halt reception of data packets, and unconditionally generate a flow start signal subsequent to generating the flow stop signal, wherein responsive to the flow start signal being generated, (i) the scheduling algorithm is configured to be reset, and (ii) the data port is configured to resume reception of the data packets in accordance with the reset scheduling algorithm.

Abstract: A network switch including a plurality of ports, a packet processor, and a first processor. The plurality of ports are configured to receive a plurality of packets transmitted from a network to the network switch. The packet processor comprises a classifier configured to select a subset of the plurality of packets according to sampling criteria. The first processor is configured to determine, based on the subset of the plurality of packets, whether the plurality of packets are associated with an attack on the network switch. The classifier is further configured to, prior to the first processor determining whether the plurality of packets are associated with an attack, copy the subset of the plurality of packets to the first processor while maintaining the plurality of packets in the packet processor.