In general, embodiments relate to a method for establishing trust between supervisors in a network device, the method including obtaining, by a first supervisor, signed platform configuration register (PCR) values from a second supervisor, wherein the first supervisor and the second supervisor are located in the network device, comparing the signed PCR values with stored PCR values, where the stored PCR values were previously obtained by the first supervisor from the second supervisor, and establishing, based on the comparison, trust with the second supervisor.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
2.
SUPPORTING DIFFERENT SECURITY SCHEMES WITH DIFFERENT BOOT PERSONALITIES FOR NETWORK DEVICES
Devices and methods for managing boot personalities in a network device are disclosed. The method includes, after powering on the network device, a programmable component of the network device outputting a first signal unique to a first boot personality. One or more switches are toggled based on the first signal. The toggling results in connecting at least one of one or more first components in the network device associated with the first boot personality and disconnecting at least one of one or more second components in the network device associated with a second boot personality.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A switch system including a plurality of pluggable modules, a plurality of cages housing the plurality of pluggable modules, and a host printed circuit board (PCB). The system is designed to improve airflow around the host PCB to facilitate cooling. The cages may be designed to have airflow openings on a bottom surface thereof (facing towards the host PCB). The pluggable modules may be designed to have a heat sink on an external lower surface (facing towards the host PCB), which may be in the form of external fins. The host PCB may be designed to have cut-outs in a front portion thereof. The cooperation of the airflow openings, heat sinks, and cut-outs creates improved airflow for cooling of the host PCB.
A networking system may disrupt an unauthorized wireless connection to the network. In particular, the networking system may detect a wireless connection between a client device and an unauthorized wireless access point. The networking system may receive a probe request management frame from the client device. The networking system may, responsive to the detection of the wireless connection, send a probe response management frame to the client device.
Embodiments of the present disclosure include techniques for securing the flow of configuration commands issued to network devices, such as switches. When an authorized command source (120), such as an authorized user or program, issues a command, security data for the command is generated and associated with the command. The command and security data may flow across multiple software applications (130, 131) to the network device (100). The network device receiving the command may use the security data to verify that the command source is an authorized source and to validate that the command was unaltered. The security data may comprise a signature and a certificate.
The present disclosure describes a network switch design that includes a vertical switch circuit board that is mounted parallel to the front panel of the network switch. The vertical circuit board supports switch chip(s) to process and forward packets and optical module connectors to receive pluggable optics modules that provide connections to other network switches. The arrangement of the circuit board, switch chip(s) and optical module connectors achieves reduced lengths for the electrical signal traces that connect the switch chip(s) to the optical module connectors. In addition, the design improves cooling by providing separate airflow regions between the switch chip heatsink(s) and the optics modules. The vertical switch card assembly and its components can be made removable from the front panel for ease of servicing.
A method for obtaining, by a first network device of a pair of network devices, a packet, wherein the packet specifies a source address corresponding to a first client device and a destination address corresponding to a second client device, making a first determination, by the first network device and using the source address and the destination address, that the first network device is not an owner of bidirectional traffic associated with the packet, based on the first determination, transmitting, by the first network device, the packet to a second network device of the pair of network devices, making a second determination, by the second network device, that the second network device is the owner of bidirectional traffic associated with the packet, performing, in response to the second determination and by the second network device, data processing on the packet to generate a processing result.
Methods, systems and devices for controlling an operating configuration of a network device such as a wireless access point include detecting power supplied to the access point. Operating parameters of the access point, neighboring access points, and client devices wirelessly connected to the access point are determined. The access point is placed in a reduced-capability operating configuration in response to detecting the power supplied is less than a power threshold. The reduced-capability operating configuration is based on the determined operating parameters of the access point, neighboring access points, and client devices.
Prefix compression routes provided via exact match using redirection and mirroring Forwarding Equivalence Class entries in hardware. In a network device, a first table is stored having a first entry, a second table is stored having a second entry, and a third table is stored having a third entry including routing information for routing data packets. The first entry references a first memory location in the second table, that memory location stores the second entry, and the second entry references a second memory location in the third table. A data packet is received, and the first entry is accessed based on a destination address of the data packet. Routing information is obtained as a result of accessing the first entry. The data packet is sent by the network device according to the routing information.
A traffic policy includes policy rules that specify branch actions in their action fields. A branch action specifies another policy rule in the traffic policy. Packet filters generated from the traffic policy represent the traffic policy rules and execution order semantics of the branch rules. The packet filters include resolved actions that are generated by resolving the original actions in the policy rules.
H04L 47/2441 - Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
A passive hybrid heat transfer system for cooling a heat source, such as an integrated circuit, includes a thermosiphon heat transfer subsystem that operates in combination with a supplemental heat transfer subsystem to transfer heat away from and thereby cool the integrated circuit. The heat transfer system includes the thermosiphon heat transfer subsystem including a condenser coupled to an evaporator. The evaporator is coupled to the integrated circuit or other heat source and is positioned below the condenser relative to a direction of gravity. The supplemental heat transfer subsystem is thermally coupled to the evaporator of the thermosiphon heat transfer subsystem and has at least a portion extending below the evaporator relative to the direction of gravity. A network device like a switch or router may include the hybrid heat transfer system to cool high power integrated circuits without the need to resort to active cooling systems.
H05K 7/20 - Modifications to facilitate cooling, ventilating, or heating
F28D 15/02 - Heat-exchange apparatus with the intermediate heat-transfer medium in closed tubes passing into or through the conduit walls in which the medium condenses and evaporates, e.g. heat-pipes
F28F 1/20 - Tubular elements or assemblies thereof with means for increasing heat-transfer area, e.g. with fins, with projections, with recesses the means being only outside the tubular element and extending longitudinally the means being attachable to the element
12.
TRANSACTIONAL DISTRIBUTION OF MODELLED CONFIGURATION FROM A CENTRALIZED SERVER TO A PLURALITY OF SUBSIDIARY DEVICES
Techniques are provided for facilitating network devices to obtain configuration updates from a central configuration repository. Configuration update information is received regarding a configuration update in a configuration repository. A data tree is updated based on the configuration update information. An identifier unique to the update is generated. A determination is performed that network device properties of a network device correspond to a set of network device properties indicated for the configuration update information. A notification indicating the availability of the configuration update is sent over one or more networks to the network device.
H04L 41/40 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
Data taps are provided in a production network to mirror traffic flow through the network. Feeds from the data taps are provided to a monitoring fabric comprising a network of service nodes. A service node receives mirrored traffic and identifies packets in the mirrored traffic for further processing, for example to be forwarded to one or more monitoring/security tools. The packets are identified based on the contents of the packets. For example, packets at the beginning of a TCP session and at the end of the TCP session can be identified based on the TCP flags in the packets. The service node can cause these packets to be sent to one or more monitoring / security tools.
A network device is configured to route an ingress packet based on its L2 header. In some configurations the ingress packet is routed based only on the destination MAC (DMAC) address in the L2 header, which allows the network device to begin routing as soon as the DMAC is received. The DMAC can be used in a table look up operation to identify routing actions for a nexthop. An egress packet is produced from the ingress packet using the routing actions. The egress packet is then sent on an egress port specified in the routing actions.
Malformed VLAN packets can be detected by programming suitable rules in a TCAM in the packet processing pipeline. In some deployments, for example, the TCAM rule(s) can match on the parsed EtherType metadata. More specifically, the match can be based on the EtherType metadata being set to a value equal to known VLAN TPIDs, such as 0x8100, 0x88a8, rather than being set to a standard EtherType.
A method for supporting virtual machine (VM) mobility between network devices connected to a network includes: selecting a first type of route for interconnecting VMs that are connected to the network devices; and adding a feature of a second type of route to the first type of route to enable the network devices to execute proxy address resolution protocol (ARP) for transmitting network traffic between the VMs without requiring each of the network devices to store a physical address of each of the VMs in respective ones of a network address table.
In general, embodiments relate to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing, by the first network device, a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, and in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by the first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.
A method for remotely configuring a network device using a user device and a network management service is provided. The user device includes a first communication interface and a second communication interface, and the method includes: initiating, by the user device, a communication channel with the network device using the second communication interface; after the communication channel is established: obtaining, by the user device via the first communication interface, configuration information for the network device from the network management service; and sending, by the user device, the configuration information to the network device via the communication channel. The user device is in communication with the network management service via the first communication interface, and the user device is configured as a pass-through device that relays the configuration information from the network management service to the network device. This enables bootstrapping and troubleshooting of a remote device.
Packets in a network may be dropped from time to time. Although network devices are able to provide counters specifying the number of dropped packets, these network devices are unable to provide additional context about the dropped packets. However, users of a network wish to know more about dropped packets, such as why the packets were dropped. Therefore, methods for capturing and storing the dropped packets are provided. This way, users can analyze the dropped packets to determine why these packets were dropped.
A photonic integrated circuit (PIC) includes an optical transmitter and an optical receiver. An optical loopback is coupled to the optical transmitter and to the optical receiver and is configurable to provide in a communications mode a transmitted optical signal from the optical transmitter to an optical output node and to provide a received optical signal on an optical input node to the optical receiver. The optical loopback is further configurable in a loopback testing mode to optically isolate the received optical signal on the optical input node from the optical receiver and to provide the transmitted optical signal from the optical transmitter to the optical receiver. A PIC including the optical loopback enables improved optical loopback testing of optical ports that will be present on network devices including co-packaged optics.
H04B 10/073 - Arrangements for monitoring or testing transmission systems; Arrangements for fault measurement of transmission systems using an out-of-service signal
A method for reverse path forwarding (RPF) selection by a network device connected to a network includes receiving an advertisement message from each of a plurality of neighbor devices within the network, parsing the advertisement message to determine a color identification (ID) of each of the neighbor devices, and selecting, from among the neighbor devices, a RPF device based on the color ID of each of the neighbor devices.
A method for generating an application-aware virtual topology (AAVT) routing table for a network device among network devices connected via a wide area network is provided. The method is executed by a network controller connected to the network and includes: receiving, from the network devices, path information of the network devices; generating, using the path information, an underlay graph specifying a path topology of the network device; generating, based on the path topology specified in the underlay graph, the AAVT routing table for the network device where the AAVT routing table includes a set of paths; and transmitting, in response to generating the AAVT routing table, the AAVT routing table to the network device to cause the network device to program the set of paths.
Techniques for operating a network device are provided. In some embodiments, a method may comprise: forwarding multicast data packets from a source in a first customer network to a receiver in a second customer network; detecting that another PE device is forwarding the multicast data packets, wherein: Protocol Independent Multicast (PIM) is enabled on supplemental bridge domain (SBD) logical interfaces of the PE device and the another PE device, the PE device and the another PE device are PIM neighbors, and the PE device and the another PE device communicate with each other and with the receiver using the PIM protocol through an Ethernet virtual private network (EVPN). The method may further comprise: determining the another PE device is an assert winner from among the PE device and the another PE device based on at least one PIM assert message, the another PE device forwarding the multicast data packets.
Systems and methods for allocating a per-interface access control list (ACL) counter are disclosed. An ACL is applied to a data packet received at an interface of the network element. In response to matching the highest priority ACL rule, a counter value is obtained based on a combination of a base index and an expansion index value. The base index, expansion index, and counter values are stored in their respective tables. The counter value is uniquely associated with the specific ACL rule hit and the interface used to receive the data packet. Systems and methods also allocate a next set of expansion and counter tables when their storage capacity is exceeded. When the next set of tables are allocated, the older set of tables along with their index mappings and entries are preserved.
Embodiments described herein relate to techniques for designated forwarder (DF) elections, which may include: obtaining a plurality of DF candidates that are part of a supplementary broadcast domain (SBD), wherein a DF candidate is one of the plurality of DF candidates for the SBD; performing an SBD DF election process to determine an SBD DF winner from among the DF candidates; making a first determination that the DF candidate is not the SBD DF winner; making a second determination that a first broadcast domain (BD) provisioned on the DF candidate is not provisioned on the SBD DF winner; excluding the first BD from a set of BDs that are also provisioned on the SBD DF winner; performing additional DF election processes for each BD of the set of BDs; and processing multicast traffic based at least in part on the SBD DF election process and the additional DF election processes.
A networking system may include one or more network nodes such as one or more network switches. The network switches include respective matching engines. The matching engines across the network switches may be configured to match on a consistent set of matching criteria based on low and high entropy data fields to sample a same subset of packets for each network flow of interest. The sampled packets may include annotations and may be sent to collector circuitry for analysis. Controller circuitry may enforce consistent sampling policies across the network switches.
A method for managing a network by a network monitoring system, wherein the network comprises a plurality of network devices, the method comprising receiving, by the network monitoring system, in-band network telemetry (INT) data from a network device of the plurality of network devices, updating a latency model of the network using the INT data to obtain an updated latency model, identifying a congestion point in the network using the updated latency model and at least a portion of the INT data, validating the congestion point; and initiating a remediation action based on the validation.
H04L 43/067 - Generation of reports using time frame reporting
H04L 43/0817 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
Systems for controlling louver positions are described herein. Such systems may include: a louver frame; a louver coupled to the louver frame via a rotation member and adapted to rotate at a louver side around an axis of rotation at the rotation member. In one embodiment, the louver includes a spring member engagement feature. The system also includes a spring member coupled to the louver frame and adapted to engage with the spring member engagement feature of the louver and apply a force to the louver when a forward airflow is applied to the louver in a forward airflow direction.
F04D 25/14 - Units comprising pumps and their driving means the working fluid being air, e.g. for ventilation the unit being adapted for mounting in apertures and having shutters, e.g. automatically closed when not in use
29.
FAST FAILOVER SUPPORT FOR REMOTE CONNECTIVITY FAILURE
In general, embodiments relate to a method for managing traffic flow along a path between network devices. The method includes initiating, by an end-point network device, monitoring of the path, wherein the end-point network device transmits packets to a target network device over the path, detecting after the initiating, by the end-point network device, that at least a portion of the path has failed, wherein the portion of the path that has failed is external to the end-point network device, in response to the detecting, identifying which portions of network device hardware in the source network device need to be updated to redirect the packets from the end-point network device to the target network device to take a second path, and updating the identified portions of the network device hardware.
Routes in an address group are generally resolved according to a next hop resolution profile that applies across the address group. Individual next hop resolution profiles can be defined and associated with specific routes within the address group. Those specific routes are resolved according to their respective associated next hop resolution profiles, thereby bypassing the next hop resolution profile of the address group to provide control over the resolution behavior at the granularity of individual routes within the address group.
A network device includes a switching system for directing packets between ingress ports and egress ports of the network device. The network device also includes a switching system manager that makes an identification of a state change of a virtual output queue of the switching system; and performs an action set, based on the state change, to modify a latency of the virtual output queue to meet a predetermined latency in response to the identification.
Systems and methods are provided herein for an improved method of Zero-Touch Provisioning (ZTP) where a first switch receives a virtual local area network (VLAN) identifier from a second switch, allowing the first switch to reach a dynamic host configuration protocol (DHCP) server. This may be accomplished by a first switch receiving a VLAN identifier from a second switch. The first switch then transmits a DHCP discover message using the VLAN identifier. The first switch then receives reachability information for a ZTP server from the DHCP server. The first switch uses the reachability information to establish a provisioning session between the first switch and the ZTP server.
Techniques for determining a clock offset between monitoring devices in a network. Such techniques include: obtaining, by a first monitoring device, a first set of network traffic data units sent between a first endpoint and a second endpoint via a first tap on a network link between the first endpoint and second endpoint; obtaining, by a second monitoring device, a second set of network traffic data units sent between the first endpoint and the second endpoint via a second tap on the network link; calculating the clock offset between the first monitoring device and the second monitoring device using the first set of network traffic data units and the second set of network traffic data units; and performing an offset action based on the clock offset.
A system and method for provisionally authenticating a host moving from a source port of a switch device to a destination port of the switch device is disclosed. The host is initially authenticated at the source port and blocked from forwarding network traffic at the destination port. During a provisional authentication session, an authentication agent executing on the switch intercepts one or more authentication packets sourced by the host and headed for the destination port of the switch device and redirects the authentication packets to an authentication server for validating the host at the destination port of the switch device. The switch device removes the block at the destination port in response to receiving an acknowledgment of successful authentication at the destination port from the authentication server.
Embodiments of the present disclosure include optical transmitters and transceivers with improved reliability. In some embodiments, the optical transmitters are used in network devices, such as in conjunction with a network switch. In one embodiment, lasers are operated at low power to improve reliability and power consumption. The output of the laser may be modulated by a non-direct modulator and received by integrated optical components, such as a modulator and/or multiplexer. The output of the optical components may be amplified by a semiconductor optical amplifier (SOA). Various advantageous configurations of lasers, optical components, and SOAs are disclosed. In some embodiments, SOAs are configured as part of a pluggable optical communication module, for example.
In one embodiment a device for tightening and loosening a securing device is provided. The device includes a housing, a shaft, and a clutch assembly. In one embodiment, the clutch assembly includes a clutch activation member, a first friction member coupled to the clutch activation member, and a second friction member coupled to the shaft. When the clutch activation member is in a first position, the clutch activation member engages the first friction member with the second friction member for transmission of torque from the first friction member to the second friction member. When the clutch activation member is in the second position, the clutch activation member disengages the first friction member from the second friction member to prevent transmission of the torque from the first friction member to the second friction member.
A method and network device for embedded area abstraction. Specifically, the method and network device described herein implement the abstraction of one or more subareas of an area within a network implementing a link state protocol. Abstraction of a given subarea of a given area within a network may provide for routing using network devices in the given subarea without requiring that the network devices, in the complement of the given subarea within the given area, maintain link state information respective to the entire network topology of the given subarea.
A processing unit (206,306) disposed within a compute unit (202), where the processing unit (206) includes a printed circuit board, PCB (320) that includes an integrated circuit (322); a first thermal management device (310.1), that includes a first vapor chamber (312.1) thermally conductively coupled to a first side of the integrated circuit (322); and a first heatsink (318) thermally conductively coupled to the first vapor chamber (312.1); and a second thermal management device (310.2, 310.3, 310.4), that includes a second vapor chamber (312.2, 312.3, 312.4) and a second heatsink (318) thermally conductively coupled to the second vapor chamber (312.2, 312.3, 312.4), where the second thermal management device (310.2, 310.3, 310.4) is thermally conductively coupled to the first thermal management device (310.1); where the PCB (320) is interposed between the first thermal management device (310.1) and the second thermal management device (310.2, 310.3, 310.4).
A method for processing network communications, the method including receiving a network packet at a network device and performing at least one lookup for the packet in one or more first lookup tables in which the one or more first lookup tables are programmed to include at least one of an exact match or longest prefix match (LPM) table entry. The method includes obtaining a security source segment and a security destination segment based upon the result of the at least one lookup for the packet in the one or more first lookup tables. The method further includes performing a lookup in a second lookup table based upon the security source segment and security destination segment in which the second lookup table is programmed in a content addressable memory. Based upon the result of the lookup in the second lookup table, processing a forwarding decision for the packet according to the security source segment and security destination segment.
A method for managing optical transceivers includes obtaining laser measurements for a laser operating in an optical transceiver in a network device, obtaining a failure profile for the laser, making a first determination that the laser measurements match the failure profile, and based on the first determination, initiating a remediation action for the optical transceiver.
H04B 10/077 - Arrangements for monitoring or testing transmission systems; Arrangements for fault measurement of transmission systems using an in-service signal using a supervisory or additional signal
H04B 10/079 - Arrangements for monitoring or testing transmission systems; Arrangements for fault measurement of transmission systems using an in-service signal using measurements of the data signal
41.
NETWORK DEVICE SUPPORTING MULTIPLE OPERATING SYSTEMS TO ENABLE OPTIMIZED USE OF NETWORK DEVICE HARDWARE
A method for managing a network device that includes a network operating system (NOS) and a third-party network operating system (3PNOS) includes detecting a 3PNOS state change in a 3PNOS database managed by the 3PNOS, translating the 3PNOS state change into a network device state change, storing the network device state change in a state database managed by the NOS, in response to the storing: detecting a change in the state database by a NOS agent executing in the NOS, initiating, in response to detecting the change in the state database, an update to hardware on the network device by the NOS, wherein the 3PNOS does not directly manage the hardware.
Embodiments of the present disclosure include a pluggable optical line system module for amplification, multiplexing, and demultiplexing of coherent optical signals that can be integrated with a switch-router. Integration may include mechanical, electrical, and software control aspects. One example embodiment of the optical line system is in an industry standard small form factor pluggable module such as OSFP (octal small form factor pluggable) or QSFP (quad small form factor pluggable). When configured in a switch-router, the pluggable optical line is powered, managed and controlled by the switch-router which greatly reduces the cost, space, power and the management complexity of optical line systems.
H04B 10/00 - Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
H04B 10/25 - Arrangements specific to fibre transmission
H04J 14/02 - Wavelength-division multiplex systems
Techniques described herein relate to a method for computation of network flooding topologies. A flooding topology may refer to a subset of a network which can be utilized by a network device to limit the flooding of link state updates. The flooding topology may be determined by an area leader (i.e., a designated network device) of the network. Computation of the flooding topology may entail the iterative incorporation (or absorption) of nodes and edges of a first connected graph, representing network devices and interconnections of a network topology of the network, into a second connected graph representing the flooding topology.
In response to receiving an ASR message, a VTEP generates a specially modified control plane message advertising the IP-to-MAC binding of the ASR message. The control plane message may be modified to indicate that it is not to be used for MAC learning. The control plane message is advertised over the network. When an intended recipient receives the message, it uses that message just for the IP-to-MAC binding. When an unintended recipient receives the message, it may drop it as invalid.
H04L 12/713 - Route fault prevention or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP] using node redundancy, e.g. VRRP
45.
SYSTEMS AND METHODS FOR FLOW-BASED INBAND TELEMETRY
Methods and systems are described for inband telemetry. The system receives a plurality of packets, each packet comprising a portion with INT data. The system identifies a packet flow from a source device to a destination device in the plurality of packets and calculates a telemetry metric based on INT data of a plurality of packets of the packet flow. Then the system forwards the calculated telemetry metric to an INT collector.
In some implementations, a method is provided. The method includes determining a physical topology of a network and monitoring network events based, at least in part, on control plane information received from one or more devices in the network. The method also includes monitoring the performance of each of a plurality of applications running on the network based, at least in part, on a set of application calls initiated by each application. When a drop in performance of an application is detected, the drop in performance is correlated with one or more of a plurality of detected network events to determine a cause of the drop in performance.
In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04M 1/66 - Substation equipment, e.g. for use by subscribers with means for preventing unauthorised or fraudulent calling
In general, embodiments relate to systems for latching electrical modules to one another. Specifically, embodiments provide for a latching assembly to mechanically aid an operative connection between electrical modules. Further, embodiments enable a user to physically latch electrical modules to one another and to retain the latching of the electrical modules.
Systems and methods for a path selection by a network router are disclosed. The router receives a data packet destined to travel a current path, as identified by a packet header, to a destination router. The router determines whether the current path is the best path of a set of network paths for the data packet to travel to reach the destination router based on telemetry characteristics of a set of network paths. The telemetry characteristics include a bandwidth availability estimate that is a function of one or both of a corresponding path throughput and a corresponding path packet loss rate. In response to determining the current path is not the best path, the router chooses a best path based on the telemetry characteristics of the set of paths and replaces the current path with the best path for travel by the data packet to the destination router.
Techniques for implementing neighbor equivalence groups on a network device are provided, where a neighbor equivalence group is a group of peers of the network device that communicate identical control plane state information for a given network protocol to the network device. In the context of Border Gateway Protocol (BGP), these techniques can include (1) creating, by the network device, a neighbor equivalence group for a set of BGP peers that advertise the same BGP paths to the device, (2) maintaining, by the network device, a single path database for the neighbor equivalence group (rather than one path database for each BGP peer in the group), and (3) immediately processing, by the network device, BGP path update/withdrawal messages received from any of the BGP peers in the group against the single path database, without waiting for the same message to be received from every peer.
In some embodiments, a method sets a threshold for utilization of a first table, wherein the utilization is based on layer 3 addresses and layer 2 addresses being stored in the first table. When a utilization of the first table does not meet the threshold, the method stores a layer 3 address in the first table. The first table uses a first type of lookup to determine a next hop address for the layer 3 addresses or the layer 2 addresses, and the first table also stores one or more layer 2 addresses. When the utilization of the first table meets the threshold, the method stores the layer 3 address in a second table, where the second table uses a second type of lookup to determine the next hop address for layer 3 addresses.
Synchronization of clocks among computing devices in a network includes determining master/slave relations among the computing devices. Some computing devices (e.g., switches) include trunk ports configured to carry traffic for several logical networks; e.g., virtual local area networks, VLANs. A trunk port can be associated with a master / slave setting for each logical network that it is configured for. Synchronization of clocks among the computing devices further includes running a synchronization sequence between a trunk port and each computing device on each of the logical networks configured on the trunk port.
A first network device is configured with a rule preventing network traffic from travelling from the first network device to one or more other network devices. The first network device is configured to receive and distribute network traffic to the one or more other network devices. A second network device receives and distributes network traffic to the one or more other network devices. The first network device determines that the second network device has failed. In response to determining that the second network device has failed, the first network device removes the rule so that the first network device receives and distributes network traffic to the one or more other network devices.
A method and network device for overlay tunnel termination and mirroring spanning datacenters. Specifically, the method and network device disclosed herein entail the traversal of mirrored network traffic from datacenters lacking traffic analysis tools to other datacenters including the sought after traffic analysis tools. Further, the aforementioned traversal of mirrored network traffic may utilize virtual network layer overlay domain tunnels.
A network device includes a hardware component. The network device includes a first device receiver operably connected to the hardware component via a first hardware component connection and adapted to receive a device. The network device further includes a second device receiver operably connected to the hardware component via a second hardware component connection. The first device receiver of the network device is adapted to reversibly reallocate the first hardware component connection to the second device receiver.
Embodiments of the present disclosure include techniques for generating accurate time stamps. In one embodiment, a first timing reference signal corresponding to a first clock domain is combined with a first clock signal corresponding to a second clock domain to produce a second timing reference signal that includes quantization noise. The second timing reference signal is filtered to remove the quantization noise and generate a filtered timing reference signal. The filtered timing reference signal may be sampled in the second clock domain to obtain a time stamp. In one embodiment, a phase locked loop (PLL) is used as the filter. The PLL may generate first and second ramps that correspond to time. One of the ramps may be sampled to obtain a time stamp, for example.
A method for processing network traffic data units (NTDUs). The method includes receiving, by a wireless access point (WAP), an NTDU from a client device. The method further includes identifying a virtual tunnel upon which to transmit the NTDU, where the virtual tunnel is associated with a network device, and transmitting, via the virtual tunnel, the NTDU to the network device.
In some implementations, a method is provided. The method may allow a powered device to determine the maximum power available from power supply equipment. The method includes determining the length of a cable connecting the powered device to the power supply equipment based on the resistance of the cable. The method further includes determining the maximum power available to the powered device based on the length of the cable. The powered device may then be operated based on the maximum power available.
A method for managing traffic in a network. The method includes receiving an overlay frame comprising a header portion and obtaining, from the header portion, a first label and a second label. The method further includes generating an expanded label comprising the first label and the second label, making a first determination that an overlay network table comprises an entry for the expanded label, and based on the first determination, processing the overlay frame using the entry.
Techniques for implementing history-based connection-server affinity on a network load balancer are provided. In one set of embodiments, the network load balancer can receive a network packet destined for a service, where the service is associated with a plurality of servers, and where the packet is part of a network connection between a client device and one of the plurality of servers. The network load balancer can further compute, using a portion of the packet, a bucket identifier of a bucket for the network connection, identify a first server in the plurality of servers that is currently mapped to the bucket identifier in a hash table, and send the packet to the first server. If the network load balancer receives the packet back from the first server, the network load balancer can determine, based on local history information, a second server that was previously mapped to the bucket identifier in the hash table and send the packet to that second server.
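The bucket table with per-bucket history described above, as an added illustration that is not part of the patent abstract or the applicant's code. Server placement, bucket count, history depth and the 5-tuple hashing are this example's assumptions; the text does not fix them. A packet that the current owner bounces back is retried against the previous owners of its bucket, newest first, until the history is exhausted.

```python
import hashlib
from collections import defaultdict


def bucket_id(five_tuple, num_buckets):
    """Hash a connection's 5-tuple (proto, src, sport, dst, dport) to a bucket."""
    key = "|".join(str(f) for f in five_tuple).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % num_buckets


class HistoryLB:
    """Bucket -> server table that remembers the previous owners of each bucket."""

    def __init__(self, servers, num_buckets=8, history_depth=4):
        self.servers = list(servers)
        self.num_buckets = num_buckets
        self.history_depth = history_depth
        self.table = {}                    # bucket -> current server
        self.history = defaultdict(list)   # bucket -> previous owners, oldest first
        self._rebalance()

    def _rebalance(self):
        # Simple modulo placement (assumption); a real device would use
        # consistent hashing so fewer buckets move. The history logic is the same.
        for b in range(self.num_buckets):
            new = self.servers[b % len(self.servers)]
            old = self.table.get(b)
            if old is not None and old != new:
                self.history[b].append(old)
                self.history[b] = self.history[b][-self.history_depth:]
            self.table[b] = new

    def add_server(self, server):
        self.servers.append(server)
        self._rebalance()

    def remove_server(self, server):
        self.servers.remove(server)
        self._rebalance()

    def route_bucket(self, b, bounced_from=None):
        """Pick a server for bucket b. If the current owner bounced the packet
        (it holds no state for the connection), try the previous owners,
        newest first. Returns None when the history is exhausted."""
        chain = [self.table[b]] + list(reversed(self.history[b]))
        if bounced_from is None:
            return chain[0]
        if bounced_from not in chain:
            return None
        i = chain.index(bounced_from)
        return chain[i + 1] if i + 1 < len(chain) else None

    def forward(self, five_tuple, bounced_from=None):
        return self.route_bucket(bucket_id(five_tuple, self.num_buckets), bounced_from)
```

Two practical points the abstract leaves open: the history must be bounded (history_depth here) so a bounced packet visits at most a fixed number of servers, and the bounced packet should carry a hop count so a server that keeps bouncing cannot make the balancer loop.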
A method and system for inspecting unicast network traffic between end points residing within a same zone. Specifically, the method and system disclosed herein entail the provisioning of unique forward-service and reverse-service virtual network identifiers (VNIs), and corresponding virtual layer-2 (VL2) forward-service and reverse-service broadcast domains, respectively, to communications originating from and destined to intercept hosts.
Methods and systems for modifying network traffic data. The method of modifying network traffic may include receiving a network traffic data unit that includes an identifier, at a proxy port; based on the identifier, performing a proxy port action set to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit towards an egress port.
Methods, computer readable mediums, and systems for securing network traffic data. The method of securing network traffic data may include obtaining a network traffic data unit, that includes: a payload; forwarding information, that includes: a first forwarding portion; and a second forwarding portion that indicates a network tunnel; encryption type information; and encryption location information; analyzing a first segment of the first forwarding portion to obtain a first forwarding location; modifying the network traffic data unit, based on the encryption type information and the encryption location information, to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit to the first forwarding location.
A method and system for propagating network traffic flows between end points based on service and priority policies. Specifically, the method and system disclosed herein entail configuring network elements with network-disseminated traffic management policies. Each traffic management policy guides the handling of a network traffic flow between origination and termination end points (i.e., source and destination hosts), which may be defined through data link layer, network layer, and/or transport layer header information, as well as group assignment information, associated with the source and destination hosts.
The automatic classification of network devices in a network. Specifically, the disclosure entails the designation of network device roles to network devices, as well as the clustering of network devices into logical groups. The association of network devices with network device roles and logical groups may be contingent on the connections between the network devices and a set of network device classification heuristics.
Embodiments of the invention may relate to a method for routing protocol area abstraction. The method may include electing an area leader from among network devices; generating, by the area leader, an area representation node identifier associated with the first area; distributing, by the area leader, the area representation node identifier to area edge devices; receiving, from the area edge devices, second area link state packets (LSPs); generating, by the area leader and using the second area LSPs, an area representation node LSP that includes the area representation node identifier and area neighbor adjacencies; and distributing, by the area leader, the area representation node LSP to a plurality of network devices in a second area of the network. In response to receiving a copy of the area representation node LSP, each of the network devices in the second area may advertise an adjacency to an area representation node.
A method and apparatus of a network element that processes data by a network element with a data processing pipeline is described. In an exemplary embodiment, the network element prepares a new image for the data processing pipeline of the network element, where the data processing pipeline processes network data received by the network element and the new image modifies one or more functionalities of the data processing pipeline. In addition, the network element puts the data processing pipeline into a non-forwarding mode. Furthermore, the network element writes the new image into memory of the data processing pipeline. The network element additionally puts the data processing pipeline into a forwarding mode, where the data processing pipeline processes network data received by the network element using the new image.
A method and system of accelerating monitoring of network traffic. The method may include receiving, at a network chip of a network device, a network traffic data unit; capturing, by the network chip, the network traffic data unit based on a traffic sampling rate; adding, by the network chip, a sampling header to the network traffic data unit to obtain a sampled network traffic data unit; sending the sampled network traffic data unit from the network chip to a sampling engine; receiving, from the sampling engine, a flow datagram that includes a network traffic data unit portion and a flow datagram header; generating a flow network data traffic unit that includes the flow datagram; and transmitting the flow network data traffic unit towards a collector.
A method and apparatus of a device that recovers accessibility for an inaccessible virtual machine hosted by a cloud service provider is described. In an exemplary embodiment, the device receives an indication that a recovery disk has been attached to a virtual machine hosted by a cloud service provider, wherein the virtual machine is inaccessible to a client. In addition, the device executes an agent that recovers the accessibility of the virtual machine for the client.
G06F 9/38 - Concurrent instruction execution, e.g. pipeline, look ahead
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
70.
REMOTE IN-BAND MANAGEMENT OF A NETWORK INTERFACE CONTROLLER
A method and apparatus of a network element that manages a network interface controller on a device coupled to a network element is described. In an exemplary embodiment, the network element detects that the network interface controller is manageable, wherein the network interface controller is coupled to the network element by a link. In addition, the network element transmits a command packet to the network interface controller in-band, where the network interface controller determines a response to the command packet using the resources of the network interface controller and without communicating data between the network interface controller and the device. The network element receives the response from the network interface controller.
A network switch device includes an L1 switch having a first set of external ports and a first set of internal ports. The network switch device further includes an L2+L3 switch having a second set of internal ports, the L2+L3 switch operatively coupled to the L1 switch via the first set of internal ports and the second set of internal ports.
A method includes receiving a single request to configure a continuous route tracer (CRT) between a first plurality of network devices and a second plurality of network devices and configuring, by a processing device of a control server, the CRT between the first plurality of network devices and the second plurality of network devices. The method further includes receiving a plurality of probe reports corresponding to a plurality of CRT probes sent between the first plurality of network devices and the second plurality of network devices and analyzing the reports to detect one or more anomalies corresponding to a network comprising the first plurality of network devices and the second plurality of network devices. The method further includes providing the one or more anomalies for display.
A method for transmitting packets in a network is provided. The method includes determining that a first packet will be encrypted prior to transmitting the first packet to a network device. The first packet includes a first source address for the first packet. The method also includes generating a routing value based on the first source address. The routing value allows the network device to determine which of a plurality of processing cores will be used to process the first packet. The method further includes encrypting the first packet to generate an encrypted first packet. The method further includes encapsulating the encrypted first packet within a second packet. A payload of the second packet comprises the encrypted first packet and a packet header of the second packet includes the routing value. The method further includes transmitting the second packet to the network device.
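The encapsulation described above, as an added example that is not part of the patent abstract or the applicant's code: the routing value is derived from the inner packet's source address before encryption and carried in the clear outer header, so the receiving device can pick a processing core without decrypting anything. The header layout, the 16-bit routing value, the keyed derivation, and the toy SHA-256 counter-mode cipher standing in for a real one (the text names none) are all this example's assumptions.

```python
import hashlib
import hmac
import os
import struct

RV_LEN = 2       # 16-bit routing value at the front of the outer header (assumption)
NONCE_LEN = 12
TAG_LEN = 16


def routing_value(src_addr, rv_key):
    """Derive the routing value from the inner (pre-encryption) source address.
    Keyed with rv_key so an on-path observer cannot brute-force the inner
    address from the outer header; keying is this example's choice."""
    mac = hmac.new(rv_key, src_addr.encode(), hashlib.sha256).digest()
    return struct.unpack(">H", mac[:RV_LEN])[0]


def _keystream(key, nonce, length):
    # Toy SHA-256 counter-mode keystream; a stand-in for a real cipher only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _seal(enc_key, nonce, plaintext):
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def _open(enc_key, nonce, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(enc_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def encapsulate(inner_src, inner_dst, payload, enc_key, rv_key, nonce=None):
    """Encrypt the inner packet and wrap it in an outer packet whose header
    carries the routing value computed from the inner source address."""
    nonce = nonce or os.urandom(NONCE_LEN)
    inner = f"{inner_src}>{inner_dst}|".encode() + payload
    rv = routing_value(inner_src, rv_key)
    return struct.pack(">H", rv) + nonce + _seal(enc_key, nonce, inner)


def select_core(outer_packet, num_cores):
    """Receiver-side steering: read the routing value from the clear outer
    header and choose a core without touching the ciphertext."""
    rv = struct.unpack(">H", outer_packet[:RV_LEN])[0]
    return rv % num_cores


def decapsulate(outer_packet, enc_key):
    """Authenticate and decrypt the inner packet on the selected core."""
    nonce = outer_packet[RV_LEN:RV_LEN + NONCE_LEN]
    inner = _open(enc_key, nonce, outer_packet[RV_LEN + NONCE_LEN:])
    header, payload = inner.split(b"|", 1)
    src, dst = header.decode().split(">")
    return src, dst, payload
```

Because the routing value is a deterministic function of the inner source address, all packets from one source land on the same core, which is what keeps per-flow state local. The same determinism means an unkeyed routing value would let an observer confirm guesses about the encrypted source address from the outer header alone; the keyed derivation above closes that channel.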
A network device is provided. The device includes a housing and a switch card, mounted within the housing and having one or more connectors. A plurality of line cards are oriented parallel to each other and orthogonal to the switch card and assembled to the one or more connectors of the switch card. The switch card has a chip, with a plurality of switches or routing paths, and the switch card and the chip couple to the plurality of line cards through the one or more connectors.
A busbar and connector assembly is provided. The busbar and connector assembly includes a printed circuit board having an attached connector arranged to couple to a first busbar and a second busbar coupled to the connector. The busbar and connector assembly includes the connector arranged to distribute a first portion of current from the first busbar to the printed circuit board and distribute a second portion of the current from the first busbar to the second busbar.
A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the network element receives control plane data with a network element operating system, where at least a functionality of the network element operating system is executing in a container of the network element. In addition, the network element includes a data plane with a plurality of hardware tables and the host operating system. Furthermore, the network element processes the control plane data with the network element operating system. The network element additionally updates at least one of the plurality of hardware tables with the processed control plane data using the network element operating system.
A cluster file replication system with a plurality of controllers is provided. Each controller of the plurality of controllers is configured to access a filesystem having a plurality of files including a system database of a controller having state information of the plurality of controllers. Each controller is further configured to have one or more service agents. The one or more service agents of each controller are configured to respond to one of the plurality of controllers becoming a master controller of the cluster. The one or more service agents of each controller are configured to set up one or more objects that react to the state information and coordinate replication of changes to the files, system database and state information from the master controller to follower controllers in the cluster. The one or more objects on each of the follower controllers are supportive of the follower controllers receiving the changes but disabled from initiating the replication. A method for cluster file replication is also provided.
A method for visualizing a network. The method includes identifying, for each of a set of network elements, a network element role and a network element connectivity, grouping the network elements based on the network element roles, displaying at least a subset of the grouped network elements, and displaying connections between the displayed network elements, based on the network element connectivity.
A method and apparatus of a device that installs a new access control list for a port of a network element is described. In an exemplary embodiment, a network element receives an indication that the first access control list for the port is to be updated with a second access control list, while the port processes data communicated with the port using the first access control list. In addition, the network element configures the port to use a fallback access control list, where the fallback access control list includes a plurality of rules and the port uses the fallback access control list to process data communicated with the port. Furthermore, the network element loads the second access control list for the port. The network element additionally configures the port to use the second access control list, wherein the port uses the second access control list to process data communicated with the port.
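The three-step swap described above (fallback, load, switch), as an added example that is not part of the patent abstract or the applicant's code. The rule format, the implicit deny, and the choice of fallback are this example's assumptions; in particular the fallback here is the intersection of the old and new lists, so the port fails closed during the load rather than briefly permitting anything either list would deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source prefix, e.g. "10.0.0.0/8"
    dport: Optional[int] = None # None matches any destination port

    def matches(self, pkt):
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt["dport"]


@dataclass
class Acl:
    name: str
    rules: Tuple[Rule, ...]

    def evaluate(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"   # implicit deny at the end of every list


class Port:
    def __init__(self, name, acl):
        self.name = name
        self.active = acl
        self.transitions = [acl.name]   # which ACL was active, in order

    def _activate(self, acl):
        self.active = acl
        self.transitions.append(acl.name)

    def process(self, pkt):
        return self.active.evaluate(pkt)

    def install_acl(self, new_acl, fallback, in_flight):
        """Replace the active ACL with no window in which no list applies.
        in_flight simulates packets that arrive while new_acl is being
        loaded; they are evaluated against the fallback list."""
        self._activate(fallback)
        decisions = [self.process(p) for p in in_flight]
        loaded = Acl(new_acl.name, tuple(new_acl.rules))   # stand-in for the hardware load
        self._activate(loaded)
        return decisions


def intersection_fallback(old, new):
    """Fail-closed fallback: only rules present in both lists (assumption)."""
    return Acl("fallback", tuple(r for r in old.rules if r in new.rules))


# Constructed sample lists: the new ACL opens HTTPS from one extra subnet.
OLD = Acl("old", (Rule("permit", "10.0.0.0/8", 22),))
NEW = Acl("new", (Rule("permit", "10.0.0.0/8", 22),
                  Rule("permit", "192.168.1.0/24", 443)))
FALLBACK = intersection_fallback(OLD, NEW)
```

The transitions list is the check a practitioner wants: at every moment some list is active, and the packets that arrive mid-load are decided by the fallback, not by an empty or half-written table.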
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
A method for high-availability operation is provided. The method includes communicating state information from each of a plurality of network elements to at least a first master network controller. The method includes communicating transformed state information from the first master network controller to the plurality of network elements and to each of a plurality of follower network controllers. The method includes continuing the high-availability operation with a new master network controller selected from among the plurality of follower network controllers as a failover, using the transformed state information in the new master network controller and in the plurality of network elements, responsive to a failure of the first master network controller. A network controller system is also provided.
A printed circuit board is provided. The board includes a plurality of vias through the printed circuit board, each having a first section with a first width, a second section with a second width less than the first width, and a third section with a third width greater than the second width and less than the first width. The second section is located between the first section and the third section, the first and second sections are plated, and the third section lacks plating. At least one of the plurality of vias has the first width dimensioned to receive a connector pin inserted through the first face. A further at least one of the plurality of vias has the first width dimensioned to receive a further connector pin inserted through the second face. Further versions of the printed circuit board and method of making a printed circuit board are provided.
A method and apparatus to bring up a network controller in a network of multiple network elements is described. In an exemplary embodiment, the network controller receives an indication that the network controller is booting up. The network controller is coupled to a plurality of network elements in a network, where the network controller maintains a controller database that supports a network-wide service used by the plurality of network elements. The network controller further receives state information from the plurality of network elements. In addition, the network controller builds the controller database from the state information. Furthermore, the network controller sends updates from the controller database to each of the plurality of network elements, where each of the plurality of network elements incorporates these updates into a respective network element database and the network element database is used to perform the network-wide service.
A method and apparatus of a device that measures performance of a plurality of cloud service providers is described. In an exemplary embodiment, the device deploys a plurality of cloud agents to the plurality of cloud service providers. In addition, the device configures a controller to measure the performance of each of the plurality of cloud service providers using each of the plurality of cloud agents. The device further probes each of the plurality of cloud service providers by sending probe data to each of the plurality of cloud service providers. The device additionally receives response data from each of the plurality of cloud agents, wherein the response data is indicative of performance measurements of the plurality of cloud service providers. Furthermore, the device measures the performance for each of the plurality of cloud service providers using the response data.
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
84.
LINK AGGREGATION SPLIT-BRAIN DETECTION AND RECOVERY
Various embodiments are described herein that provide a network system comprising a set of peers within a link aggregation group (LAG), the set of peers including a first network element and a second network element, and a status resolution server to connect to the set of peers within the link aggregation group, wherein one or more peers within the LAG are to query the status resolution server to determine an operational status of a peer in the set of peers in response to detection of an apparent failure of the peer.
A method and apparatus of a network element that includes a line card without retimers between an ASIC and either a network connector or mid-plane connector is described. In an exemplary embodiment, the network element includes a line card coupled to a fabric card. The line card includes a plurality of mid-plane connectors, a plurality of network connectors, and a plurality of application-specific integrated circuits (ASICs). In addition, one of the plurality of mid-plane connectors couples the line card with the fabric card. Furthermore, the plurality of network connectors communicate data with devices coupled to the network element, and each of the plurality of ASICs processes the data. The line card is further configured such that each of the plurality of ASICs is coupled to each of the plurality of mid-plane connectors by a different mid-plane connector-ASIC path without boosting a signal on that path, and each of the plurality of ASICs is further coupled to each of the plurality of network connectors by a different network connector-ASIC path without boosting a signal on that path.
A method and apparatus of a device that updates boot images of a network segment of a network is described. In an exemplary embodiment, the device receives a configuration point for the network segment, where the network segment includes a heterogeneous mix of a plurality of network elements. For each of the plurality of network elements in the network segment, the device identifies a boot image for that network element corresponding to the configuration point and updates the network element. The boot image for a network element includes the software that network element runs and a configuration of this software.
A method and apparatus of a device that performs a hitless update of a boot image of a network element is described. In this embodiment, the device identifies the network element to update and determines if the network element has redundant paths. If the network element has redundant paths, the device configures the network element to drain data processing of the network element. In addition, the device updates the network element to a new boot image when the data processing of the network element is drained.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
88.
METHOD AND SYSTEM FOR WITHDRAWING PROGRAMMED ROUTES IN NETWORK DEVICES
A method for withdrawing programmed routes in network devices. The method includes receiving instructions to withdraw at least one route of a set of programmed routes, where the set of programmed routes is stored in a forwarding information base (FIB), removing the at least one route from a set of routes stored in a routing information base (RIB), notifying at least one peer network device of a set of peer network devices about the at least one route to be withdrawn, initializing a timer with a timeout value and starting the timer, before the timer expires, processing a packet that uses the at least one route to be withdrawn, and after the timer expires, removing the at least one route from the FIB.
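The RIB-first, FIB-later withdrawal sequence above, as an added illustration that is not part of the patent abstract or the applicant's code. It uses a logical clock passed in by the caller instead of wall time, a dictionary per table, and longest-prefix matching over the FIB; the peer notification is recorded rather than sent. All of that is this example's assumption.

```python
from ipaddress import ip_address, ip_network


class Router:
    """RIB/FIB pair where a withdrawn route leaves the RIB at once but stays
    in the FIB until its timer expires, so packets already using the route
    keep being forwarded while peers converge."""

    def __init__(self, peers):
        self.peers = list(peers)
        self.rib = {}             # prefix -> next hop (control-plane view)
        self.fib = {}             # prefix -> next hop (forwarding view)
        self.pending = {}         # prefix -> time at which the FIB entry goes
        self.notifications = []   # (peer, prefix) withdrawals announced

    def install(self, prefix, nexthop):
        self.rib[prefix] = nexthop
        self.fib[prefix] = nexthop
        self.pending.pop(prefix, None)   # re-installed before the timer fired

    def withdraw(self, prefix, now, timeout):
        del self.rib[prefix]
        for peer in self.peers:
            self.notifications.append((peer, prefix))
        self.pending[prefix] = now + timeout

    def expire(self, now):
        """Remove FIB entries whose withdrawal timer has run out."""
        for prefix, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[prefix]
                self.fib.pop(prefix, None)

    def forward(self, dst, now):
        """Longest-prefix lookup in the FIB as of time `now`."""
        self.expire(now)
        addr = ip_address(dst)
        best = None
        for prefix, nexthop in self.fib.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None
```

The timeout is the parameter to get right: it should cover the time peers need to stop sending traffic for the withdrawn prefix, because during the window this device still forwards along a route it has already told its peers is gone.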
A method and apparatus of a device that determines transmit and receive skew times between pairs of lanes of an electrical interface of a network element is described. In an exemplary embodiment, the device receives a plurality of configurations corresponding to a plurality of electrical loopbacks that can each couple the transmit and receive interfaces of the electrical interface via the plurality of lanes in different patterns. For each of the plurality of electrical loopbacks, the device couples that electrical loopback to the transmit and receive interfaces of the electrical interface and measures overall skew times for pairs of the plurality of lanes of the electrical interface. The device then computes the transmit and receive skew times for the transmit and receive interfaces from the overall skew times.
A system and method for calculating latency including a latency calculation device configured to: receive an enqueue notification relating to a packet enqueue operation and including a queue identifier, increment an enqueue counter, and determine that a latency calculation flag is not set. Based on the determination that the latency calculation flag is not set, the latency calculation device is configured to: determine a first time corresponding to the enqueue notification, store the first time, store a latency start count, and set the latency calculation flag. The latency calculation device is also configured to: receive a dequeue notification relating to the corresponding packet dequeue operation and including the queue identifier, increment a dequeue counter, determine that the latency start count and the dequeue counter values match, determine a second time corresponding to the dequeue notification, and calculate the latency as the difference between the first time and the second time.
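The latency abstract is easier to follow as code: the "latency start count" is the enqueue counter value at the moment the flag is armed, and because the queue is FIFO the dequeue whose counter reaches that value is the same packet. The following added example (not the patent's code) implements that per-queue state machine over a constructed event trace; the class and function names and the timestamps are illustrative.

```python
"""Queue latency from enqueue/dequeue counters with one armed sample
(added example, not the patent's code).

Per queue: an enqueue counter, a dequeue counter, a latency-calculation
flag, a start count and a start time. A FIFO queue is assumed, so the
dequeue whose counter equals the start count is the packet that armed the
sample. Timestamps are passed in explicitly.
"""


class QueueLatency:
    def __init__(self):
        self.q = {}         # queue id -> per-queue state
        self.samples = {}   # queue id -> list of measured latencies

    def _state(self, qid):
        return self.q.setdefault(qid, {"enq": 0, "deq": 0, "flag": False,
                                       "start": 0, "t0": 0.0})

    def on_enqueue(self, qid, now):
        s = self._state(qid)
        s["enq"] += 1
        if not s["flag"]:
            # Arm a measurement on this packet: it is the s["enq"]-th packet
            # enqueued, so it leaves when the dequeue counter reaches s["enq"].
            s["t0"] = now
            s["start"] = s["enq"]
            s["flag"] = True

    def on_dequeue(self, qid, now):
        """Return the latency if this dequeue completes the armed sample, else None."""
        s = self._state(qid)
        s["deq"] += 1
        if s["flag"] and s["deq"] == s["start"]:
            latency = now - s["t0"]
            s["flag"] = False   # re-armed by the next enqueue on this queue
            self.samples.setdefault(qid, []).append(latency)
            return latency
        return None


def run_trace(events):
    """Feed (op, queue id, time) events and return measured latencies per queue."""
    m = QueueLatency()
    for op, qid, t in events:
        if op == "enq":
            m.on_enqueue(qid, t)
        else:
            m.on_dequeue(qid, t)
    return m.samples


# Constructed trace: queue 7 holds two packets, drains, then sees one more;
# queue 9 sees a single packet.
SAMPLE_EVENTS = [
    ("enq", 7, 0.0), ("enq", 7, 1.0), ("deq", 7, 3.5), ("deq", 7, 4.0),
    ("enq", 7, 10.0), ("deq", 7, 12.0),
    ("enq", 9, 0.0), ("deq", 9, 0.25),
]
```

Only one packet per queue is measured at a time, so under sustained load this samples latency rather than recording it for every packet; the second packet on queue 7 in the trace (dequeued at 4.0) produces no sample. In hardware the two counters are fixed-width, so the equality test has to hold after wraparound, which it does as long as both counters are the same width and the queue never holds more packets than the counter can count.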
A method for processing IP multicast packets in an MLAG domain. The method includes processing the IP multicast packets using the bridging functionality and the routing functionality implemented by each of the MLAG peers.
In general, embodiments of the invention relate to routing packets between hosts or virtual machines in different layer 2 domains. More specifically, embodiments of the invention relate to using overlay routing mechanisms in an Internet Protocol (IP) fabric to enable hosts or virtual machines in different layer 2 domains to communicate. The overlay routing mechanisms may include direct routing, indirect routing, naked routing, or a combination thereof (e.g., hybrid routing).