A method and system for enforcing network topology. The method includes receiving, at a first port on a first switch, a second role associated with a second switch, where the second switch is connected to the first switch using the first port, and where the first switch is associated with a first role. The method further includes making a first determination, using the first role, the second role, and a network topology policy, that the first switch should not be connected to the second switch. The method further includes sending, in response to the first determination, a first alert to an alert recipient, where the first alert specifies that the first switch is improperly connected to the second switch.
A communication link between an unauthorized AP MLD in a wireless network and a client device is terminated in response to spoofing a communication from the unauthorized AP MLD. The communication is sent from a device different than the unauthorized AP MLD to the client device and includes a source identifier that identifies the unauthorized AP MLD as a source device of the communication. The communication additionally or alternatively may contain or indicate a management or configuration element. The management or configuration element may include a reconfiguration multi-link element that specifies the first wireless communication link as no longer available.
A network device or a system can include a printed circuit board, an integrated circuit mounted on a first side of the printed circuit board, a rigid-flex circuit having a first rigid portion, a second rigid portion, and a flexible portion joined between the first and second rigid portions, and port connectors mounted on the second rigid portion of the rigid-flex circuit. The first rigid portion of the rigid-flex circuit can be disposed on a second side, opposing the first side, of the printed circuit board. The rigid-flex circuit is configured to communicatively couple the integrated circuit to the port connectors. The network device can include alignment structures for positioning the printed circuit board and the rigid-flex circuit within a housing of the device.
H01R 12/58 - Fixed connections for rigid printed circuits or like structures characterised by the terminals; terminals for insertion into holes
H01R 12/62 - Fixed connections for flexible printed circuits, flat or ribbon cables or like structures connecting to rigid printed circuits or like structures
4.
CONFIGURATION MANAGEMENT AND VERSION CONTROL ON A NETWORK DEVICE
Particular example embodiments described herein can provide for a system, an apparatus, and a method for providing synchronization for a network device operating in a network environment. Operations may include managing a configuration for the network device by a source control management (SCM) engine configured to track changes in the configuration using a source control management system (SCM) database. The operations may also include synchronizing the configuration between the SCM database and a system database of the network device such that their stored representations of configuration information associated with the network device are substantially the same. In particular embodiments, the SCM engine comprises a Git™ element that allows for one or more differences to a configuration session to be committed with a corresponding full textual representation.
H04L 41/0813 - Configuration setting characterised by the conditions triggering a change of settings
H04L 41/0859 - Retrieval of network configuration; tracking network configuration history by keeping history of different configuration generations or by rolling back to previous configuration versions
Techniques for implementing dynamic preamble puncturing, or in other words dynamically determining which (if any) subchannels of a wireless channel that a Wi-Fi device is operating on should be punctured based on environmental conditions affecting the channel, are provided. With these techniques, Wi-Fi devices can advantageously operate on wide (e.g., 80, 160, or 320 MHz) wireless channels, even if some portions of those channels are subject to occasional RF interference and/or other availability limitations.
An ingress provider edge (IPE) device of a provider network receives a packet from outside of the provider network. The IPE device determines the packet is to be transmitted to a device on an Ethernet segment on which the IPE device is multihomed. The IPE device transmits the packet on the Ethernet segment even though the designated forwarder for the Ethernet segment is a device other than the IPE device. Furthermore, the IPE device labels the packet with an IPE identifier that identifies the IPE device for the packet, and forwards the labeled packet to other devices on the provider network. An egress provider edge (EPE) device that (a) is multihomed on the same Ethernet segment as the IPE device and (b) is the designated forwarder for the Ethernet segment receives the packet. The EPE device refrains from transmitting the packet on the Ethernet segment.
Functionality in a network device is specified by an application installation file that describes programmable devices used to implement the functionality. Profiles for programmable devices are generated from the application installation file and stored on the network device. A profile database stores profiles associated with functionality specified in previously received application installation files. A profile associated with a selected functionality is selected to implement the selected functionality, including loading one or more bitfiles identified in the selected profile to program the programmable devices associated with the selected functionality.
Techniques for configuring a default FPGA application on a network device with an FPGA-based data plane (i.e., a data plane that is implemented using a FPGA) are provided. In one set of embodiments, the default FPGA application is loaded onto a non-volatile memory or storage component of the network device at the time of device manufacture and is automatically programmed into the FPGA during the device boot process if there is no user configuration specifying a user-selected FPGA application.
A method of operating a network device is provided. The method can include obtaining incoming data packets, conveying the incoming data packets through a parallel data bus, and using a demultiplexer to split the incoming data packets being conveyed through the parallel data bus onto a plurality of separate independent data paths within the network device. The method can further include using a multiplexer to aggregate or merge data packets from the plurality of data paths onto an egress parallel data bus.
A flash definition specifying a flashing sequence for a status indicator of a multi-lane port is stored on a device. In operation, the status indicator is lit, following the flashing sequence, to indicate a current lane state (in a Port/Lane Signaling Mode) or interface/channel state (in an Interface/Channel Signaling Mode). The flashing sequence may begin with a preamble, indicating a start of the flashing sequence. The device may have different multi-lane ports, each having one or more status indicators configured for indicating states of multiple lanes or a state of an interface having a multiple of component lanes. Flashing sequences for these ports are synchronizable (to the port having the largest number of lanes or, in the Interface/Channel Signaling Mode, the largest number of configured interfaces on that port). The lanes of a multi-lane port may operate at the same or different speeds and may be bundled into interfaces/channels.
G06F 11/32 - Monitoring with visual indication of the functioning of the machine
G08B 5/38 - Visible signalling systems, e.g. personal calling systems, remote indication of seats occupied, using electric transmission; visible signalling systems, e.g. personal calling systems, remote indication of seats occupied, using electromagnetic transmission using visible light sources using flashing light
A method of monitoring network traffic flowing in a production fabric includes, in part, receiving a multitude of mirrored packets of the traffic flow at a service node disposed in a monitoring fabric that is distinct from the production fabric. From the received packets, the start of a communication session established between a first client and a second client on the production fabric is determined. A subset of the received packets is then selected for deep packet inspection at the service node to identify metadata associated with the network traffic of the identified session. The metadata may be used to identify the software application that generates the traffic flow. The mirrored packets may include packets sent from the first client to the second client, as well as packets sent from the second client to the first client.
Particular example embodiments described herein can provide for a system, an apparatus, and a method for a trans-inductor voltage regulator to reduce voltage hazards. The system, apparatus, and method can include, for example, a trans-inductor voltage regulator (TLVR) circuit that includes a multi-phase voltage regulator circuit; a plurality of phases of a primary winding connected in series. The plurality of phases includes a first phase and a last phase. The TLVR circuit can further include a ground located between the first phase and the last phase, and a compensation inductor situated such that at least one of the plurality of phases is between the ground and the compensation inductor.
H02M 1/32 - Means for protecting converters other than by automatic disconnection
H02M 5/293 - Conversion of AC power input into AC power output, e.g. for change of voltage, for change of frequency, for change of number of phases without intermediate conversion into DC by static converters using discharge tubes with control electrode or semiconductor devices with control electrode using devices of a triode or transistor type requiring continuous application of a control signal using semiconductor devices only
13.
LIMITING THE NUMBER OF SUBNET HOSTS LEARNED BY A NETWORK DEVICE IN A GIVEN TIME PERIOD
Some disclosed examples involve receiving, by an application-specific integrated circuit (ASIC) of a network device, an indication that a maximum number of learned Internet Protocol (IP) hosts for a subnet has been reached for a given time interval. A “learned IP host” is an IP host for which a corresponding MAC address is known. Some disclosed examples involve receiving, by the ASIC and in a time interval during which the maximum number of learned IP hosts for the subnet has been reached, a packet having a destination IP address for an unlearned host on the subnet for which the corresponding MAC address is not known. Some disclosed examples involve dropping, by the ASIC, the received packet without involving the CPU of the device.
Systems and methods in which a network switch detects a dropped packet and automatically generates a report with information on the dropped packet. Additionally, a visibility packet that includes the dropped packet and one or more additional headers is generated. The headers are used to route the visibility packet to the pipeline of the network switch that originally processed the dropped packet. The headers also include a visibility indicator that causes the pipeline to store visibility data. As the visibility packet is processed by the pipeline, information (visibility data) generated during the processing of the packet is stored in a visibility memory. The visibility data is retrieved from the visibility memory and added to the generated report prior to transmitting the report to an external collector for analysis of the packet drop.
INCLUDING PACKET PROCESSING DATA FOR DEEP PACKET INSPECTION CLASSIFICATION RULES IN A COMBINED LOOKUP TABLE USED FOR PACKET CLASSIFICATION AT A NETWORK DEVICE
Systems and methods for determining whether to perform deep packet inspection (DPI) on packets received at a network device based on shallow packet inspection data are disclosed. Embodiments may include DPI classification data in a combined lookup table that is utilized for shallow packet data based packet classification at a network device. Using the results of lookups in such a combined lookup table based on received packets, determinations can be made whether to perform DPI on such received packets, and those packets are forwarded accordingly.
A method of forwarding a data packet includes, in part, receiving the data packet at an ingress interface, reordering entries of the data packet such that a first forwarding equivalence class (FEC), indexed by a first forwarding lookup table, is caused to point to a virtual private network (VPN) identifier associated with a tunnel through which the data packet is to be forwarded. The reordering of the entries causes a second FEC to point to a multitude of common tunnel header entries. The second FEC is indexed by the first FEC and has a lower level than the first FEC. The data packet with the reordered entries is forwarded through the tunnel. The egress tunnel header rewrite table entries are also reordered in accordance with which the data packet is forwarded.
Techniques for replicating flow state information in a distributed and highly available stateful network service are provided. In some embodiments, these techniques enable each node of a cluster implementing the network service to replicate its flow state information for a network flow to only one other node (acting as a backup), rather than to all other nodes in the cluster. This advantageously reduces the overhead incurred by the cluster for replicating and maintaining such flow state information and allows the network service to scale to large cluster sizes.
Techniques for leveraging Generic Routing Encapsulation (GRE) to carry monitored network traffic (i.e., network packets that are received and matched to a monitoring policy by a network monitoring system/fabric) are provided. In one set of embodiments, these techniques involve encapsulating a monitored packet using GRE by inserting the monitored packet in an unmodified form into a payload portion of a GRE packet and inserting metadata regarding the monitored packet into a header portion of the GRE packet, where the header portion employs a non-standard GRE header format that is designed to accommodate such metadata.
A sandbox execution environment is described. The sandbox environment simulates the execution environment of a live network device. The sandbox environment allows a user to write and test RCF (routing control function) functions without having to configure a device for testing purposes. The sandbox environment accepts global variables to initialize the context for executing the user-provided RCF functions such as path attributes and environmental variables.
A networking device has a control plane that manages a data plane having a forwarding table with entries describing the operation of the data plane. When the control plane applies a modification, such as a software update, the control plane may re-determine table entries for the forwarding table. Rather than automatically pausing processing of the data plane while the table entries are redetermined and applied to the forwarding plane, the control plane copies the forwarding table to a shadow table and uses the shadow table to initially process entries after the control plane is modified. Entries are matched with the shadow table to determine whether the modified control plane actually requires modification to the existing data plane, enabling selective pausing of the data plane.
The present disclosure defines an “unset” data state for attributes used in RCF functions. An attribute is deemed to be unset when it has not been set via an assignment statement in an RCF function or in an execution environment outside of the RCF execution environment. The present disclosure describes mechanisms for processing expressions in an RCF function that include one or more unset attributes in a predictable manner.
A physical link is split between network devices into a first logical link and a second logical link. The first logical link is designated for communicating user data. The second logical link is designated for exchanging key identifiers (key IDs) only. The second logical link is left open and unencrypted and the key IDs are exchanged over the second logical link. Using the key IDs, quantum keys are acquired, by an agent on each respective network device, from a quantum key distribution network or subsystem. The quantum keys thus acquired are then applied to the physical link between the network devices to thereby transition the physical link between the network devices to a quantum-secure environment and open the first logical link for communicating the user data in the quantum-secure environment.
A port may include a connector and an enclosure for the connector. The enclosure may be mounted to a support substrate. The enclosure may include pins that are received within openings in the support substrate. If desired, one or more of the pins may have characteristics that improve retention of the enclosure to the support substrate. If desired, the enclosure may have indents that create a friction fit with the connector. If desired, adhesive may be used to attach the enclosure to the support substrate.
Operations include: identifying a first dataflow associated with a particular communications protocol; evaluating the first dataflow to determine that the first dataflow meets a hardware-based Network Address Translation (NAT) usage criteria; responsive to determining that the first dataflow meets the hardware-based NAT usage criteria, executing a set of hardware-based NAT operations to process a first set of packets corresponding to the first dataflow; identifying a second dataflow associated with the same particular communications protocol; evaluating the second dataflow to determine that the second dataflow does not meet the hardware-based NAT usage criteria; and responsive to determining that the second dataflow does not meet the hardware-based NAT usage criteria, executing a first set of software-based NAT operations to process a second set of packets corresponding to the second dataflow.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
Next generation zero touch provisioning (NexGen ZTP) provides programmatic onboarding features that can benefit those who desire ZTP without requiring them to spend time and money to preprogram network devices with a designated URL for ZTP. Particularly, when a connection request is received from a network device, network device identification information contained in the connection request is used to search for a matching identifier stored in a centralized database. The centralized database stores historical transactions that record sales of network devices. If a matching identifier is found, an owner of the network device can be identified from a corresponding sales record using the matching identifier. Once the owner is identified, a tenant or suborganization of the owner is determined. The network device can then be directed to a configuration file or script corresponding to the tenant or suborganization for ZTP of the network device.
To scale out recording capabilities, recorder nodes and service leaf or Top-of-Rack (TOR) switches are added to a production network and provisioned to a network-wide workload orchestration and workflow automation platform operating in a cloud computing environment or on the premises of an enterprise. Additionally, switches in the production network are configured to, at ingress, capture packets of a traffic flow between workload applications, mirror the captured packets, and add metadata to an encapsulation header of each captured packet. The encapsulation header includes a virtual Internet Protocol (VIP) address of a recorder node cluster as the destination IP Address. The mirrored packets are routed to the VIP address. The service leaf or TOR switches symmetrically hash the mirrored packets and store them on a recorder node in the cluster. Through a centralized dashboard, a user can search, select, view, diagnose, analyze, or manage network components of the production network.
A networking device receives packets that may include a label header specifying a label for processing the packet based on a corresponding entry in a label table. When the label has a corresponding entry in the label table, the packet is processed according to the label entry. When the packet has a label but the label table does not have a corresponding entry, rather than discarding the packet, the networking device converts the packet for forwarding according to a network address specified in the packet. Label headers may be removed from the packet to prevent subsequent devices from incorrectly continuing label-based processing, enabling the packet to “exit” the overall path represented by the labels and be processed as though the packet had not arrived with a label header. When devices may lack intended labels, this permits continued processing of packets according to the network address information.
Systems and methods for generating routing tables and providing these tables to routers in a network for use in routing data to various destination routers. One embodiment comprises an apparatus that includes a centralized controller for a network. The centralized controller is adapted to receive link metrics for a plurality of links between routers in a WAN. For each pair of routers, the centralized controller determines the paths between the router pair, determines suitability metrics for each path, wherein each metric is specific to a corresponding data type, and selects, for each data type, a corresponding subset of the paths between the router pair based at least in part on the suitability metrics for the data type. The centralized controller then transmits, to each of the routers in the WAN, the selected subsets of the paths for the corresponding router.
Systems and methods for using a daughter board to deliver power from the power supply to a chip on a host board, where power is converted to a desired voltage (e.g., from a higher voltage to a lower voltage), provided to a daughter board, processed as needed on the daughter board, and delivered to the host board at locations close to the chip. The power is delivered from the daughter board to the host board through connective electrical components which may comprise decoupling capacitors that are soldered between the boards to provide minimized transient response characteristics as well as structural support between the boards, or coaxial connectors that provide reduced inductance and are secured between the boards by structural posts.
H05K 1/14 - Structural association of two or more printed circuits
H01L 23/40 - Mountings or securing means for detachable cooling or heating arrangements
H01L 25/16 - Assemblies consisting of a plurality of individual semiconductor or other solid-state devices the devices being of types provided for in two or more different subclasses of , , , , or , e.g. forming hybrid circuits
H05K 1/18 - Printed circuits structurally associated with non-printed electric components
H05K 3/36 - Assembling printed circuits with other printed circuits
30.
ASSOCIATING TAGS TO CONFIGURATION ITEMS FOR TAG-BASED CONFIGURATION MANAGEMENT
Systems, methods and products for associating arbitrary configuration tags to configuration items for a service so that items grouped by the tags can be unconfigured or manipulated as a group with minimal touchpoints. In one embodiment, a method is provided for managing the configuration of per-tenant features in a server system. The method includes identifying a configuration feature of the server system to be configured for a specific tenant. A configuration command is received to configure the configuration feature for the specific tenant, wherein the configuration command includes a configuration tag associated with the specific tenant. The configuration command is stored in a configuration of the server system and is applied to the server system. Tag-based commands are provided which are operable to modify a subset of configuration features corresponding to a designated configuration tag.
A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
Systems and methods for communicating data via a multilane data link from a first clock domain to a second clock domain, where the data streams of a multilane link are clocked into FIFO deskew buffers using clock signals that are recovered from the data streams themselves. Each data stream is clocked into the deskew buffer with the clock signal recovered from that data stream. The data is clocked out of the deskew buffers using the clock signal of a target clock domain so that the data streams clocked out of the deskew buffers are synchronized with each other and with the clock signal of the target clock domain (the target clock signal) to eliminate the need for a separate clock domain crossing buffer.
A method for controlled filling of a backdrill cavity in an unused portion of a via to a desired penetration depth of the backdrill cavity can begin with setting a starting gas pressure in the backdrill cavity to a back-filling fixture chamber pressure in a filling pressure chamber. The back-filling fixture chamber pressure is selected based on a desired penetration depth h of a non-conductive filling material within the backdrill cavity, given a fill application pressure to be applied to the backdrill cavity. Then, the non-conductive filling material is applied with the fill application pressure to the backdrill cavity until a final gas pressure in the backdrill cavity equals the fill application pressure and the backdrill cavity has a final gas volume of (π/4)·d²·(H−h), where H represents a backdrill depth and d represents a backdrill diameter of the backdrill cavity.
A Sync message to start off a 1-step synchronization sequence includes a timestamp (T1′) that represents a time when the Sync message entered the packet processing pipeline of a network device to be processed for egress to a slave device. The packet processing pipeline stores a timestamp (Tduration) in the Sync message as part of processing the Sync message. The timestamp Tduration represents the amount of time spent in the packet processing pipeline. The slave device that receives the Sync message computes T1 by summing the timestamps T1′ and Tduration stored in the received Sync message, where T1 represents the time when the Sync message left the network device.
Techniques for enabling a communication device to determine a geographic location, corresponding to its own geographic location, by computing a polygon-shaped geographical region that surrounds the geographic location of the communication device are disclosed. To compute the polygon-shaped geographical region, a processor at the communication device selects a set of location information corresponding to received geographical coordinates of multiple location-enabled devices. The polygon-shaped geographical region is determined such that each of the plurality of location-enabled devices is located along a perimeter of the polygon-shaped geographical region and such that the communication device is located within the polygon-shaped geographical region.
H04W 64/00 - Locating users or terminals for network management purposes, e.g. mobility management
G01S 19/39 - Determining a navigation solution using signals transmitted by a satellite radio beacon positioning system the satellite radio beacon positioning system transmitting time-stamped messages, e.g. GPS [Global Positioning System], GLONASS [Global Orbiting Navigation Satellite System] or GALILEO
H04W 24/02 - Arrangements for optimising operational condition
H04W 52/28 - TPC being performed according to specific parameters using user profile, e.g. mobile speed, priority or network state, e.g. standby, idle or non-transmission
A flow that experiences packet drops is targeted for explicit sampling based on a dropped packet. A sample policy is created that matches on the dropped packet; for example, the match criteria can be based on the 5-tuple of the dropped packet. The sample policy is programmed in the network device that dropped the packet. The sample policy is distributed to and programmed in network devices that are upstream and downstream of the dropping device. Packets in the flow can then be explicitly sampled to capture the flow as it passes through the network. The sample policy can be updated to remove rules directed to flows that had exhibited drops but have not experienced subsequent drops after a user-configurable period of time.
Embodiments of the present disclosure include techniques for optimizing storage of data in row-oriented data storages. A block of data comprises a plurality of rows of data. Each row of data comprises a set of values for a set of attributes. A set of unique schemas is determined based on the plurality of rows of data. A set of groups of rows of data is determined based on the set of unique schemas. For each group of rows of data in the set of groups of rows of data, the group of rows of data is stored in a column-oriented format. For each group of rows of data in the set of groups of rows of data, a set of encoding techniques is applied to values in the group of rows of data based on the sets of attributes of the group of rows of data.
A network entity aggregation system may obtain different information for entities of a network from various sources of network entity information. The network entity aggregation system may generate a list of unified network entities including a corresponding record for each unified network entity. Unified network entity information and/or aggregated network information of the unified network entities may be presented to a user via a web interface and/or provided to applications and/or services.
H04L 41/0853 - Retrieval of network configuration; tracking network configuration history by actively collecting configuration information or by backing up configuration information
39.
CONFIGURING TRANSCEIVERS WITH TUNING EXCEPTIONS AT NETWORK DEVICES
Systems and methods for simply and efficiently configuring transceiver modules are disclosed. These systems and methods may allow the configuration of transceiver modules using values for tuning parameters that are different from standard values for those tuning parameters based on attributes of either a transceiver module or a network device with which that transceiver module is being utilized.
A method for provisioning a network device can include, on a network device in a factory-default state and having a factory-installed Secure Zero Touch Provisioning (SZTP) agent, enabling a wireless communication capability of the network device. Upon detecting the wireless communication capability being enabled, the SZTP agent attempts to establish a connection with an SZTP application on a computing device in close proximity to the network device. Once connected, the SZTP agent requests SZTP bootstrap information from the SZTP application, receives SZTP artifacts, and determines whether the SZTP artifacts contain redirect information to an SZTP bootstrap server. If so, the SZTP agent validates the redirect information and attempts to connect to the SZTP bootstrap server. Once connected, the SZTP agent attempts to retrieve network device provisioning artifacts from the SZTP bootstrap server and provisions the network device using the network device provisioning artifacts retrieved from the SZTP bootstrap server.
A product cushioning device for protecting a shock sensitive product, said product cushioning device comprising wall structure that defines a product receiving area, the product receiving area extending from a product receiving area opening to a product receiving area base, the wall structure comprising a plurality of product contact portions. The product cushioning device includes a tapered cushion disposed about a portion of the product receiving area to absorb impact in tri-axial vector directions. The tapered cushion comprises a tapered inner wall, a cushion outer wall that is curved and tapered and a compressible channel structure connecting between the tapered inner wall and the cushion outer wall.
B65D 81/05 - Containers, packaging elements, or packages, for contents presenting particular transport or storage problems, or adapted to be used for non-packaging purposes after removal of contents; specially adapted to protect contents from mechanical damage; maintaining contents at spaced relation from package walls, or from other contents
42.
LINK DOWN EVENT MANAGEMENT WITH LOGICAL PATH REMAPPING
A networking device uses multipath routing for paths designated as logical paths having associated physical interfaces, such that link down events are processed by remapping related logical paths to other physical links. The networking device includes a forwarding table that is generated according to a multipath algorithm, such as an equal-cost multipath (ECMP) algorithm. The forwarding table specifies different logical paths mapped to physical links, which may include different physical interfaces and related processing information. Packets are processed by selecting a logical path and applying the mapped profile information and/or physical egress interface of the selected logical path. When a link down monitor detects a link down event, a logical path mapped to the now-unavailable physical link is remapped to another physical link, enabling packets to be selected for the affected logical path and successfully processed before re-calculation of the forwarding table to account for the unavailable physical link.
Systems, methods and products for using context-based analyses of information obtained from certificates contained in the TLS handshakes of network communications in order to identify anomalies in the information and detect threats based on the identified anomalies. In one embodiment, a method for detecting threats in network communications includes obtaining static context data associated with the network. A first network communication transmitted via a network is obtained. A certificate is obtained from a TLS handshake of the first network communication and the certificate is parsed to obtain corresponding certificate field values. One or more analyses of the certificate field values are performed against the static context data and, in response to the analyses resulting in detection of a threat, one or more actions are taken based on the analyses.
A UMR auto-discovery mechanism which allows a gateway EVPN router to advertise a UMR route and to suppress redistribution of remote domain MAC-IP routes. In one embodiment, upon joining a local EVPN domain of a network, a network device (an EVPN router) advertises its UMR capability, which may include UMR installer capability or UMR originator capability. The UMR-capable devices in the network are also advertised to the newly added network device. A UMR originator (e.g., gateway) with knowledge of the UMR capabilities of the devices in the network then generates and sends a route list to the devices, where the route list includes a UMR route, or MAC/IP routes, or both, depending upon whether all of the network devices are UMR-capable, none are UMR-capable, or the devices include both UMR-capable and non-UMR-capable devices, respectively.
Transmit power determination in a wireless access point (target AP) includes regularly updating receive signal strength indicators (RSSIs) associated with APs and clients in the neighborhood of the target AP. The transmit power of the target AP is recalibrated (adjusted) with each update. Recalibration continues so long as adjustments to the transmit power continue in the same direction (either increasing or decreasing) with each update. When an adjustment reversal occurs, recalibration terminates. In a variation, a final update on the transmit power, in the reversed direction, can be made prior to terminating the recalibration.
H04W 52/24 - TPC being performed according to specific parameters using SIR [Signal to Interference Ratio] or other wireless path parameters
H04W 52/14 - Separate analysis of uplink or downlink
H04W 52/36 - Transmission power control [TPC] using constraints in the total amount of available transmission power with a discrete range or set of values, e.g. step size, ramping or offsets
46.
Analysis tool for secure zero touch provisioning artifacts
A network device may receive encoded provisioning information from a source of provisioning information, such as a bootstrap server, as part of a provisioning operation. An analysis tool on a client device or on the network device may be configured to obtain the encoded provisioning information, parse the encoded provisioning information to obtain one or more decoded portions of the provisioning information, and output information resulting from the parsing operation, thereby providing insight into device provisioning information often encoded in a complex manner.
A method for handling a unicast reverse-path forwarding (uRPF) violation can include, at a network device residing on a network: receiving an incoming packet from a source Internet Protocol (IP) address, the incoming packet having a destination IP address, the network device comprising an application-specific integrated circuit (ASIC) chip; performing a uRPF check on the incoming packet; and responsive to the incoming packet failing the uRPF check, notifying a network controller external to the network device. The network controller is operable to determine, based on a rule or by searching a routing information base (RIB), whether a flow from the source IP address to the destination IP address is legitimate and, in accordance with a result from the determination, drop the incoming packet or forward the incoming packet to the destination IP address.
Systems and methods for providing interfaces for measured boot data on network devices are disclosed. Embodiments of such a measured boot interface on a network device may include both a command line interface (CLI) and an application programming interface (API) provided through the operating system of the network device. Measured boot data returned in response to a request received via the CLI (e.g., through a command) may be returned in an easily digested human readable format. Similarly, measured boot data returned in response to accesses to the API may be returned in a machine readable format such that verification of the measured boot data can be programmatically accomplished.
Systems and methods for interaction between network aware network devices and endpoints to facilitate multi-path communications in a network are disclosed. According to some embodiments, a network aware network device may provide network data associated with paths between an endpoint device and a destination on the network to the endpoint device such that the endpoint device can utilize this network data in the sending of packets to that destination, including using the network data for the determination of entropy values to include in packets in association with the implementation of a packet spraying network protocol.
Systems and methods for risk assessment of network devices are disclosed herein. In particular, embodiments may determine risk scores for devices within a network that are highly individualized to each network device by leveraging data from a number of data sources. These data sources may include search results or the determination of network device data associated with the vulnerabilities, weaknesses, configuration errors or related conditions affecting each device or device type, ensuring a rich and pertinent set of data for risk score determination.
Client devices in the same device group may use the same group-specific key to perform a key exchange operation with access point(s) to obtain network access. A network access management server may provide centralized management of different device groups each being associated with a different group-specific key during the life cycles of the device groups. An access point may communicate with the network access management server to obtain the group-specific key to assist in authenticating network access of a connecting client device.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
53.
SUPPORTING DIFFERENT SECURITY SCHEMES AFTER POWER CYCLE WITH DIFFERENT BOOT PERSONALITIES FOR NETWORK DEVICES
Devices and methods for managing boot personalities in a network device are disclosed. The method includes, after powering on the network device, a programmable component of the network device outputting a first signal unique to a first boot personality. One or more switches are toggled based on the first signal. The toggling results in connecting at least one of one or more first components in the network device associated with the first boot personality and disconnecting at least one of one or more second components in the network device associated with a second boot personality.
An organization tree comprises nodes which represent different groups within an organization. The nodes are associated with users and devices in the organization. When a user requests an ownership voucher to install a device, the request is validated before an ownership voucher is generated. The validation includes at least verifying that the node the user is associated with is either the same node as the node of the device or is an ancestor node of the device.
The present disclosure is directed to capturing network traffic for analysis. The present disclosure describes techniques to automate setting up a monitoring session for an application. The technique allows a user to set up a monitoring session by specifying the application to be monitored and one or more monitoring destinations (e.g., monitoring tools, monitoring fabric, etc.). The monitoring session can then be autonomously set up by the system without further input from the user.
H04L 43/062 - Generation of reports related to network traffic
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
Techniques for operating a network device for increasing the logical multi-path size of a hardware forwarding table are provided. In some embodiments, the network device may determine that a number of data points in a first node is greater than a maximum node capacity; generate second nodes; update the first node to refer to the second nodes; distribute the data points among the second nodes; and program a hardware table with the updated first node and the second nodes.
For dynamic installation of extensible network operating system (ENOS) extensions, a network device downloads a full software image (SWI) having a signature and a directory containing software packages from an install source. During downloading, the network device modifies the full SWI on the fly: it reads and removes the software packages (SWIX files) from the directory; as each one is read, it determines whether to keep it; and for each “keep” SWIX file, it extracts an ENOS extension and a corresponding signature and stores them on a nonvolatile memory, resulting in a modified SWI with a signature but without the SWIX files. After the download is complete, the signed ENOS extensions stored on the nonvolatile memory are verified to determine valid ENOS extensions for inclusion in an overlay filesystem which becomes a root filesystem for the network device. The signed modified SWI is also verified before booting the network device into the modified SWI.
Particular embodiments described herein provide for a system, an apparatus, and a method to manage precision time protocol (PTP) domains with different domain numbers. The system, apparatus, and method can include activities for receiving an incoming PTP message at a logical PTP interface, which corresponds to one or more PTP ports of the network element; the incoming PTP message includes a first domain number. The activities also include translating the first domain number of the incoming PTP message into a second domain number to be included in a field of an outgoing PTP message, the translating includes identifying an active domain number entry in an active domain numbers database that includes the second domain number and that is part of a configuration, which allows domain number translations for a PTP region that is defined by its PTP domain and that corresponds to the logical PTP interface.
Some disclosed examples involve writing a test pattern of bits to one or more fields of at least one test packet and injecting the at least one test packet into a packet processing system of a network device. Some disclosed examples involve causing the at least one test packet to loop multiple times through ingress and egress portions of the packet processing system, trapping the at least one test packet and determining whether the test pattern of the at least one test packet has been altered.
A network management system may associate devices with informational tags to facilitate network organization and management. The network management system may obtain a tag query and process the obtained tag query to generate corresponding output such as a device tag state that satisfies the tag query. To enable efficient and scalable processing of the tag query, the network management system may standardize the tag query and process the standardized tag query.
Data taps are provided in a production network to mirror traffic flow through the network. Feeds from the data taps are provided to a monitoring fabric comprising a network of service nodes. A service node receives mirrored traffic and identifies packets in the mirrored traffic for further processing, for example to be forwarded to one or more monitoring/security tools. The packets are identified based on the contents of the packets. For example, packets at the beginning of a TCP session and at the end of the TCP session can be identified based on the TCP flags in the packets. The service node can cause these packets to be sent to one or more monitoring/security tools.
A network device may transmit device configuration request messages of different types for network address assignment operations that are pending in parallel. The network device may complete a corresponding message exchange operation to obtain device configuration information based on a response to one of the request messages. If no responses are received for the initial set of device configuration request messages within an allocated time, the network device may, if desired, subsequently send additional device configuration request messages for other network address assignment operations that are also pending in parallel.
Notifications for data written to a shared memory are prioritized so that certain data can be processed ahead of other data. A writer stores all notifications to a main notification queue store, including normal priority notifications and different levels of high priority notifications. A set of priority notification queues store pointers to entries in the main notification queue that contain high priority notifications. The writer stores notifications to the main notification queue of a given high priority level to a corresponding priority notification queue. Readers read notifications and process the data pointed to in the notifications. A reader first reads the priority notification queues to consume high priority notifications followed by consuming normal priority notifications.
The disclosure relates to automating a balanced configuration of traffic monitoring filters to monitor traffic in a production network. A deployment in accordance with the disclosure includes a production network and a monitoring fabric. The production network includes a network controller to configure and provide information about the production network, and likewise the monitoring fabric includes a controller to configure and provide information about the monitoring fabric. A filter agent can create traffic monitoring rules that constitute user-defined traffic monitoring filters, and deploy the rules in a balanced fashion across devices in the production network and in the monitoring fabric using information queried from the production network controller and the monitoring fabric controller. The filter agent can redeploy traffic monitoring rules in response to changes in the operating environment.
Network routes are assessed using a routing policy. The routing policy includes policy directives. A point of application in a policy directive specifies a program statement that can be immediately executed without having to make a function call. Stated differently, the program statement can be immediately executed from the point of application in the policy directive without the program statement having to be incorporated in a function.
A switch system including a plurality of pluggable modules, a plurality of cages housing the plurality of pluggable modules, and a host printed circuit board (PCB). The system is designed to improve airflow around the host PCB to facilitate cooling. The cages may be designed to have airflow openings on a bottom surface thereof (facing towards the host PCB). The pluggable modules may be designed to have a heat sink on an external lower surface (facing towards the host PCB), which may be in the form of external fins. The host PCB may be designed to have cut-outs in a front portion thereof. The cooperation of the airflow openings, heat sinks, and cut-outs create improved airflow for cooling of the host PCB.
Transmitting sampled flows in datagrams to a collector includes adding entropy to the headers of the UDP packets that encapsulate the datagrams. The entropy, for example, can be a timestamp associated with a sampled data packet contained in the datagram. Each UDP packet is transmitted on a data path selected from among a plurality of data paths using at least the UDP header. The entropy in each UDP header serves to spread the transmission of UDP packets across the plurality of data paths.
Systems and methods for reducing processing resources required for configuration updates in a network device by segregating configuration updates into a first set of direct updates and a second set of updates that require CLI commands. The first set of updates are to vendor-neutral configuration objects that are isomorphically mapped to corresponding native configuration objects. The second set of updates are to vendor-neutral configuration objects that are not isomorphically mapped to corresponding native configuration objects. The first set of updates is forwarded to a configuration agent, which applies them to the configuration stored in the system database. CLI commands that are generated for the second set of updates are forwarded to the configuration agent, which parses them and applies corresponding updates to the system database. The system database confirms successful updates to a configuration module which then updates its own vendor-neutral configuration information.
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
69.
PROVIDING ARBITRARILY LONG TIMER FROM SHORTER UNDERLYING HARDWARE COUNTER
Systems and methods for extending an original bit length counter maintained by hardware of a network device to generate an extended length timestamp of a longer bit length are disclosed. The extension of the original bit length counter is based on a rollover counter, where the rollover counter is incremented based on the detection of rollovers of the original bit length counter.
A network device uses a routing policy to assess network routes, such as BGP routes. The routes can be routes advertised by neighbors to be programmed in a routing table of the network device. The network routes can be previously programmed routes (e.g., in a routing table) in the network device to be advertised to its neighbors. The routing policy includes routing control functions (RCF functions) for assessing a network route. An RCF function can be invoked with arguments, which allows the user to deploy some common logic (e.g., matching a community list, modifying a local preference value, etc.) with different sets of input values without having to write separate functions for each set of input values.
The present disclosure describes a network switch design that includes a vertical switch circuit board that is mounted parallel to the front panel of the network switch. The vertical circuit board supports switch chip(s) to process and forward packets and pluggable module connectors to receive pluggable optics modules that provide connections to other network switches. The pluggable module connectors are horizontally oriented to facilitate routing of electrical signal traces. The arrangement of the circuit board, switch chip(s) and pluggable module connectors achieves reduced lengths for the electrical signal traces that connect the switch chip(s) to the pluggable module connectors. The design improves cooling by providing separate airflow regions between the switch chip heatsink(s) and the optics modules.
Methods and systems for determining reload causes for computing devices are disclosed. Embodiments may employ a reload model of a computing device to determine a reload cause for the computing device, where that reload model may specify a hierarchy of the monitoring components of the computing device. Reload indicators may be determined in association with the monitoring components of the network device using this reload model. A reload cause for the computing device can be determined by evaluating these reload indicators.
A network device may be coupled to a removable storage device. The network device may process redirect information stored on the removable storage device to connect to a device configuration server indicated by the redirect information. The network device may complete a device provisioning operation based on configuration information obtained from the device configuration server and report status of the device provisioning operation to the device configuration server.
Embodiments of the present disclosure include techniques for discovering services across networks based on a multicast domain name system (mDNS) protocol. An mDNS request for available services in a network is received from a client device. The client device belongs to a particular layer 2 (L2) domain. In response to receiving the mDNS request, a storage of the network device configured to store service records is queried to determine a set of available services. The set of available services is provided in a L2 domain different from the particular L2 domain. A response that includes the set of available services is generated. The response is sent to the client device.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols; using domain name system [DNS]
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 61/5069 - Address allocation for group communication, multicast communication or broadcast communication
H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
75.
ADAPTIVE ACCESS POINT CONFIGURATION BASED ON AVAILABLE POWER
Methods, systems and devices for controlling an operating configuration of a network device such as a wireless access point include detecting power supplied to the access point. Operating parameters of the access point, neighboring access points, and client devices wirelessly connected to the access point are determined. The access point is placed in a reduced-capability operating configuration in response to detecting the power supplied is less than a power threshold. The reduced-capability operating configuration is based on the determined operating parameters of the access point, neighboring access points, and client devices.
H04W 52/36 - Transmission power control [TPC] using constraints in the total amount of available transmission power with a discrete range or set of values, e.g. step size, ramping or offsets
76.
NETWORK DEVICES WITH HARDWARE ACCELERATED TABLE UPDATES
A network device can include a main processor and a packet processor. A method is provided that includes storing a table of values in the packet processor, using the packet processor to receive from the main processor a value that can be used to update the table of values, and using acceleration hardware in the packet processor to update the table of values based on the value received from the main processor without any additional interaction with the software running on the main processor.
A system and method to identify a security entity in a computing environment is disclosed. Communication between a user computer and at least one destination computer is monitored by a security appliance. Selective information from the communication is extracted. A primary fingerprint is generated using a subset of the selective information. The generated primary fingerprint is evaluated for a match in an application ID database. When there is a match, the corresponding application ID is assigned to the communication, wherein the application ID is associated with an application that generated the communication.
A first network device for a first virtual network identifier (VNI) domain may be coupled to a second network device for a second VNI domain via an interconnect network. When serving as the downstream network device for processing network traffic from the first VNI domain to the second VNI domain, the second network device may perform remote VNI to local VNI translation for the network traffic, thereby facilitating proper network traffic handling even in network configurations in which the first network device is not configured to perform downstream VNI translation. If desired, instead of or in addition to performing VNI translation for its own VNI domain, the second network device may serve as a service device to perform VNI translation for a third VNI domain.
A method of operating a network is provided that includes receiving a query, using a first language model to determine an intent or purpose of the query, using a second language model to extract a named entity from the query, and obtaining search results by searching for the extracted named entity on a named entity list corresponding to a particular tenant. The method can further include generating a response based on the search results. The query can be a natural language query, and the first language model can be a natural language model. The second language model for extracting the named entity can be a network-related language model that is trained on network records associated with a plurality of tenants. The network records associated with the plurality of tenants can be stored on a multi-tenant database.
A device access management server may facilitate secure remote access of a target device by an accessing device. The secure remote access of the target device by the accessing device may be authenticated using a session token. The device access management server may maintain the session token and other session information.
A network management server may provide options via a user interface for configuring a network and a network policy for the network. The network management server may identify values for network attributes based on the user-selected option(s). The network management server may maintain network entity attribute information and use the network entity attribute information to populate the selectable options based on which conditions and/or actions for the network policy are defined.
A method of operating a server is provided that includes providing, with the server, one or more services relating to network access control and management of a network, predicting a network configuration failure associated with the network with a failure prediction model, and generating a network configuration recommendation based on the predicted network configuration failure to avoid the predicted network configuration failure. The failure prediction model can be a machine-learning based network configuration failure prediction model that is trained on past network configuration failure events. Operated in this way, erroneous network configuration issues can be automatically identified and addressed in a timely fashion.
A method of operating a server is provided that includes providing, with the server, one or more services relating to network access control and management of a network, predicting a failure of the server with a failure prediction model, and performing a remedial action to avoid disruption in the one or more services. The server can be a network access control and management server. The failure prediction model can be a machine-learning based server failure prediction model that is trained on past server failure events. Operated in this way, the server can operate with minimal network/server disruption so that service level agreements with various customers are maintained while reducing operational complexity.
A device access management server may facilitate secure access of a target device by an accessing device. The secure remote access of the target device by the accessing device may be facilitated by a public key infrastructure (PKI) certificate issued and/or validated by the device access management server.
A method of operating a network is provided that includes identifying a plurality of client devices connected to the network, categorizing the client devices into respective client groups based on device characteristics of each of the client devices, analyzing traffic patterns among the client groups and assigning the client groups to respective network segments based on the observed traffic patterns, and generating one or more network access policies for at least one of the network segments based on the traffic patterns or baseline behavior associated with a portion of the client devices belonging to the at least one of the network segments.
42 - Scientific, technological and industrial services, research and design
Goods & Services
Software as a service (SAAS) services featuring software for accessing and communicating with SaaS applications and other cloud resources through an alternative, private connection that bypasses the public internet; Software as a service (SAAS) services featuring software for managing network traffic between internet and private path options; Software as a service (SAAS) services featuring software for managing cloud infrastructure through private connections
87.
PRIVATE VIRTUAL LOCAL AREA NETWORK (VLAN) ON PROGRAMMABLE DEVICES
A network device or a system can be used to implement a private virtual local area network (VLAN). Such a network device or system can receive a packet via an ingress port, perform a VLAN mapping lookup to identify a private VLAN domain based on the ingress port and an ingress subdomain associated with a primary VLAN or a secondary VLAN in the private VLAN domain, set a forwarding domain of the packet to the private VLAN domain, store the ingress subdomain and optionally the private VLAN domain as metadata, perform learning and forwarding lookups using the private VLAN domain to identify the ingress port and an egress port for the packet, reset the forwarding domain of the packet back to the ingress subdomain by the end of the forwarding lookup, and perform VLAN filtering based on the ingress subdomain.
Some disclosed examples involve receiving information regarding a forwarding information base (FIB) sequence number, placing the FIB sequence number into a FIB sequence number queue and assigning the FIB sequence number a first state. Some examples involve receiving a route processing request including an indication of a route and a platform sequence number associated with the FIB sequence number, assigning the FIB sequence number a second state and placing the route processing request into a route-associated queue corresponding to the route. Some examples involve receiving a route processing response corresponding to the route and corresponding to one or more route processing requests, including the route processing request, removing the route processing request from the route-associated queue, assigning the FIB sequence number a third state and publishing the FIB sequence number.
A network device provides pseudo load sharing capabilities using low-cost power supplies that do not have active load sharing. Each of the power supplies is connected to a corresponding power rail that delivers power to a corresponding subgroup of the PoE ports of the network device. A switchable link is connected between the power rails and is controlled based on the power outputs of the power supplies. If both power supplies are providing output power at acceptable voltages, a switch component of the switchable link remains open, so that each power supply delivers power to its own separate subgroup of the PoE ports. If the output voltage of one of the power supplies falls below a threshold voltage, the switch component of the switchable link is closed to electrically connect the two power rails, allowing PoE ports of both subgroups to draw power from the remaining power supply.
Systems and methods for handling resource requests in programming of network device tables. A feature agent of a network device enters a resource request for a resource in a resource table, and a resource server returns a response to the request, where the response includes a resource value and a dependency constraint encapsulating validity criteria for utilizing the resource value. When the resource value and dependency constraint are returned, the feature agent writes an entry to a software table, where the software table entry includes the resource and the corresponding dependency constraint. A hardware agent examines the software table entry and determines whether the dependency constraint has been satisfied. When the dependency constraint has been satisfied, the hardware agent writes an entry corresponding to the software table entry in a hardware table. The network device then processes packets according to the hardware table with the new entry.
Requests to create entries in a hardware nexthop table can be delayed so that table entry creation rate can be dampened to reduce the occurrence of table overflow under certain transient conditions. When table utilization exceeds a threshold, received creation requests can be buffered instead of being processed right away. When table utilization falls below the threshold, received creation requests can be processed immediately without being buffered. Buffered creation requests can be periodically drained.
09 - Scientific and electric apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods & Services
Downloadable network management software for use in monitoring, managing, and configuring a group of network devices as one aggregate entity; recorded management software for use in monitoring, managing, and configuring a group of network devices as one aggregate entity; Software as a service (SAAS) services featuring software for use in monitoring, managing, and configuring a group of network devices as one aggregate entity
A method of operating a wireless access point is provided. The method can include connecting with a host and determining whether the host has roamed from the wireless access point to an additional wireless access point. The method can further include activating a tunnel connecting the wireless access point to the additional wireless access point subsequent to determining that the host has roamed from the wireless access point to the additional wireless access point. The method can further include forwarding data packets from the wireless access point to the additional wireless access point via the tunnel. The tunnel can be temporarily created or established based on a configurable timer.
A network device that includes a temperature sensor module is provided. The network device can include a host printed circuit board, one or more processors mounted on a surface of the host printed circuit board, a port protruding from the surface of the host printed circuit board, and a temperature sensor module that is raised over the surface of the host printed circuit board to provide thermal decoupling from the surface of the host printed circuit board. The temperature sensor module can include a sensor printed circuit board, a temperature sensor integrated circuit die disposed on a first side of the sensor printed circuit board, and an exposed conductive pad disposed on a second side of the sensor printed circuit board. The temperature sensor module can include multiple exposed contacts or a plug configured to mate with the protruding port.
Systems and methods for fast movement of IEEE 802.1x supplicants by using a cache local to an authentication agent to store attributes authenticated by the authentication agent for a host device on the original port and by reusing the cached attributes to authenticate the host device on a new port. In the background, the authentication agent starts an authentication process for the host device on the new port. This authentication process does not disrupt the existing authenticated state of the host device. If this authentication succeeds, the host device continues to have access to the network. Otherwise, the host device fails the authentication and is denied network access through the new port.
Packet processing in an EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, where the ESI label is selected based on the ingress port, and the ingress port can be a physical port or a subinterface configured on a physical port.
A virtual hardware component (VHC) can be instantiated by loading an image that implements the VHC into a programmable device such as a field programmable gate array (FPGA) and installing a corresponding inventory list of parameters according to which the VHC operates. One or more managing agents are automatically invoked in response to the instantiated VHC to manage the VHC. The VHC is provisioned in response to instantiation of the VHC.
A system and method for detecting a likely threat from a malicious attack is disclosed. Communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted. One or more weak signals of a threat are detected based on the selective information. The one or more weak signals are evaluated for a likely threat based on a threshold value. A corrective action is initiated for the likely threat, based on the evaluation.
An EVPN device may convey broadcast, unknown unicast, or multicast (BUM) traffic to one or more peer EVPN devices. Leaf-sourced BUM traffic may be dropped. After the network configuration for (known) unicast traffic has resolved, unicast versions of the BUM traffic may be appropriately forwarded to provide EVPN E-Tree service.