US Pat. No. 9,471,402

SYSTEMS AND METHODS FOR FACILITATING DEPENDENCY-ORDERED DELIVERY OF DATA SETS TO APPLICATIONS WITHIN DISTRIBUTED SYSTEMS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at a queue of an application running on a node within a distributed system, a data set from at least one other
application running on another node within the distributed system via an Optimal Flooding Protocol (OFP);

obtaining metadata of the data set that is:
described in a domain-specific language; and
hoisted outside of the data set;
determining, based at least in part on the metadata of the data set, that the data set received from the other application
running on the other node has a dependency on at least one other data set that has yet to arrive at the queue of the application,
wherein the dependency requires a most up-to-date version of the other data set;

gating, due at least in part to the dependency, the data set at the queue of the application running on the node at least
until the most up-to-date version of the other data set arrives at the queue of the application running on the node;

receiving, at the queue of the application running on the node, the other data set from the other application running on the
other node within the distributed system;

determining that the dependency has been satisfied based at least in part on receiving the other data set at the queue of
the application running on the node; and

in response to determining that the dependency has been satisfied, delivering the data set and the other data set to the application
running on the node to enable the application to process the data set and the other data set in accordance with the dependency.

US Pat. No. 9,473,372

CONNECTIVITY PROTOCOL DELEGATION

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a network device situated on a bidirectional forwarding path connecting a server and a client of the server,
a delegation request from the server, the delegation request specifying parameters for a connectivity protocol session for
monitoring connectivity for an application-layer communication session between an application executing on the server and
an application executing on the client, the parameters including a unique identifier for the application executing on the
server;

sending, by the network device to the client in response to the receiving the delegation request and in accordance with the
parameters for the connectivity protocol session, application-layer data that includes connectivity protocol messages for
the connectivity protocol session with the client to determine a connectivity status for the application-layer communication
session, wherein each of the connectivity protocol messages specifies the unique identifier; and

sending, by the network device, a summary report message that includes the connectivity status for the application-layer communication
session to the server.

US Pat. No. 9,483,340

ESTIMATING BIT ERROR RATE

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
obtain a first bit error count that identifies a quantity of bit errors that occur in an interval of a bit stream;
determine that the first bit error count indicates that an error burst has occurred,
the first bit error count indicating that an error burst has occurred when the first bit error count identifies a plurality
of bit errors;

determine an estimated bit error rate (BER) for the bit stream based on one or more burst check bit error counts,
the one or more burst check bit error counts being obtained after the first bit error count is obtained and before an amount
of time associated with the interval has elapsed, and

the one or more burst check bit error counts being obtained based on the first bit error count indicating that the error burst
has occurred, and

the one or more burst check bit error counts identifying a quantity of bit errors that occur in a burst check interval after
the first bit error count is obtained; and

selectively perform an action based on whether the estimated BER satisfies a threshold.

US Pat. No. 9,480,097

AUTOMATIC ENABLING OR DISABLING OF AUTO-NEGOTIATION BETWEEN NETWORK DEVICES

Juniper Networks, Inc., ...

1. A first network device, comprising:
one or more processors to:
determine a first auto-negotiation capability associated with the first network device,
the first auto-negotiation capability indicating whether the first network device is configured to establish a communication
link with a second network device using auto-negotiation of one or more transmission capabilities;

determine a second auto-negotiation capability associated with the second network device,
the second auto-negotiation capability indicating whether the second network device is configured to establish the communication
link with the first network device using auto-negotiation of the one or more transmission capabilities;

initiate an auto-negotiation timer for an auto-negotiation process between the first network device and the second network
device;

determine that the auto-negotiation timer has expired;
determine, based on determining that the auto-negotiation timer has expired, that the auto-negotiation process failed to establish
the communication link between the first network device and the second network device; and

selectively enable or disable auto-negotiation on the first network device based on determining that the auto-negotiation
process failed, and further based on the first auto-negotiation capability and the second auto-negotiation capability.

US Pat. No. 9,479,457

HIGH-PERFORMANCE, SCALABLE AND DROP-FREE DATA CENTER SWITCH FABRIC

Juniper Networks, Inc., ...

1. A network system comprising:
a switch fabric comprising a plurality of switches interconnected to form a physical network, wherein the switches provide
connectionless packet-based switching for packets through the switch fabric;

a plurality of servers interconnected by the switch fabric, wherein each of the servers comprises an operating environment
executing one or more virtual machines in communication via one or more virtual networks, and

a plurality of host network accelerators, each of the host network accelerators comprising a hardware-based virtual router
configured to extend the one or more virtual networks to the operating environments of the virtual machines,

wherein each of the host network accelerators comprises a respective flow control unit that exchanges flow control information
with other ones of the flow control units of the host network accelerators, and

wherein the flow control information exchanged between each pair of first and second host network accelerators specifies:
an amount of packet data pending for transmission by the first host network accelerator to the second host network accelerator,
a maximum rate at which the second host network accelerator is permitted to send packets to the first host network accelerator,
and

a timestamp specifying a time at which the first one of the host network accelerators sent flow control information.

US Pat. No. 9,154,371

METHODS AND APPARATUS FOR EFFICIENT USE OF LINK AGGREGATION GROUPS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first edge device configured to be included in a plurality of edge devices and configured to be operatively coupled to the
remaining edge devices from the plurality of edge devices via a network interconnect, the first edge device configured to
receive a data unit associated with a multicast group and to be sent to a peripheral processing device from a plurality of
peripheral processing devices, the peripheral processing device being operatively coupled to the network interconnect via
a link aggregation group (LAG) associated with a set of ports on a second edge device from the plurality of edge devices and
a set of ports on a third edge device from the plurality of edge devices,

the first edge device configured to select, in response to receiving the data unit, an edge device set (1) including the third
edge device, (2) not including the second edge device, and (3) from a plurality of edge device sets associated with the multicast
group, each edge device set from the plurality of edge device sets collectively being directly coupled to each peripheral
processing device from the plurality of peripheral processing devices, each edge device set from the plurality of edge device
sets being different than the remaining edge device sets from the plurality of edge device sets,

the first edge device configured to send an instance of the data unit to each edge device associated with the edge device
set such that the third edge device sends an instance of the data unit to the peripheral processing device via a port from
the set of ports on the third edge device based on a selection method that omits the ports from the set of ports on the second
edge device as potential selections.

US Pat. No. 9,350,661

AGGREGATION NETWORK WITH CENTRALIZED CONTROL

Juniper Networks, Inc., ...

1. A centralized controller in communication with a plurality of aggregation nodes, edge routers, and access nodes of a network,
wherein the centralized controller comprises:
a topology module that executes a software defined networking (SDN) protocol to receive topology information from the edge
routers, wherein the topology module receives a plurality of messages flooded by one or more of the access nodes and the aggregation
nodes, wherein each respective message of the plurality of messages specifies a respective list of interfaces for the access
nodes and the aggregation nodes traversed by the respective message,

wherein the centralized controller establishes a respective control channel with each of the aggregation nodes based on the
lists of interfaces specified by the messages flooded by the aggregation nodes; and

a path computation module (PCM) that computes forwarding information for one or more transport data channels in accordance
with the topology information, wherein the transport data channels are for transporting network packets between the access
nodes and the edge routers via the aggregation nodes,

wherein the centralized controller outputs one or more messages to the aggregation nodes via the respective control channels
to communicate and install within each of the aggregation nodes the forwarding information for configuring forwarding planes
of the aggregation nodes to forward the network packets on the one or more transport data channels.

US Pat. No. 9,485,118

PENALTY-BOX POLICERS FOR NETWORK DEVICE CONTROL PLANE PROTECTION

Juniper Networks, Inc., ...

1. A method comprising:
executing, with a control unit that provides a control plane of a network device, protocols each associated with one or more
protocol groups, wherein each protocol group of the one or more protocol groups is associated with a goal weight that defines
a share of host-bound path resources available to the protocol group for a host-bound path from a forwarding unit of the network
device to the control unit, and wherein at least one protocol of the protocols comprises a routing protocol;

receiving, with the forwarding unit of the network device, a plurality of packet flows that each comprises host-bound traffic
destined for the control unit, wherein the forwarding unit comprises a forwarding unit processor and a forwarding component
that processes the packet flows and forwards the packet flows to the control unit via the host-bound path of the network device,

wherein a first packet flow of the packet flows is associated with a first protocol group of the protocol groups associated
with a first goal weight;

with the forwarding unit processor and in response to detecting congestion of the host-bound path from the forwarding component
to the control unit that is caused by forwarding the packet flows, determining that host-bound traffic for the first protocol
group exceeds the first goal weight;

with the forwarding unit processor and in response to the determining, selecting the first packet flow of the packet flows
to constrain based at least on the association of the first packet flow with the first protocol group and configuring a policer
of the forwarding component with one or more identifying features for the first packet flow to constrain a rate at which the
forwarding component forwards the first packet flow to the control unit.

US Pat. No. 9,166,929

PERFORMING SCALABLE L2 WHOLESALE SERVICES IN COMPUTER NETWORKS USING CUSTOMER VLAN-BASED FORWARDING AND FILTERING

Juniper Networks, Inc., ...

1. A method comprising:
by a network switch, storing data defining a reduced layer two (L2) learning table associated with a core-facing interface
that couples the network switch to a service provider core network, wherein the L2 learning table includes a plurality of
entries, each entry from the plurality of entries having a first portion associated with a service virtual local area network
(SVLAN) within the service provider core network and a second portion associated with a plurality of customer virtual local
area networks (CVLANs) associated with the SVLAN, the second portion indicating whether each of the plurality of CVLANs in
combination with the SVLAN is learned and authenticated at the core-facing interface;

receiving, by the network switch, a packet data unit (PDU) specifying an SVLAN and a CVLAN;
determining, by the network switch and without using an L2 address of the PDU, whether the reduced L2 learning table indicates
a combination of the SVLAN and CVLAN specified by the PDU is learned and authenticated at the core-facing interface;

by the network switch and in response to determining the reduced L2 learning table indicates a combination of the SVLAN and
CVLAN specified by the PDU is learned and authenticated at the core-facing interface, switching the PDU; and

by the network switch and in response to determining the reduced L2 learning table does not indicate a combination of the
SVLAN and CVLAN specified by the PDU is learned and authenticated at the core-facing interface, filtering the PDU.

US Pat. No. 9,408,331

CONNECTIVITY SCHEME AND COOLING SCHEME FOR A LARGE RACK SYSTEM

Juniper Networks, Inc., ...

1. A network device comprising:
a first plurality of cards;
a second plurality of cards;
a fabric card,
the fabric card including a baffle that separates air flow across the fabric card into a first air flow and a second air flow,
the baffle directing:
the first air flow across an upper portion of the fabric card and toward the first plurality of cards, and
the second air flow across a lower portion of the fabric card and toward the second plurality of cards; and
two or more of:
a first backplane that connects the first plurality of cards to the fabric card,
a second backplane that connects the fabric card to the second plurality of cards,
a third backplane that connects the second plurality of cards to another fabric card of the network device, or
a fourth backplane that connects the other fabric card to a third plurality of cards of the network device.

US Pat. No. 9,407,545

TUNNELING FROM A PROVIDER EDGE ROUTING DEVICE TO A REMOTE CUSTOMER EDGE NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a provider edge routing device, a packet of a virtual private network, the provider edge routing device comprising
a default forwarding table for a core network;

determining whether the packet was received from a logical interface, wherein the logical interface is a default logical interface
for a routing instance of the provider edge routing device and is not associated with a physical output interface of the provider
edge routing device;

in response to determining that the packet was received from the logical interface:
selecting one of a plurality of virtual routing and forwarding (VRF) tables in which to perform an output interface lookup
for the packet that corresponds to the logical interface from which the packet was received, wherein each of the VRF tables
is associated with a respective customer-facing physical interface of the provider edge routing device;

determining an output interface of the provider edge routing device from the one of the plurality of VRF tables based on a
destination of the packet, wherein the output interface comprises a core-facing physical output interface; and

in response to determining that the packet was not received from the logical interface, determining the output interface from
the default forwarding table based on the destination of the packet; and

forwarding the packet via the determined output interface.

US Pat. No. 9,100,289

CREATING SEARCHABLE AND GLOBAL DATABASE OF USER VISIBLE PROCESS TRACES

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a controller device for a virtual network, a set of two or more related processes executed by respective devices
in the virtual network, including a first process executed by a first device of a plurality of devices that form a physical
network and a second, different process executed by a second, different device of the plurality of devices, wherein the virtual
network comprises an overlay network formed over the physical network and between virtual switches executed by the plurality
of devices including a first virtual switch executed by the first device and a second virtual switch executed by the second
device, and wherein determining the set of two or more related processes comprises forming the set to include processes that
perform similar operations on different instances of respective data;

receiving, by the controller device, data for the set of two or more related processes from the respective devices; and
aggregating, by the controller device, the data for the set of two or more related processes to form aggregated data for the
set of two or more related processes.

US Pat. No. 9,451,655

METHODS AND APPARATUS FOR A WIRELESS ACCESS POINT CONVERTER

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first port having at least a portion disposed within a housing, the first port configured to be operably coupled to a cable
having a first communication medium, the first port configured to receive via the cable a first data unit having a first communication
format associated with the first communication medium;

a processor including a format conversion module having at least a portion disposed within the housing, the format conversion
module operably coupled to the first port, the format conversion module including a plurality of conversion sub-modules, each
conversion sub-module from the plurality of conversion sub-modules configured to convert data of a communication format that
is different from a communication format of each remaining sub-modules from the plurality of conversion sub-modules, the format
conversion module configured to receive the first data unit from the first port, the format conversion module configured to
convert the first data unit from the first communication format to a second communication format associated with a second
communication medium, using a conversion sub-module from the plurality of conversion sub-modules that is associated with the
first communication format, to produce a second data unit, the first communication format being a communication format incompatible
with Power-over-Ethernet (PoE), and the second format being a PoE-compatible format; and

a second port having at least a portion disposed within the housing, the second port operably coupled to the format conversion
module, the second port configured to be operably coupled to a wireless access point (WAP) physically distinct from the housing,
the second port configured to receive the second data unit from the format conversion module and send the second data unit
to the WAP.

US Pat. No. 9,407,716

IDENTIFYING CONTENT FILES IN A CACHE USING A RESPONSE-BASED CACHE INDEX

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first device, a content request from a second device,
the content request including a dynamic network address and a request for a content file corresponding to the dynamic network
address,

the first device having stored a single instance of the content file prior to receiving the content request;
determining, by the first device, that the dynamic network address is not included in a first index that stores a plurality
of different dynamic network addresses;

determining, by the first device, one or more response values, associated with the content file, based on determining that
the dynamic network address is not included in the first index and without retrieving the content file from a third device
storing the content file,

at least one of the one or more response values including a last modified timestamp;
determining, by the first device, that the one or more response values are included in a second index when the one or more
response values match one or more response values included in the second index,

the second index identifying that the content file is stored in the first device;
generating, by the first device, an association between the dynamic network address and the second index to map the dynamic
network address to the second index and to the content file based on determining that the one or more response values are
included in the second index,

the content file being associated, in the second index, with one or more other dynamic network addresses that are different
than the dynamic network address; and

providing, by the first device, the content file to the second device.

US Pat. No. 9,369,380

HANDLING ENTROPY LABELS WHEN STITCHING LABEL-SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a routing device of a label switched path (LSP) for a packet, encapsulated by a label stack including an entropy
label, whether a downstream routing device of the LSP supports entropy labels, wherein the downstream routing device is a
routing device other than an egress routing device of the LSP;

when the downstream routing device does not support entropy labels:
removing the entropy label from the label stack of the packet; and
forwarding the packet, from which the entropy label has been removed, along LSP; and

when the downstream routing device supports entropy labels, forwarding the packet, including the entropy label, along the LSP.

US Pat. No. 9,253,927

REMOVABLE FAN TRAY

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a fan tray having a body, a handle and a latch,
the latch being a leafspring,
an end portion of the handle rotatably coupled to the body, a first portion of the latch fixedly coupled to the handle,
a recess defined, at least in part, by the body, at least a portion of the recess located on an axis of rotation of the handle,
a second portion of the latch configured to be selectively disposed within the recess, and

the handle having a range of motion between a first position when the second end portion of the latch is disposed out of the
recess and a second position when the second portion of the latch is disposed within the recess.

US Pat. No. 9,276,405

SHARING REDUNDANT POWER SUPPLY MODULES AMONG PHYSICAL SYSTEMS

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a first device, whether:
a first power supply, included in a second device, is operational, and
a second power supply, included in a third device, is operational,
the second device and the third device being external to the first device;
selectively receiving, by the first device, power from the second device or power from the third device,
power being received from the second device when the first power supply is operational, and
power being received from the third device when the second power supply is operational; and
selectively providing, by the first device, power to the second device when the second power supply is not operational or
power to the third device when the second power supply is not operational,

the power, provided to the second device, including the power received from the third device,
the power, provided to the third device, including the power received from the second device.

US Pat. No. 9,413,847

DYNAMICALLY GENERATING APPLICATION-LAYER TRAFFIC OPTIMIZATION PROTOCOL MAPS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by an application-layer traffic optimization (ALTO) server, a first layer 3 topology information advertisement
that specifies a first one or more endpoints and includes a first Border Gateway Protocol (BGP) communities path attribute
that specifies an attribute value for the first endpoints, wherein the first layer 3 topology information advertisement further
includes a first next hop attribute that specifies a next hop for the first endpoints;

receiving, by the ALTO server, a second layer 3 topology information advertisement that specifies a second one or more endpoints
and includes a second BGP communities path attribute that specifies an attribute value for the second endpoints, wherein the
second layer 3 topology information advertisement further includes a second next hop attribute that specifies a next hop for
the second endpoints,

wherein the attribute value for the first endpoints and the attribute value for the second endpoints are different, and
wherein the next hop for the first endpoints and the next hop for the second endpoints are the same;
aggregating, by the ALTO server, the first endpoints into a first provider-defined identifier (PID) of a plurality of PIDs
based at least on a combination of the attribute value for the first endpoints and the next hop for the first endpoints, the
attribute value for the first endpoints and the attribute value for the second endpoints each comprising one of a BGP community
attribute value, a BGP extended community attribute value, and a combination of a BGP community attribute value and a BGP
extended community attribute value;

aggregating, by the ALTO server, the second endpoints into a second PID of the plurality of PIDs based at least on the attribute
value for the second endpoints and the next hop for the second endpoints, the first PID different from the second PID; and

generating, by the ALTO server, an ALTO network map for an ALTO service based at least on the first PID and the second PID
and providing the ALTO service to a client device in accordance with the ALTO network map.

US Pat. No. 9,104,345

RATE CONTROLLED FIRST IN FIRST OUT (FIFO) QUEUES FOR CLOCK DOMAIN CROSSING

Juniper Networks, Inc., ...

1. A system comprising:
a memory; and
one or more processors to:
detect a read operation of an asynchronous first in, first out (FIFO) queue;
increment a credit counter based on the read operation;
determine that a count value of the credit counter satisfies a threshold value;
generate a write pulse signal to perform a write operation to the asynchronous FIFO queue based on the count value satisfying
the threshold value;

smooth the write pulse signal to reduce a minimum separation between write pulses in the write pulse signal; and
issue the write pulse signal after smoothing the write pulse signal.

US Pat. No. 9,253,034

MASS ACTIVATION OF NETWORK DEVICES

Juniper Networks, Inc., ...

1. A method comprising:
generating, with a management device, a bulk configlet executable by a plurality of network devices to be managed by the management
device, wherein the bulk configlet specifies a bulk identifier associated with the plurality of network devices, wherein the
bulk identifier is associated with information on the management device indicating that specific configuration information
is to be sent to the plurality of network devices in response to receiving network session requests from the plurality of
network devices specifying the bulk identifier as an identifier for the plurality of network devices, and wherein the bulk
configlet is configured to cause, during execution, each of the plurality of network devices to initialize a respective network
stack and connect to the management device over a network using the network stack;

receiving, with the management device, a network session request from one of the plurality of network devices via the network,
wherein the network session request specifies the bulk identifier as an identifier for the one of the plurality of network
devices; and

based on the network session request specifying the bulk identifier, sending, with the management device, specific configuration
data, to replace the bulk configlet, to the one of the plurality of network devices in response to receiving the network session
request that specifies the bulk identifier, wherein the specific configuration data includes a specific identifier to replace
the bulk identifier, and wherein the specific configuration data is configured to cause, during execution, the one of the
plurality of network devices to reconnect to the management device using the specific identifier and to become fully enabled.

US Pat. No. 9,112,919

SECURE NETWORK ADDRESS TRANSLATION (NAT) PORT BLOCK ALLOCATION

Juniper Networks, Inc., ...

1. A method, comprising:
receiving, by a first node device and from a second node device, a request to establish a session;
performing, by the first node device and in response to the request, a network address translation (NAT) operation to establish
the session, the NAT operation causing:

a first port block to be allocated to the session,
the first port block including a first set of ports via which traffic, associated with the session, is transported;
determining, by the first node device, that the first set of ports are no longer available for the session;
determining, by the first node device, whether a quantity of times that the first port block has been allocated to the session
is greater than a threshold; and

retaining, by the first node and for the session, the first port block when the quantity of times that the first port block
has been allocated to the session is not greater than the threshold.

US Pat. No. 9,461,980

PREDICTIVE PREFETCHING OF ATTRIBUTE INFORMATION

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a network access control (NAC) device and from a client device, a request for access to a network, wherein the
request includes a device identifier for the client device;

predicting, by the NAC device and based on the device identifier and a device usage history of the client device, a user assumed
to be making the request;

prior to completing a user authentication process, requesting, by the NAC device and from a directory server, session attributes
for the predicted user;

receiving, by the NAC device and from an authentication server, an indication of whether a user associated with the client
device was successfully authenticated;

determining, by the NAC device and based on an identifier of the user, whether the predicted user is the user associated with
the client device; and

responsive to determining that the predicted user is the user associated with the client device, establishing, by the NAC
and using the session attributes for the predicted user, a session between the client device and the network.

US Pat. No. 9,407,726

CACHING OBJECTS IDENTIFIED BY DYNAMIC RESOURCE IDENTIFIERS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first server and from a client device, an indication for a request for a content file via a network address;
identifying, by the first server, information, provided by a second server, that identifies a format of a dynamic network
address;

determining, by the first server, that the network address is the dynamic network address based on the information that identifies
the format of the dynamic network address;

determining, by the first server, a request value based on determining that the network address is the dynamic network address;
establishing, by the first server, a communication session with the second server based on receiving the indication for the
request for the content file,

the second server storing the content file;
receiving, by the first server and at a particular time, a portion of the content file from the second server based on establishing
the communication session with the second server;

determining, by the first server, an index parameter based on receiving the portion of the content file,
the index parameter identifying the content file;
determining, by the first server and after receiving the portion of the content file from the second server, that the content
file was stored by the first server at a previous time based on a cache index, the index parameter, and the request value,

the previous time being before the particular time, and
the content file including:
the portion of the content file, and
a remaining portion of the content file;
terminating, by the first server, the communication session with the second server based on determining that the content file
was stored by the first server at the previous time; and

providing, by the first server, the content file to the client device based on determining that the content file was stored
by the first server at the previous time.

US Pat. No. 9,356,857

DOUBLE EXPERIMENTAL (EXP) QUALITY OF SERVICE (QOS) MARKINGS FOR MPLS PACKETS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at a core router of a Multiprotocol Label Switching (MPLS) network, a MPLS packet that includes a first label with
a first experimental (EXP) field and a second label with a second EXP field;

identifying a quality of service (QoS) profile for the MPLS packet based on a combination of the first EXP field and the second
EXP field;

selecting a next hop router for the MPLS packet from a forwarding table based at least on the identified QoS profile; and
forwarding the MPLS packet to the next hop router in the MPLS network in accordance with the identified QoS profile.

US Pat. No. 9,223,997

DETECTING AND BREAKING CAPTCHA AUTOMATION SCRIPTS AND PREVENTING IMAGE SCRAPING

Juniper Networks, Inc., ...

1. A security device, comprising:
one or more processors, at least partially implemented in hardware, to:
receive a request from a client device and intended for a server device;
identify the request as being associated with a malicious activity,
the malicious activity including one or more undesirable tasks directed to the server device;
generate a challenge-response test based on identifying the request as being associated with the malicious activity,
the challenge-response test being generated using one or more construction techniques, and
the challenge-response test including information associated with a character that an optical character recognition (OCR)
program is not capable of recognizing;

provide the challenge-response test to the client device;
receive, from the client device, a proposed solution to the challenge-response test;
identify the proposed solution, provided by the client device, as being generated using the OCR program; and
protect the server device from the client device based on identifying the solution as being generated using the OCR program.

US Pat. No. 9,071,514

APPLICATION-SPECIFIC CONNECTIVITY LOSS DETECTION FOR MULTICAST VIRTUAL PRIVATE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
by an egress network device of a point-to-point (P2P) tunnel, receiving a connectivity detection protocol message via the
P2P tunnel from an ingress network device of the P2P tunnel, wherein the connectivity detection protocol message specifies
a label associated with one of a plurality of services provided to the egress network device via the P2P tunnel, wherein the
P2P tunnel serves as a transport tunnel for the plurality of services;

by the egress network device, detecting based on a fault detection network protocol session over the P2P tunnel between the
ingress network device to the egress network device that a state of the P2P tunnel is down; and

in response to the detecting and by the egress network device, determining that the one of the plurality of services is unavailable
from the ingress network device via the P2P tunnel based on the label associated with the one of the plurality of services,
and selecting a new source to provide the one of the plurality of services.

US Pat. No. 9,426,085

METHODS AND APPARATUS FOR MULTI-PATH FLOW CONTROL WITHIN A MULTI-STAGE SWITCH FABRIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first switch associated with a stage of a switch fabric, the first switch configured to receive a first data unit having
a destination address of a destination device from a source device, the first switch configured to store the first data unit
in a queue,

the first switch configured to define a message when an available capacity of the queue falls below a predetermined capacity
threshold,

the first switch configured to include a congestion root indicator in the message, the congestion root indicator indicating
that the first switch is a congestion root, when the available capacity of the queue is decreasing and the first switch is
sending data units substantially at a maximum rate,

the first switch configured to include a congestion victim indicator in the message, the congestion victim indicator indicating
that the first switch is a victim of congestion, when the available capacity of the queue is decreasing and the first switch
is sending data units at a rate below the maximum rate,

the first switch configured to send the message to the source device such that (1) the source device sends a second data packet
having the destination address of the destination device to a second switch associated with the stage of the switch fabric
and not to the first switch when the message includes the congestion root indicator, and (2) the source device reduces a data
rate at which data packets of a data flow associated with the destination address are sent from the source device when the
message includes the congestion victim indicator.

US Pat. No. 9,413,764

FUZZING SERVER RESPONSES TO MALICIOUS CLIENT DEVICES

Juniper Networks, Inc., ...

1. A security device, comprising:
one or more processors to:
receive a request, from a client device and intended for a server device, to provide a resource,
the resource being associated with information stored by the server device;
the client device executing a malicious script that performs one or more undesirable tasks directed to the server device,
the request being transmitted by the client device based on the client device executing the malicious script;
identify the request as being associated with the malicious script based on one or more of:
one or more other requests received from the client device,
a quantity of requests, received from the client device, within a particular amount of time, or
a score indicating a probability that the request is associated with the malicious script;
receive, from the server device, a response to the request,
the response including information associated with the resource;
modify the response to form a modified response,
the response being modified in an attempt to cause the malicious script to experience an error; and
provide the modified response to the client device to cause the malicious script, executing on the client device, to experience
an error.

US Pat. No. 9,356,866

RECEIVE PACKET STEERING FOR VIRTUAL NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
by a network interface card of a computing device, receiving a tunnel packet associated with a virtual network of a plurality
of virtual networks operating over a physical network and interconnecting a plurality of virtual machines, wherein the tunnel
packet comprises an outer header associated with the physical network, the outer header encapsulating an inner packet comprising
an inner header associated with the virtual network and a payload;

performing, by a first processing core of a plurality of processing cores of the computing device and based at least on one
of the outer header and inner header of the tunnel packet, a first packet steering operation to identify a second processing
core of the plurality of processing cores; and

forwarding, by the second processing core, the inner packet to a virtual machine of the virtual machines.

US Pat. No. 9,413,627

DATA UNIT COUNTER

Juniper Networks, Inc., ...

1. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions which, when executed by a network device, cause the network device to:
determine that an indicator, associated with a counter, is detected,
the counter counting data units passing through the network device,
the indicator being detected based on a particular bit, of a plurality of bits of the counter, being asserted, and
the particular bit being asserted to indicate that the counter is reaching a value that causes the counter to roll;
transmit a counter value of the counter to a notification logic device,
the counter value being transmitted based on the indicator being detected, and
counter values of the counter being transmitted at a rate that exceeds a rate at which the counter rolls;
determine whether the counter value has been successfully transmitted,
the transmission of the counter value being unsuccessful based on the counter rolling before the counter value is reset;
reset the counter based on determining that the counter value has been successfully transmitted; and
generate, based on the counter value, statistics relating to the network device,
the statistics being provided for display or storage.

US Pat. No. 9,148,343

METHODS AND APPARATUS FOR IMPROVING COMPATIBILITY BETWEEN NETWORK DEVICES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a network device configured to be included within a plurality of network devices within a network, the network device configured
to receive an anomaly database of a first image to be installed on at least one network device from the plurality of network
devices, the anomaly database of the first image storing a set of differences between the first image and a base image,

the network device configured to compare the anomaly database of the first image with an anomaly database of a second image
storing a set of differences between the second image and the base image to determine (1) when the first image and the second
image include at least one incompatible critical feature, and (2) when the first image and the second image include at least
one incompatible non-critical feature, the at least one incompatible non-critical feature being at least one of a power over
Ethernet (PoE) standard or a PoE plus standard, used by the first image but not the second image,

the network device configured to send a signal associated with a first action if the first image and the second image include
the at least one incompatible critical feature, the network device configured to send a signal associated with a second action
different from the first action if the first image and the second image include the at least one incompatible non-critical
feature.

US Pat. No. 9,413,611

GENERATING AND ENFORCING A HOLISTIC QUALITY OF SERVICE POLICY IN A NETWORK

Juniper Networks, Inc., ...

17. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by at least one processor, cause the at least one processor to:
receive a request to establish a quality of service (QoS) policy that is to be applied to particular nodes of a plurality
of nodes of a network;

generate a QoS model based on the request to establish the QoS policy;
identify a service level agreement (SLA) associated with a network node, of the particular nodes, that communicates with a
client device;

identify particular information associated with the SLA,
the particular information, associated with the SLA, identifying a profile that corresponds to one or more of:
a packet loss probability, or
a maximum data rate;
create a QoS provisioning data structure based on the QoS model and the particular information associated with the SLA,
the one or more instructions to create the QoS provisioning data structure causing the at least one processor to:
map a forwarding priority to the packet loss probability that causes the network node to process packets, associated with
the client device, based on the forwarding priority when a data rate of the packets is less than the maximum data rate; and

transmit, to the network node, the QoS provisioning data structure that permits the network node to process the packets in
a manner that complies with the QoS model or with the SLA.

US Pat. No. 9,356,885

METHODS AND APPARATUS RELATED TO A DISTRIBUTED SWITCH FABRIC

Juniper Networks, Inc., ...

1. A method, comprising:
receiving a first data packet from a first peripheral device including a first data packet header specifying a destination;
appending, at a first edge device, a destination identifier to the first data packet based on the first data packet header
to define a first appended data packet, the destination identifier associated with a destination port of a second edge device;

sending the first appended data packet to a module associated with a first stage of a switch fabric based on the first data
packet header such that the module associated with the first stage of the switch fabric sends the first appended data packet
to a module associated with the second stage of the switch fabric based on the destination identifier, the module associated
with the first stage of the switch fabric being from a plurality of modules associated with the first stage of the switch
fabric, the module associated with the second stage of the switch fabric being from a plurality of modules associated with
the second stage of the switch fabric;

receiving a second data packet including a second data packet header specifying the destination; and
appending, at the first edge device, the destination identifier to the second data packet based on the second data packet
header to define a second appended data packet.

US Pat. No. 9,137,142

REDUCED TRAFFIC LOSS FOR BORDER GATEWAY PROTOCOL SESSIONS IN MULTI-HOMED NETWORK CONNECTIONS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a primary router, one or more routes included in a set of routes advertised by a multi-homed router via a
Border Gateway Protocol (BGP) session, wherein the multi-homed router is connected to the primary router and a backup router;

updating, in a control plane of the primary router, routing information in a routing table based on the received routes;
initiating, in a forwarding plane of the primary router, installation of forwarding data structures for the received routes
in forwarding tables based on the routing information;

receiving, with the primary router from the multi-homed router, a BGP marker identifying one of the routes received just before
the BGP marker as a last route in the set of routes;

in response to receiving the BGP marker, requesting, with the control plane of the primary router, an acknowledgement from
the forwarding plane of the primary router indicating that the one of the routes identified as the last route in the set of
routes is installed in the forwarding tables of the forwarding plane of the primary router; and

during installation of the forwarding data structures, deferring, in the control plane of the primary router, re-advertisement
of all of the routes in the set of routes to BGP peer routers until the control plane of the primary router receives the acknowledgement
from the forwarding plane of the primary router.

US Pat. No. 9,350,654

MICROLOOP PROTECTION FOR MULTI-PROTOCOL LABEL SWITCHING PATHS

Juniper Networks, Inc., ...

1. A method comprising:
advertising, out each of a plurality of network interfaces of a label switching router and via a respective label distribution
protocol (LDP) label mapping message, a label to be used in forwarding to the label switching router traffic to a destination
within a network,

computing, with the label switching router, a path within the network to be used when forwarding the network traffic from
the label switching router to the destination within the network,

receiving, a packet on one of the network interfaces of the label switching router, wherein the packet includes the label
advertised by the label switching router; and

discarding, with the label switching router, the packet when the network interface from which the packet was received is an
output interface to the path computed by the label switching router to be used when forwarding network traffic from the label
switching router to the destination.

US Pat. No. 9,098,262

EFFICIENT ARITHIMETIC LOGIC UNITS

Juniper Networks, Inc., ...

1. A device comprising:
a conditional arithmetic logic unit, implemented at least partially in hardware, to:
perform, based on a microinstruction associated with processing received data, a first operation to generate a first result,
and

output the first result via a particular bus of a plurality of buses; and
a main arithmetic logic unit, implemented at least partially in hardware, to:
select, based on the microinstruction, the particular bus from the plurality of buses to determine the first result as corresponding
to a first input,

select, based on the microinstruction, a set of input buses from the plurality of buses to determine a second input,
perform a second operation on the first input and the second input to generate a second result, and
output, based on the microinstruction, the second result, the received data being processed based on the second result.

US Pat. No. 9,256,416

METHODS AND APPARATUS FOR AUTOMATIC SESSION VALIDATION FOR DISTRIBUTED ACCESS POINTS

Juniper Networks, Inc., ...

1. A method, comprising:
installing, at an access point that (1) includes a first software image and (2) is operatively coupled to a network controller
via a network, a second software image different from the first software image;

defining, in response to the installing and at the access point, a virtual client configured to send, at a first time and
to the network controller via the network, a first validation data unit that causes the network controller to send a second
validation data unit to the access point;

sending, to the network controller, a signal indicative of a successful receipt of the second validation data unit if the
virtual client receives the second validation data unit at a second time after the first time, the signal indicative of the
successful receipt of the second validation data unit being indicative of a time value associated with an elapsed time between
the first time and the second time; and

sending, to the network controller, a signal indicative of a failure of a receipt of the second validation data unit if the
virtual client does not receive the second validation unit from the network controller.

US Pat. No. 9,258,726

METHODS AND APPARATUS FOR SPECTRAL SCANNING WITHIN A NETWORK

Juniper Networks, Inc., ...

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code
comprising code to cause the processor to:
receive, at a spectral scanning controller, a first indication of at least one of a service demand or a service quality associated
with a wireless access point (WAP) during a first time period;

determine a first scanning frequency based on the first indication, the first scanning frequency corresponding to a reciprocal
of a first spectral scan period;

determine a first amount of spectral reports based on the first indication;
send a signal configured to cause the WAP to perform, at the first scanning frequency, spectral scanning during a second time
period after the first time period, the spectral scanning during the second time period producing the first amount of spectral
reports;

receive, at the spectral scanning controller, a second indication of at least one of a service demand or a service quality
associated with the WAP during a third time period after the second time period;

determine a second scanning frequency based on the second indication, the second scanning frequency corresponding to a reciprocal
of a second spectral scan period;

determine a second amount of spectral reports based on the second indication; and
send a signal configured to cause the WAP to perform, at the second scanning frequency, spectral scanning during a fourth
time period after the third time period, the first scanning frequency being different than the second scanning frequency,
the spectral scanning during the fourth time period producing the second amount of spectral reports, the first amount of spectral
reports being different than the second amount of spectral reports.

US Pat. No. 9,100,274

ENHANCED VIRTUAL ROUTER REDUNDANCY PROTOCOL HAVING INHERIT GROUPS AND ADVERTISEMENT COUNT

Juniper Networks, Inc., ...

1. A network device comprising: a control unit operable to provide a plurality of backup virtual routers for respective groups
of redundant virtual routers, each of the groups of redundant routers having a respective master virtual routers executing
on a second network device; and an enhanced virtual router redundancy protocol (VRRP) unit executing within each of the plurality
of backup virtual routers, wherein at least a first one of the groups of redundant virtual routers is configured as an active
VRRP group in which the backup virtual router tracks an operational state of the master virtual router for the active VRRP
group by processing VRRP packets received from the respective master virtual router, wherein at least a second one of the
groups of redundant virtual routers is configured as an inherit VRRP group in which the backup virtual router uses the operational
state of the master virtual router of the active VRRP group as an operation state for the master virtual router of the inherit
group, without processing VRRP packets from the master virtual router of the inherit VRRP group, and wherein, responsive to
failure of the master virtual router of the active VRRP group, the backup virtual router of the inherit group sends a VRRP
packet having a type other than type 1 to one or more other virtual routers via a switch, the VRRP packet comprising a source
MAC address that is the media access control (MAC) address of the failed master virtual router.

US Pat. No. 9,092,048

SYNCHRONIZED POWER DELIVERY

Juniper Networks, Inc., ...

1. A method comprising:
transmitting, with a power supply to an electronic component, a switching control signal having clock transitions synchronized
to a pulse width modulated (PWM) control signal within the power supply;

receiving, with the power supply from the electronic component, an electrical power change request indicating a pending power
consumption change in the electronic component, wherein the received electrical power change request is synchronized with
the switching control signal;

determining, with a controller of the power supply, a change in a characteristic of the PWM control signal within the power
supply based upon the electrical power change request;

producing a modified PWM control signal based on the determined change in the characteristic of the PWM control signal; and
outputting a regulated amount of electrical power from the power supply, to provide power to the electronic component in accordance
with the electrical power change request, based upon the modified PWM control signal.

US Pat. No. 9,407,537

DATA PACKET SWITCHING WITHIN A COMMUNICATIONS NETWORK INCLUDING AGGREGATED LINKS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a memory;
a communications interface operatively coupled to a communications network; and
a processor operatively coupled to the memory and the communications interface,
the processor configured to receive, at a first time, a label identifier associated with an aggregated link within the communications
network via the communications interface, the aggregated link including a plurality of redundant links operatively coupled
to a plurality of network elements of the communications network and to the processor,

the processor configured to store the label identifier at the memory to produce a stored label identifier,
the processor configured to receive, at a second time after the first time, a data packet including a label identifier corresponding
to the stored label identifier via the communications interface,

the processor configured to send one of (1) the data packet, and (2) the data packet with one or more portions of the data
packet omitted, via a link separate from the aggregated link based on the label identifier; and

the processor configured to not send the data packet via a link from the plurality of redundant links of the aggregated link
based on the label identifier to limit a formation of looped links within the communications network.

US Pat. No. 9,374,267

CLOUD BASED CUSTOMER PREMISES EQUIPMENT

Juniper Networks, Inc., ...

1. A method, implemented by a network device, comprising:
receiving, by the network device and over a broadband access circuit, layer 2 traffic from a plurality of access devices at
a plurality of customer premises,

the plurality of access devices at the plurality of customer premises including an access device at a customer premises,
the network device being located external to the customer premises and implementing a virtual private network for the customer
premises,

the virtual private network including an application server that is external to the customer premises,
the application server providing one or more services to the customer premises, and
the virtual private network enabling the one or more services to logically appear, from a perspective of a user utilizing
a computing device of one or more computing devices located at the customer premises, as if the application server is within
a local area network associated with the customer premises;

providing, by the network device, dynamic host configuration protocol (DHCP) services for the one or more computing devices
located at the customer premises,

the DHCP services providing Internet Protocol (IP) addresses to the one or more computing devices located at the customer
premises; and

providing, by the network device, network address translation (NAT) services for the one or more computing devices located
at the customer premises,

one of the DHCP services or the NAT services being provided as global services that are shared by computing devices at the
plurality of customer premises,

the global services being provided by a same virtual router instance included in the network device, and
one of the DHCP services or the NAT services being provided as isolated services that are provided for the one or more computing
devices at the customer premises separately from other computing devices at another customer premises of the plurality of
customer premises,

the isolated services being provided to the one or more computing devices at the customer premises by a first virtual router
instance, included in the network device, that is separate from a second virtual router instance, included in the network
device, that provides the isolated services to the other computing devices at the other customer premises;

maintaining, by the network device, state information, on a per-computing device basis, for the customer premises,
the state information indicating a state of a session; and
providing, by the network device and based on the state information and a user switching use of a first computing device at
the customer premises to a second computing device at the customer premises, continuity of services across the first computing
device and the second computing device based on the state of the session.

US Pat. No. 9,089,073

CHASSIS SYSTEM WITH FRONT COOLING INTAKE

Juniper Networks, Inc., ...

1. A frame of a line card, the frame comprising:
a bottom portion that includes an angled section,
the angled section creating an opening between the line card and another line card included below the line card,
the opening allowing air to cool one or more components of the other line card; and
a top portion that includes a plurality of openings,
the plurality of openings allowing air to pass through the top portion to cool one or more components included on the bottom
portion.

US Pat. No. 9,256,263

EFFICIENT POWER ALLOCATION FOR REDUNDANT POWER SUPPLY WITH SYSTEM PRIORITY

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a redundant power supply, configuration data specifying a priority and a power requirement for each of a plurality
of ports within a plurality of network switches, wherein the redundant power supply is connected to the network switches by
one or more control busses and one or more reserve power busses, each of the network switches having a respective power supply
separate from the redundant power supply;

receiving, by the redundant power supply, via the one or more control busses, a request from one of the network switches for
reserve power from the redundant power supply in response to power from the respective power supply for the network switch
failing in the network switch;

in response to the request, determining, by the redundant power supply, based on the priorities and power requirements of
the ports within the network switches, an amount of reserve power to grant to the network switch requesting the reserve power;

outputting the amount of reserve power via at least one of the one or more reserve power busses from the redundant power supply
to the network switch requesting the reserve power; and

upon determining that there is insufficient reserve power available from the redundant power supply to provide the amount
of reserve power granted to the network switch that requested the reserve power, outputting one or more messages from the
redundant power supply by the one or more control busses to direct at least one of the switches to deactivate one or more
of the ports having low priorities so that there is sufficient reserve power available from the redundant power supply to
provide the amount of reserve power granted to the network switch that requested the reserve power.

US Pat. No. 9,450,877

METHODS AND APPARATUS FOR LOAD BALANCING COMMUNICATION SESSIONS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a gateway device configured to be operatively coupled to a switch via a plurality of links, the gateway device configured
to operatively couple a network node during a communication session of the network node with the switch, the gateway device
storing an association between the communication session of the network node and a link from the plurality of links such that
data sent via the communication session of the network node is sent via the link,

the gateway device configured to receive, from a virtual port associated with the network node, a login request, the gateway
device configured to send, based on the login request from the virtual port, a login request to the switch to initiate a communication
session of the virtual port between the virtual port and the switch, the gateway device configured to associate the communication
session of the virtual port with the link from the plurality of links based on the communication session of the network node
being associated with the link such that data sent via the communication session of the virtual port is sent via the link
and such that load through the network node is balanced.

US Pat. No. 9,258,323

DISTRIBUTED FILTERING FOR NETWORKS

Juniper Networks, Inc., ...

7. A method comprising:
receiving, by a network device and via a network, information identifying one or more characteristics of an attack detected
by a firewall device when the firewall device processed first traffic;

inserting, by the network device, the information identifying the one or more characteristics of the attack into a link state
routing packet;

using, by the network device, a link state routing protocol to forward the link state routing packet, with the information
identifying the one or more characteristics of the attack, to a plurality of other network devices included in the network;

receiving, by the network device and via the network, second traffic;
determining, by the network device and based on the one or more characteristics, whether the second traffic is associated
with the attack; and

selectively processing, by the network device, the second traffic based on determining whether the second traffic is associated
with the attack,

the second traffic being discarded when the second traffic is associated with the attack, and
the second traffic being forwarded towards a destination when the second traffic is not associated with the attack.

US Pat. No. 9,253,074

METHODS AND APPARATUS FOR MULTICAST TRAFFIC FAILOVER IN A NETWORK

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an access switch having a set of ports, the access switch configured to be operatively coupled to a multicast router via a
data path including a first port from the set of ports, the access switch configured to be associated with a network associated
with the multicast router, the access switch configured to designate the first port as a multicast-router interface,

the access switch configured to send a message to the multicast router via each port from the set of ports in response to
an indication of a change in a topology of the network, the access switch configured to receive, via a subset of ports from
the set of ports, a signal from the multicast router in response to the message, the access switch configured to select a
port from the subset of ports to designate as the multicast-router interface based on at least one of a predetermined priority
ranking or an order of receipt of the response to the message, the access switch configured to designate the port from the
subset of ports as the multicast-router interface.

US Pat. No. 9,178,762

CONFIGURING NETWORKS INCLUDING SPANNING TREES

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a device, whether to create a first region based on a first digest;
updating, by the device, a field, of a data structure, associated with a second region to equal the first digest when the
first region is to be created,

the first digest being associated with the second region when the first region is not to be created, and
a second digest being associated with the second region when the first digest is associated with the second region;
generating, by the device, a data unit based on the first digest; and
providing, by the device, the data unit to another device to provide the other device with information regarding a new configuration
of the device.

US Pat. No. 9,264,131

FAST RE-ROUTE FOR OPTICAL NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at an optical network device, traffic on a physical slot of a first optical fiber, the first optical fiber connected
to a first port of the optical network device, the traffic including a given data unit;

determining, based on the given data unit being received by the optical network device on the physical slot of the first optical
fiber and based on a flow identifier specified by the given data unit, that the given data unit is associated with a first
path;

determining whether a downstream segment of the first path is operational; and
in response to determining that the downstream segment of the first path is not operational:
identifying a virtual slot of a second optical fiber that is connected to the optical network device, the virtual slot of
the second optical fiber reserved for a second path, wherein reserving virtual slots for a path does not reserve bandwidth
associated with physical slots corresponding to the virtual slots;

identifying, based on the virtual slot of the second optical fiber, a physical slot of the second optical fiber; and
forwarding the given data unit on the physical slot of the second optical fiber.

US Pat. No. 9,258,210

DYNAMIC AREA FILTERING FOR LINK-STATE ROUTING PROTOCOLS

Juniper Networks, Inc., ...

8. A router comprising:
a control unit comprising a processor;
a network interface card;
a management interface executed by the control unit and configured to receive configuration information that configures the
router as logically located in a non-backbone area of a multi-area autonomous system that employs a hierarchical link state
routing protocol to administratively group routers of the autonomous system into areas;

a Border Gateway Protocol (BGP) module executed by the control unit and configured to receive a service endpoint identifier
for a remote router that provides reachability to a service, wherein the remote router is logically located external to the
non-backbone area; and

a link state protocol module executed by the control unit and configured to execute the hierarchical link state routing protocol,
wherein the link state protocol module is further configured to send a request message that requests an area border router
for the non-backbone area to reconfigure a filter associated with the link state routing protocol to cause the area border
router to flood, in accordance with the link state routing protocol, link state information associated with the service endpoint
identifier to the non-backbone area, and

wherein the link state protocol module is further configured to receive, by the router, the link state information flooded
into the non-backbone area by the area border router after the filter is reconfigured, the link state information being usable
to determine a path to the remote router.

US Pat. No. 9,411,447

USING A WAVEGUIDE TO DISPLAY INFORMATION ON ELECTRONIC DEVICES

Juniper Networks, Inc., ...

1. An electronic device comprising:
an instrument panel that includes a display opening,
the instrument panel being located in a first plane;
a circuit board located inside the electronic device,
the circuit board being connected to a display device that includes a display area,
the circuit board being located in a second plane that is different from the first plane,
the display area being located inside of the electronic device, and
the display device displaying information in the display area; and
a waveguide to guide a light path from the display area towards the display opening in order to provide the information via
the display opening of the instrument panel.

US Pat. No. 9,407,536

COLLAPSED-DISTRIBUTED CLOS SWITCHING ARCHITECTURE FOR MULTI-CHASSIS FABRIC CONNECTIVITY

Juniper Networks, Inc., ...

1. A system comprising:
a first network device; and
a second network device,
the first network device and the second network device being associated with a Clos architecture,
the first network device including a first plurality of crossbars associated with the Clos architecture,
each of the first plurality of crossbars comprising:
a first crossbar component;
a second crossbar component; and
a third crossbar component; and
the second network device including a second plurality of crossbars associated with the Clos architecture,
each of the second plurality of crossbars comprising:
a fourth crossbar component;
a fifth crossbar component; and
a sixth crossbar component,
the first crossbar component, of each of the first plurality of crossbars, connecting to the second crossbar component of
each of the first plurality of crossbars, and the fifth crossbar component of each of the second plurality of crossbars,

the second crossbar component, of each of the first plurality of crossbars, connecting to the first crossbar component of
each of the first plurality of crossbars, the third crossbar component of each of the first plurality of crossbars, the fourth
crossbar component of each of the second plurality of crossbars, and the sixth crossbar component of each of the second plurality
of crossbars,

the third crossbar component, of each of the first plurality of crossbars, connecting to the second crossbar component of
each of the first plurality of crossbars, and the fifth crossbar component of each of the second plurality of crossbars,

the fourth crossbar component of each of the second plurality of crossbars, connecting to the second crossbar component of
each of the first plurality of crossbars, and the fifth crossbar component of each of the second plurality of crossbars,

the fifth crossbar component, of each of the second plurality of crossbars, connecting to the first crossbar component of
each of the first plurality of crossbars, the third crossbar component of each of the first plurality of crossbars, the fourth
crossbar component of each of the second plurality of crossbars, and the sixth crossbar component of each of the second plurality
of crossbars, and

the sixth crossbar component, of each of the second plurality of crossbars, connecting to the second crossbar component of
each of the first plurality of crossbars, and the fifth crossbar component of each of the second plurality of crossbars.

US Pat. No. 9,264,321

METHODS AND APPARATUS FOR TRACKING DATA FLOW BASED ON FLOW STATE VALUES

Juniper Networks, Inc., ...

1. A processor-readable non-transitory medium storing code representing instructions that when executed by a processor cause
the processor to:
update, at a memory location, a first flow state value associated with a data flow to a second flow state value when at least
one of a packet from the data flow is received or the memory location is selected after a first time period from a series
of time periods has expired,

the update of the first flow state value is based on a progression through a series of flow state values including the first
flow state value and the second flow state value, each flow state value from the series of flow state values being associated
with a time period from the series of time periods, the series of the time periods including a second time period different
from the first time period, and the first time period being the time period from the series of time periods associated with
the first flow state value,

the first flow state value is incremented to the second flow state value when (1) the packet is received, (2) the memory location
of the first flow state value is identified based on an index value of the packet, and (3) when the first flow state value
is less than the second flow state value, the first flow state value is decremented within the series of flow state values
after the first time period has expired, the first flow state value being a numerical count of a number of data packets that
have been transmitted in connection to the data flow; and

analyze at least a portion of the packet when the second flow state value represents a flow rate of a network data flow anomaly.

US Pat. No. 9,282,060

METHODS AND APPARATUS FOR DYNAMIC RESOURCE MANAGEMENT WITHIN A DISTRIBUTED CONTROL PLANE OF A SWITCH

Juniper Networks, Inc., ...

1. A system, comprising:
a plurality of access switches configured to be operatively coupled to a switch fabric, the plurality of access switches having
a plurality of ports and each being operatively coupled to a plurality of peripheral processing devices,

a first set of ports from the plurality of ports and a second set of ports from the plurality of ports being managed by a
first network control entity located at a first access switch from the plurality of access switches when the system is in
a first capacity configuration,

the first set of ports being managed by the first network control entity and the second set of ports being managed by a second
network control entity located at a second access switch from the plurality of access switches when the system is in a second
capacity configuration,

the second network control entity being automatically initiated when the system is changed from the first capacity configuration
to the second capacity configuration, the system is changed from the first capacity configuration to the second capacity configuration
in response to the system in the first capacity configuration exceeding a capacity threshold.

US Pat. No. 9,178,797

SELECTIVE BGP GRACEFUL RESTART IN REDUNDANT ROUTER DEPLOYMENTS

Juniper Networks, Inc., ...

1. A method, comprising:
determining, by a provider edge router that supports graceful restart procedures, that a first route reflector that advertises
a set of routes forms a redundant group with at least a second route reflector that advertises the set of routes;

receiving, by the provider edge router from the first route reflector, a first copy of the set of routes and forwarding data
packets according to the first copy of the set of routes;

receiving, by the provider edge router from the second route reflector, a second copy of the set of routes;
detecting, by the provider edge router after receiving the first copy of the set of routes and the second copy of the set
of routes, a failure of the first route reflector, wherein the provider edge router is a peer of the first route reflector;

overriding, by the provider edge router in response to determining the second route reflector in the redundant group is operating
while the first route reflector is failed, graceful restart procedures with respect to the failed first route reflector and
forwarding data packets according to the second copy of the set of routes from the second route reflector; and

performing, by the provider edge router in response to determining the second route reflector and the first route reflector
are concurrently failed, a graceful restart procedure with respect to the failed first route reflector and continuing to forward
data packets according to the first copy of the set of routes from the first route reflector.

US Pat. No. 9,264,743

DELIVERY SYSTEM FOR INTERNET CONTENT

Juniper Networks, Inc., ...

1. A method performed by a computer system, the method comprising:
providing, by one or more processors associated with the computer system, a service to a customer device,
the service including a television service and an Internet service;
receiving, by the one or more processors, a request for Internet content from the customer device,
the request being received via the television service or the Internet service;
retrieving, by the one or more processors, the Internet content based on receiving the request;
determining, by the one or more processors, a type of data of the Internet content,
the type of data of the Internet content including:
real-time data, or
non-real-time data;
formatting, by the one or more processors, the Internet content based on the determined type of data of the Internet content
and the request,

formatting the Internet content including:
formatting the Internet content from a particular format to a first data format when the determined type of data of the Internet
content includes the real-time data, and

formatting the Internet content from the particular format to a second data format, different from the first data format,
when the determined type of data of the Internet content includes the non-real-time data;

allocating, by the one or more processors, resources for delivering the Internet content in the first data format or the Internet
content in the second data format,

the allocated resources corresponding to:
first resources when the determined type of data of the Internet content includes the real-time data, and
second resources, different from the first resources, when the determined type of data of the Internet content includes the
non-real-time data; and

delivering to the customer device, by the one or more processors and using the allocated resources, the Internet content in
the first data format or the Internet content in the second data format.

US Pat. No. 9,185,794

APPARATUS AND METHODS FOR PLACEMENT OF DISCRETE COMPONENTS ON INTERNAL PRINTED CIRCUIT BOARD LAYERS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a printed circuit board (PCB) formed from low loss materials associated with high speed data transfer, the PCB defining a
first outer surface and a second outer surface opposite the first outer surface, the PCB having a recess in the first outer
surface of the PCB, the PCB having a signal layer between the first outer surface and the second outer surface, the signal
layer including a first circuit line having a first portion exposed within the recess and a second portion exposed within
the recess, the first circuit line being devoid of electrical contact with vias, the signal layer including a second circuit
line having a first portion exposed within the recess and a second portion exposed within the recess, the second circuit line
being devoid of electrical contact with vias;

a first component disposed within the recess and connected to the first portion of the first circuit line and the second portion
of the first circuit line such that an entirety of the first component is within the recess and below the first outer surface;
and

a second component disposed within the recess and connected to the first portion of the second circuit line and the second
portion of the second circuit line such that an entirety of the second component is within the recess and below the first
outer surface, the first component and the second component collectively defining a differential pair, a characteristic impedance
mismatch associated with at least one of the first circuit line or the second circuit line being mitigated based on the first
circuit line and the second circuit line being devoid of electrical contact with the vias.

US Pat. No. 9,407,661

BLOCKING VIA AN UNSOLVABLE CAPTCHA

Juniper Networks, Inc., ...

1. A security device, comprising:
one or more processors, implemented at least partially in hardware, to:
receive a request from an attacker device and intended for a server device;
identify the request as being associated with a malicious activity,
the malicious activity including one or more undesirable tasks directed to the server device;
generate an unsolvable challenge-response test based on identifying the request as being associated with the malicious activity,
the unsolvable challenge-response test being generated using a construction technique selected from a plurality of construction
techniques,

the unsolvable challenge-response test being configured in an attempt to block the attacker device without making the attacker
device aware that the attacker device is being blocked;

provide the unsolvable challenge-response test to the attacker device;
receive, from the attacker device, a plurality of solutions to the unsolvable challenge-response test,
the plurality of solutions being different than a username and a password associated with the server device;
notify the attacker device that each solution, of the plurality of solutions, is incorrect regardless of whether the solution
is actually correct;

generate another unsolvable challenge-response test using at least one construction technique designed to indicate, to the
attacker device, that an error, associated with generating a solvable challenge-response test, has occurred; and

provide, to the attacker device and based on generating the other unsolvable challenge-response test, information indicating
an error in displaying the solvable challenge-response test.

US Pat. No. 9,413,454

AUTOMATIC BANDWIDTH ADJUSTMENT ON MULTI-FIBER OPTICS

Juniper Networks, Inc., ...

15. A method, comprising:
establishing, by a device, a multi-lane link with a peer device,
the multi-lane link including a plurality of lanes used to communicate data with the peer device;
determining, by the device, fault states for the plurality of lanes included in the multi-lane link,
at least one of the fault states indicating a particular lane, of the plurality of lanes, is faulty,
the plurality of lanes including available lanes and faulty lanes;
determining, by the device, an available bandwidth for the multi-lane link based on the fault states for the plurality of
lanes;

operating, by the device, the multi-lane link at the available bandwidth when the available bandwidth satisfies a threshold
bandwidth,

the threshold bandwidth indicating a bandwidth with which the multi-lane link is permitted to operate,
operating the multi-lane link at the available bandwidth including:
communicating the data with the peer device via the available lanes of the plurality of lanes, based on a scheduling process
and without adjusting a transmission rate of the data, and

preventing the data from being communicated with the peer device via the faulty lanes of the plurality of lanes; and
terminating, by the device, the multi-lane link when the available bandwidth fails to satisfy the threshold bandwidth.

US Pat. No. 9,357,632

APPARATUS, SYSTEM, AND METHOD FOR REDUCING INTERFERENCE BETWEEN CLOCK SIGNALS

Juniper Networks, Inc., ...

1. An apparatus for reducing interference between clock signals, the apparatus comprising:
a circuit board;
a first set of clock vias that transmit a first clock signal and are coupled to the circuit board;
a second set of clock vias that transmit a second clock signal that cycles at a frequency that is different from a frequency
of the first clock signal, wherein the second set of clock vias are coupled to the circuit board in a linear pattern adjacent
to the first set of clock vias;

at least one ground via coupled to the circuit board in line with the second set of clock vias, wherein a total number of
ground vias coupled to the circuit board is less than a total number of clock vias coupled to the circuit board;

wherein each ground via coupled to the circuit board, including the at least one ground via, is positioned outside any region
of the circuit board located between the first and second sets of clock vias.

US Pat. No. 9,264,348

AVOIDING DATA TRAFFIC LOSS IN AN ETHERNET RING MULTIHOMED, IN AN ACTIVE-STANDBY MANNER, TO A VIRTUAL PRIVATE LAN SERVICE TRANSPORT NETWORK

Juniper Networks, Inc., ...

1. A computer-implemented method for avoiding traffic loss in an active-standby, multihomed Ethernet Ring running an Ethernet
Ring Protection (ERP) protocol including a specified Ring Protection Link (RPL), in which a first node of the Ethernet Ring
in a first portion of a network is linked with a designated border router of a second portion of the network and in which
a second node of the Ethernet Ring in the first portion of the network is linked with a standby border router of the second
portion of the network, the computer-implemented method comprising:
a) receiving an indication that the link between the first node and the designated border router of the network has failed,
wherein the designated border router is not a part of the Ethernet Ring running the ERP protocol;

b) responsive to the received indication that the link between the first node and the designated border router of the network
has failed,

1) invoking an ERP Media Access Control (MAC)-flush in the Ethernet Ring, even in the absence of a failed link in the Ethernet
Ring, and

2) maintaining the specified RPL of the Ethernet Ring in an inactive or blocked state;
c) receiving an indication that a link in the Ethernet Ring has failed; and
d) responsive to the received indication that the link in the Ethernet Ring has failed,
1) invoking an ERP Media Access Control (MAC)-flush in the Ethernet Ring, and
2) activating the specified RPL of the Ethernet Ring.

US Pat. No. 9,356,880

MULTI-LINK ROUTING

Juniper Networks, Inc., ...

1. A method comprising:
receiving data packets from a plurality of links in one or more interface cards of a network device;
performing, by the network device, a first routing operation to forward the data packets from the one or more interface cards
to a service card of the network device in accordance with routing information that reflects a topology of a computer network,
wherein the routing information identifies the service card as a destination for the data packets;

prioritizing the data packets with the service card of the network device; and
performing, by the network device, a second routing operation in accordance with the routing information to forward the prioritized
data packets to the interface cards of the network device for communication over the computer network in an order based at
least in part on the prioritization.

US Pat. No. 9,282,115

SYSTEMS AND METHODS FOR DETECTING CACHE-POISONING ATTACKS IN NETWORKS USING SERVICE DISCOVERY PROTOCOLS

Juniper Networks, Inc., ...

16. A system for detecting cache-poisoning attacks in networks using SDPs, the system comprising:
a maintenance module, stored in memory, that maintains a cache of service information that identifies one or more services
provided by one or more client devices connected to a network using an SDP;

a detection module, stored in memory, that detects at least one cache-poisoning attack directed at the cache of service information
by:

receiving, from a client device connected to the network, at least one SDP message related to at least one service allegedly
provided via the network;

identifying, within the SDP message, at least one attribute of a type of the service allegedly provided via the network;
determining that the client device is attempting to corrupt the cache of service information by:
comparing the type of the service identified within the SDP message with the cache of service information;
determining, based at least in part on the comparison, that a client device allegedly providing the service is unable to provide
the type of service identified within the SDP message;

a security module, stored in memory, that performs at least one security action to mitigate the cache-poisoning attack, in
response to detecting the cache-poisoning attack;

at least one processor that executes the maintenance module, the detection module, and the security module.

US Pat. No. 9,795,054

CHASSIS SYSTEM WITH FRONT COOLING INTAKE

Juniper Networks, Inc., ...

1. A frame comprising:
a front portion;
a bottom portion to receive attachment of a printed circuit board,
the bottom portion including an angled section located at the front portion of the frame; and
a top portion that includes a plurality of openings located at the front portion of the frame,
the plurality of openings including:
a first set of openings with a first density of openings, and
a second set of openings with a second density of openings,
the second density of openings being greater than the first density of openings, and
a depth of the frame being equal to a depth of a chassis frame that includes the frame.

US Pat. No. 9,729,572

REMOTE REMEDIATION OF MALICIOUS FILES

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
analyze a file while the file is being downloaded by a client device,
a download of the file by the client device being completed before analysis of the file is completed;
determine that the file is a malicious file;
obtain remote access to the client device using a connection tool,
the connection tool providing access and control of the client device,
the remote access including access to a file location of the malicious file;
determine, via the remote access to the client device using the connection tool, whether the malicious file is executing on
the client device before the analysis of the file is completed;

select one or more remediation actions based on whether the malicious file is executing on the client device after the download
is complete and before the analysis of the file is completed,

the one or more remediation actions including a first remediation action if the malicious file is determined to be executing
on the client device after the download is complete and before the analysis of the file is completed, and

the one or more remediation actions including a second remediation action, different than the first remediation action, if
the malicious file is determined not to be executing on the client device after the download is complete and before the analysis
of the file is completed; and

cause the one or more remediation actions to be executed using the remote access to the client device.

US Pat. No. 9,407,555

SYSTEMS AND METHODS FOR LOAD BALANCING MULTICAST TRAFFIC

Juniper Networks, Inc., ...

1. A computer-implemented method comprising:
identifying a plurality of switches that comprise at least a first switch and a second switch, wherein:
the first switch is connected to the second switch by a first path that extends from the first switch to the second switch;
the first switch is also connected to the second switch by a second path that extends from the first switch to the second
switch;

calculating a plurality of multicast distribution trees for distributing multicast traffic among the plurality of switches
by:

selecting a first root switch from the plurality of switches;
selecting a second root switch from the plurality of switches;
generating a first tree for distributing multicast traffic among the plurality of switches that is rooted on the first root
switch and that includes the first path;

generating a second tree for distributing multicast traffic among the plurality of switches that is rooted on the second root
switch and that includes the second path, wherein

the first root switch of the first tree is different than the second root switch of the second tree;
receiving a plurality of multicast packets ingress to the plurality of switches at the first switch; and
using, at each switch along the first path, the first tree to transmit a first portion of the plurality of multicast packets
from the first switch to the second switch via the first path;

using, at each switch along the second path, the second tree to transmit a second portion of the plurality of multicast packets
from the first switch to the second switch via the second path.

US Pat. No. 9,246,820

METHODS AND APPARATUS FOR IMPLEMENTING MULTIPLE LOOPBACK LINKS

Juniper Networks, Inc., ...

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code
comprising code to cause the processor to:
receive, at a network device, a data unit having a header portion;
select a route based on the header portion;
modify, based on the route being associated with a tunnel, the data unit to define a tunnel data unit including a tunnel header;
select a loopback link from a plurality of loopback links of a loopback link aggregation group (LAG);
transmit, via the loopback link within the network device, the tunnel data unit; and
send the tunnel data unit via the tunnel based on the tunnel header.

US Pat. No. 9,413,662

INTRA-TERM LOGICAL OR OPERATION IN A NETWORK FILTER

Juniper Networks, Inc., ...

1. A device comprising:
a computer memory to store instructions; and
one or more computer processors to execute the instructions to:
receive a filter definition,
the filter definition including one or more terms that define how network traffic is to be filtered through the device;
parse the filter definition into the one or more terms;
determine that a particular term, of the one or more terms, includes a logical OR condition;
determine attribute counts of the particular term,
the attribute counts including an attribute count for a particular attribute of the particular term, and
the attribute count being a quantity of different values being matched;
calculate a first expansion factor based on a product of the attribute counts;
calculate a second expansion factor that is different from the first expansion factor;
expand the particular term into a plurality of sub-terms based on determining that the particular term includes the logical
OR condition, based on the first expansion factor, and based on the second expansion factor,

the plurality of sub-terms including a first sub-term and a second sub-term,
the first sub-term including a first condition that specifies the particular attribute and a first discrete value for the
particular attribute,

the second sub-term including a second condition that specifies the particular attribute and a second discrete value for the
particular attribute,

the particular attribute being associated with an address, a port, or a protocol, and
the second discrete value being different from the first discrete value;
determine a particular priority associated with the particular term;
determine, for the plurality of sub-terms and based on the particular priority, locations within a ternary content-addressable
memory (TCAM);

store the plurality of sub-terms as a plurality of entries at the locations within the TCAM,
the plurality of entries including a value entry, and
when storing the plurality of sub-terms as the plurality of entries, the one or more computer processors are to:
determine that the first sub-term specifies the first discrete value for the particular attribute that corresponds to a first
field of the value entry,

set the first field, of the value entry, to the first discrete value based on determining that the first sub-term specifies
the first discrete value for the particular attribute,

determine that the first sub-term does not specify a value for a different attribute that corresponds to a second field of
the value entry,

 the second field being a virtual local area network (VLAN) field, and
set a field, of a mask entry, to an indicator that indicates that the value for the different attribute does not matter based
on determining that the first sub-term does not specify the value for the different attribute,

 the mask entry corresponding to the value entry; and
append strings, in the TCAM and to the plurality of entries, that indicate a spatial ordering of the plurality of sub-terms;
update the TCAM based on the strings to preserve the spatial ordering; and
process the network traffic based on one or more of the plurality of entries in the TCAM by performing an action corresponding
to the value entry,

the action being one of discarding, accepting, or counting.

US Pat. No. 9,872,406

RETENTION-EXTRACTION DEVICE FOR REMOVABLE CARDS IN A CHASSIS

Juniper Networks, Inc., ...

1. A chassis comprising:
a retention device for a removable card,
the retention device comprising:
an actuation rod mounted on the chassis,
a lever,
a first end of the lever being connected to an end of the actuation rod,
a second end of the lever being connected to the chassis, and
a latch hook connected to the chassis,
the latch hook pivoting between a first position and a second position,
 the first position allowing the removable card to be inserted into the chassis or removed from the chassis, and
 the second position allowing the removable card to be retained within the chassis.

US Pat. No. 9,571,570

WEIGHTED RENDEZVOUS HASHING

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
store virtual identifier information indicating a plurality of virtual identifiers associated with a plurality of servers,
the virtual identifier information associating a virtual identifier, of the plurality of virtual identifiers, based on a weight
associated with a server of the plurality of servers;

receive an object identifier identifying an object to be processed by at least one of the plurality of servers;
determine a size of a window based on the weight;
select a subset of the plurality of virtual identifiers based on the size of the window and the object identifier;
calculate hash values for the subset of the plurality of virtual identifiers based on selecting the subset of the plurality
of virtual identifiers;

determine a particular virtual identifier associated with a hash value that satisfies a particular condition,
the hash values including the hash value, and
the subset of the plurality of virtual identifiers including the particular virtual identifier;
select a particular server associated with the particular virtual identifier; and
send an instruction to the server to process the object.

US Pat. No. 9,877,407

APPARATUS AND SYSTEM FOR MODULAR CABLE MANAGEMENT IN TELECOMMUNICATIONS SYSTEMS

Juniper Networks, Inc., ...

1. An apparatus comprising:
at least one physical extension handle that is installed to at least one helical ejector that:
rotates in one direction into at least one threaded hole of a chassis of a telecommunications system to secure a line card
to the chassis of the telecommunications system; and

rotates in another direction away from the threaded hole of the chassis of the telecommunications system to eject the line
card from the chassis of the telecommunications system; and

wherein the physical extension handle, when installed to the helical ejector:
extends the helical ejector such that a user is able to access the helical ejector by way of the physical extension handle
to secure the line card to or eject the line card from the chassis of the telecommunications system using the physical extension
handle; and

facilitates physically supporting one or more communication cables connected to the line card in a horizontal orientation
such that the communication cables avoid hanging down vertically directly from the chassis.

US Pat. No. 9,591,785

APPARATUS, SYSTEM, AND METHOD FOR INCREASING ACCESS TO TRANSCEIVERS

Juniper Networks, Inc., ...

1. A line card comprising:
an access surface that:
provides access to ports used to connect devices to a telecommunications network via the line card; and
includes a first section, a second section, and a slanted section that connects the first section and the second section;
a back opposite the access surface;
a first row of ports arranged along the first section of the access surface to house a set of transceivers;
a second row of ports arranged along the second section of the access surface to house an additional set of transceivers;
and

wherein the second row of ports is recessed inward toward the back relative to the first row of ports due at least in part
to the slanted section of the access surface.

US Pat. No. 9,136,624

ORTHOGONAL CROSS-CONNECTING OF PRINTED CIRCUIT BOARDS WITHOUT A MIDPLANE BOARD

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a line card configured to be included in a plurality of line cards and configured to be matingly coupled, without overlap,
to a plurality of switch-fabric cards to collectively define at least a portion of an orthogonal cross fabric without a midplane
board, the line card having an edge portion, a first side and a second side opposite the first side, the line card having
a first plurality of connectors and a second plurality of connectors, the first plurality of connectors being disposed along
the edge portion of the first side, the second plurality of connectors being disposed along the edge portion of the second
side such that each connector from the first plurality of connectors is opposite a different connector from the second plurality
of connectors.

US Pat. No. 9,258,762

MOBILE NODE HOST ROUTE INSTALLATION AND WITHDRAWAL

Juniper Networks, Inc., ...

1. A method comprising:
removing, by a router of a service provider network in response to determining a wireless device is no longer attached to
a wireless alternate access network that provides access to the service provider network, a host route for the wireless device,

wherein the host route specifies an Internet Protocol (IP) address allocated by the service provider network to the wireless
device,

wherein the host route at least partially defines a forwarding path from the router to the wireless alternate access network
for network packets that match the host route; and

sending, by the router to a downstream router logically located on the forwarding path and after removing the host route from
the router, a reverse path host route withdraw message to cause the downstream router to remove the host route.

US Pat. No. 9,118,411

METHOD AND APPARATUS FOR DETECTION AND CORRECTION OF CHANNEL FAILURE IN AN OPTICAL TRANSCEIVER SYSTEM

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an optical transceiver system having:
a plurality of optical transmitters, each optical transmitter from the plurality of optical transmitters configured to transmit
at a unique wavelength from a plurality of wavelengths;

a backup optical transmitter operable to transmit at any wavelength from the plurality of wavelengths, the backup optical
transmitter configured to transmit at a first wavelength from the plurality of wavelengths when an optical transmitter from
the plurality of optical transmitters and associated with the first wavelength fails;

a first optical switch associated with the plurality of optical transmitters and the backup optical transmitter; and
a second optical switch associated with a plurality of optical receivers,
the first optical switch and the second optical switch collectively configured to define a loopback path when the first optical
switch and the second optical switch are activated.

US Pat. No. 9,585,259

APPARATUS AND METHODS FOR PLACEMENT OF DISCRETE COMPONENTS ON INTERNAL PRINTED CIRCUIT BOARD LAYERS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a printed circuit board (PCB) having a recess in an outer surface of the PCB, the PCB including a first circuit line having
a first portion exposed within the recess and a second portion exposed within the recess, the first circuit line being devoid
of electrical contact with vias, the PCB including a second circuit line having a first portion exposed within the recess
and a second portion exposed within the recess, the second circuit line being devoid of electrical contact with vias;

a first component disposed within the recess and connected to the first portion of the first circuit line and the second portion
of the first circuit line; and

a second component disposed within the recess and connected to the first portion of the second circuit line and the second
portion of the second circuit line, the first component and the second component collectively defining a differential pair,
a characteristic impedance mismatch associated with at least one of the first circuit line or the second circuit line being
mitigated based on the first circuit line and the second circuit line being devoid of electrical contact with the vias,

a first portion of the PCB defining the recess being sized to receive the first component and a size of the second component,
a second portion of the PCB mutually exclusive from the first portion of the PCB and having a plurality of ground vias that
provide electromagnetic interference shielding for a circuit line in electrical contact with at least one ground via from
the plurality of ground vias, a component density of the first portion of the PCB being greater than a component density of
the second portion of the PCB.

US Pat. No. 9,984,233

IDENTIFYING MALWARE BASED ON A RELATIONSHIP BETWEEN A DOWNLOADER FILE AND A DOWNLOADED FILE

Juniper Networks, Inc., ...

1. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
determine that a first file causes a second file to be downloaded,
the second file being different from the first file;
identify a relationship between the first file and the second file based on determining that the first file causes the second file to be downloaded;
determine a first malware score for the first file based on:
analyzing the first file for malware,
analyzing the second file for malware, and
the relationship between the first file and the second file; and
determine a second malware score for the second file based on:
analyzing the first file for malware, and
the relationship between the first file and the second file.

US Pat. No. 10,076,033

PRINTED CIRCUIT BOARD WITH CONNECTOR HEADER MOUNTED TO BOTTOM SURFACE

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a printed circuit board;
an integrated circuit mounted on a first surface of the printed circuit board;
one or more vias that extend through the printed circuit board from the first surface to a second surface of the printed circuit board to provide electrical connectivity for the integrated circuit,
the second surface of the printed circuit board being opposite the first surface of the printed circuit board; and
a pin header that mechanically supports one or more pins that provide electrical connectivity for the integrated circuit,
the pin header being mounted to the second surface of the printed circuit board to mate the one or more pins with the one or more vias to provide electrical connectivity for the integrated circuit, and
the one or more vias including a via that is mated with a pin, of the one or more pins, that does not provide electrical connectivity for the integrated circuit.

US Pat. No. 9,445,249

DISASTER RESPONSE SYSTEM

Juniper Networks, Inc., ...

1. A method for adjusting bandwidth available for a particular use during and after a disaster, the method comprising:
receiving a disaster profile at a router, the disaster profile specifying Internet Protocol (IP) addresses associated with
emergency response personnel;

after receiving the disaster profile, receiving a reconfiguration message at the router, the reconfiguration message indicating
an occurrence of the disaster in a specified area; and

adjusting the bandwidth available for the particular use by modifying data in a routing information base (RIB) of the router
based on the disaster profile, wherein adjusting the bandwidth comprises:

after modifying the data in the RIB, generating forwarding rules based on the data in the RIB;
receiving a packet at the router after generating the forwarding rules; and
applying the forwarding rules to the packet after receiving the packet, wherein applying the forwarding rules comprises:
determining whether a source address or a destination address of the packet is in the IP addresses associated with the emergency
response personnel; and

prioritizing the packet after determining that the source address or the destination address of the packet is in the set of
addresses associated with the emergency response personnel.

US Pat. No. 9,083,628

CONTENT SERVICE AGGREGATION SYSTEM

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a flow control element of a data center, a plurality of packet flows from a network, wherein the data center
includes a plurality of compute elements interconnected by a hardware switching fabric to communicate packet data between
the compute elements, and wherein the set of compute elements is arranged in a plurality of processing pipelines to provide
a set of network services;

identifying, with the flow control element, each of the packet flows as being associated with a subscriber and determining
a subset of one or more of the network services that are required to be applied to each of the packet flows based on the identified
subscriber;

selecting, with the flow control element and for each of the packet flows, one of the processing pipelines based on the subset
of network services for the subscriber associated with the packet flow; and

distributing, with the flow control element, each of the plurality of packet flows to the compute elements in accordance with
the processing pipeline selected for the packet flow to provide the subset of network services determined for the subscriber
associated with the packet flow.

US Pat. No. 9,485,155

TRAFFIC ANALYSIS OF DATA FLOWS

Juniper Networks, Inc., ...

1. A system comprising:
a plurality of network devices, in a network, to:
aggregate information regarding a plurality of data flows associated with data units received or transmitted by the plurality
of network devices without impacting throughput of the data units, and

output the aggregated information; and
a traffic analyzer, connected to the plurality of network devices, to:
receive the aggregated information from the plurality of network devices,
the aggregated information including information regarding successful data flows and unsuccessful data flows associated with
a particular source,

the aggregated information providing an indication of an attack on the network or a misconfiguration of the network when the
particular source is responsible for creation of more than a particular quantity of the plurality of data flows during a period
of time,

the successful data flows being data flows that are successfully established, and
the unsuccessful data flows being data flows that are unsuccessfully established,
the plurality of data flows including the successful data flows and the unsuccessful data flows, and
the successful data flows and the unsuccessful data flows including at least a portion of the data units,
determine creation information regarding when one or more of the successful data flows were created;
determine termination information regarding when the one or more of the successful data flows were terminated,
the termination information being determined based on the one or more of the successful data flows for which no data units
are received for at least a threshold amount of time; and

provide information based on one or more of the aggregated information, the creation information, or the termination information.

US Pat. No. 9,356,789

ROBUST CONTROL PLANE ASSERT FOR PROTOCOL INDEPENDENT MULTICAST (PIM)

Juniper Networks, Inc., ...

1. A method comprising:
initiating a Protocol Independent Multicast (PIM) election process for selecting one of a plurality of routers as a forwarding
router to forward multicast traffic to a shared media computer network;

determining, with a first one of the routers, whether the first one of the routers has received the multicast traffic; and
outputting, with the first one of the routers based on the determination and in association with the PIM election process,
a PIM assert message,

wherein the PIM assert message comprises assert information for a plurality of different multicast sources for a plurality
of multicast groups, and

wherein the PIM assert message includes, for each of the multicast sources of each of the multicast groups, an indication as
to whether the first one of the routers has successfully received multicast traffic for the corresponding combination of multicast
source and multicast group.

US Pat. No. 9,240,923

METHODS AND APPARATUS FOR AUTOMATICALLY PROVISIONING RESOURCES WITHIN A DISTRIBUTED CONTROL PLANE OF A SWITCH

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a network management module to be operability coupled to a plurality of edge devices that are coupled to a plurality of peripheral
processing devices, the network management module to receive a signal associated with a broadcast protocol substantially similar
to the Intermediate System to Intermediate System (IS-IS) protocol from an edge device from the plurality of edge devices in
response to that edge device sending the signal to the network management module and the plurality of edge devices such that
the plurality of edge devices store information contained in the signal when that edge device is operatively coupled to a
switch fabric, the network management configured to provision that edge device in response to receiving the signal,

the network management module to define a plurality of network control entities at the plurality of edge devices such that
each network control entity from the plurality of network control entities is to provide forwarding-state information associated
with at least one peripheral processing device from the plurality of peripheral processing devices to at least one remaining
network control entity from the plurality of network control entities using a selective protocol substantially similar to
the Border Gateway Protocol (BGP).

US Pat. No. 9,178,801

AUTOMATED SERVICE DISCOVERY IN COMPUTER NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
determining, with a control plane of a router positioned in a network, one or more services provided by a service plane of
the router;

generating, with the control plane, a routing protocol message that includes service discovery information related to the
one or more services provided by the service plane;

transmitting, with a forwarding plane of the router, the routing protocol message to enable network devices of the network
to discover the one or more services provided by the service plane based on the service discovery information included in
the routing protocol message;

receiving traffic with the forwarding plane via a path established based on the service discovery information included in
the routing protocol message;

redirecting, with the forwarding plane, the traffic received via the path to the service plane;
applying, with the service plane, the one or more services to the traffic received via the path;
outputting, with the service plane and after applying the one or more of the services, the traffic to the forwarding plane;
and

performing a route lookup with the forwarding plane to forward the traffic output by the service plane.

US Pat. No. 9,172,609

AUTOMATIC CONFIGURATION OF VIRTUAL NETWORK SWITCHES

Juniper Networks, Inc., ...

1. A method comprising:
electing a first layer two (L2) network switch as a master switch for a virtual L2 network switch within a network having
a plurality of destination devices, each of the destination devices associated with a network address;

creating, with the first L2 network switch elected as the master network switch, forwarding information for a second L2 network
switch participating in the virtual network switch, wherein the forwarding information maps one or more of the network addresses
of the destination devices to network interfaces of the second L2 network switch; and

outputting the forwarding information from the first L2 network switch to the second L2 network switch to control switching
of L2 network communications by the second L2 network switch.

US Pat. No. 9,178,798

FAST REROUTE USING LOOP FREE ALTERNATE NEXT HOPS FOR MULTIPOINT LABEL SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
establishing, with an upstream router using multicast extensions to Label Distribution Protocol (mLDP), a multipoint label
switched path (LSP) between at least one root router and two or more leaf routers, the multipoint LSP including a direct link
as a primary path between the upstream router and a downstream router;

establishing, with the upstream router using a Label Distribution Protocol (LDP), a point-to-point (P2P) LSP to the downstream
router as a backup path between the upstream router and the downstream router, wherein the P2P LSP avoids the direct link
between the upstream router and the downstream router that is a protected link of the multipoint LSP;

establishing, with the upstream router using the mLDP, a targeted adjacency session between the upstream router and the downstream
router, wherein a targeted adjacency session label associated with the multipoint LSP is allocated for the targeted adjacency
session by the downstream router;

installing a primary next hop with an associated primary label for the primary path of the multipoint LSP into forwarding
information of the upstream router, wherein the primary label includes the targeted adjacency session label associated with
the multipoint LSP;

installing an alternate next hop with an associated alternate label stack for the backup path of the P2P LSP into forwarding
information of the upstream router, wherein the alternate label stack includes a P2P LSP label associated with the P2P LSP
and the targeted adjacency session label associated with the multipoint LSP;

forwarding multicast traffic from the upstream router toward the downstream router along the multipoint LSP according to the
primary next hop with the primary label; and

upon detecting a failure of the protected link of the multipoint LSP, tunneling the multicast traffic from the upstream router
toward the downstream router along the P2P LSP according to the alternate next hop with the associated alternate label stack.

US Pat. No. 9,106,530

CONSTRAINED ROUTE DISTRIBUTION FOR MULTIPLE VIRTUAL PRIVATE NETWORK SERVICES

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a network device, configuration data that defines a first virtual private network (VPN) service and associates
the first VPN service with a route target, wherein the route target identifies the network device as a member of a route target
extended community;

responsive to receiving the configuration data, sending a request for routes that match a type of the first VPN service from
the network device to a routing protocol speaker that stores a first set of routes that match the type of the first VPN service
and a second set of routes that match a type of a second VPN service, wherein the request includes first data that identifies
the type of the first VPN service;

receiving, with the network device from the routing protocol speaker, the first set of routes that match the type of the first
VPN service;

installing routes of the first set of routes that match the type of the first VPN service and are associated with the route
target to a routing information base of the network device; and

forwarding traffic for the first VPN service with the network device in accordance with the installed routes.

US Pat. No. 9,100,342

EXTERNAL SERVICE PLANE

Juniper Networks, Inc., ...

1. A system comprising:
a network device to:
receive network traffic from a first device;
identify, based on the network traffic and a service level agreement, stored by the network device, that a service is to be
applied to the network traffic;

send the network traffic to a second device to obtain the service for the network traffic,
the second device using a first service plane, of the second device, to apply the service to the network traffic;
receive the network traffic from the second device after the service is applied to the network traffic;
send the network traffic, received from the second device, to a fourth device;
receive an updated service level agreement;
determine, based on the updated service level agreement, that an increased bandwidth capacity is to be provided for a user
associated with the network traffic;

determine that a second service plane is to be allocated to the service to provide the increased bandwidth capacity;
send, to a third device and based on determining that the second service is to be allocated to the service, an instruction
that instructs the third device to create the second service plane,

the third device being separate from the second device;
receive additional network traffic from the first device;
determine, based on the increased bandwidth capacity and after receiving the additional network traffic, that the service
is to be provided by the second device and the third device; and

perform load balancing of the additional network traffic among the second device and the third device,
when performing the load balancing, the network device is to:
send a first portion of the additional network traffic to the second device to obtain the service for the first portion of
the additional network traffic,

the second device using the first service plane, of the second device, to apply the service to the first portion of the additional
network traffic;

send a second portion of the additional network traffic to the third device to obtain the service for the second portion of
the additional network traffic,

the second portion of the additional network traffic being different from the first portion of the additional network traffic,
and

the third device using the second service plane, of the third device, to apply the service to the second portion of the additional
network traffic;

receive the additional network traffic from the second device and the third device after the service is applied to the additional
network traffic by the second device and the third device; and

send the additional network traffic, received from the second device and the third device, to the fourth device.

US Pat. No. 9,083,740

NETWORK TRAFFIC PATTERN MATCHING USING ADAPTIVE DETERMINISTIC FINITE AUTOMATA

Juniper Networks, Inc., ...

1. A method comprising:
processing network packets with a network device using a hybrid deterministic finite automata (DFA) having a first set of
states in a first portion of the DFA in an uncompressed format and a second set of states in a second portion of the hybrid
DFA in a compressed format to traverse the first set of states and the second set of states of the hybrid DFA;

when processing the network packets, comparing, with the network device, a number of times one or more of the first set of
states and one or more of the second sets of states have been traversed by the network device and dynamically reallocating
the first set of states of the first portion of the hybrid DFA in the uncompressed format and the second set of states of
the second portion of the hybrid DFA in the compressed format based on the comparison by at least in part:

converting at least one of the first set of states of the first portion of the hybrid DFA to generate a corresponding state
in the compressed format,

converting at least one of the second set of states of the second portion of the hybrid DFA to generate a corresponding state
in the uncompressed format,

deleting the at least one of the first set of states,
deleting the at least one of the second set of states,
adding the corresponding state in the compressed format to the second portion of the hybrid DFA, and
adding the corresponding state in the uncompressed format to the first portion of the hybrid DFA.

US Pat. No. 10,098,253

APPARATUS, SYSTEM, AND METHOD FOR ALIGNING AND SUPPORTING LINE CARDS WITHIN TELECOMMUNICATIONS SYSTEMS

Juniper Networks, Inc., ...

1. An apparatus comprising:
at least one receptacle that:
is coupled to a line card that facilitates communication among computing devices; and
mates with at least one member coupled to a backplane of a telecommunications device to physically support the line card upon installation in the telecommunications device; and
a plurality of leaf springs that:
are secured to the receptacle by a U-bracket;
reside between the receptacle and the U-bracket;
are arranged vertically relative to one another such that one of the leaf springs is secured to a top side of the receptacle relative to a horizontal cross section of the telecommunications device and another one of the leaf springs is secured to a bottom side of the receptacle relative to the horizontal cross section of the telecommunications device; and
when the member coupled to the backplane is inserted into the receptacle, apply a force on the member coupled to the backplane to lift the line card in an upward direction.

US Pat. No. 9,413,782

MALWARE DETECTION USING INTERNAL MALWARE DETECTION OPERATIONS

Juniper Networks, Inc., ...

1. A system, comprising:
one or more processors; and
a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
determine to perform an internal malware detection operation to detect malware executing on a client device;
perform the internal malware detection operation,
the internal malware detection operation being performed locally on a particular device without requiring communication with
another device, and

the internal malware detection operation including at least one of:
an artifact persistence operation to delete a first artifact and determine whether the first artifact has been recreated,
an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified, or
an artifact integrity operation to detect that a third artifact has been modified in a particular manner;
modify an environment executing on the particular device, to form a modified environment, based on performing the internal
malware detection operation;

monitor the modified environment for a particular behavior indicative of a malware infection;
detect that the particular behavior has occurred; and
provide a notification that the client device is infected with malware based on detecting that the particular behavior has
occurred,

the notification causing one or more network devices to block network traffic to or from the client device.

US Pat. No. 9,363,169

APPARATUS, SYSTEM, AND METHOD FOR RECONFIGURING POINT-TO-MULTIPOINT LABEL-SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
detecting that at least a portion of an initial branch path of a point-to-multipoint label-switched path has failed over to
a failover route that rejoins the initial branch path at a merge-point device;

establishing an alternate branch path that merges with the initial branch path at the merge-point device;
transmitting data via the alternate branch path while data is still being input into the initial branch path and transmitted
to the merge-point device via the failover route; and

instructing the merge-point device to forward data from the alternate branch path rather than from the failover route.

US Pat. No. 9,351,219

APPARATUS, SYSTEM, AND METHOD FOR PREDICTING ROAMING PATTERNS OF MOBILE DEVICES WITHIN WIRELESS NETWORKS

Juniper Networks, Inc., ...

1. An apparatus comprising:
a storage device that maintains information about mobile devices roaming within a wireless network;
an Access Point (AP)-prediction unit communicatively coupled to the storage device, wherein the AP-prediction unit:
identifies at least one of the mobile devices roaming within the wireless network;
determines, based at least in part on the information maintained in the storage device, a number of times that the mobile
device has visited a specific AP within the wireless network;

generates, based at least in part on the number of times that the mobile device has visited the specific AP, a score that
represents a probability that the specific AP is the next AP visited by the mobile device; and

determines that the score is above a certain threshold;
a profile-distribution unit that provides, in response to the determination that the score is above the certain threshold,
the specific AP with a roaming-session profile that facilitates transferring a roaming session of the mobile device to the
specific AP in anticipation of the specific AP being the next AP visited by the mobile device while roaming within the wireless
network; and

a storage-maintenance unit communicatively coupled to the storage device, wherein the storage-maintenance unit:
constructs a table that includes the information about the mobile devices roaming within the wireless network;
indexes the information included in the table by Media Access Control (MAC) addresses that each correspond to a different
mobile device roaming within the wireless network;

receives, from the specific AP, one or more notifications indicating that one or more of the mobile devices roaming within
the wireless network have recently visited the specific AP; and

updates the information included in the table based at least in part on the notifications received from the specific AP.

US Pat. No. 9,350,453

OPTICAL ACCESS NETWORK HAVING EMITTER-FREE CUSTOMER PREMISE EQUIPMENT AND ADAPTIVE COMMUNICATION SCHEDULING

Juniper Networks, Inc., ...

1. A method comprising:
executing, with a routing component of a router, routing protocols to communicate routing information with peer routing devices;
maintaining, with the routing component, routing information that describes a topology of a network in accordance with the
routing information;

programming a plurality of forwarding components coupled to the routing component with forwarding information based on the
routing information, wherein the forwarding information controls forwarding of network packets by the respective forwarding
component;

scheduling, with a scheduler executing on an optical interface of an interface card installed within one of the forwarding
components, upstream communication by a plurality of customer premise equipment (CPEs) coupled to the optical interface;

outputting, with the optical interface and in accordance with the schedule, an unmodulated optical receive signal to the CPEs
for upstream communication by the plurality by CPEs, and

receiving the upstream communications from the CPEs in accordance with the schedule and routing the upstream communications
in accordance with the routing information.

US Pat. No. 9,323,627

SYSTEM, METHOD, AND APPARATUS FOR DETECTING FAULT CONDITIONS EXPERIENCED BY REMOTE PHYSICAL PORTS

Juniper Networks, Inc., ...

1. A method comprising:
identifying a network connection between a first physical port operating in a first communication mode and a second physical
port operating in a second communication mode;

monitoring at least one count that identifies the number of block-sized transmission errors encountered by the first physical
port;

determining, based at least in part on the count that identifies the number of block-sized transmission errors encountered
by the first physical port, that the second physical port has experienced a fault condition;

in response to determining that the second physical port has experienced the fault condition, deactivating the network connection
to avoid dropping network traffic directed to the network connection.

US Pat. No. 9,128,785

SYSTEM AND METHOD FOR EFFICIENT SHARED BUFFER MANAGEMENT

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a processor of a device, a first data unit, a second data unit, and a third data unit;
en-queuing, by the processor and during a first time period, the first data unit to a first queue, of a plurality of queues
of the device, and the second data unit to a second queue of the plurality of queues;

performing, by the processor and during a second time period that occurs after the first time period, a de-queue operation,
the de-queue operation including:
removing the first data unit from the first queue, and
forwarding the first data unit toward an output port,
the output port being unavailable to receive the second data unit during the second time period based on the first data unit
being forwarded toward the output port during the second time period;

performing, by the processor and during the second time period, a drop operation that includes removing the second data unit
from the second queue based on the output port being unavailable to receive the second data unit during the second time period;
and

en-queuing, by the processor, the third data unit to one of the first queue or the second queue after performing the de-queue
operation and the drop operation.

US Pat. No. 9,106,577

SYSTEMS AND METHODS FOR DROPPING DATA USING A DROP PROFILE

Juniper Networks, Inc., ...

1. A method comprising:
identifying, by a device and for a queue, a drop probability using an index;
determining, by the device and based on the identified drop probability, whether to drop data from a head of the queue,
determining whether to drop the data including:
comparing the identified drop probability to a random number,
the random number having a greater number of bits than a number of bits in the identified drop probability, and
generating a drop decision based on a result of the comparison; and
processing, by the device, the data at the head of the queue based on determining whether to drop the data.

US Pat. No. 9,485,191

FLOW-CONTROL WITHIN A HIGH-PERFORMANCE, SCALABLE AND DROP-FREE DATA CENTER SWITCH FABRIC

Juniper Networks, Inc., ...

1. A network system comprising:
a switch fabric comprising a plurality of switches interconnected to form a physical network, wherein the switches provide
connectionless packet-based switching for packets through the switch fabric;

a plurality of servers interconnected by the switch fabric, wherein each of the servers comprises an operating environment
executing one or more virtual machines in communication via the one or more virtual networks; and

a plurality of host network accelerators, a host network accelerator of the host network accelerators comprising:
a hardware-based virtual router configured to extend the one or more virtual networks to the operating environments of the
virtual machines; and

a flow control unit configured to allocate bandwidth among the plurality of host network accelerators based at least on an
amount of data to be transmitted by each of the plurality of host network accelerators;

wherein the flow control unit is further configured to send, to each other host network accelerator having data to send to
the host network accelerator, a rate message that specifies a permitted transmission rate at which the other host network
accelerator may send data to the host network accelerator,

wherein the flow control unit is further configured to compute the permitted transmission rate at which the other host network
accelerator may send data to the host network accelerator according to:


wherein $r_i$ is the permitted transmission rate at which the other host network accelerator $i$ may send data to the host network accelerator,

wherein $q_i$ specifies the amount of data to be sent by the other host network accelerator $i$, and

wherein $\sum_{i=1}^{N} q_i$ specifies a total amount of data to be sent by the plurality of host network accelerators.

US Pat. No. 9,484,771

UNINTERRUPTABLE POWER SUPPLY FOR DEVICE HAVING POWER SUPPLY MODULES WITH INTERNAL AUTOMATIC TRANSFER SWITCHES

Juniper Networks, Inc., ...

1. A method comprising:
determining, with a controller of a power supply module of an electronic device, whether power from a first power source is
unavailable to the power supply module;

responsive to determining that power from the first power source is unavailable, de-coupling, with one or more de-coupling
components of the power supply module that connect an automatic transfer switch (ATS) of the power supply module to an output
of the power supply module, the first power source from one or more components of the electronic device that are connected
to the output of the power supply module;

subsequent to de-coupling the first power source from the one or more components of the electronic device, de-coupling, with
the ATS, the power supply module from the first power source; and

coupling, with the ATS, the power supply module to a second power source for delivering power to the one or more components
of the electronic device.

US Pat. No. 9,385,994

NETWORK SECURITY DEVICE

Juniper Networks, Inc., ...

1. A system comprising:
a network device to:
determine whether a data packet is a first data packet in a session associated with the data packet;
determine whether information regarding the session, associated with the data packet, is stored in a data structure after
determining whether the data packet is the first data packet in the session,

the data structure storing information regarding sessions;
selectively transmit the data packet to one or more first components, of the network device, or to one or more second components
of the network device,

the one or more second components being different than the one or more first components,
the data packet being transmitted to the one or more first components when the information regarding the session, associated
with the data packet, is not stored in the data structure, or

the data packet being transmitted to the one or more second components, without being transmitted to the one or more first
components, when the information regarding the session, associated with the data packet, is stored in the data structure; and
selectively process the data packet by one of:
the one or more first components, or
the one or more second components.

US Pat. No. 9,351,324

INLINE NETWORK ADDRESS TRANSLATION WITHIN A MOBILE GATEWAY ROUTER

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a mobile gateway, a request to attach a wireless device of a subscriber to a mobile wireless network;
establishing, with a control plane of the mobile gateway, a packet-based network connection for the wireless device to communicate
using the mobile wireless network, wherein establishing the network connection comprises assigning a private network address
to the wireless device;

upon establishing the network connection and prior to receiving subscriber data traffic from the wireless device, pre-allocating
with the control plane of the mobile gateway a public network address and a port range for the wireless device;

constructing, with the control plane of the mobile gateway, a network address translation (NAT) profile specifying the public
network address and the port range and installing the NAT profile within a hardware forwarding element of the mobile gateway;

upon receiving a packet of a new packet flow of the subscriber data traffic, dynamically selecting a port within the port
range of the NAT profile for the subscriber with the hardware forwarding element and creating a NAT binding within the hardware
forwarding element that maps the private network address for the wireless device to the public network address and the selected
port; and

performing network address translation on packets for the packet flow within the hardware forwarding element based on the
NAT binding.

US Pat. No. 9,336,617

ASSIGNING VALUES TO OBJECTS USING A TWO-DIMENSIONAL DATA INPUT PLANE

Juniper Networks, Inc., ...

1. A method comprising:
displaying, by a computing device, identifiers for a set of network devices along an x-axis of a graph and a set of potential
configuration parameters for the network devices along a y-axis of the graph, wherein the potential configuration parameters
include one or more of security domains, IP addresses, subnets, ports to use when communicating with a particular device that
is separate from the one of the network devices, protocols to use when communicating with the particular device, and an IP
address of the particular device;

receiving a selection of an intersection of one of the identifiers along the x-axis and one of the potential configuration
parameters;

assigning the selected one of the potential configuration parameters to the one of the network devices corresponding to the
selected one of the identifiers; and

configuring the one of the network devices corresponding to the selected one of the identifiers with a configuration parameter
corresponding to the selected one of the potential configuration parameters.

US Pat. No. 9,258,329

DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE

Juniper Networks, Inc., ...

1. A network security device comprising:
an interface configured to receive a packet flow;
a control unit configured to receive a security policy to control access by the packet flow to a network, wherein the security
policy includes:

(a) match criteria that include a static port list of one or more layer four ports for a transport-layer protocol and a type
of layer seven application, and

(b) actions to be applied to packet flows that match the match criteria; and
a rules engine of the control unit configured to dynamically identify a type of layer seven application associated with the
packet flow by inspecting application-layer data within payloads of packets of the packet flow and without basing the identification
solely on a layer four port specified by headers within the packets,

wherein the rules engine is further configured to determine whether the dynamically identified type of layer seven application
associated with the packet flow matches the type of layer seven application of the security policy,

wherein the rules engine is further configured to apply the security policy to determine whether the packet flow matches a
layer four port in the static port list of the match criteria of the security policy, and

wherein the rules engine is further configured to, upon determining that the packet flow matches a layer four port of the
static port list and upon determining the dynamically identified type of layer seven application associated with the packet
flow matches the type of layer seven application of the security policy, applies the actions of the security policy to the
packet flow.

US Pat. No. 9,100,270

IDENTIFICATION FRAGMENT HANDLING

Juniper Networks, Inc., ...

1. A method implemented by a device, the method comprising:
receiving, by the device, a fragment of a data unit;
determining, by the device, whether the fragment of the data unit is a first fragment in a sequence of one or more fragments
of the data unit;

determining, by the device, forwarding information of the data unit when the fragment of the data unit is the first fragment;
comparing, by the device, the forwarding information of the data unit to stored forwarding information,
the stored forwarding information being determined from another fragment of another data unit; and
forwarding, by the device, the fragment of the data unit,
the fragment being forwarded based on the stored forwarding information when the forwarding information of the data unit matches
the stored forwarding information, and

the fragment being forwarded based on updated forwarding information and updated fragment information when the forwarding
information of the data unit does not match the stored forwarding information,

the updated forwarding information being stored and replacing the stored forwarding information, and
the updated fragment information being stored and replacing stored fragment information of the other data unit.

US Pat. No. 9,064,216

IDENTIFYING LIKELY FAULTY COMPONENTS IN A DISTRIBUTED SYSTEM

Juniper Networks, Inc., ...

1. A method of predicting component failure, the method comprising:
receiving, by a communication protocol and with a virtual network controller that includes an analytics plane to analyze operations
of a plurality of components in one or more virtual networks, a first parameter set from each of the components, wherein a
parameter set from a component includes one or more quantitative parameters that each describes a state of the component;

receiving, by the communication protocol and with the virtual network controller, an indication of detected component failure
for one or more of the components;

training, with the virtual network controller and using the first parameter sets and the indication of detected component
failure, a trainable automated classifier to develop a classifying structure that distinguishes between component parameter
sets that logically associate with a detected component failure and component parameter sets that do not logically associate
with a detected component failure;

receiving, by the communication protocol and with the virtual network controller, a second parameter set from each of the
components; and

predicting, with the virtual network controller using the trainable automated classifier and the classifying structure, a
failure of a first one of the components.

US Pat. No. 9,049,030

METHODS AND APPARATUS FOR EFFICIENT MULTICAST

Juniper Networks, Inc., ...

1. An apparatus, comprising: a core network node configured to associate with a native multicast group a first client device
that is associated with a first virtual local area network (VLAN) and operatively coupled to the core network node via a first
access network node and an aggregation network node, the core network node configured to associate with the native multicast
group a second client device that is associated with a second VLAN and operatively coupled to the core network node via a
second access network node and the aggregation network node, the core network node configured to define a multicast VLAN including
the first VLAN and the second VLAN, the core network node configured to receive a multicast data unit associated with the
native multicast group, the core network node configured to define a first instance of the multicast data unit for the multicast
VLAN, the core network node configured to send the first instance of the multicast data unit to the aggregation network node
via a multicast tunnel and such that the aggregation network node (1) defines, based on the first instance of the multicast
data unit, a second instance of the multicast data unit and a third instance of the multicast data unit, (2) sends the second
instance of the multicast data unit to the first access network node based on the first client device being associated with
the first VLAN that is a member of the multicast VLAN, and (3) sends the third instance of the multicast data unit to the
second access network node based on the second client device being associated with the second VLAN that is a member of the
multicast VLAN.

US Pat. No. 9,485,216

MULTI-LAYERED APPLICATION CLASSIFICATION AND DECODING

Juniper Networks, Inc., ...

1. A network firewall comprising:
a processor configured to process one or more packets of a packet flow to determine, responsive to receiving and processing
the packet flow, an identity of an outer application-layer communication protocol associated with the packet flow and an identity
of an inner application-layer communication protocol that is using the outer application-layer communication protocol to transport
communications,

wherein the processor is configured to dynamically select a set of at least two application-layer decoders from a plurality
of application-layer protocol decoders responsive to determination of the identity of the outer application-layer communication
protocol and the identity inner application-layer communication protocol, and

wherein the processor is configured, responsive to selection of the at least two application layer decoders, to apply the
selected set of two or more application-layer decoders to the packet flow to processes application-layer data within the packet
flow and execute an action in response to the processing of the application-layer data.

US Pat. No. 9,473,198

APPARATUS AND METHOD FOR BYPASSING AMPLIFIERS USED TO AMPLIFY SIGNALS RECEIVED BY WIRELESS COMMUNICATION SYSTEMS

Juniper Networks, Inc., ...

17. A wireless communication system comprising:
an antenna;
a receiver; and
a multi-throw switch having a common terminal connected to the antenna, the multi-throw switch configured to direct signals
received from the antenna between:

an amplification path that connects a receive terminal of the multi-throw switch to the receiver, the amplification path comprising
at least one amplifier that amplifies signals received from the antenna; and

at least one bypass path that connects an additional receive terminal of the multi-throw switch to the receiver, the bypass
path comprising at least:

a filter that attenuates unwanted signals received from the antenna;
an attenuator that optionally produces a desired attenuation of signals received from the antenna; and
a bypass amplifier that optionally produces a desired amplification of signals received from the antenna and that has a gain
that is less than a gain of the amplification path;

wherein the filter in the bypass path comprises a bandpass filter that removes signals outside of a certain frequency range
received from the antenna.

US Pat. No. 9,391,843

PRE-COMPUTING EFFECTS OF MODIFYING COMPONENTS IN A DATA CENTER SWITCH

Juniper Networks, Inc., ...

1. A method comprising:
sending, with a data center analyzer connected to a centralized management system for a data center switch, queries to components
included in the data center switch to discover a current topology of the data center switch, wherein the components in the
data center switch comprise a plurality of data center nodes interconnected via one or more data center interconnects, and
wherein sending the queries to the components included in the data center switch comprises sending queries to the plurality
of data center nodes to discover connections between each of the plurality of data center nodes and the one or more data center
interconnects within the data center switch, and discover connections between each of the plurality of data center nodes and
one or more network devices external to the data center switch, and sending queries to the one or more data center interconnects
to discover connections within each of the one or more data center interconnects;

receiving, with the data center analyzer, proposed modifications to the current topology of the data center switch, wherein
the proposed modifications to the current topology comprise proposed modifications to one or more of the components included
in the data center switch;

computing an expected traffic distribution across connections of the components in a modified topology of the data center
switch based on a traffic distribution algorithm and the proposed modifications; and

sending the expected traffic distribution to an administrator for a decision whether to allow the proposed modifications to
the components in the data center switch.

US Pat. No. 9,350,445

METHOD AND APPARATUS FOR DETECTION AND CORRECTION OF CHANNEL FAILURE IN AN OPTICAL TRANSCEIVER SYSTEM

Juniper Networks, Inc., ...

1. A method, comprising:
transmitting at a unique wavelength from a plurality of wavelengths from each optical transmitter from a plurality of optical
transmitter;

transmitting at a first wavelength from the plurality of wavelengths from a backup optical transmitter when an optical transmitter
from the plurality of optical transmitters and associated with the first wavelength fails; and

defining a loopback path when a first optical switch and a second optical switch are activated, the first optical switch associated
with the plurality of optical transmitters and the backup optical transmitter, the second optical switch associated with a
plurality of optical receivers.

US Pat. No. 9,319,347

DEADLOCK-RESISTANT FABRIC TREE REPLICATION IN A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
configuring, by a network device for each packet replicator of a plurality of packet replicators of the network device, a
plurality of partitions of a packet buffer of the packet replicator to store multicast packet data received by the network
device;

generating, by the network device, a plurality of multi-level replication data structures each having nodes hierarchically
arranged in a plurality of levels that define an internal forwarding relationship among the nodes, wherein each node represents
one of the plurality of packet replicators;

generating, by the network device from the plurality of multi-level replication data structures, forwarding information that
maps the plurality of levels of each of the plurality of multi-level replication data structures to respective partitions
of the plurality of partitions of packet buffers of the plurality of packet replicators; and

internally forwarding, by the plurality of packet replicators according to the forwarding information, the multicast packet
data received by the network device.

US Pat. No. 9,258,228

FILTERING AND ROUTE LOOKUP IN A SWITCHING DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a device, a data transfer rate per unit time interval associated with a flow of data;
determining, by the device, a first time,
the first time being associated with receiving a first data unit included in the flow of data;
determining, by the device and based on the data transfer rate per unit time interval, a quantity of data associated with
the flow of data between the first time and a second time,

the second time being associated with receiving a second data unit included in the flow of data; and
policing, by the device, the second data unit based on the quantity of data associated with the flow of data between the first
time and the second time.

US Pat. No. 9,246,800

INTERFACE FOR EXTENDING SERVICE CAPABILITIES OF A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method for providing one or more services to a packet traversing a service provider network, the method comprising:
receiving, with a network router of the service provider network, a packet associated with a client device of the service
provider network;

determining, with the network router, to apply one or more services to the packet associated with client device;
accessing, with a forwarding engine of the network router, a forwarding structure to select a first logical interface to which
to forward the packet, wherein the forwarding structure comprises a plurality of entries that each refer to one of a plurality
of logical interfaces, wherein the first logical interface comprises one of the plurality of logical interfaces, wherein each
of the plurality of logical interfaces correspond to a respective internal service component of the network router, and wherein
the first logical interface corresponds to a particular internal service component of the network router;

forwarding, with the forwarding engine, the packet to the particular internal service component;
applying, with the particular internal service component, a tunnel header and metadata to the packet to form a tunnel packet,
wherein the metadata specifies at least one network service to be applied when forwarding the packet within the service provider
network; and

forwarding, by the network router and through a network tunnel, the tunnel packet from the network router to a service complex
external to the network router, the external service complex comprising a plurality of network devices for application of
the one or more network services to the packet in accordance with the metadata.

US Pat. No. 9,100,198

NETWORK PROVIDER BRIDGE MMRP REGISTRATION SNOOPING

Juniper Networks, Inc., ...

1. A method comprising:
creating, by a device, a multicast distribution tree that is associated with a plurality of service virtual local area networks
(SVLAN)

the plurality of SVLANs being associated with one or more ports of a plurality of ports associated with the device;
creating, by the device, a multicast forwarding table based on the multicast distribution tree;
receiving, by the device, a data unit;
extracting, by the device, a media access control (MAC) address from the data unit;
determining, by the device, a particular SVLAN, of the plurality of SVLANS, associated with the MAC address;
determining, by the device and based on the multicast forwarding table, the one or more ports associated with the particular
SVLAN; and

forwarding, by the device and via the one or more ports, the data unit.

US Pat. No. 9,369,785

INTEGRATED CONTROLLER FOR ROUTING / SWITCHING NETWORK AND UNDERLYING OPTICAL TRANSPORT SYSTEM

Juniper Networks, Inc., ...

1. A system comprising:
a routing and switching network having a plurality of interconnected layer three (L3) routing components and layer two (L2)
switching components for communicating packet-based network traffic;

a plurality of packet-optical transport devices interconnected to form an optical transport system and coupled to the routing
and switching system for optically transporting the network traffic between the routing and switching components; and

a controller comprising:
a path computation element to compute paths for the network traffic through the routing and switching network;
a software defined networking control module to communicate updated routing information to the routing components of the routing
and switching network to control packet flows through the routing and switching network in accordance with the computed paths;
and

a routing wavelength and spectrum assignment control module to that configures the packet-optical transport devices to operate
at particular wavelengths in response to the updated routing information and bandwidth requirements for the network traffic.

US Pat. No. 9,350,169

APPARATUS, SYSTEM, AND METHOD FOR CONTROLLING POWER WITHIN A POWER-REDUNDANT SYSTEM

Juniper Networks, Inc., ...

1. An apparatus comprising:
a bus that electrically couples an electrical load to redundant power feeds, the bus comprising a first rail and a second
rail;

at least one capacitive component electrically coupled between the first and second rails of the bus via a conductive path
and a resistive path, the resistive path having substantially greater resistance than the conductive path;

a switching mechanism electrically coupled between the first and second rails of the bus that:
causes the capacitive component to charge through the conductive path until a threshold voltage on the first rail of the bus
is reached;

when the threshold voltage on the first rail of the bus is reached, closes the conductive path and forces the capacitive component
to charge through the resistive path.

US Pat. No. 9,344,359

INGRESS PROTECTION FOR MULTIPOINT LABEL SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
advertising, with a primary ingress node of a network connected to a multicast source, a virtual node identifier that identifies
a virtual node as a next hop for the multicast source through the primary ingress node;

advertising, with a backup ingress node of the network connected to the same multicast source, the same virtual node identifier
that identifies the same virtual node as the next hop for the multicast source through the backup ingress node;

forwarding, with the primary ingress node, traffic of the multicast source on a multipoint label switched path (LSP) established
between the virtual node as a root node and two or more egress nodes of the network; and

based on a failure at the primary ingress node, forwarding, with the backup ingress node, the traffic of the multicast source
through a backup path onto the same multipoint LSP with the virtual node as the root node.

US Pat. No. 9,317,347

SYSTEMS AND METHODS FOR FACILITATING ATOMIC DELIVERY OF BUNDLED DATA SETS TO APPLICATIONS WITHIN DISTRIBUTED SYSTEMS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at a queue of an application running within a distributed system, a data set from at least one other application
running within the distributed system;

determining that the data set received from the other application is incorporated in a bundle whose contents have yet to completely
arrive at the queue of the application;

gating, due at least in part to the data set being incorporated in the bundle, the data set at the queue of the application
at least until the bundle's contents have completely arrived at the queue of the application;

receiving, at the queue of the application, another data set incorporated in the bundle from the other application running
within the distributed system;

determining that the bundle's contents have completely arrived at the queue of the application based at least in part on receiving
the other data set incorporated in the bundle; and

in response to determining that the bundle's contents have completely arrived at the queue of the application, notifying the
application that the bundle is ready for atomic delivery to the application such that the application is able to consume the
bundle's contents on an as-needed basis,

wherein the bundle comprises:
a root node that includes metadata that identifies the bundle's contents;
a plurality of bundles that each include a bundle root that connects one or more content nodes to the root node, wherein:
at least one of the content nodes represents the data set received from the other application;
at least one of the content nodes represents the other data set received from the other application; and
each bundle root represents a beginning of a bundle within the plurality of bundles; and
modifying the bundle's contents to incorporate an updated version of the other data set without re-transferring any redundant
versions of the bundle's contents from the other application to the queue of the application by:

receiving, at the queue of the application, the updated version of the other data set from the other application running within
the distributed system;

modifying, within the bundle, each bundle root along a path that leads from the root node to the content node representing
the other data set to account for the updated version of the other data set without modifying any bundle roots that do not
lead from the root node to the content node representing the other data set; and

replacing the other data set with the updated version of the other data set to account for the updated version of the other
data set without modifying any content nodes that do not represent the other data set.

US Pat. No. 9,270,426

CONSTRAINED MAXIMALLY REDUNDANT TREES FOR POINT-TO-MULTIPOINT LSPS

Juniper Networks, Inc., ...

15. A network device comprising:
a processor;
a constrained maximally redundant tree module configured for execution by the processor to calculate a plurality of maximally
redundant trees from the network device to a plurality of egress network devices based on a network graph, in which each of
the plurality of maximally redundant trees comprises a spanning tree to the plurality of egress network devices rooted at
the network device, wherein each of the maximally redundant trees is calculated to comprise a point to multipoint (P2MP) path
from the network device to the plurality of egress network devices that is as disjoint as possible from a respective P2MP
path from the network device to the plurality of egress network devices for each other one of the plurality of maximally redundant
trees, and wherein the maximally redundant trees are calculated such that each link along each of the plurality of maximally
redundant trees satisfies a specified traffic-engineering constraint,

wherein the constrained maximally redundant tree module is configured to, in response to determining that the plurality of
maximally redundant trees includes at least one node whose removal partitions a network represented by the network graph:

modify the specified traffic-engineering constraint to have a less restrictive value;
modify the network graph to add links to the network graph that satisfy the modified traffic-engineering constraint to obtain
a modified network graph; and

re-calculate at least a portion of the plurality of maximally redundant trees based on the modified network graph to obtain
a plurality of maximally redundant trees in which at least two nodes must be removed before the network is partitioned; and

a resource reservation protocol module configured for execution by the processor to establish a plurality of P2MP label switched
paths (LSPs) from the network device as an ingress network device to the plurality of egress network devices along each of
the plurality of maximally redundant trees in which at least two nodes must be removed before the network is partitioned,
wherein each of the P2MP LSPs corresponds to a different one of the plurality of maximally redundant trees in which at least
two nodes must be removed before the network is partitioned.

US Pat. No. 9,258,328

IDENTIFYING MALICIOUS DEVICES WITHIN A COMPUTER NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a security device, from a device, network traffic directed to one or more computing devices protected by the
security device;

determining, based on content of the network traffic, a first set of data points for the device, the first set of data points
specifying characteristics of a software application executing at the device;

sending, by the security device, a response to the device to ascertain a second set of data points for the device, the second
set of data points including characteristics of an operating environment provided by and local to the device;

receiving, by the security device and from the device, at least a portion of the second set of data points;
determining whether the received portion of the second set of data points and the first set of data points include inconsistent
information;

determining, based on the inconsistent information, a maliciousness rating for the device, wherein the maliciousness rating
indicates an increased likelihood that the device is malicious in response to determining that the received portion of the
second set of data points and the first set of data points include inconsistent information and a decreased likelihood that
the device is malicious in response to determining that the received portion of the second set of data points and the first
set of data points include consistent information; and

selectively managing, based on the maliciousness rating, additional network traffic directed to the one or more computing
devices protected by the security device and received from the device.

US Pat. No. 9,253,335

USAGE MONITORING CONTROL FOR MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
establishing, with a mobile gateway positioned in a mobile access network, a session by which a mobile device is to access
a service;

determining, by one or more processors of the mobile gateway, that the mobile gateway has incomplete information to activate
usage monitoring of the service responsive to receipt of a message to activate a charging rule that includes a request to
activate usage monitoring for a service identified by an identifier without having received any message associating the identifier
to the service provided via the session; and

in response to determining that the mobile gateway has the incomplete information to activate the usage monitoring, rejecting,
with the one or more processors of the mobile gateway, the charging rule.

US Pat. No. 9,178,787

DISTRIBUTED ADMISSION CONTROL

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a network device, a request to initiate a data transfer;
transmitting, by the network device, one or more packets on one or more paths;
analyzing, by the network device, information identifying packet loss associated with at least one of the one or more packets;
transmitting, by the network device, one or more additional packets on the one or more paths based on analyzing the information
identifying packet loss associated with the at least one of the one or more packets;

receiving, by the network device, one or more responses to the one or more additional packets; and
causing, by the network device, the data transfer to be initiated on a particular path, of the one or more paths, when one
or more response times, associated with the one or more responses, do not exceed a threshold.

US Pat. No. 9,176,758

CONTROLLING VIRTUALIZATION RESOURCE UTILIZATION BASED ON NETWORK STATE

Juniper Networks, Inc., ...

1. A system comprising:
a controller device, comprising a processor and connected to a plurality of virtual machines, to:
receive network activity data from a network device in a network;
identify a virtual machine, of the plurality of virtual machines, to start up or shut down,
the virtual machine being identified based on the network activity data and at least one policy of a plurality of policies,
the plurality of policies including:
a policy relating to users logging into or logging out of the network,
a policy relating to users attempting to access the plurality of virtual machines, and
a policy relating to particular types of traffic in the network; and
cause the virtual machine to start up or shut down.

US Pat. No. 10,015,904

REMOVABLE FAN TRAY

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a fan tray having a first end and a second end opposite the first end, the fan tray configured to be slideably disposed within a chassis by inserting the first end of the fan tray into the chassis; and
a key removeably coupled to the fan tray such that the key can be moved relative to the fan tray from a first position to a second position, the first position associated with a first air flow direction, the second position associated with a second air flow direction opposite the first air flow direction.

US Pat. No. 9,391,958

HARDWARE IMPLEMENTATION OF COMPLEX FIREWALLS USING CHAINING TECHNIQUE

Juniper Networks, Inc., ...

1. A method comprising:
accessing, by a firewall device and based on a filter specification, a first hardware-implemented filter of a plurality of
hardware-implemented filters associated with the firewall device,

each of the plurality of hardware-implemented filters being a physical filter included in the firewall device and not being
a software-implemented filter,

the filter specification identifying a filter sequence of the plurality of hardware-implemented filters to be executed to
process packets;

processing, by the firewall device, a packet using the first hardware-implemented filter identified by the filter sequence,
the packet being processed based on first information included in the packet and a type of filter associated with the first
hardware-implemented filter;

determining, by the firewall device, that a particular rule, associated with the first hardware-implemented filter, includes
a next-filter action,

the next-filter action identifying a second hardware-implemented filter that is not included in the filter sequence;
accessing, by the firewall device, and based on the next-filter action and the packet, the second hardware-implemented filter;
and

processing, by the firewall device, the packet using the second hardware-implemented filter after processing the packet using
the first hardware-implemented filter and before processing the packet using a third hardware-implemented filter included
in the filter sequence,

an actual sequence for processing the packet of using the second hardware-implemented filter after processing the packet using
the first hardware-implemented filter and before processing the packet using the third hardware-implemented filter being different
than the filter sequence indicated by the filter specification,

the packet being processed based on second information included in the packet and a type of filter associated with the second
hardware-implemented filter.

US Pat. No. 9,391,796

METHODS AND APPARATUS FOR USING BORDER GATEWAY PROTOCOL (BGP) FOR CONVERGED FIBRE CHANNEL (FC) CONTROL PLANE

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first Fibre Channel (FC) switch configured to be operatively coupled to an FC network device and a second FC switch, the
first FC switch configured to receive, from the FC network device, a first control packet,

the first FC switch configured to send to the second FC switch, based on the first control packet, a second control packet
defined based on a decentralized control plane protocol, the second control packet including information associated with an
FC route associated with the FC network device such that (1) the second FC switch does not route FC data packets to the FC
network device using the FC route before the second FC switch receives the second control packet; and (2) the second FC switch
routes FC data packets to the FC network device using the FC route after the second FC switch receives the second control
packet;

the first FC switch further configured to send a third control packet, such that priority information for the first FC switch
and included in a network layer reachability information (NLRI) portion of the third control packet is used in a principal
switch election associated with a plurality of FC switches that includes the first FC switch.

US Pat. No. 9,100,296

NETCONF/DMI-BASED SECURE NETWORK DEVICE DISCOVERY

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a network device, that a device has been added to a network management system associated with the network
device,

the device utilizing a network management protocol that requires the device to initiate a connection with the network device;
generating, by the network device, configuration information for establishing the connection between the network device and
the device;

accessing, by the network device, the device,
accessing the device including logging into the device using secure shell version 2 (SSH v2) credentials;
providing, by the network device and based on accessing the device, the configuration information for establishing the connection
to the device to cause the device to establish the connection;

logging off, by the network device, from the device based on the configuration information having been provided to the device;
determining, by the network device, that the device has established the connection;
receiving, by the network device, device configuration information from the device via the connection; and
providing, by the network device, the device configuration information to the network management system,
the device configuration information being usable by the network management system to manage the device.

US Pat. No. 9,485,138

METHODS AND APPARATUS FOR SCALABLE RESILIENT NETWORKS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first controller configured to be operatively coupled within a network having a plurality of network nodes, a forwarding
gateway and a configuration entity, the first controller configured to manage session state and node state associated with
the plurality of network nodes independent of the forwarding gateway,

the first controller is configured to be operatively coupled to a plurality of controllers interconnected in a mesh configuration
and within the network, the first controller is configured to send session state and node state to each controller within
the plurality of controllers, the first controller is configured to receive session state and node state from each controller
within the plurality of controllers,

the first controller configured to automatically detect a failure of a second controller of the plurality of controllers,
the first controller configured to initiate a fail-over process for the second controller when the second controller fails,
without intervention from a master controller within the network.

US Pat. No. 9,485,196

INTERNAL PACKET STEERING WITHIN A WIRELESS ACCESS GATEWAY

Juniper Networks, Inc., ...

1. A method performed by a wireless access gateway of a wireless local area network (WLAN) access network, the method comprising:
assigning each forwarding unit of a plurality of forwarding units a different gateway layer 2 (L2) address from a plurality
of gateway L2 addresses that each identifies the wireless access gateway as a gateway device that terminates the WLAN access
network at layer 2 and provides access to a layer 3 (L3) network for packets destined to any of the gateway L2 addresses,
wherein the plurality of forwarding units are internal to the wireless access gateway, and wherein the wireless access gateway
includes an upstream interface for a mobility tunneling protocol operating over the L3 network, wherein the upstream interface
is to a mobile gateway of a mobile service provider network;

selecting, by the wireless access gateway, an anchor forwarding unit of the plurality of forwarding units to anchor a subscriber
session for a wireless endpoint device;

sending, by the wireless access gateway to the wireless endpoint device, the gateway L2 address assigned to the anchoring
forwarding unit to be used by the wireless endpoint device as a gateway L2 address for the wireless access gateway;

receiving, by an ingress forwarding unit of the plurality of forwarding units and from the wireless endpoint device, a packet
comprising a destination L2 address;

in response to determining, by the ingress forwarding unit, the destination L2 address of the packet matches the gateway L2
address assigned to the anchor forwarding unit:

forwarding, by the ingress forwarding unit, the packet to the anchor forwarding unit; and
processing, by the anchor forwarding unit using a subscriber session context for the subscriber session for the wireless endpoint
device, the packet to remove the L2 destination address and generate an encapsulated packet having a mobility tunneling protocol
header for output via the upstream interface.

US Pat. No. 9,438,699

TCP PROXYING OF NETWORK SESSIONS MID-FLOW

Juniper Networks, Inc., ...

1. A method comprising:
sending, by an intermediate network device, packets that advertise a transmission control protocol (TCP) window size of zero
bytes to a client device and a server device of an established network session after a synchronization (SYN) packet, a SYN-ACK
(acknowledgement) packet, and an ACK packet of the established network session have been exchanged between the client device
and the server device;

after sending the packets, receiving, by the intermediate network device, a first zero-window probe packet from the client
device, wherein the first zero-window probe packet includes data representing a first current sequence number for a client-to-server
packet flow of the established network session, and a second zero-window probe packet from the server device, wherein the
second zero-window probe packet includes data representing a second current sequence number for a server-to-client packet
flow of the established network session;

initializing a first TCP state for the client-to-server packet flow based on the first current sequence number and a second
TCP state for the server-to-client packet flow based on the second current sequence number; and

acting, by the intermediate network device, as a TCP proxy for packets following the first zero-window probe packet of the
client-to-server packet flow based on the first TCP state and packets following the second zero-window probe packet of the
server-to-client packet flow based on the second TCP state.

US Pat. No. 9,269,307

VISUAL ALERT SYSTEMS AND METHODS FOR DATA PROCESSING UNITS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a data processing unit configured to be operatively coupled within a data center network, the data processing unit configured
to output a first visual indicia, a second visual indicia and a third visual indicia,

the first visual indicia including a plurality of light outputs, each light output from the plurality of light outputs associated
with a port status of a network port of the data processing unit, at least one light output from the plurality of light outputs
being indicative of a Power over Ethernet (PoE) status of the data processing unit,

the second visual indicia including a plurality of graphical outputs produced by a display screen, each graphical output from
the plurality of graphical outputs associated with an operating status of the data processing unit,

the third visual indicia including at least a first backlight output produced by a first portion of the display screen and
a second backlight output produced by a second portion of the display screen, the second backlight output different from the
first backlight output, the first backlight output and the second backlight output each being uniquely associated with a characteristic
from a plurality of characteristics associated with the operating status of the data processing unit, each characteristic
from the plurality of characteristics including at least one of a brightness or a contrast,

the data processing unit being configured to adjust the brightness of the first backlight output when the operating status
of the data processing unit associated with the first backlight output has changed within a first predetermined time period,
and

the data processing unit is configured to adjust the brightness of the second backlight output when the operating status of
the data processing unit associated with the second backlight output has changed within a second predetermined time period,
the data processing unit configured to adjust the brightness of the first backlight output when the second backlight output
is produced by the second portion of the display screen.

US Pat. No. 9,231,820

METHODS AND APPARATUS FOR CONTROLLING WIRELESS ACCESS POINTS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first Control And Provisioning of Wireless Access Points (CAPWAP) control module implemented in at least one of a memory
or a processor device, the first CAPWAP control module configured to be designated as a backup control module for a wireless
access point during a first time period, the first CAPWAP control module configured to receive state information associated
with the wireless access point during the first time period and from a second CAPWAP control module designated as a primary
control module for the wireless access point during the first time period,

the first CAPWAP control module configured to be automatically designated as the primary control module during a second time
period after the first time period and in response to the second CAPWAP control module not operating according to at least
one predefined criterion,

the first CAPWAP control module configured to send a control packet including a CAPWAP header portion specific to a type of
the control packet and not specific to a CAPWAP binding.

US Pat. No. 9,191,799

SHARING DATA BETWEEN WIRELESS SWITCHES SYSTEM AND METHOD

Juniper Networks, Inc., ...

1. A system, comprising:
a first wireless switch configured to be coupled to (1) a first access point wirelessly coupled to a wireless station, (2)
a second wireless switch that is coupled to a second access point; the second access point having radio adjacency with the
first access point when the first access point detects a second access point, and (3) a third wireless switch coupled to a
third access point; the third access point not having radio adjacency with the first access point when the first access point
does not detect the third access point;

the first wireless switch configured to be coupled to a first contiguous radio domain database including wireless data associated
with the first wireless switch that includes radio frequency (RF) information including access point radio adjacency information
associated with the first access point;

the first wireless switch configured to be coupled to a second contiguous radio domain database (1) including the wireless
data associated with the first wireless switch, (2) including wireless data associated with the second wireless switch based
on the second access point having radio adjacency with the first access point, the wireless data associated with the second
wireless switch includes RF information including access point radio adjacency information associated with the second access
point, and (3) not including wireless data associated with the third wireless switch based on the third access point not having
radio adjacency with the first access point, the second wireless switch configured to be coupled to the first contiguous radio
domain database, the second contiguous radio domain database, and a third contiguous radio domain database, the third contiguous
radio domain database including wireless data associated with the third wireless switch based on the second access point having
radio adjacency with the third access point.

US Pat. No. 9,172,645

METHODS AND APPARATUS FOR DESTINATION BASED HYBRID LOAD BALANCING WITHIN A SWITCH FABRIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a processor configured to be operatively coupled to a memory and that is configured to execute a switch module; and
the switch module configured to receive an order identifier of a first data packet from a first stage of a multi-stage switch;
the switch module configured to receive an indicator of an available capacity of a first module of a second stage of the multi-stage
switch, and an indicator of an available capacity of a second module of the second stage of the multi-stage switch;

the switch module configured, when the order identifier is assigned, to direct the first data packet to the first module when
the available capacity of the second module is higher than the available capacity of the first module;

the switch module is configured, when the order identifier is flexible, to direct the first data packet to the first module
when the available capacity of the first module is above a threshold.

US Pat. No. 9,485,159

RULES-BASED NETWORK SERVICE MANAGEMENT WITH ON-DEMAND DEPENDENCY INSERTION

Juniper Networks, Inc., ...

1. A method comprising:
monitoring, with a rules engine, a network service at one or more network devices in a network to detect a device-level event;
in response to detecting a first device-level event, inserting a first data set of dependencies associated with the first
device-level event into a working memory, wherein the first data set of dependencies inserted in the working memory comprises
a first subset of a plurality of dependencies for the network service, and wherein the first data set of dependencies defines
links between the first device-level event and actions triggered by the first device-level event;

applying, with the rules engine, a set of network service rules to the first data set of dependencies inserted in the working
memory to determine a first service-level impact of the detected first device-level event;

in response to detecting a second device-level event, inserting a second data set of dependencies associated with the second
device-level event into the working memory, wherein the second data set of dependencies inserted in the working memory comprises
a second subset of the plurality of dependencies for the network service; and

applying, with the rules engine, the set of network service rules to the second data set of dependencies inserted in the working
memory to determine a second service-level impact of the second device-level event.

US Pat. No. 9,258,056

METHODS AND APPARATUS FOR MONITORING AND CONTROLLING THE PERFORMANCE OF OPTICAL COMMUNICATION SYSTEMS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an optical detector configured to sample asynchronously an optical signal from an optical component; and
a processor operatively coupled to the optical detector, the processor configured to calculate a metric value of the optical
signal without an extinction ratio of the optical signal being measured, the metric value being proportional to the extinction
ratio of the optical signal,

the processor configured to calculate a calibration value based on the optical signal such that the calibration value is calculated
by the processor when: (1) a bit rate of the optical signal is greater than an analog bandwidth of the optical detector and
(2) a sampling frequency of the optical signal is not less than the analog bandwidth of the optical detector,

the processor configured to define an error signal based on the calibration value and the metric value of the optical signal,
the processor configured to send the error signal to an optical transmitter such that the optical transmitter modifies an
output optical signal.

US Pat. No. 9,251,535

OFFLOAD OF DATA TRANSFER STATISTICS FROM A MOBILE ACCESS GATEWAY

Juniper Networks, Inc., ...

1. A method for offloading a data transfer statistic from a packet forwarding engine (PFE) forming part of a forwarding unit
in a mobile access gateway, the method comprising:
receiving, at the forwarding unit of the mobile access gateway, packets associated with a subscriber session for a subscriber;
storing the received packets in a packet buffer within the PFE;
updating, by the PFE, the data transfer statistic based on quantities of data in the received packets, the data transfer statistic
stored in a memory within the PFE;

generating, by the mobile access gateway, synthetic packets on a recurring basis, the synthetic packets having a packet type
different than packet types of any packets received by the forwarding unit from a content access network or a packet data
network;

storing, by the PFE, the synthetic packets in the packet buffer; and
responsive to determining a packet that was stored in the packet buffer is a synthetic packet, performing, by the PFE, a callout
operation to push the data transfer statistic from the memory of the PFE to a memory of the forwarding unit, the memory of
the forwarding unit being separate from the memory within the PFE.

US Pat. No. 9,100,201

INTER-SITE PIM-DENSE MODE AND PIM-BSR SUPPORT FOR MPLS/BGP IP VPNS

Juniper Networks, Inc., ...

1. A method comprising:
receiving multicast traffic with a first provider edge (PE) router of a service provider network, wherein the first PE router
is connected to a first customer site and is a member of an Internet Protocol (IP) virtual private network (VPN) provided
by the service provider network, and wherein the multicast traffic comprises PIM (Protocol Independent Multicast) Dense Mode
(PIM-DM) traffic for which no PIM join control messages have been received by the first PE router;

when the first PE router is configured to support the PIM-DM multicast traffic and a tunnel has not been established for the
PIM-DM multicast traffic received by the first PE router, automatically signaling the tunnel to establish the tunnel to transport
the PIM-DM multicast traffic through the provider network even though no PIM join control messages have been received by the
first PE router;

encapsulating the PIM-DM multicast traffic with the first PE router to form encapsulated packets; and
forwarding the encapsulated packets with the tunnel to all other PE routers connected to the IP VPN.

US Pat. No. 9,413,719

MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS

Juniper Networks, Inc., ...

1. A method for transmitting network packets through a network security device, the method comprising:
receiving, by a first virtual firewall (VF) of a first network device, a network packet from a first virtual machine (VM)
hosted by the first network device to be sent over a network to a second VM hosted by a second network device, wherein the
network comprises the network security device, a first network switch on a first side of the network security device, and
a second network switch on a second side of the network security device, and wherein the network packet comprises a first
medium access control (MAC) address identifying the first VM and a second MAC address identifying the second VM;

translating, by the first VF, the first MAC address of the network packet to a third MAC address for the first VM hosted by
the first network device, wherein the third MAC address belongs to a first network interface connected to the first network
switch on the first side of the network security device;

translating, by the first VF, the second MAC address of the network packet to a fourth MAC address for the second VM hosted
by the second network device, wherein the fourth MAC address belongs to a second network interface connected to the second
network switch on the second side of the network security device; and

transmitting the network packet from the first VF of the first network device over the network through the first network switch,
the network security device, and the second network switch to a second VF of the second network device hosting the second
VM based on the third MAC address and the fourth MAC address.

US Pat. No. 9,380,051

AUTOMATICALLY AUTHENTICATING A HOST KEY VIA A DYNAMICALLY GENERATED CERTIFICATE USING AN EMBEDDED CRYPTOGRAPHIC PROCESSOR

Juniper Networks, Inc., ...

1. A system comprising:
a device to:
receive, from another device, information indicating initiation of a secure connection over a session in accordance with a
secure protocol,

the secure connection being initiated for a first time between the device and the other device;
provide, to the other device, a trusted certificate,
a host key being embedded in the trusted certificate,
the trusted certificate being generated based on a component of the device signing a certificate signing request (CSR) with
a private key,

the private key being provided to the component prior to the component signing the CSR with the private key,
the CSR being signed by a particular certificate authority (CA) with a chain of trust to a CA trusted by the other device,
and

the host key being authenticated by the other device based on the CSR being signed by the particular CA with the chain of
trust to the CA trusted by the other device; and

establish the secure connection with the other device based on an authentication of the host key by the other device via the
trusted certificate provided to the other device.

US Pat. No. 9,379,982

ADAPTIVE STATELESS LOAD BALANCING

Juniper Networks, Inc., ...

1. A method comprising:
applying stateless load balancing, by a service node according to a hash table having a plurality of hash table entries that
each maps a hash value to a server of a plurality of servers that provide a common service, to packet flows to distribute
the packet flows among a plurality of servers;

modifying, by the service node in response to determining a failure of a failed server from the plurality of servers, a hash
table entry from the plurality of hash table entries to prescribe flow learning for packet flows that match the hash value
of the hash table entry;

generating and storing, by the service node in response to receiving an initial packet for a new packet flow that matches
the hash value of the hash table entry and determining the hash table entry prescribes flow learning for packet flows that
match the hash value of the hash table entry, a flow table entry that maps the new packet flow to an active server from the
plurality of servers; and

forwarding, by the service node, the initial packet and subsequent packets of the new packet flow according to the flow table
entry to override the stateless load balancing for the new packet flow.

US Pat. No. 9,252,972

POLICY CONTROL USING SOFTWARE DEFINED NETWORK (SDN) PROTOCOL

Juniper Networks, Inc., ...

1. A method comprising:
detecting, with a flow control unit of a data plane within a router, a new packet flow;
accessing, with a policy engine of a control plane within the router, a plurality of policies stored within a policy database
within the control plane within the router to determine whether one or more of the policies stored within the policy database
within the control plane within the router specify criteria that match attributes of the new packet flow;

outputting, in response to failing to identify in the policy database within the control plane within the router the one or
more policies that specify criteria that match attributes of the new packet flow, a message from the control plane within
the router to a policy server external to the router to request a policy from the policy server, wherein outputting the message
comprises constructing the message with the control plane within the router to conform to a software defined networking (SDN)
protocol as if the data plane within the router were directly exposed to an external device by the SDN protocol;

receiving, with the control plane within the router, a response message from the policy server, wherein the response message
conforms to the SDN protocol and specifies at least one new policy; and

installing the policy within the policy database within the control plane within the router.

US Pat. No. 9,178,781

FILTERING OUTPUT FROM OPERATIONAL COMMANDS EXECUTED ON A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at an interface of a routing device, an input from a client device using a communicative connection, wherein the
input comprises an operational command and a selection request, and wherein the selection request specifies a field identifier;

enumerating a schema identified by the operational command to form an enumerated schema, wherein the schema defines a class
of elements that conform to a data description language, and wherein the enumerating includes assigning a unique element number
to each element of the defined class of elements;

receiving, at the interface, data generated based at least in part on the schema, wherein the received data conforms to the
data description language;

filtering the received data to form filtered data, wherein the filtering includes mapping the field identifier specified by
the selection request to a unique element number of the enumerated schema;

rendering the filtered data to form a filtered textual output comprising one or more fields, wherein each field is associated
with a unique element number of the enumerated schema; and

transmitting, from the interface, the filtered textual output to the client device using the communicative connection.

US Pat. No. 9,178,877

PROVIDING A SERVICE BASED ON TIME AND LOCATION BASED PASSWORDS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first device, a first password from a second device,
the first password being generated based on first location information identifying a geographic location of the second device,
first time information identifying a particular time at which the second device was at the geographic location, and an algorithm;

receiving, by the first device and from a device separate from the second device, second location information identifying
the geographic location of the second device and second time information identifying the particular time at which the second
device was at the geographic location;

determining, by the first device, a second password based on the second time information, the second location information
identifying the geographic location of the second device, and the algorithm;

determining, by the first device, that the second device is located at the geographic location at the particular time when
characters in the first password match characters in the second password;

determining, by the first device, a verification level based on a quantity of characters in the first password that match
characters in the second password;

selecting, by the first device, a service based on the verification level; and
providing, by the first device, the service based on selecting the service and determining that the second device is located
at the geographic location at the particular time.

US Pat. No. 9,100,329

PROVIDING NON-INTERRUPT FAILOVER USING A LINK AGGREGATION MECHANISM

Juniper Networks, Inc., ...

1. A device, comprising:
a processor to:
replicate a first packet to obtain a first replicate of the first packet and a second replicate of the first packet,
transmit the first replicate of the first packet to a first node via a first port and the second replicate of the first packet
to a second node via a second port,

receive from the first node, and via the first port, a second packet based on the first node receiving the first replicate
of the first packet,

the second packet including information identifying an address,
the second replicate of the first packet being dropped by the second node,
associate the address with an aggregate interface associated with the first port and with the second port,
receive traffic that is destined for a client device,
the traffic being associated with the address,
determine that the address is associated with the aggregate interface,
the first node being in a first state,
the first state indicating that the first node is available to forward the traffic to the client device, and
the second node being in a second state,
the second state indicating that the second node is not available to forward the traffic to the client device, and
transmit the traffic to the first node and to the second node, via the aggregate interface, based on the address being associated
with the aggregate interface,

the first node forwarding the traffic to the client device based on the first node being in the first state, and
the second node not forwarding the traffic to the client device based on the second node being in the second state.

US Pat. No. 9,094,299

AUTO-GENERATION OF PLATFORM-INDEPENDENT INTERFACE AND OPERATIONAL SCRIPTS FOR CONFIGURING NETWORK DEVICES

Juniper Networks, Inc., ...

1. A method comprising:
parsing, by script builder software of a network device, configuration data of the network device in accordance with a schema
of the network device for one or more candidate parameters for configuration, wherein each of the one or more candidate parameters
comprises a configurable attribute of the network device in the configuration data;

outputting, at an interface of the network device, a parameter identifier of each of the one or more candidate parameters;
receiving, at the interface of the network device, an indication of a selection of the one or more candidate parameters and
a plurality of labels, wherein each label in the plurality of labels corresponds to a different one of the selected candidate
parameters, and wherein both the selected candidate parameters and the plurality of labels conform to a platform-independent
interface for a remote procedure call for provisioning a service on any one of a plurality of different devices within a network;

generating, by the script builder software of the network device, based at least in part on the selected candidate parameters
and the schema, at least one configuration script for modifying the configuration data of the network device in accordance
with the schema, wherein generating the at least one configuration script comprises configuring the at least one configuration
script to:

receive, via the platform-independent interface for the remote procedure call, parameterized information associated with at
least one of the selected candidate parameters; and

update, based on the parameterized information, the configurable attribute in the configuration data that corresponds to the
at least one of the selected candidate parameters.

US Pat. No. 9,069,957

SYSTEM AND METHOD OF REPORTING AND VISUALIZING MALWARE ON MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A system that monitors malware within a mobile network, comprising:
a receiver component that obtains data regarding the malware transferred to a plurality of different mobile devices operating
in the mobile network, the data comprising:

a first set of malware data, obtained from a first source positioned in the mobile network that monitors network data containing
a first plurality of applications transferred to at least a first mobile device of the mobile devices and that scans the first
plurality of applications to determine which of the first plurality of applications is a malware application, and

a second set of malware data obtained from a second source positioned in the mobile network that monitors network data containing
a second plurality of applications transferred to at least a second mobile device of the mobile devices and that scans the
second plurality of applications to determine which of the second plurality of applications is a malware application,

wherein the first source and the second source are separate from the first mobile device and the second mobile device, wherein
the second source is of a different type than the first source, and wherein the first source and the second source are located
at different positions within the mobile network;

an analysis component that processes the first set of malware data and the second set of malware data and generates a malware
analysis of the malware applications included within the first plurality of applications transferred to the first mobile device
of the mobile network and of the malware applications included within the second plurality of applications transferred to
the second mobile device of the mobile network as a function of the data; and

a mitigation component that mitigates effects of the malware applications transmitted to the first and second mobile devices
based at least in part on an aggregation of the first set of malware data and the second set of malware data.

US Pat. No. 9,485,194

VIRTUAL LINK AGGREGATION OF NETWORK TRAFFIC IN AN AGGREGATION SWITCH

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a first device, that information regarding a virtual aggregated link, that represents a plurality of possible
output links associated with a second device, is not received;

determining, by the first device and after determining that the information regarding the virtual aggregated link is not received,
that information regarding a failed link between the second device and a third device is received;

selecting, by the first device and after determining that the information regarding the failed link is received, particular
links of the plurality of possible output links based on the information regarding the failed link between the second device
and the third device,

the particular links connecting the first device to the third device; and
updating, by the first device, membership information of the virtual aggregated link to remove the particular links from the
virtual aggregated link.

US Pat. No. 9,392,018

LIMITING THE EFFICACY OF A DENIAL OF SERVICE ATTACK BY INCREASING CLIENT RESOURCE DEMANDS

Juniper Networks, Inc, S...

1. A device, comprising:
one or more processors, at least partially implemented in hardware, to:
detect a denial-of-service attack;
receive a request, for access to a resource, from a client device;
determine, based on the request and further based on detecting the denial-of-service attack, a computationally expensive problem
to be provided to the client device,

the computationally expensive problem being determined based on:
a type of browser being utilized by the client device, and
a request category associated with the request;
provide the computationally expensive problem to the client device,
the computationally expensive problem being provided to cause the client device to solve the computationally expensive problem,
the computationally expensive problem causing the client device to utilize an amount of processing power and memory space
to solve the computationally expensive problem,

the amount of processing power and memory space satisfying a threshold, and being utilized by the client device prior to the
client device from sending one or more additional requests;

receive, from the client device, a solution to the computationally expensive problem; and
grant or deny the client device access to the resource based on the solution to the computationally expensive problem.

US Pat. No. 9,379,957

MULTI-LEVEL AGER RINGS FOR TRACKING SESSION LIFE CYCLE

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
detect a communication session;
determine a session life cycle associated with the communication session,
the session life cycle indicating a time period after which the communication session is to be terminated;
determine whether the session life cycle satisfies a threshold; and
selectively perform a first action or a second action based on determining whether the session life cycle satisfies the threshold,
the first action including monitoring expiration of the communication session using a single ager ring when the session life
cycle does not satisfy the threshold,

the second action including monitoring expiration of the communication session using a plurality of ager rings when the session
life cycle satisfies the threshold.

US Pat. No. 9,374,835

METHODS AND APPARATUS FOR ENFORCING A COMMON USER POLICY WITHIN A NETWORK

Juniper Networks, Inc., ...

8. A non-transitory processor-readable medium storing code representing instructions to cause a processor to:
receive, during a first time period, a first data packet to be sent to a wired device, the wired device being operatively
coupled to a first wired network node from a plurality of wired network nodes during the first time period, the code to cause
the processor to receive the first data packet includes code to cause the processor to receive the first data packet via a
multiprotocol label switching (MPLS) tunnel or a layer-3 protocol tunnel through an aggregation network node to which the
first wired network node is operatively coupled;

apply a policy to the first data packet based on a user identifier being associated with the wired device during the first
time period, the policy not being stored at the aggregation network node;

restrict the first data packet from being sent to the wired device based on (1) the policy being applied to the first data
packet, and (2) the policy being applied to the first wired network node;

receive, during a second time period, a second data packet to be sent to the wired device, the wired device being operatively
coupled to a second wired network node from the plurality of wired network nodes during the second time period;

apply the policy to the second data packet based on the user identifier being associated with the wired device during the
second time period, and

allow the second data packet to be sent to the wired device based on (1) the policy being applied to the second data packet,
and (2) the policy being applied to the second wired network node.

US Pat. No. 9,258,742

POLICY-DIRECTED VALUE-ADDED SERVICES CHAINING

Juniper Networks, Inc., ...

19. A policy control server comprising:
a control unit comprising a processor;
a rule module executed by the control unit and configured to generate, for a subscriber device, a policy rule that defines
at least one of policy control and application detection by an access network for a subscriber device, wherein the access
network provides connectivity for the subscriber device to access a packet data network,

wherein the policy rule includes a service chain identifier that identifies a service chain that defines one or more value-added
services to be applied in a particular order by one or more value-added service nodes external to the policy control server
and located on a service path for the service chain between the policy enforcement device and the packet data network to provide
a composite service for application to packet flows associated to the service chain;

a network interface card configured to send the policy rule to a gateway device of the access network.

US Pat. No. 9,178,780

DYNAMIC REMOTE PACKET CAPTURE

Juniper Networks, Inc., ...

1. A method comprising:
generating, by one or more processors of a traffic analysis device, a request for information regarding a port associated
with a network device,

the request being generated using a network analysis software tool, running on the traffic analysis device, capable of analyzing
traffic at only ports included in the traffic analysis device;

transmitting, by the one or more processors, the request for information regarding the port to the network device;
receiving, by the one or more processors of the traffic analysis device, information regarding the port associated with the
network device based on the request generated using the network analysis software tool;

providing, by the one or more processors, filter information to the network device,
the filter information including information associated with the port, and
the filter information specifying one or more conditions associated with traffic of interest;
receiving, by the one or more processors, from the network device, and based on the filter information, information regarding
traffic received or sent by the network device via the port,

the traffic satisfying the one or more conditions associated with the traffic of interest; and
storing or outputting, by the one or more processors, a representation of at least a portion of the received information regarding
the traffic.

US Pat. No. 9,166,878

NETWORK MANAGEMENT CONFIGURATION FOR RETRIEVING AND AGGREGATING STATUS INFORMATION FROM RESOURCES DISTRIBUTED ACROSS A NETWORK

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a processor;
a memory; and
a network management module configured to be operatively coupled to a switch fabric having a distributed data plane and a
distributed control plane and configured to be operatively coupled to a plurality of network resources including a first set
of network resources and a second set of network resources each including resource elements distributed across the distributed
data plane and each resource element being associated with at least one control plane element of the distributed control plane,
the first set of network resources is a subset of the second set of network resources, each network resource from the second
set of network resources being configured to send data units;

the network management module configured to receive a request for information regarding the first set of network resources;
the network management module configured to query each resource of the second set of network resources through the distributed
control plane based on the received request;

the network management module configured to receive an output descriptor language (ODL) result stream about the second set
of network resources in response to the query, the ODL result stream including data about the second set of network resources
in a data descriptor language (DDL) format, the ODL result stream including data for a requesting entity and data for at least
one non-requesting entity;

the network management module configured to parse the ODL result stream to select data applicable to the first set of network
resources and not the second set of network resources, the data about the first set of network resources being for the requesting
entity; and

the network management module configured to define a response to the request for information regarding the first set of network
resources, the response not including the data for the at least one non-requesting entity,

the network management module being implemented in at least one of the processor or the memory.

US Pat. No. 9,166,918

METHODS AND APPARATUS FOR SCHEDULING TRANSMISSION OF DATA IN A NETWORK

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a transmission schedule module implemented in at least one of a memory or a processing device, the transmission schedule module
configured to select, at a first time, a data unit to send to a network device from a plurality of network devices based at
least in part on a value of a transmission rate counter at the first time indicating that the network device is in a first
state,

the transmission schedule module configured to receive, at a second time after the first time, an indication of a number of
buffers from a set of buffers associated with the data unit,

the transmission schedule module configured to calculate a size estimate based on the indication of the number of buffers
and a capacity associated with each buffer from the set of buffers,

the transmission schedule module configured to calculate, based on the size estimate and a value of the transmission rate
counter at a third time after the second time, a temporary transmission rate count, the transmission schedule module configured
to send a signal to transition the network device from the first state to a second state if the temporary transmission rate
count meets a criterion.

US Pat. No. 9,077,466

METHODS AND APPARATUS FOR TRANSMISSION OF GROUPS OF CELLS VIA A SWITCH FABRIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an egress schedule module implemented in at least one of a memory or a processing device, the egress schedule module configured
to receive, from an ingress schedule module associated with an ingress stage of a multi-stage switch fabric, a request to
schedule transmission of a group of cells from an ingress queue, the group of cells including at least two cells, the request
including a sequence value representing an order of the group of cells within a plurality of cells in the ingress queue, the
egress schedule module being associated with an egress stage of the multi-stage switch fabric,

the egress schedule module configured to define, in response to the request, a response including the sequence value when
an egress port associated with the egress stage of the multi-stage switch fabric is available to transmit the group of cells,
the egress schedule module configured to send the response to the ingress schedule module.

US Pat. No. 9,479,917

RATING GROUP-SPECIFIC ACTIONS FOR MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a mobile network gateway that performs charging control for a mobile network, configuration information that
defines a first rating group and a second rating group for a subscriber session, wherein the first rating group is associated
with a first service for the subscriber session and the second rating group is associated with a second service for the subscriber
session, and wherein the configuration information defines an actionable event and a corresponding charging control action
for the first rating group;

establishing, with the mobile network gateway, a bearer of the mobile network for the subscriber session and associating the
first rating group and the second rating group with the bearer;

determining, with the mobile network gateway, the occurrence of the actionable event defined by the configuration information
for the first rating group; and

applying, in response to the determining and based on the association of the first service with the first rating group, the
corresponding charging control action for the actionable event for the first rating group to the first service associated
with the first rating group without applying the corresponding charging control action for the actionable event to the second
service associated with the second rating group.

US Pat. No. 9,176,850

AUTOMATED PARALLEL SOFTWARE CODE IMPACT ANALYSIS

Juniper Networks, Inc., ...

1. A method comprising:
generating, by a device, a first control flow graph that corresponds to a first function associated with one or more of a
plurality of lines of code,

the one or more of the plurality of lines of code including a changed line of code,
the first control flow graph including one or more blocks that correspond to the one or more of the plurality of lines of
code, and

the one or more blocks including a particular block associated with the changed line of code;
identifying, by the device, at least one impacted block, of the one or more blocks, that is affected by a set of variables,
within the particular block, that call a second function;

generating, by the device, a second control flow graph for the second function,
the second control flow graph including a different one or more blocks that correspond to different one or more of the plurality
of lines of code;

detecting, by the device, a calling statement associated with a third function that is called by the first function;
assigning, by the device, a distance to the third function based on detecting the calling statement;
identifying, by the device and based on executing a plurality of analysis threads associated with the distance, at least one
other impacted block, of the different one or more blocks, that is affected by the set of variables; and

providing, by the device and for display, identifiers associated with the at least one impacted block and the at least one
other impacted block.

US Pat. No. 9,755,454

METHODS AND APPARATUS FOR PROVIDING REDUNDANT POWER SUPPLY PROTECTION WITH POWER ZONES FOR ELECTRONIC DEVICES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a plurality of power supplies, each power supply from the plurality of power supplies being associated with a power zone from
a plurality of power zones;

a redundant power supply, an output voltage level from a plurality of output voltage levels for each power supply from the
plurality of power supplies being adjustable based on an output voltage level of the redundant power supply,

a plurality of controllers, each controller from the plurality of controllers associated with a power supply from the plurality
of power supplies and configured to adjust an output voltage level from the plurality of output voltage levels for that power
supply, and

a plurality of electronic devices, each electronic device from the plurality of electronic devices being associated with a
power zone from the plurality of power zones, each electronic device from the plurality of electronic devices being operatively
coupled to a power supply from the plurality of power supplies for that power zone and operatively coupled to the redundant
power supply.

US Pat. No. 9,479,439

METHODS AND APPARATUS FOR LOAD BALANCING VLAN TRAFFIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first core device configured to be disposed within a network having a plurality of access nodes and a second core device,
the first core device including:

a memory, and
a processor operatively coupled to the memory, the processor configured to receive a first signal designating the first core
device as a master device for a first set of virtual group identifiers, the first signal associated with a third signal causing
the second core device to be designated as a back-up device for the first set of virtual group identifiers, and

the processor configured to receive a second signal designating the first core device as a back-up device for a second set
of virtual group identifiers, the second signal associated with a fourth signal causing the second core device to be designated
as a master device for the second set of virtual group identifiers, the first set of virtual group identifiers being mutually
exclusive from the second set of virtual group identifiers,

a destination address of a data unit from a plurality of data units, while communicated within the network, being associated
with a virtual group identifier from the first set of virtual group identifiers or a virtual group identifier from the second
set of virtual group identifiers.

US Pat. No. 9,338,192

CONNECTION MANAGEMENT USING CONNECTION REQUEST TRANSFER PROTOCOL

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
receive, from a client device, a client request associated with a first TCP connection between a server device and the client
device,

the client request identifying requested content;
determine connection information that identifies the first TCP connection between the server device and the client device,
the connection information including at least one of a source port number associated with the first TCP connection, a destination
port number associated with the first TCP connection, a packet sequence number associated with the first TCP connection, a
packet acknowledgement number associated with the first TCP connection, or a TCP window size associated with the first TCP
connection;

determine whether the client request is a candidate for a TCP connection transfer based on whether the connection information
is identified in a routing table accessible to the device;

generate a connection transfer request to transfer the first TCP connection from the server device to a proxy server when
the client request is the candidate for the TCP connection transfer,

the connection transfer request identifying the connection information and the requested content,
the connection transfer request being different than the client request;
transmit, to the proxy server, the connection transfer request,
the connection transfer request, transmitted to the proxy server, causing the first TCP connection to be transferred by establishing
a second TCP connection between the proxy server and the client device,

the second TCP connection being established based on the connection information that identifies the first TCP connection and
without the proxy server sending a TCP control packet to the client device;

receive, from the proxy server, an indication that the proxy server is capable of providing the requested content;
provide, from the proxy server and to the client device via the second TCP connection, a response to the client request, based
on the indication; and

provide, from the proxy server and to the server device, information that causes the server device to terminate the first
TCP connection, based on the indication.

US Pat. No. 9,294,304

HOST NETWORK ACCELERATOR FOR DATA CENTER OVERLAY NETWORK

Juniper Networks, Inc., ...

1. A host network accelerator comprising:
a removable peripheral component interconnect express (PCIe) card configured for insertion within a slot of a server;
a physical network interface to connect the server to a switch fabric comprising a plurality of switches that provide connectionless
packet-based switching for packets through a physical network;

a physical input/output (I/O) bus interface to connect to an I/O bus of the server providing an operating environment executing
one or more virtual machines associated with one or more virtual networks, wherein the I/O bus interface comprises a PCIe
interface configured to connect to a PCIe bus of the server; and

a hardware-based virtual router executing within one or more integrated circuits positioned on a data path between the physical
network interface and the I/O bus interface, the virtual router configured to apply routing information of the virtual networks
to route packets between the virtual machines executing on the server and virtual machines executing on one or more remote
servers coupled to the physical network.

US Pat. No. 9,246,838

LABEL SWITCHED PATH SETUP USING FAST REROUTE BYPASS TUNNEL

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a Resource Reservation Protocol with Traffic Engineering extensions (RSVP-TE) module executing on a processor
of an intermediate network device positioned between an ingress node and an egress node in a network, a resource request message
that requests to establish a label switched path (LSP) along a primary path from the ingress node to the egress node;

while establishing the LSP, identifying, by the intermediate network device, that a failed resource exists along the primary
path of the LSP;

in response to identifying that the failed resource exists, determining, by the RSVP-TE module executing on a processor of
the intermediate network device, whether a bypass tunnel exists from the intermediate network device to a bypass tunnel destination
node along the primary path, wherein the bypass tunnel avoids the failed resource;

in response to determining that the bypass tunnel exists and by the RSVP-TE module of the intermediate network device, modifying
the resource request message to request to establish the LSP to the egress node via the bypass tunnel destination node, encapsulating
the modified resource request message with a Multiprotocol Label Switching (MPLS) label associated with the bypass tunnel,
and outputting the encapsulated modified resource request message over the bypass tunnel to the bypass tunnel destination
node; and

in response to receiving a resource reservation signaling message for the LSP from the bypass tunnel destination node indicating
the LSP has been established, sending one or more communications from the intermediate network device toward the ingress node
indicating the LSP to the egress node has been established and that the LSP has been rerouted through the bypass tunnel.

US Pat. No. 9,112,776

METHOD AND APPARATUS FOR FAST REROUTE IN A CONNECTION-ORIENTED NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a first node, a failure of at least one of a second node or a link, the second node and the link being located
downstream, along a first route, from the first node;

determining, by the first node and based on the failure of the at least one of the second node or the link, that the first
node does not store information regarding a second route; and

transmitting, by the first node and based on determining that the first node does not store the information regarding the
second route, a message to a third node,

the third node being located upstream, along the first route, from the first node, the third node being different than the
second node, and the message causing the third node to use the second route to forward packets intended for the first route,

the second route being different than the first route, and
the second route being a route that is modified based on administrative constraints,
the administrative constraints including: bandwidth information, and a quantity of hops information.

US Pat. No. 9,077,692

BLOCKING UNIDENTIFIED ENCRYPTED COMMUNICATION SESSIONS

Juniper Networks, Inc., ...

1. A method comprising:
displaying an administrator interface;
receiving, with the administrator interface, one or more instructions to add, remove, or edit at least one filter;
receiving a network packet;
using an application-layer header of the packet, determining whether the packet is associated with an identifiable network
application;

when the packet is determined to be associated with an identifiable network application, forwarding the packet without determining
whether the packet is encrypted;

only when the packet is not determined to be associated with an identifiable network application, determining whether data
in the packet is encrypted by applying the at least one filter to the data and calculating a randomness value of the packet
from a payload of the packet that includes the application-layer header and an application-layer payload and determining that
the packet is encrypted when the randomness value exceeds a randomness threshold;

when the data in the packet is determined to be encrypted, executing a programmed response; and
when the data in the packet is determined to not be encrypted, forward the packet.

US Pat. No. 9,485,278

PLUG-IN BASED POLICY EVALUATION

Juniper Networks, Inc., ...

1. A method comprising:
identifying, by a first device, information identifying a policy associated with a second device,
the second device being different than the first device,
the first device including a first server, and
the second device including a client device;
identifying, by the first device, a requirement identifier for the policy, the requirement identifier including information
related to a policy requirement that needs to be satisfied for the second device to be identified as complying with the policy;

transmitting, by a plug-in of the first device, the policy requirement and information associated with the second device to
a third device,

the third device being different than the first device and the second device,
and the third device including a second server;
receiving, by the plug-in of the first device, a policy result from the third device, the policy result being received based
on transmitting the policy requirement and the information associated with the second device to the third device, and
the policy result indicating whether the second device complies with the policy; and
transmitting, by the first device and to a fourth device, an instruction,
the fourth device being different than the first device, the second device, and the third device,
the fourth device including a network device,
the instruction being based on the policy result, and
the instruction being transmitted to the fourth device to enable the fourth device to selectively grant the second device
access to a network destination.

US Pat. No. 9,473,394

PROACTIVE FLOW TABLE FOR VIRTUAL NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a virtual router of a computing device for one or more virtual networks, a tunnel packet comprising an outer
header and an inner packet that defines a packet flow, wherein the virtual router receives the tunnel packet from a switch
fabric coupled to the computing device and comprising a plurality of switches interconnected to form a physical network that
switches packets for the one or more virtual networks;

determining, based at least on the outer header, that the packet is associated with a virtual network of the one or more virtual
networks;

determining, by the virtual router, a packet flow defined by the inner packet does not match any flow table entry of a flow
table that identifies active flows only for the virtual network; and

in response to determining the packet flow defined by the inner packet does not match any flow table entry of the flow table
for the virtual network:

adding a first flow table entry for the packet flow to the flow table; and
adding a second flow table entry for a reverse packet flow of the packet flow to the flow table.

US Pat. No. 9,438,350

METHOD AND APPARATUS FOR DISTORTION CORRECTION IN OPTICAL COMMUNICATION LINKS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an optical transmitter module configured to be electrically coupled to an electrical serializer/deserializer and a controller,
the optical transmitter module including an electrical detector configured to receive an in-band signal,

the electrical detector configured to send to a controller a first power error signal based on the in-band signal such that
the controller sends a correction control signal to the electrical serializer/deserializer based on the first power error
signal and a second power error signal and such that the electrical serializer/deserializer modifies a pre-emphasized signal
to the optical transmitter module based on the correction control signal,

the first power error signal, the second power error signal and the correction control signal being out-of-band.

US Pat. No. 9,306,835

SCALABLE FORWARDING TABLE WITH OVERFLOW ADDRESS LEARNING

Juniper Networks, Inc., ...

9. A method comprising:
receiving, by one or more devices and from a plurality of nodes, overflow information associated with the plurality of nodes,
the overflow information including information indicating, for each of the plurality of nodes, a capacity of a node memory
included in a respective node of the plurality of nodes;

identifying, by the one or more devices, a distance to each of the plurality of nodes;
assigning, by the one or more device, a score to each of the plurality of nodes,
the score for the respective node being based on a capacity of the node memory included in the respective node and a distance
to the respective node;

selecting, by the one or more devices, a node, of the plurality of nodes, based on the score assigned to the selected node;
transmitting, by the one or more devices and when a device memory, associated with the one or more devices, does not have
capacity to store an unknown address associated with a packet, the packet to a destination device using the selected node;
and

when the device memory does have capacity to store the unknown address associated with the packet:
storing, by the one or more devices, the unknown address in the device memory; and
transmitting, by the one or more device, the packet to the destination device independent of using the selected node.

US Pat. No. 9,258,237

ENHANCING DOCSIS SERVICES THROUGH NETWORK FUNCTIONS VIRTUALIZATION

Juniper Networks, Inc., ...

1. A method comprising:
intercepting, by a network device, a transmission of a cable modem boot file from an FTP server to a cable modem by snooping
on the transmission, wherein the cable modem boot file is for configuring a cable modem in a cable network;

identifying, with the network device, based on the intercepted and snooped transmission of the cable modem boot file from
the FTP server to the cable modem, information in the cable modem boot file that specifies an association between a specific
Data Over Cable System Interface Specification (DOCSIS) service flow for the particular cable modem and a Network Function
Virtualization (NFV) service chain defining a plurality of network services provided by a plurality of service nodes, wherein
the service nodes provide an execution environment for the NFV service chain;

determining that network traffic received from the cable modem matches the DOCSIS service flow; and
re-directing the network traffic onto one or more tunnels to the NFV service chain for application of the network services
provided by the plurality of service nodes that provide the execution environment for the NFV service chain.

US Pat. No. 9,961,799

APPARATUSES AND SYSTEMS FOR INCREASING THERMAL MASS IN LINE CARD HEATSINKS

Juniper Networks, Inc., ...

10. A faceplate comprising:
at least one communication port that facilitates securing at least one communication cable to a line card that forwards traffic in connection with a network;
at least one heatsink that:
is integrated into the faceplate such that the heatsink and the faceplate collectively form a single inseparable piece of the line card; and
absorbs heat emitted by at least one electronic component included in the line card;
at least one mount that:
is integrated into the faceplate; and
enables the electronic component to attach to the heatsink; and
wherein the faceplate is designed as an external portion of the line card that is outward-facing and accessible when the line card is installed in a telecommunications device.

US Pat. No. 9,485,270

POLLUTING RESULTS OF VULNERABILITY SCANS

Juniper Networks, Inc., ...

1. A security device, comprising:
a memory; and
one or more processors, operatively connected to the memory, to:
receive, from a server device, a response to a request,
the request being provided by an attacker device and including a plurality of input values input via at least one input field
of a website associated with the server device,

the response including a reflected input value, of the plurality of input values, that is included in the request and reflected
by the response;

determine the plurality of input values included in the request based on information received from the server device,
modify the response to form a modified response,
the response being modified by adding information associated with a non-reflected input value, of the plurality of input values,
that is included in the request but not reflected by the response,

the response being modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with
the server device, based on the reflected input value being reflected in the response; and

provide the modified response to the attacker device.

US Pat. No. 9,477,257

METHODS AND APPARATUS FOR LIMITING A NUMBER OF CURRENT CHANGES WHILE CLOCK GATING TO MANAGE POWER CONSUMPTION OF PROCESSOR MODULES

JUNIPER NETWORKS, INC., ...

1. An apparatus, comprising:
a dispatch module implemented in at least one of a memory or a processing device, the dispatch module configured to be operatively
coupled to a plurality of processing modules each having a first clock configuration and a second clock configuration,

the dispatch module configured to change, at a first time during a predetermined time period, a processing module from the
plurality of processing modules from the first clock configuration to the second clock configuration,

the dispatch module configured to prohibit a change in clock configuration of each processing module from the plurality of
processing modules from the first clock configuration to the second clock configuration at a second time after the first time
and within the predetermined time period if an indicator associated with a number of clock configuration changes between a
first clock configuration and a second clock configuration within the predetermined time period satisfies a criterion, the
criterion being based on a threshold number of times an electric current changes, within the predetermined time period, for
at least one of a chip package associated with the dispatch module or a power supply associated with the dispatch module.

US Pat. No. 9,411,776

SEPARATION OF DATA AND CONTROL IN A SWITCHING DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
transferring, by a device, data, received at an input port of the device, to a memory via an input switch of the device;
identifying, by the device and based on information included in a header of the data:
an output port, of the device, associated with a destination identified in the header, and
information for routing the data through the device;
transmitting, by the device, information identifying the output port and the information for routing the data through the
device to an output switch of the device; and

initiating, by the output switch of the device, transfer of the data from the memory to the output port based on the information
identifying the output port and the information for routing the data through the device.

US Pat. No. 9,350,704

PROVISIONING NETWORK ACCESS THROUGH A FIREWALL

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a firewall device, one or more rules for provisioning access to a resource;
receiving, by the firewall device, a data unit from a device;
determining, by the firewall device and based on the one or more rules, not to forward the data unit to a destination address
associated with the resource;

redirecting, by the firewall device, the device to a server associated with provisioning access to the resource,
the firewall device redirecting the device to the server based on determining not to forward the data unit to the destination
address;

receiving, by the firewall device and from the server, a rule for allowing the firewall device to provision access to the
resource for the device,

the rule being received by the firewall device after the server determines that the firewall device should provision access
to the resource for the device;

provisioning, by the firewall device, access to the resource for the device based on the rule;
providing, by the firewall device and to the server, information indicating that the access to the resource for the device
has been provisioned,

the information being used to permit the server to redirect the device to the destination address via the firewall device;
and

allowing, by the firewall device, the device to access the resource, based on provisioning the access to the resource, after
the device is redirected to the destination address.