US Pat. No. 9,098,664

INTEGRATED CIRCUIT OPTIMIZATION

Juniper Networks, Inc., ...

1. A system comprising:
a device to:
allocate, for a signal channel, a channel implementation area of a substrate,
the signal channel connecting circuit blocks of the substrate;
select a wire pattern for signal wires,
the signal wires being associated with the signal channel,
the wire pattern being selected based on the signal wires;
allocate, based on the wire pattern, a wire implementation area, of the substrate, for each signal wire of the signal wires; and

generate an integrated circuit design,
the integrated circuit design comprising:
the channel implementation area, and
the wire implementation area allocated for each signal wire of the signal wires.

US Pat. No. 10,645,839

APPARATUS, SYSTEM, AND METHOD FOR PREVENTING DEMATE BETWEEN FIELD-REPLACEABLE UNITS AND TELECOMMUNICATIONS SYSTEMS

Juniper Networks, Inc., ...

1. An apparatus comprising:
a field-replaceable unit that:
is designed to mate with a backplane of a telecommunications system; and
facilitates communication among computing devices within a network; and
at least one multi-bar ejector that:
is coupled to the field-replaceable unit;
fastens to a housing of the telecommunications system to enable the field-replaceable unit to mate with the backplane of the telecommunications system;
includes at least one lever;
includes at least one link that is coupled to the lever via a joint capable of moving from a first end of the link toward a second end of the link; and
includes a spring coupled to the joint such that, when the multi-bar ejector is fastened to the housing of the telecommunications system:
the joint moves from the first end of the link toward the second end of the link; and
the spring applies a force on the field-replaceable unit that pushes the field-replaceable unit toward the backplane of the telecommunications system.

US Pat. No. 10,148,490

ONLINE NETWORK DEVICE DIAGNOSTIC MONITORING AND FAULT RECOVERY SYSTEM

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by at least one proxy implemented on a network device, diagnostic information corresponding to a respective entity from a plurality of entities included in the network device, wherein the plurality of entities are represented in a software entity profile that represents the plurality of entities; and
communicating, by the at least one proxy to a response subsystem, the diagnostic information for the respective entity, and a respective connective path through the entities for the respective entity, based at least in part on the software entity profile, to enable a recovery action to be performed.

US Pat. No. 10,148,551

HEURISTIC MULTIPLE PATHS COMPUTATION FOR LABEL SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
computing, by a path computation device for a network of routers interconnected by a plurality of links in a network topology and based on a network topology model for the network topology, a first path that is a shortest path of the network topology model between a pair of nodes of the network topology model that represent a pair of the routers;
increasing, by the path computation device based on the first path and a number of computed paths, including the first path, that include a common failure mode, respective metrics for one or more links in the network topology model by respective finite values to obtain a modified network topology model;
computing, by the path computation device, a second path that is a shortest path of the modified network topology model between the pair of nodes; and
outputting, by the path computation device, data for at least one path of the first path and the second path to the network for programming a label switched path in the network on the at least one path.

US Pat. No. 10,097,516

PARTITIONING A FILTER TO FACILITATE FILTRATION OF PACKETS

Juniper Networks, Inc., ...

1. A method of partitioning a packet filter, comprising:
identifying, by a device for partitioning the packet filter, summary vectors, the summary vectors being associated with at least one key associated with a packet and a packet filter type, and each of the summary vectors being based on:
at least one match vector comprising a plurality of segments, and
a summary width identifying a quantity of consecutive bits of the at least one match vector that correspond to one bit of a summary vector;
identifying, by the device for partitioning the packet filter, location information associated with each of the summary vectors, the location information identifying at least one segment, of the plurality of segments, within the at least one match vector corresponding to a similarly positioned bit;
identifying, by the device, the similarly positioned bit in the summary vectors by comparing the summary vectors or segments of the summary vectors;
decompressing, by the device for partitioning the packet filter, the at least one segment within the at least one match vector based on identifying the similarly positioned bit in the summary vectors;
determining, by the device for partitioning the packet filter, a particular packet filter rule, of one or more packet filter rules, based on decompressing the at least one segment within the at least one match vector;
identifying, by the device for partitioning the packet filter, one or more actions based on the particular packet filter rule; and
causing, by the device for partitioning the packet filter, the one or more actions to be performed on the packet.

US Pat. No. 10,075,534

METHOD, SYSTEM, AND APPARATUS FOR REDUCING CONTROL TRAFFIC IN CONNECTION WITH NEIGHBOR REACHABILITY CONFIRMATIONS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, via a control plane of a network node within a network, a keepalive message of a routing protocol of the control plane from a neighbor of the network node;
determining that the keepalive message of the routing protocol serves as evidence that the neighbor of the network node is currently reachable via a link within the network;
identifying a neighbor cache that includes entries for neighbors of the network node within the network; and
refreshing an entry for the neighbor within the neighbor cache to:
indicate that the neighbor is currently reachable via the link; and
avoid initiation of a reachability confirmation process directed to the neighbor due at least in part to the keepalive message of the routing protocol serving as evidence that the neighbor is currently reachable via the link.

US Pat. No. 9,866,428

FABRIC SWITCHOVER FOR SYSTEMS WITH CONTROL PLANE AND FABRIC PLANE ON SAME BOARD

Juniper Networks, Inc., ...

1. A method comprising:
verifying links between a first fabric plane and input/output units of a network device that includes a first control card
and a second control card;

detecting, by a first control plane of the first control card and after verifying the links between the first fabric plane
and the input/output units, a first failure of a second control plane, of the second control card, while the first control
plane is in standby,

the first control card including the first control plane and the first fabric plane, and
the second control card including the second control plane and a second fabric plane;
switching, by the first control plane and based on the first control plane detecting the first failure of the second control
plane, the first control plane from being in standby to being active;

detecting, by the first control plane, a second failure of the second fabric plane; and
initiating, by the first control plane and based on detecting the second failure of the second fabric plane, a switchover
to the first fabric plane without again verifying the links with the input/output units after detecting the second failure
of the second fabric plane and before initiating the switchover to the first fabric plane.

US Pat. No. 9,674,036

METHODS AND APPARATUS FOR DYNAMIC RESOURCE MANAGEMENT WITHIN A DISTRIBUTED CONTROL PLANE OF A SWITCH

Juniper Networks, Inc., ...

1. A method, comprising:
managing, at a network control entity, a first set of ports from a plurality of ports at a first access switch that hosts
the network control entity and is in a switch fabric system, and a second set of ports from the plurality of ports at a second
access switch in the switch fabric system, when the switch fabric system is in a first capacity configuration,

managing, at the network control entity, the first set of ports and not the second set of ports, when the switch fabric system
is in a second capacity configuration,

receiving, at the network control entity, a first portion of a configuration file that is associated with the first set of
ports when the switch fabric system is in the first capacity configuration,

updating a configuration table at the first access switch when the network control entity receives the first portion of the
configuration table;

receiving, at the network control entity, a second portion of the configuration file that is associated with the first set
of ports and the second set of ports when the switch fabric system is in the second capacity configuration; and

updating the configuration table at the first access switch when the network control entity receives the second portion
of the configuration table.

US Pat. No. 9,602,591

MANAGING TCP ANYCAST REQUESTS

TATA COMMUNICATIONS (AMER...

1. A method for managing traffic in a content delivery network (CDN), comprising:
monitoring, with a network device, a number of requests being processed by a plurality of servers in a first node in said
CDN;

receiving a request at the network device in the first node, wherein the request is serviceable by at least one of the first
node and a second node;

first determining, with the network device, whether the first node is in a maintenance or backup mode;
redirecting, with the network device, the request to a second node if the first node is determined to be in the maintenance
or backup mode as decided in the first determining step;

servicing, with the network device, any existing sessions at the first node if the first node is determined to be in the maintenance
or backup mode as decided in the first determining step;

second determining, with the network device, when the servicing step is finished; and
performing a maintenance operation or backup operation at the first node when it is determined in the second determining step
that the servicing step is finished;

wherein the first node and the second node share a same anycast IP.

US Pat. No. 9,596,181

TWO STAGE BLOOM FILTER FOR LONGEST PREFIX MATCH

Juniper Networks, Inc., ...

1. A device, comprising:
an input component; and
one or more processors to:
receive, via the input component, a packet that includes a destination address;
analyze a first Bloom filter, based on the destination address, in order to identify a prefix range entry,
the first Bloom filter including a set of prefix range entries, and
the prefix range entry being associated with the destination address and being included in the set of prefix range entries;
analyze a second Bloom filter, based on the destination address and the identified prefix range entry, in order to identify
a prefix length entry,

the second Bloom filter including a set of prefix length entries,
the prefix range entry encompassing one or more prefix length entries of the set of prefix length entries,
a first quantity of entries of the set of prefix range entries being less than a second quantity of entries of the set of
prefix length entries, and

the prefix length entry being associated with the destination address and being included in the set of prefix length entries;
determine routing information associated with the prefix length entry,
the routing information identifying a longest prefix match associated with the destination address; and
provide the packet based on the routing information.

US Pat. No. 9,577,925

AUTOMATED PATH RE-OPTIMIZATION

Juniper Networks, Inc., ...

1. A method comprising:
signaling, by a network router, a label switched path (LSP) in a packet-switched network according to an allocated bandwidth
for the LSP, wherein the network router is a head-end label edge router for the LSP;

determining, by the network router, bandwidth usage information for the LSP that indicates a volume of network packets mapped
to the LSP by the network router for transport along the LSP;

sending, by the network router in a notification message, the bandwidth usage information for the LSP to a path computation
element that computes label switched paths for a path computation domain that includes the network router to trigger reoptimization
of the path computation domain by the path computation element;

receiving, by the network router from the path computation element and in response to sending the notification message, a
configuration message that includes one of a route according to a layer 3 routing protocol and a filter that defines criteria
for mapping subsequent network packets to the LSP; and

by the network router in response to receiving the configuration message, one of (1) installing the route to a routing information
base associated with the layer 3 routing protocol and advertising, to one or more other network devices, the route in a routing
protocol message according to the layer 3 routing protocol to cause the one or more other network devices to divert subsequent
network packets that match the route from the network router to reduce an amount of subsequent network packets received by
the network router and mapped to the LSP and (2) installing the filter to forwarding information to modify the criteria for
mapping the subsequent network packets to the LSP.

US Pat. No. 9,477,284

MINIMIZING POWER LOSS

Juniper Networks Inc., S...

1. A method comprising:
receiving, by a logic element of a device, a first input signal from a first input feed of a circuit board of the device;
receiving, by the logic element of the device, a second input signal from a second input feed of the circuit board;
determining, by the logic element of the device and at a first time, that only one of the first input feed or the second input
feed is receiving power based on the first input signal received by the logic element and the second input signal received
by the logic element;

generating, by the logic element of the device, an output signal with a close control value based on determining that only
one of the first input feed or the second input feed is receiving power; and

transmitting, by the logic element of the device, the output signal with the close control value to a control input of a switch
of the circuit board,

the switch being closed based on the output signal with the close control value.

US Pat. No. 9,479,402

EXTERNAL SERVICE PLANE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first device, first network traffic;
determining, by the first device, that a service is to be applied to the first network traffic;
sending, by the first device, the first network traffic to a second device to apply the service to the first network traffic
based on determining that the service is to be applied to the first network traffic,

the service being applied to the first network traffic without using a third device,
the third device being separate from the second device, and
an increase in a quantity of service planes being determined based on an updated service level agreement, and
a service plane being created in the third device based on the increase in the quantity of service planes being determined;
receiving, by the first device, second network traffic;
determining, by the first device and after receiving the second network traffic, that the service is to be applied to the
second network traffic by the second device and the third device after the service plane is created in the third device;

sending, by the first device and based on determining that the service is to be applied to the second network traffic by the
second device and the third device, a first portion of the second network traffic to the second device to apply the service
to the first portion of the second network traffic;

sending, by the first device and based on determining that the service is to be applied to the second network traffic by the
second device and the third device, a second portion of the second network traffic to the third device to apply the service
to the second portion of the second network traffic;

receiving, from the second device, the first portion of the second network traffic after the service is applied to the first
portion of the second network traffic; and

receiving, from the third device, the second portion of the second network traffic after the service is applied to the second
portion of the second network traffic.

US Pat. No. 9,413,634

DYNAMIC END-TO-END NETWORK PATH SETUP ACROSS MULTIPLE NETWORK LAYERS WITH NETWORK SERVICE CHAINING

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a controller network device of a network, a request for network connectivity between a service entry point and
a service exit point for a service chain of three or more service points, each of the service points performing a respective
service, to provide a composite service for application to packet flows associated to the service chain;

receiving and storing, by the controller network device, active topology information for the network;
for each pair of the service points in the service chain and by the controller using the active topology information, computing
at least one end-to-end sub-path through a sub-network of the network, the at least one end-to-end sub-path connecting the
pair of the service points according to a constraint;

computing, by the controller network device and using the at least one end-to-end sub-path for each pair of the service points,
a service path between the service entry point and the service exit point for the service chain; and

sending, by the controller network device to at least one layer of the network, one or more messages to configure the at least
one layer of the network to establish the service path between the service entry point and the service exit point for the
service chain.

US Pat. No. 9,413,660

METHODS AND APPARATUS TO IMPLEMENT EXCEPT CONDITION DURING DATA PACKET CLASSIFICATION

Juniper Networks, Inc., ...

1. A method, comprising:
receiving, via a processor, a value associated with a portion of a data packet;
identifying, via the processor, one of a first data set or a default data set from a plurality of data sets based on the value,
each data set from the plurality of data sets being associated with a range of values each associated with an instruction
to trigger a routing action associated with a condition, the first data set being associated with a first range of values
including the value, the default data set being associated with a default range of values each associated with an instruction
to trigger a routing action associated with a default condition;

when the first data set is identified:
combining, via the processor, the first data set and the default data set to produce a first combined data set including a
plurality of values each associated with an instruction to trigger a routing action associated with at least one of the condition
or the default condition; and

sending the first combined data set; and
when the first data set is not identified:
sending the default data set.

US Pat. No. 9,407,605

ROUTING A PACKET BY A DEVICE

Juniper Networks, Inc., ...

1. A system comprising:
a device, comprising a memory and a processor, to:
extract information from a layer 2 header of a packet received from a first security zone,
the information including a security identifier;
determine, based on the security zone identifier, whether the packet is to be screened,
the packet being screened when the packet is intended for a second security zone that is different from the first security
zone,

the packet not being screened when the packet is intended for the first security zone;
when the packet is intended for the second security zone:
screen the packet for security,
process the packet, to obtain a first processed packet, based on a security policy corresponding to the second security zone
after screening the packet,

determine, based on screening the packet for security, whether to drop the first processed packet or route the first processed
packet toward a destination of the packet; and

route the first processed packet to a port of the device for routing toward the destination of the packet based on determining
whether to drop or route the first processed packet; and

when the packet is intended for the first security zone:
process the packet to obtain a second processed packet based on a security policy corresponding to the first security zone,
and

route the second processed packet to the port for routing toward the destination of the packet, without processing the packet
based on the security policy corresponding to the second security zone,

the port being associated with an address included in the information.

US Pat. No. 9,397,913

PACKET LOSS MEASUREMENT IN A DISTRIBUTED DATA PLANE

Juniper Networks, Inc., ...

1. A method comprising:
switching, with a local router having a plurality of forwarding units interconnected by a switch fabric to implement a distributed
data plane, layer two (L2) packet data units (PDUs) between the local router and a remote router using a virtual path, wherein
the virtual path includes first and second links that operate as a single logical link to transmit the PDUs between the local
router and the remote router, and wherein the first and second links are coupled to different, respective first and second
forwarding units of the plurality of forwarding units;

incrementing, by the first forwarding unit and in response to the first forwarding unit processing any PDU of the PDUs for
the virtual path, a first counter, stored by the first forwarding unit and associated with the virtual path;

incrementing, by the second forwarding unit and in response to the second forwarding unit processing any PDU of the PDUs for
the virtual path, a second counter, stored by the second forwarding unit and associated with the virtual path;

updating, by the first forwarding unit and based at least in part on a value of the first counter, a loss-measurement packet
(LMP);

internally forwarding, by the first forwarding unit via the switch fabric, the LMP to the second forwarding unit;
updating, by the second forwarding unit and based at least in part on a value of the second counter, the LMP; and
sending, with the local router, the LMP to the remote router.

US Pat. No. 9,350,630

DYNAMIC REMOTE PACKET CAPTURE

Juniper Networks, Inc., ...

1. A method, comprising:
generating, by one or more processors of a network device, a request for information regarding ports that are local to a routing
device using an implementation of an application programming interface (“API”) that is associated with the network device;

sending, by the one or more processors of the network device, the request to the routing device;
receiving, by the one or more processors of the network device, information regarding the ports that are local to the routing
device;

generating, by the one or more processors of the network device, a filter associated with at least one particular port of
the ports that are local to the routing device,

the filter being generated based on filter information specifying one or more conditions associated with traffic of interest;
and

outputting, by the one or more processors of the network device and to the routing device, the filter,
outputting the filter causing the routing device to install the filter for the at least one particular port that filters traffic
based on the one or more conditions.

US Pat. No. 9,253,019

FAULT TOLERANCE FOR AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING (AAA) FUNCTIONALITY

Juniper Networks, Inc., ...

1. A method comprising:
providing, with a network access device, network access to a plurality of subscribers upon authenticating the subscribers
with an authentication, authorization, and accounting (AAA) server;

storing, within the network access device, information for a plurality of subscriber sessions associated with the plurality
of subscribers;

sending a first keep alive message from the network access device to the AAA server, wherein the first keep alive message
includes a trigger parameter, wherein the trigger parameter specifies an initial value;

when a response to the first keep alive message is not received from the AAA server and by the network access device within
a configurable amount of time, determining, with the network access device, that the AAA server is no longer reachable by
the network access device;

responsive to determining that the AAA server is not reachable by the network access device, sending a second keep alive message
from the network access device to the AAA server, wherein the second keep alive message includes a different value for the
trigger parameter to cause the AAA server to send a discovery request message to the network access device;

receiving, with the network access device, the discovery request message from the AAA server, wherein the discovery request
message includes a request for the information about one or more of the subscriber sessions;

generating, with the network access device, a discovery response message that includes information about at least a portion
of the plurality of subscriber sessions; and

sending, with the network access device, the discovery response message to the AAA server.

US Pat. No. 9,178,810

HANDLING ENTROPY LABELS WHEN STITCHING LABEL-SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a notional egress routing device, whether a next label switched path (LSP) segment of an end-to-end LSP for
a packet, encapsulated by a label stack including an entropy label, supports entropy labels, wherein the notional egress routing
device comprises a routing device of a current LSP segment of the end-to-end LSP, and wherein the next LSP segment includes
a plurality of routing devices;

when the plurality of routing devices of the next LSP segment does not support entropy labels:
removing the entropy label from the label stack of the packet; and
forwarding the packet, from which the entropy label has been removed, along the end-to-end LSP; and
when the plurality of routing devices of the next LSP segment supports entropy labels, forwarding the packet, including the
entropy label, along the end-to-end LSP.

US Pat. No. 9,178,905

ENABLING CUSTOM COUNTERMEASURES FROM A SECURITY DEVICE

Juniper Networks, Inc., ...

1. A security device, comprising:
one or more processors to:
receive information identifying a set of conditions for injecting countermeasure code into a response to be provided to a
client device;

receive information identifying an action to be performed when the countermeasure code is executed by the client device;
determine the countermeasure code to be provided to the client device when the set of conditions is satisfied,
the countermeasure code including a key that represents a dynamic value;
receive a request from the client device,
the request being intended for a server device associated with the security device;
receive, from the server device, the response to the request;
determine that the set of conditions has been satisfied;
determine the dynamic value based on the key, based on information associated with the client device or the request, and based
on determining that the set of conditions has been satisfied;

replace the key, included in the countermeasure code, with the dynamic value based on determining the dynamic value;
inject the countermeasure code, including the dynamic value, into the response based on determining that the set of conditions
has been satisfied;

provide the response, with the countermeasure code, to the client device,
the countermeasure code causing the client device to perform the action;
determine client device information based on providing the response to the client device,
the client device information identifying at least one of:
a quantity of times that the countermeasure code or other countermeasure code was provided to the client device,
a quantity of attacks associated with the client device,
a profile associated with the client device,
the action performed by the client device, or
an indication of whether the countermeasure code was executed by the client device; and
prevent the countermeasure code from being included in a subsequent response provided to the client device based on the client
device information.

US Pat. No. 9,116,814

USE OF CACHE TO REDUCE MEMORY BANDWIDTH PRESSURE WITH PROCESSING PIPELINE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a device, a write request;
determining, by the device, a quantity of entries stored in a cache,
each of the quantity of entries including a dirty bit field,
the dirty bit field indicating whether data stored in a data field of a particular entry, of the quantity of entries, has
been written back from the cache to a memory;

transmitting, by the device and when a particular quantity of entries, of the quantity of entries including the dirty bit
field that indicates that the data has not been written back from the cache to the memory, is greater than a threshold, a
blocking notification;

determining, by the device and based on the particular quantity of entries, if a cache flush is needed,
the cache flush resulting in an entry, of the quantity of entries, being written to the memory at an earliest clock cycle
during which the memory is available and prior to writing the entry to the memory based on a first priority;

selectively writing, by the device and based on the threshold and when a cache flush is not needed, the entry, of the quantity
of entries, based on the received write request,

the selectively writing including:
writing, when the particular quantity is greater than the threshold, the entry to the memory based on the first priority,
the dirty bit field of the entry indicating that data stored in the data field of the entry has not been written back from
the cache to the memory; or

writing, when the particular quantity is not greater than the threshold, the entry to the memory based on a second priority,
the second priority being less than the first priority; and
changing, by the device and based on the selectively writing, a value associated with the dirty bit field of the entry.

US Pat. No. 9,077,777

ENCAPSULATING/DECAPSULATING DATA IN HARDWARE

Juniper Networks, Inc., ...

1. A device comprising:
a first integrated circuit to:
receive data,
decapsulate the received data to obtain decapsulated data,
the received data being intended for a network destination,
the received data including:
a data stream of a first type, and
a data stream of a second type that is different than the first type,
the data stream of the first type including a packet over synchronous optical network (SONET) data stream, and
forward the decapsulated data; and
a second integrated circuit to:
receive the decapsulated data,
encapsulate the decapsulated data, in a particular format, to obtain encapsulated data,
the particular format being associated with the network destination, and forward the encapsulated data for transmission to
the network destination.

US Pat. No. 10,567,274

METHOD, SYSTEM, AND APPARATUS FOR PROXYING INTRA-SUBNET TRAFFIC ACROSS MULTIPLE INTERFACES WITHIN NETWORKS

Juniper Networks, Inc, S...

1. A method comprising:
creating, at a proxy node within an Internet Protocol (IP) network, a proxy group that includes a plurality of network nodes within a subnet of the IP network that are represented by a pseudo Media Access Control (MAC) address;
receiving, at the proxy node, a neighbor solicitation from a first network node included in the proxy group;
identifying, within the neighbor solicitation, a link-layer address of the first network node that sent the neighbor solicitation received at the proxy node;
modifying the neighbor solicitation by replacing, within the neighbor solicitation, the link-layer address of the first network node with the pseudo MAC address of the proxy group; and
forwarding the modified neighbor solicitation to a second network node included in the proxy group to facilitate completion of a Neighbor Discovery Protocol (NDP) process in which the second network node responds to the modified neighbor solicitation with a neighbor advertisement proxied by the proxy node to establish a proxy communication channel between the first network node and the second network node included in the proxy group.

US Pat. No. 10,566,801

APPARATUS, SYSTEM, AND METHOD FOR PREVENTING IMPROPER INSTALLATION OF POWER SUPPLY MODULES ON NETWORK DEVICES

Juniper Networks, Inc, S...

1. An apparatus comprising:
at least one power distribution module that:
distributes power to a network device that forwards traffic within a network; and
includes a series of interlock blocks keyed to:
enable power supply modules whose electrical ratings satisfy a certain threshold to be installed to the network device; and
prevent other power supply modules whose electrical ratings do not satisfy the certain threshold from being installed to the network device; and
at least one power supply module that:
has an electrical rating that satisfies the certain threshold;
includes a flange that is keyed to fit between the interlock blocks of the power distribution module; and
when installed to the network device by way of the power distribution module, provides power to the network device that forwards traffic within the network.

US Pat. No. 10,547,521

NETWORK DASHBOARD WITH MULTIFACETED UTILIZATION VISUALIZATIONS

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a computing system, information about a plurality of instances executing on a plurality of host devices within a network, wherein the network includes a message bus on which metric information associated with the network is published;
identifying, by the computing system, an instance to represent within a user interface, wherein the instance is one of the plurality of instances;
requesting, by the computing system, that the message bus report metric values for a metric associated with the instance;
requesting, by the computing system, that the message bus report summary metric values for the plurality of instances, wherein the summary metric values are based on metric values for all of the plurality of instances during a time window, and are determined by identifying a maximum value for the metric values for all of the plurality of instances during the time window;
receiving, by the computing system and from the message bus, a metric value for the instance;
receiving, by the computing system and from the message bus, a summary metric value;
determining, by the computing system, a plurality of value ranges for the metric value, wherein the plurality of value ranges are based on a plurality of percentages of the summary metric value;
identifying, by the computing system and based on the metric value for the instance, a representative value range for the instance, wherein the representative value range is one of the plurality of value ranges that includes the metric value for the instance, and
generating, by the computing system and for inclusion in the user interface, a display element for each of the plurality of instances, including a first display element representing the instance, wherein the first display element is configured to have an appearance in the user interface that indicates the representative value range for the instance.

US Pat. No. 10,075,416

NETWORK SESSION DATA SHARING

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first security device, layer 7 (L7) network data representative of application classification information for a first packet flow from a second security device, wherein the L7 network data representative of the application classification information identifies an application that produced the first packet flow;
receiving, by the first security device, data packets of a second packet flow;
determining, by the first security device, that the second packet flow is produced by the application that produced the first packet flow; and
based on the second packet flow being produced by the application that produced the first packet flow, inspecting, by the first security device, the data packets of the second packet flow based on the L7 network data representative of the application classification information for the first packet flow without determining separate application classification information for the second packet flow.

US Pat. No. 9,996,560

TEMPLATE MAPPING SYSTEM FOR NON-COMPLIANT COLLECTORS

Juniper Networks, Inc., ...

1. A system, comprising:
one or more devices to:
receive a flow record;
identify a type of the flow record;
discard or ignore the flow record if the type of the flow record is a template record, received template records being discarded or ignored and not being used for decoding and/or interpreting data records;
parse the flow record for a template identifier (ID) if the type of the flow record is a data record;
compare the template ID from the data record to a predetermined template ID identifying a data record of template IDs;
identify the data record as a data record of template IDs if the template ID matches the predetermined template ID;
generate a map associating template IDs, from the data record of template IDs, to template information for decoding and/or interpreting data records, the template information being associated with the data record of template IDs; and
store the map,
the map being used to identify an appropriate template associated with the data record of template IDs for decoding and/or interpreting the data records.
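The collector behaviour this claim describes, as an added worked example that is not Juniper's code and not taken from the patent: a Go collector that discards template records outright, recognises a data record carrying a predetermined template ID, builds the template-ID map from that record's body, and then decodes ordinary data records against the map. The record layout (2-byte set ID, 2-byte length, modelled on NetFlow v9 FlowSets), the predetermined template ID 300, the entry encoding inside the template-ID record, and the sample records are all assumptions for the illustration; the field type numbers 8, 12, 7 and 11 are the NetFlow v9 codes for source address, destination address, source port and destination port.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Assumed record layout (modelled on NetFlow v9 FlowSets, not the patent's own
// format): 2-byte set ID, 2-byte total length, then the body. Set IDs below 256
// are template records; 256 and above are data records whose set ID is their
// template ID.
const templateIDsRecordID = 300 // assumed predetermined template ID

type Field struct{ Type, Length uint16 }
type Template struct{ Fields []Field }

// Collector holds the map the claim builds: template ID -> template information.
type Collector struct {
	templates        map[uint16]Template
	droppedTemplates int
}

func NewCollector() *Collector { return &Collector{templates: make(map[uint16]Template)} }

func parseHeader(rec []byte) (setID uint16, body []byte, err error) {
	if len(rec) < 4 {
		return 0, nil, errors.New("short record")
	}
	if int(binary.BigEndian.Uint16(rec[2:4])) != len(rec) {
		return 0, nil, errors.New("record length mismatch")
	}
	return binary.BigEndian.Uint16(rec[0:2]), rec[4:], nil
}

// Ingest follows the claim: template records are discarded, the data record
// carrying the predetermined template ID is parsed into the map, and any other
// data record is left for Decode.
func (c *Collector) Ingest(rec []byte) error {
	setID, body, err := parseHeader(rec)
	if err != nil {
		return err
	}
	if setID < 256 {
		c.droppedTemplates++ // template record: never used for decoding
		return nil
	}
	if setID != templateIDsRecordID {
		return nil
	}
	return c.parseTemplateIDs(body)
}

// parseTemplateIDs reads entries of the form: template ID, field count, then
// (field type, field length) pairs, all 16-bit big-endian (assumed layout).
func (c *Collector) parseTemplateIDs(body []byte) error {
	for len(body) > 0 {
		if len(body) < 4 {
			return errors.New("truncated template-ID entry")
		}
		tid := binary.BigEndian.Uint16(body[0:2])
		n := int(binary.BigEndian.Uint16(body[2:4]))
		body = body[4:]
		if len(body) < 4*n {
			return errors.New("truncated field list")
		}
		var t Template
		for i := 0; i < n; i++ {
			t.Fields = append(t.Fields, Field{binary.BigEndian.Uint16(body[4*i:]), binary.BigEndian.Uint16(body[4*i+2:])})
		}
		body = body[4*n:]
		c.templates[tid] = t
	}
	return nil
}

// Decode splits a data record into field type -> raw bytes using the stored map.
func (c *Collector) Decode(rec []byte) (map[uint16][]byte, error) {
	setID, body, err := parseHeader(rec)
	if err != nil {
		return nil, err
	}
	t, ok := c.templates[setID]
	if !ok {
		return nil, errors.New("no template information for this template ID")
	}
	out := make(map[uint16][]byte, len(t.Fields))
	for _, f := range t.Fields {
		if len(body) < int(f.Length) {
			return nil, errors.New("truncated data record")
		}
		out[f.Type], body = body[:f.Length], body[f.Length:]
	}
	return out, nil
}

// BuildRecord and u16s construct sample records in the assumed layout.
func BuildRecord(setID uint16, body []byte) []byte {
	rec := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint16(rec[0:2], setID)
	binary.BigEndian.PutUint16(rec[2:4], uint16(4+len(body)))
	return append(rec, body...)
}

func u16s(vals ...uint16) []byte {
	b := make([]byte, 2*len(vals))
	for i, v := range vals {
		binary.BigEndian.PutUint16(b[2*i:], v)
	}
	return b
}
```

A constructed run: ingesting BuildRecord(0, ...) (a template record) only bumps droppedTemplates; ingesting BuildRecord(300, u16s(256, 4, 8, 4, 12, 4, 7, 2, 11, 2)) maps template 256 to four fields; after that, Decode on a 12-byte data record with set ID 256 yields the two addresses and two ports, and a data record seen before the map exists is rejected rather than guessed at.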

US Pat. No. 9,940,272

HARDWARE-BASED HANDLING OF MISSING INTERRUPT PROPAGATION

Juniper Networks, Inc., ...

1. A circuit, comprising:
one or more components to:
receive an interrupt associated with a device,
the interrupt relating to an event that needs attention, and
the interrupt being sent by the device via an interrupt line associated with the device;
send the interrupt associated with the device,
the interrupt being sent via an interrupt line associated with the circuit;
start a missing interrupt timer, associated with the interrupt, based on sending the interrupt,
the missing interrupt timer being associated with a threshold amount of time by which the interrupt is to be serviced;
identify, based on the missing interrupt timer, the interrupt as a missing interrupt; and
resend the missing interrupt via the interrupt line associated with the circuit, the missing interrupt being resent to cause the missing interrupt to be serviced.

US Pat. No. 9,935,885

MANAGING FLOW TABLE ENTRIES FOR EXPRESS PACKET PROCESSING BASED ON PACKET PRIORITY OR QUALITY OF SERVICE

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
receive a packet associated with a flow;
identify a capacity indicator associated with a flow table,
the capacity indicator indicating an available storage capacity associated with the flow table,
the flow table being stored by another device and including entries for one or more flows and one or more corresponding actions to be taken in association with the one or more flows;
determine a service indicator that indicates a priority associated with the flow;
compare the capacity indicator and the service indicator; and
selectively provide a message to the other device based on comparing the capacity indicator and the service indicator,
the message including an instruction for the other device to store an entry, associated with the flow, in the flow table.

US Pat. No. 9,935,783

SYSTEM FOR AVOIDING TRAFFIC FLOODING DUE TO ASYMMETRIC MAC LEARNING AND ACHIEVING PREDICTABLE CONVERGENCE FOR PBB-EVPN ACTIVE-ACTIVE REDUNDANCY

Juniper Networks, Inc., ...

1. A method comprising:
in response to receiving a first layer two (L2) data message, by a first provider edge (PE) router included in an Ethernet segment of a Provider-Backbone Bridging Ethernet Virtual Private Network (PBB-EVPN) and from a first customer edge (CE) router, performing L2 learning of a Customer MAC (C-MAC) address included in the first L2 data message;
sending, by the first PE router and to at least one other PE router included in the Ethernet segment, an L2 control message, the L2 control message comprising the C-MAC address and a first Bridging MAC (B-MAC) address that is not configured at the at least one other PE router, the L2 control message causing the at least one other PE router to learn the reachability of the C-MAC address through the first B-MAC address of the first PE router based at least in part on the first PE router and the at least one other PE router each being configured for a second B-MAC address associated with the Ethernet segment; and
in response to receiving, by the first PE router and from the at least one other PE router in the Ethernet segment, a second L2 data message as unicast traffic that includes the C-MAC address, forwarding the second L2 data message to the first CE router.

US Pat. No. 9,848,006

DETECTING PAST INTRUSIONS AND ATTACKS BASED ON HISTORICAL NETWORK TRAFFIC INFORMATION

Juniper Networks, Inc., ...

1. A method, comprising:
identifying, by a device, an attack signature, for a new type of intrusion, that was generated after an occurrence of the
new type of intrusion;

receiving, by the device, information to apply the attack signature to network traffic;
applying, by the device, the attack signature to the network traffic based on receiving information to apply the attack signature;
detecting, by the device, an intrusion that occurred prior to the attack signature being generated based on applying the attack
signature to the network traffic; and

performing, by the device, an action based on detecting the intrusion.

US Pat. No. 9,847,953

METHODS AND APPARATUS RELATED TO VIRTUALIZATION OF DATA CENTER RESOURCES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first switch core having a multi-stage switch fabric, the first switch core configured to be logically partitioned into
a first virtual switch core and a second virtual switch core, the first virtual switch core and the second virtual switch
core being logical partitions of the first switch core and not a second switch core; and

a processor remote from and operatively coupled to the first switch core, the processor, when operative, assigning a first
plurality of peripheral processing devices coupled to the first virtual switch core of the multi-stage switch fabric, to a
first virtual application cluster (VAC) of the first virtual switch core, the first VAC of the first virtual switch core being
controlled by a first administration entity and defining a first resource of a first resource type that includes a first set
of physical resources of the first switch core that are interconnected;

the processor, when operative, assigning a second plurality of peripheral processing devices coupled to the first virtual
switch core of the multi-stage switch fabric, to a second VAC of the first virtual switch core being controlled by a second
administration entity different from the first administration entity, the second VAC associated with the first virtual switch
core and defining a resource of a second resource type that includes a second set of physical resources of the first virtual
switch core that are different from the first set of physical resources, the second plurality of peripheral processing devices
including a subset of the first plurality of peripheral processing devices coupled to the first virtual switch core;

the processor, when operative, assigning a third plurality of peripheral processing devices coupled to the second virtual
switch core of the multi-stage switch fabric, to a VAC of the second virtual switch core, the VAC of the second virtual switch
core defining a second resource of the first resource type that includes a set of physical resources of the second virtual
switch core that are interconnected;

the second VAC is associated with the first virtual switch core at a first time;
the second VAC is associated with the second virtual switch core at a second time different from the first time; and
the second plurality of peripheral processing devices is de-allocated from the first virtual switch core at the second time
as a result of the second VAC being associated with the second virtual switch core.

US Pat. No. 9,838,248

CONFIDENCE LEVEL INFORMATION FOR NETWORK ALARMS

Juniper Networks, Inc., ...

1. A method comprising:
generating, by a network device, a network alarm based on detecting that a network alarm condition of the network device has
been satisfied;

determining, by the network device, a first confidence level associated with the network alarm, the first confidence level
indicating that the network alarm has been triggered but has not yet been tested;

outputting, by the network device, a first message comprising information indicative of the network alarm and information
indicative of the first confidence level;

determining, by the network device, a second confidence level associated with the network alarm, the second confidence level
indicating that the network alarm has been triggered and is being tested;

outputting, by the network device, a second message comprising information indicative of the network alarm and information
indicative of the second confidence level;

determining, by the network device, a third confidence level associated with the network alarm, the third confidence level
indicating that the network alarm has been tested and has been confirmed as valid; and

outputting, by the network device, a third message comprising information indicative of the network alarm and information
indicative of the third confidence level.

US Pat. No. 9,654,386

APPARATUS, SYSTEM, AND METHOD FOR RECONFIGURING POINT-TO-MULTIPOINT LABEL-SWITCHED PATHS

Juniper Networks, Inc., ...

1. A method comprising:
detecting that at least a portion of an initial branch path of a point-to-multipoint label-switched path has failed over to
a failover route that rejoins the initial branch path at a network node;

establishing an alternate branch path that merges with the initial branch path at the network node;
transmitting data via the alternate branch path; and
instructing the network node to forward data received from the alternate branch path rather than from the failover route.

US Pat. No. 9,594,906

CONFIRMING A MALWARE INFECTION ON A CLIENT DEVICE USING A REMOTE ACCESS CONNECTION TOOL TO IDENTIFY A MALICIOUS FILE BASED ON FUZZY HASHES

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors to:
receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious
file,

a client device, of the set of client devices, being infected by the malicious file when the malicious file was executed or
the malicious file is executing on the client device;

generate file identification information associated with the malicious file based on receiving the trigger to determine whether
the one or more client devices are infected by the malicious file,

the file identification information including a first set of fuzzy hashes associated with execution results of the malicious
file;

obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine
whether the one or more client devices are infected by the malicious file,

the connection tool providing access to the one or more client devices;
obtain information, associated with the one or more client devices, using the remote access,
the information including one or more second sets of fuzzy hashes,
each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious
file;

generate, based on determining that the one or more client devices are infected by the malicious file and based on the one
or more second sets of fuzzy hashes, a prioritization order for remediating the set of client devices; and

provide, based on the file identification information and the information associated with the one or more client devices,
information indicating that the one or more client devices are infected by the malicious file and information indicating the
prioritization order for remediating the set of client devices.

US Pat. No. 9,596,159

FINDING LATENCY THROUGH A PHYSICAL NETWORK IN A VIRTUALIZED NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
receiving, from a virtual network controller, by a network device having a virtual network agent and a virtual network switch
of a plurality of interconnected virtual network switches connected to the virtual network controller by an overlay network,
information specifying packet characteristics of packets to be analyzed and a time period during which to apply the packet
characteristics;

in response to determining that a time the information is received is later than the time period during which to apply the packet
characteristics, ignoring, by the virtual network agent, the received information; and

in response to determining that the time period during which to apply the packet characteristics has not passed:
installing, by the virtual network agent and based on the information, a packet classifier to the virtual network switch;
responsive to determining that a received packet matches the specified characteristics, by the virtual network agent, determining
a hash of an invariant portion of the packet that uniquely identifies the packet to obtain a packet signature; and

forwarding, to the virtual network controller, a message that specifies: (1) the packet signature, (2) an identifier of the
network device, and (3) a timestamp indicating a time the packet was processed by the network device.

US Pat. No. 9,571,458

ANTI-REPLAY MECHANISM FOR GROUP VIRTUAL PRIVATE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a first virtual private network (VPN) device from a second VPN device, a first packet having a first encryption
header, the first encryption header including a first group VPN member identifier and a first sequence number, wherein the
first group VPN member identifier uniquely identifies the second VPN device within a group VPN;

receiving, with the first VPN device from a third VPN device, a second packet having a second encryption header, the second
encryption header including a second group VPN member identifier and a second sequence number, wherein the first and second
sequence numbers are included in a shared sequential number pool for the group VPN, wherein the second group VPN member identifier
uniquely identifies the second VPN device within the group VPN, wherein the first, second, and third VPN devices are members
of the group VPN, and wherein the first, second, and third VPN devices are distinct VPN devices;

identifying, based on the first group VPN member identifier, a first window of sequence numbers maintained by the first VPN
device for the second VPN device;

identifying, based on the second group VPN member identifier, a second window of sequence numbers maintained by the first
VPN device for the third VPN device, wherein the first window of sequence numbers is different from the second window of sequence
numbers;

determining whether the first sequence number of the encryption header is included in the first window of sequence numbers;
determining whether the second sequence number of the encryption header is included in the second window of sequence numbers;
processing, by the first VPN device and based on whether the first sequence number is included in the first window of sequence
numbers, the first packet; and

processing, by the first VPN device and based on whether the second sequence number is included in the second window of sequence
numbers, the second packet.
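The per-member replay windows this claim describes, as an added worked example that is not Juniper's code and not taken from the patent: a Go receiver that keeps one sliding window per group VPN member identifier, so that sequence numbers which different senders draw from the group's shared pool are never judged against each other. A single window for the whole group would either reject a legitimate low sequence number from one member because another member has already advanced the window, or, if widened to avoid that, let replays through. The header layout, the 64-entry window size (in the style of the IPsec ESP anti-replay window) and the sample packets are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// windowSize is assumed for this example: 64 entries tracked in one uint64 bitmap.
const windowSize = 64

// encHeader is the subset of the encryption header the claim relies on
// (layout assumed for the example).
type encHeader struct {
	memberID uint16 // group VPN member identifier, unique per sender in the group
	seq      uint32 // sequence number drawn from the group's shared pool
}

var errReplay = errors.New("sequence number already seen or older than the window")

// replayWindow is the state kept for one sender: the highest accepted sequence
// number and a bitmap of which of the last windowSize numbers were seen
// (bit i set means top-i has been accepted).
type replayWindow struct {
	top    uint32
	bitmap uint64
}

// check accepts seq once and rejects replays and packets older than the window.
func (w *replayWindow) check(seq uint32) error {
	switch {
	case seq > w.top:
		// New high-water mark: slide the window forward and mark seq as seen.
		shift := seq - w.top
		if shift >= windowSize {
			w.bitmap = 1
		} else {
			w.bitmap = (w.bitmap << shift) | 1
		}
		w.top = seq
		return nil
	case w.top-seq >= windowSize:
		// Too far behind the high-water mark to be tracked: drop it.
		return errReplay
	default:
		bit := uint64(1) << (w.top - seq)
		if w.bitmap&bit != 0 {
			return errReplay // replay within the window
		}
		w.bitmap |= bit // late but first-seen: accept and record it
		return nil
	}
}

// GroupVPNReceiver is the first VPN device of the claim: one window per peer,
// keyed by the member identifier in the header, never one window for the group.
type GroupVPNReceiver struct {
	windows map[uint16]*replayWindow
}

func NewGroupVPNReceiver() *GroupVPNReceiver {
	return &GroupVPNReceiver{windows: make(map[uint16]*replayWindow)}
}

// Accept looks up (or creates) the window for the sending member and runs the
// replay check against that window only.
func (r *GroupVPNReceiver) Accept(h encHeader) error {
	w, ok := r.windows[h.memberID]
	if !ok {
		w = &replayWindow{}
		r.windows[h.memberID] = w
	}
	return w.check(h.seq)
}

func main() {
	// Constructed sample traffic: members 2 and 3 share one sequence pool, so
	// member 3's low numbers must not be judged against member 2's window.
	r := NewGroupVPNReceiver()
	for _, h := range []encHeader{{2, 100}, {3, 5}, {2, 100}, {2, 99}, {2, 30}, {3, 6}} {
		fmt.Printf("member %d seq %3d: %v\n", h.memberID, h.seq, r.Accept(h))
	}
}
```

With the constructed traffic above, member 2's packet 100 and member 3's packet 5 are both accepted, the repeat of member 2's packet 100 is rejected as a replay, the late packet 99 from member 2 is accepted because it falls inside that member's window, and packet 30 from member 2 is dropped as older than the window.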

US Pat. No. 9,553,861

SYSTEMS AND METHODS FOR MANAGING ACCESS TO SERVICES PROVIDED BY WIRELINE SERVICE PROVIDERS

Juniper Networks, Inc., ...

1. A computer-implemented method for managing access to services provided by wireline service providers, at least a portion
of the method being performed by a computing device comprising at least one processor, the method comprising:
receiving, at an access gateway of a wireline service provider, at least one request to authenticate a subscriber device for
access to at least one service provided by the wireline service provider, wherein the access gateway:

interfaces a network of the wireline service provider with the subscriber device; and
directs network traffic within the network of the wireline service provider;
authenticating, based at least in part on the request, the subscriber device at the access gateway of the wireline service
provider;

in response to authenticating the subscriber device at the access gateway:
generating a unique session identifier that uniquely identifies the authenticated subscriber device during a service-access
session; and

delivering the unique session identifier to a management server of the wireline service provider to enable the management
server to authorize, based at least in part on the unique session identifier, at least one network device of the wireline
service provider to provide the service to the subscriber device via the access gateway; and

upon delivering the unique session identifier to the management server, facilitating access by the subscriber device to the
service provided by the network device via the access gateway during the service-access session.

US Pat. No. 9,467,855

SYSTEMS AND METHODS FOR DETECTING ROGUE CLIENT DEVICES CONNECTED TO WIRELESS HOTSPOTS

Juniper Networks, Inc, S...

1. A computer-implemented method for detecting rogue client devices connected to wireless hotspots, at least a portion of
the method being performed by a computing device comprising at least one processor, the method comprising:
maintaining, at a wireless hotspot, at least one illegitimate authentication identifier that appears to:
facilitate authentication with an external network via the wireless hotspot, and
correspond to an Internet Service Provider (ISP) that has established a roaming agreement with the wireless hotspot to offload
at least a portion of network traffic from a data network of the ISP to the wireless hotspot;

providing the illegitimate authentication identifier that apparently corresponds to the ISP to one or more client devices
connected to the wireless hotspot;

receiving, from a client device, an authentication request to authenticate the client device with at least one external network
via the wireless hotspot; and

upon receiving the authentication request from the client device:
determining that the authentication request includes the illegitimate authentication identifier that apparently corresponds
to the ISP, and

determining, based at least in part on the illegitimate authentication identifier that apparently corresponds to the ISP being
included in the authentication request, that the client device is a rogue device that is not authorized to use the wireless
hotspot.

US Pat. No. 9,444,721

TWO-PART METRIC FOR LINK STATE ROUTING PROTOCOLS

Juniper Networks, Inc., ...

1. A method comprising:
communicating, in accordance with a layer three link state protocol, link state advertisements (LSAs) between a plurality
of layer three routers coupled to an intermediate layer two shared access network, wherein the link state advertisements specify
a set of outbound cost metrics representative of respective outbound costs to send network traffic to the intermediate layer
two shared access network for each of the plurality of layer three routers and a set of inbound cost metrics representative
of respective inbound costs to receive network traffic for each of the plurality of layer three routers from the intermediate
layer two shared access network;

computing, with a first one of the plurality of layer three routers, a total cost metric for each link through the intermediate
layer two shared access network that originates at the first one of the plurality of layer three routers and terminates at
each remaining one of the plurality of layer three routers based on one of the outbound cost metrics for the first one of
the plurality of layer three routers and the corresponding inbound cost metrics for each of the remaining ones of the plurality
of layer three routers;

performing path selection based on the total cost metrics; and
forwarding network traffic based on the path selection.

US Pat. No. 9,344,445

DETECTING MALICIOUS NETWORK SOFTWARE AGENTS

Juniper Networks, Inc., ...

1. A method of determining whether a single network session is originated by an automated software agent, the method comprising:
receiving, with a network device, packets of a single network session comprising one or more connections between a single
client device and a single server device;

assembling network session data for the network session from the packets, the network session data comprising application-layer
data and packet flow data for the network session;

calculating a plurality of scores for the network session based on a plurality of metrics applied to the network session data,
wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent,
and wherein each of the scores represents a likelihood that the network session is originated by an automated software agent;

aggregating the plurality of scores to produce an aggregate score such that the aggregate score only reflects the plurality
of metrics applied to the network session data for the single network session between the client device and the server device;

determining that the network session is originated by an automated software agent when the aggregate score exceeds a threshold;
and

executing a programmed response when the network session is determined to be originated by an automated software agent.

US Pat. No. 9,258,076

AMORTIZATION OF EXPENSIVE OPTICAL COMPONENTS

Juniper Networks, Inc., ...

1. A system comprising:
a laser system comprising:
a laser bank that includes lasers,
a first multiplexer connected to the laser bank, and
an amplifier connected to the first multiplexer; and
an optical transport system, connected to the laser system, comprising:
a combiner,
a demultiplexer connected to the combiner,
a plurality of transmitters connected to the demultiplexer, and
a second multiplexer connected to the plurality of transmitters.

US Pat. No. 9,253,097

SELECTIVE LABEL SWITCHED PATH RE-ROUTING

Juniper Networks, Inc., ...

1. A method comprising:
establishing a plurality of label switched paths (LSPs) having a common transit network device other than an ingress network
device or an egress network device of any of the plurality of LSPs;

by the transit network device along the plurality of LSPs, detecting a congestion condition on a link along the plurality
of LSPs and coupled to the transit network device;

responsive to detecting the congestion condition, and by the transit network device, selecting a subset of the plurality of
LSPs to evict from the link, wherein the subset comprises less than all of the plurality of LSPs;

outputting an error message to one or more ingress network devices associated with the selected subset of the plurality of
LSPs to evict from the link, without outputting an error message to the ingress network devices associated with those of the
plurality of LSPs not selected to evict from the link, wherein the error message specifies the respective one of the selected
subset of LSPs; and

updating a forwarding plane of the transit network device to reroute network traffic received for the selected subset of the
plurality of the LSPs for forwarding to a next hop on a bypass LSP that avoids the link.

US Pat. No. 9,246,801

TRANSMITTING PACKET LABEL CONTEXTS WITHIN COMPUTER NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a first network device intermediately positioned along a label-switched path (LSP) through a network between
an ingress to the LSP and an egress to the LSP, a Multi-Protocol Label Switching (MPLS) data unit from a second network device
of the network in accordance with a label switching protocol, wherein the data unit includes a label stack affixed to a payload,
wherein the label stack includes two or more MPLS labels used for forwarding the data unit through the network and context
information associated with at least two of the MPLS labels of the label stack, wherein the context information is arranged
in the label stack to alternate between entries containing individual ones of the two or more MPLS labels and entries containing
portions of the context information that pertains to the preceding one of the MPLS labels in the label stack and provides
a context unused to forward the MPLS data unit and for understanding the associated at least two MPLS labels of the label
stack, and wherein the context information identifies a packet flow transported by the data unit by specifying a source address,
a source port, a destination address, a destination port and a protocol associated with the payload contained within the data
unit;

forwarding the data unit out an output interface of the first network device in accordance with the two or more MPLS labels
of the label stack;

when forwarding the data unit, parsing, with the first network device, the data unit to determine the context information;
and

recording, with the first network device, the forwarding of the data unit and the determined context information.

US Pat. No. 9,147,075

APPARATUS AND METHOD FOR SECURELY LOGGING BOOT-TAMPERING ACTIONS

Juniper Networks, Inc., ...

1. An apparatus comprising:
a storage device;
a tamper-logging component that:
detects an action that is associated with booting untrusted images from the storage device; and
in response to detecting the action, securely logs the action by incrementing a secure counter; and
a security component that:
includes the secure counter;
receives a request from the tamper-logging component for the secure counter's present value;
in response to receiving the request from the tamper-logging component:
creates a signed version of the secure counter's present value by signing the secure counter's present value using a private
cryptographic key; and

provides the signed version of the secure counter's present value to the tamper-logging component; and
wherein the tamper-logging component determines the secure counter's present value by verifying the signed version of the
secure counter's present value using a public cryptographic key that corresponds to the private cryptographic key.
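The two components this claim describes, as an added worked example that is not Juniper's code and not taken from the patent: a Go model in which the security component owns both the monotonic counter and the private key and only ever hands out signed counter values, while the tamper-logging component holds the matching public key and accepts a reported count only after the signature verifies. Ed25519 from the Go standard library, the 8-byte big-endian encoding that is signed, the in-memory key generation and the sample boot-tampering events are assumptions for the illustration; in a real device the counter and key would live in a hardware security component rather than in the same process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// encodeCounter fixes the byte layout that is signed and verified
// (assumed for this example: 8-byte big-endian).
func encodeCounter(v uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, v)
	return buf
}

// SecurityComponent owns the counter and the private key. Nothing outside it
// ever sees the private key; callers only receive signed values.
type SecurityComponent struct {
	counter uint64
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
}

func NewSecurityComponent() (*SecurityComponent, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityComponent{priv: priv, pub: pub}, nil
}

// PublicKey is what the tamper-logging component is provisioned with.
func (s *SecurityComponent) PublicKey() ed25519.PublicKey { return s.pub }

// Increment is the only write operation: the counter goes up, never down.
func (s *SecurityComponent) Increment() { s.counter++ }

// SignedValue answers a request for the present value with the value and a
// signature over its encoding.
func (s *SecurityComponent) SignedValue() (uint64, []byte) {
	return s.counter, ed25519.Sign(s.priv, encodeCounter(s.counter))
}

// VerifyCounter checks a reported value against its signature.
func VerifyCounter(pub ed25519.PublicKey, value uint64, sig []byte) bool {
	return ed25519.Verify(pub, encodeCounter(value), sig)
}

// TamperLogger is the tamper-logging component. The human-readable action list
// is local and unprotected; the secure counter is the protected record.
type TamperLogger struct {
	sec     *SecurityComponent
	pub     ed25519.PublicKey
	actions []string
}

func NewTamperLogger(sec *SecurityComponent) *TamperLogger {
	return &TamperLogger{sec: sec, pub: sec.PublicKey()}
}

// LogAction is called when an action associated with booting an untrusted
// image from the storage device is detected.
func (t *TamperLogger) LogAction(action string) {
	t.actions = append(t.actions, action)
	t.sec.Increment()
}

// VerifiedCount requests the signed counter and accepts it only if the
// signature verifies under the public key, so nothing between the two
// components can report a lower count than the one actually stored.
func (t *TamperLogger) VerifiedCount() (uint64, error) {
	v, sig := t.sec.SignedValue()
	if !VerifyCounter(t.pub, v, sig) {
		return 0, errors.New("secure counter signature did not verify")
	}
	return v, nil
}

func main() {
	sec, err := NewSecurityComponent()
	if err != nil {
		panic(err)
	}
	logger := NewTamperLogger(sec)
	logger.LogAction("boot attempted from unsigned image") // constructed event
	logger.LogAction("secure boot disabled via console")   // constructed event
	n, err := logger.VerifiedCount()
	fmt.Println("verified tamper count:", n, "err:", err)
	// Reusing a genuine signature with a smaller value does not verify.
	_, sig := sec.SignedValue()
	fmt.Println("forged count 0 verifies:", VerifyCounter(sec.PublicKey(), 0, sig))
}
```

The check that matters is the last one: because the signature covers the encoded counter value, an attacker who can edit the logger's local action list, or sit between the two components, cannot present a genuine signature alongside a lower count.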

US Pat. No. 9,130,859

METHODS AND APPARATUS FOR INTER-VIRTUAL LOCAL AREA NETWORK MULTICAST SERVICES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first access point configured to be (1) included in a first virtual local area network (VLAN) and not included in a second
VLAN and (2) operatively coupled to a second access point that is included in the second VLAN and not included in the first
VLAN, the second VLAN including a multicast domain name system (mDNS) service that is not multicast to the first VLAN,

the first access point configured to receive an mDNS request for the mDNS service from a client device that is operatively
coupled to the first VLAN,

the first access point configured to place the mDNS request in a quarantine queue,
the first access point configured to send, in response to the mDNS request being placed in the quarantine queue, a signal
to the second access point such that the second access point determines the availability of the mDNS service on the second
VLAN,

the first access point configured to, in response to an indication from the second access point that the mDNS service is available
on the second VLAN, define an encapsulated mDNS request,

the first access point configured to send, to the second access point, the encapsulated mDNS request, based on the mDNS request,
such that a connection is established between the client device and a network device providing the mDNS service within the
second VLAN.

US Pat. No. 9,100,323

DEADLOCK-RESISTANT FABRIC TREE REPLICATION IN A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
generating, by a network device, a multi-level replication data structure having a plurality of hierarchically-arranged nodes
each associated with one of a plurality of packet replicators of the network device and each occupying one of a plurality
of levels of the multi-level replication data structure, wherein each of the plurality of packet replicators of the network
device comprises a plurality of packet buffer partitions for storing multicast packets;

by a packet replicator of the plurality of packet replicators that is associated with a node of the plurality of hierarchically-arranged
nodes that occupies a level of the plurality of levels of the multi-level replication data structure, receiving a multicast
packet; and

by the packet replicator, determining a packet buffer partition of the plurality of packet buffer partitions of the packet
replicator that is associated with the level of the plurality of levels of the multi-level replication data structure and
storing the multicast packet to the packet buffer partition prior to internally forwarding the multicast packet to a receiving
packet replicator of the plurality of packet replicators in accordance with the multi-level replication data structure.

US Pat. No. 9,094,372

MULTI-METHOD GATEWAY-BASED NETWORK SECURITY SYSTEMS AND METHODS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at a network device, a packet;
determining, by the network device and using a key, whether information identifying a packet flow, associated with the packet,
is stored in a data structure,

the key being generated based on information included in the packet;
retrieving, by the network device and based on the information identifying the packet flow, particular information that is
used to perform at least two of a first inspection of the packet regarding one or more protocol irregularities, a second inspection
of the packet regarding one or more attack signatures, or a third inspection of the packet regarding one or more traffic signatures
matching the packet flow when the information identifying the packet flow is stored in the data structure;

determining, by the network device, whether to drop the packet or forward the packet,
determining whether to drop the packet or forward the packet including performing the at least two of:
the first inspection without a user request to perform the first inspection,
the second inspection without a user request to perform the second inspection, or
the third inspection without a user request to perform the third inspection,
the at least two of the first inspection, the second inspection, or the third inspection being performed using the particular
information when the particular information is retrieved,

one of the first inspection, the second inspection, or the third inspection being performed based on another one of the first
inspection, the second inspection, or the third inspection being performed; and

processing, by the network device, the packet based on determining whether to drop the packet or forward the packet,
processing the packet including dropping the packet based on determining that the packet is to be dropped, and
processing the packet including forwarding the packet based on determining that the packet is to be forwarded.

US Pat. No. 9,077,617

KERNEL-BASED TCP-LAYER ASSIST FOR FAST RECOVERY BY BACKUP CONTROL UNIT OF A DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
maintaining, with a secondary control unit of a network device, a prioritized data structure having a plurality of hierarchically
arranged nodes, each of the nodes associated with a different subset of application-level communication sessions having a
common session timeout value, wherein the nodes of the prioritized data structure are maintained in an ordered arrangement
in accordance with the common session timeout values of the respective subset of the communication sessions with which each
node is associated;

detecting, with the secondary control unit of a network device, a failover event that causes the network device to failover
from a primary control unit of the network device to the secondary control unit; and

in response to detecting the failover event, sending, with an operating system of the secondary control unit, a session maintenance
message on each of the plurality of application-level communication sessions in accordance with the prioritized data structure.

US Pat. No. 9,054,996

DYNAMIC PRIORITIZED FAIR SHARE SCHEDULING SCHEME IN OVER-SUBSCRIBED PORT SCENARIO

Juniper Networks, Inc., ...

1. A method comprising:
configuring, by a network device, initial policer limits for a plurality of over-subscribing ingress ports based on bandwidth
limits for an over-subscribed egress port associated with the plurality of over-subscribing ingress ports;

obtaining, by the network device, a first threshold watermark and a second threshold watermark for bandwidth usage of the
over-subscribed egress port,

the first threshold watermark being higher than the second threshold watermark;
identifying, by the network device, a queue, associated with the over-subscribed egress port, having a queue volume that is
above the first threshold watermark or below the second threshold watermark over a particular quantity of consecutive samples;

determining, by the network device, an oversubscription factor based on a ratio of a total bandwidth of the over-subscribed
egress port and a total bandwidth of the plurality of over-subscribing ingress ports;

determining, by the network device and when the queue volume is below the second threshold watermark over the particular quantity
of consecutive samples, a rate of increase based on the oversubscription factor; and

increasing, by the network device and when the queue volume is below the second threshold watermark over the particular quantity
of consecutive samples, the initial policer limits to create increased policer limits based on the rate of increase, the initial
policer limits being increased without having been previously decreased.

US Pat. No. 9,049,256

FABRIC SWITCHOVER FOR SYSTEMS WITH CONTROL PLANE AND FABRIC PLANE ON SAME BOARD

Juniper Networks, Inc., ...

10. A network device comprising:
a first control board including a first control plane and a first fabric plane;
a second control board including a second control plane and a second fabric plane; and
a plurality of input/output units to:
receive instructions from the first control plane or the second control plane, and
transmit, based on the received instructions, traffic through the first fabric plane or the second fabric plane,
the network device being to:
designate as active the first control plane to communicate with the plurality of input/output units,
designate as active the second fabric plane to receive traffic from the plurality of input/output units,
designate as standby the second control plane,
designate as standby the first fabric plane,
identify a failure of the first control board, and
switch, based on the failure of the first control board, the second control plane from standby to active while maintaining
active links between the second control plane and the plurality of input/output units to continue to allow the plurality of
input/output units to process traffic.

US Pat. No. 10,425,345

METHODS AND APPARATUS FOR DETECTING A SIGNAL DEGRADATION USING THE PRE-FORWARD ERROR CORRECTION BIT ERROR RATE AT AN OPTICAL TRANSPONDER

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an optical transponder including a processor, an electrical interface and an optical interface, the processor operatively coupled to the electrical interface and the optical interface, the optical interface configured to be operatively coupled to a plurality of optical links and the electrical interface configured to be operatively coupled to a router such that the optical transponder is configured to be operatively coupled between the plurality of optical links and the router,
the processor configured to receive data packets and diagnosis packets via an optical link from the plurality of optical links,
the processor configured to perform pre-forward error correction (FEC) bit error rate (BER) detection to identify a degradation of the optical link from the plurality of optical links,
the processor configured to drop a subset of the diagnosis packets designated to be transmitted via the optical link in response to the degradation being identified such that the router is notified of the degradation of the optical link in response to the subset of the diagnosis packets being dropped.

US Pat. No. 10,091,222

DETECTING DATA EXFILTRATION AS THE DATA EXFILTRATION OCCURS OR AFTER THE DATA EXFILTRATION OCCURS

Juniper Networks, Inc., ...

1. A device, comprising:
a memory; and
one or more processors, implemented at least partially in hardware, to:
receive, from a security device, exfiltration information that was exfiltrated by a file after the file is executed in a testing environment of the security device and after the security device fails to detect the exfiltration information in outbound network traffic that leaves the security device or the testing environment,
the outbound network traffic being monitored by the security device,
the exfiltration information including program code or a script that accesses a resource,
the program code or the script including a resource identifier that identifies the resource,
the resource identifier including a file identifier, and
the file identifier identifying the file;
determine that the resource has been accessed;
identify, based on determining that the resource has been accessed and based on the exfiltration information, the file; and
perform an action, associated with the file, to counteract data exfiltration based on determining that the resource has been accessed and based on identifying the file.

US Pat. No. 10,031,177

METHODS AND APPARATUS FOR OPTICAL TRANSCEIVER CALIBRATION AND TEST

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an automatic integrated circuit (IC) handler having a change kit and at least one optical detector, the change kit having a plunger, the plunger moveably disposable onto an Automatic Test Equipment (ATE),
the ATE configured to receive an integrated circuit having an optical interface,
the plunger having a first position and a second position,
the plunger being out of contact with the integrated circuit when the plunger is in the first position,
the plunger having an optical connector operatively coupled to the optical interface of the integrated circuit when the plunger is in the second position,
the at least one optical detector configured to test an optical power of the integrated circuit when the plunger is in the second position.

US Pat. No. 10,027,591

APPARATUS, SYSTEM, AND METHOD FOR APPLYING POLICIES TO NETWORK TRAFFIC ON SPECIFIC DAYS

Juniper Networks, Inc., ...

1. An apparatus comprising:
at least one storage device that stores at least one policy for handling certain network traffic destined for an online application during at least one specific day;
at least one policy-enforcement unit communicatively coupled to the storage device, wherein the policy-enforcement unit:
configures the policy by:
creating an extended time-of-day profile that identifies a period of time in which the policy is to be applied; and
associating the extended time-of-day profile with the certain network traffic destined for the online application;
activates the policy on the specific day;
receives, while the policy is activated, at a network device that facilitates network traffic within a network, at least one packet destined for the online application; and
handles the packet in accordance with the activated policy without analyzing a timestamp within the packet.

US Pat. No. 10,027,576

METHOD, SYSTEM, AND APPARATUS FOR PROXYING INTRA-SUBNET TRAFFIC ACROSS MULTIPLE INTERFACES WITHIN NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
creating, at a proxy node within an Internet Protocol (IP) network, a proxy group that includes a plurality of network nodes within a subnet of the IP network that are represented by a pseudo Media Access Control (MAC) address;
building, at the proxy node, a routing table for the proxy group by populating the routing table with entries that identify routes to the plurality of network nodes within the subnet;
receiving, at the proxy node, a neighbor solicitation from a network node included in the proxy group;
identifying, within the neighbor solicitation, a link-layer address of the network node that sent the neighbor solicitation received at the proxy node;
modifying the neighbor solicitation by replacing, within the neighbor solicitation, the link-layer address of the network node with the pseudo MAC address of the proxy group;
forwarding the modified neighbor solicitation to at least one other network node included in the proxy group to facilitate completion of a Neighbor Discovery Protocol (NDP) process in which the other network node responds to the modified neighbor solicitation with a neighbor advertisement proxied by the proxy node;
receiving, at the proxy node, a packet that originated from the network node and is destined for the other network node;
identifying, within the packet, a link-layer address of the network node that sent the packet received at the proxy node;
determining, based at least in part on the link-layer address and the routing table for the proxy group, that the network node that sent the packet is included in the proxy group; and
in response to determining that the network node that sent the packet is included in the proxy group, forwarding the packet to the other network node included in the proxy group.

US Pat. No. 9,838,246

MICRO-LOOP PREVENTION USING SOURCE PACKET ROUTING

Juniper Networks, Inc., ...

17. A method comprising:
receiving, by a non-point of local failure (non-PLR) network device of a plurality of network devices in a segment routing
domain, a link state advertisement that a communication link has failed between a near-side point of local failure (NPLR)
and a far-side point of local failure (FPLR) that are each included in the segment routing domain, wherein the non-PLR, NPLR
and the FPLR are each network devices that implement a Source Packet Routing in Networking (SPRING) protocol to forward network
packets using node labels according to an initial network topology of a network that includes the plurality of network devices,
wherein the non-PLR, the NPLR, the FPLR, and any of the other network devices operating in accordance with the SPRING protocol
exchange the node labels using at least one link-state interior gateway protocol (IGP);

responsive to receiving the link state advertisement, initiating, by the non-PLR network device, a timer;
configuring, before the timer has expired, a forwarding state of the non-PLR network device, to forward network packets according
to a new network topology; and

forwarding, while the timer has not expired and by the non-PLR network device, network packets destined for a destination
network device according to a temporary network topology that is different than the new network topology, wherein the temporary
network topology is based on one or more adjacency labels in accordance with the SPRING protocol that define a set of one-hop
tunnels corresponding to a backup sub-path that circumvents the failed communication link between the NPLR and the FPLR.

US Pat. No. 9,838,327

DISTRIBUTED GENERATION OF HIERARCHICAL MULTICAST FORWARDING STRUCTURES

Juniper Networks, Inc., ...

1. A method comprising:
sending, by a first packet replicator of a plurality of packet replicators within a network device to a second packet replicator
of the plurality of packet replicators and according to first local forwarding state stored by the first packet replicator
for a multicast replication tree for replicating data units of multicast packets among the plurality of packet replicators,
a data unit of a multicast packet;

sending, by the first packet replicator to the second packet replicator, a tear-down message directing the second packet replicator
to delete local forwarding state for the multicast replication tree; and

deleting, by the second packet replicator in response to receiving the tear-down message, second local forwarding state stored
by the second packet replicator for the multicast replication tree.

US Pat. No. 9,774,633

DISTRIBUTED APPLICATION AWARENESS

Juniper Networks, Inc., ...

1. A security device, comprising:
a memory to store a first plurality of application identifiers; and
one or more processors to:
provide a second plurality of application identifiers to an edge device, of a plurality of edge devices, in a network,
the first plurality of application identifiers including one or more application identifiers that are not included in the
second plurality of application identifiers and are not included in a third plurality of application identifiers stored by
another edge device of the plurality of edge devices,

the edge device communicating with the security device,
the edge device being provided at an edge of the network between the security device and a user device attempting to access
the network via the edge device;

receive information associated with network traffic generated by an application executing on the user device,
the network traffic being received from the user device and via the edge device,
the information associated with the network traffic being provided to the security device when an application identifier,
associated with the network traffic, does not match one of the second plurality of application identifiers;

determine, based on the information associated with the network traffic, the application identifier associated with the network
traffic,

the application identifier identifying the application;
determine whether the application identifier matches one of the first plurality of application identifiers stored in the memory;
identify a policy associated with the one of the first plurality of application identifiers when the application identifier
matches the one of the first plurality of application identifiers; and

provide the policy to the edge device to permit the edge device to apply the policy to the network traffic.

US Pat. No. 9,634,928

MESH NETWORK OF SIMPLE NODES WITH CENTRALIZED CONTROL

Juniper Networks, Inc., ...

1. A system comprising:
a mesh network comprising a plurality of mesh nodes, wherein each of the plurality of mesh nodes is configured to communicate
with one or more subscriber devices;

one or more edge nodes to couple the mesh network to a core network; and
a centralized controller in communication with the plurality of mesh nodes and edge nodes, wherein the centralized controller
comprises:

a topology module that executes a control protocol to receive topology information for the mesh network from the plurality
of mesh nodes; and

a path computation module (PCM) that computes forwarding information for
one or more data channels based at least in part on the topology information, wherein the data channels are for transporting
network packets to and from the subscriber devices via the mesh nodes,

wherein each of the mesh nodes operates a reduced control plane without execution of a layer three (L3) routing protocol that
maintains routing information for the mesh network and generates forwarding information for the respective mesh node,

wherein the topology module receives a set of messages sent by the mesh nodes, wherein each of the set of messages specifies
a list of interfaces traversed by the respective message, wherein the centralized controller establishes a control channel
with each of the mesh nodes based on the list of interfaces specified by the messages, and

wherein the centralized controller outputs one or more messages to the mesh nodes via the respective control channels to communicate
and install within each of the mesh nodes the forwarding information for the one or more data channels.

US Pat. No. 9,606,896

CREATING SEARCHABLE AND GLOBAL DATABASE OF USER VISIBLE PROCESS TRACES

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a controller device for a virtual network, a set of two or more related processes executed by respective devices
in the virtual network, the related processes including a first process executed by a first device of a plurality of devices
that form a physical network and a second, related process executed by a second, different device of the plurality of devices,
wherein the virtual network comprises an overlay network formed over the physical network and between virtual switches executed
by the plurality of devices including a first virtual switch executed by the first device and a second virtual switch executed
by the second device, and wherein determining the set of two or more related processes comprises forming the set to include
processes that perform similar operations on different instances of respective data;

receiving, by the controller device, data for the set of two or more related processes from the respective devices;
aggregating, by the controller device, the data for the set of two or more related processes to form aggregated data for the
set of two or more related processes; and

detecting, by the controller device, a fault in the virtual network from the aggregated data.

US Pat. No. 9,594,908

IDENTIFYING AN EVASIVE MALICIOUS OBJECT BASED ON A BEHAVIOR DELTA

Juniper Networks, Inc., ...

1. A device comprising:
one or more hardware processors to:
receive an object;
execute the object in a test environment;
perform a static analysis of the object including at least one of:
scanning the object with anti-virus software,
performing a strings search of the object, or
disassembling the object;
determine, based on executing the object in the test environment and performing the static analysis of the object, test behavior
information associated with the object,

the test behavior information identifying a first behavior associated with testing the object in the test environment;
determine actual behavior information associated with the object,
the actual behavior information identifying a second behavior exhibited by the object when the object is opened or executed
on a user device;

determine that the object is a malicious object based on the actual behavior information being different from the test behavior
information; and

provide an indication that the object is the malicious object based on determining that the object is the malicious object.

US Pat. No. 9,596,268

SECURITY ENFORCEMENT IN VIRTUALIZED SYSTEMS

Juniper Networks, Inc., ...

1. A system comprising:
a first server to:
receive information about a first application and a second application of a second server;
receive identity information of a user,
the user being associated with a client that is connected to a third server, and
the third server executing an operating system for the client;
determine access control information based on the information about the first application and the second application and based
on the identity information; and

provide the access control information to an enforcer,
the operating system being provided, by the enforcer, selective access to the first application or the second application
based on the access control information.

US Pat. No. 9,596,167

INTERNET PROTOCOL VIRTUAL PRIVATE NETWORK SERVICE PERFORMANCE MONITORING

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a router, virtual private network (VPN) routing and forwarding table (VRF) configuration data defining a VRF
for a VPN and a VPN address space for the VPN;

receiving, by the router, configuration data defining a measurement endpoint for measuring performance of a layer 3 (L3) service
and associating the measurement endpoint with a remote measurement endpoint of a remote router;

encapsulating, by the router, to generate a flow measurement packet, a layer 2 (L2) measurement packet in a layer 4 (L4) header
and an L3 header,

wherein the L3 header comprises a source L3 address within the VPN address space and associated with the measurement endpoint,
and

wherein the L3 header comprises a destination L3 address within the VPN address space and associated with the remote measurement
endpoint; and

outputting, by the router, the flow measurement packet to the remote router.

US Pat. No. 9,590,853

CONFIGURATION OF APPLICATIONS FOR DISTRIBUTED COMPUTING SYSTEMS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first device of a distributed computing system, an incoming message from an application running on a second
device of the distributed computing system, the application performing a function of the distributed computing system, the
incoming message instructing the first device to associate the application with a configuration parameter of the distributed
computing system;

generating, by the first device in response to receiving the incoming message, registration data indicating that the application
is associated with the configuration parameter;

receiving, by the first device, a command in a management interface for the distributed computing system;
in response to receiving the command, modifying, by the first device, a copy of the configuration parameter stored at the
first device;

identifying, by the first device and based on the registration data, the application as being associated with the command,
wherein the first device identifies the application from among a plurality of applications that run on one or more devices
of the distributed computing system and that provide functions of the distributed computing system;

in response to identifying the application, determining, by the first device, whether the application is available; and
in response to determining that the application is available or has become available, sending, by the first device, an outgoing
message to the application, the outgoing message instructing the application to synchronize a copy of the configuration parameter
stored at the second device with the copy of the configuration parameter stored at the first device.

US Pat. No. 9,590,895

REFRESH INTERVAL INDEPENDENT FAST REROUTE FACILITY PROTECTION TEAR DOWN MESSAGING

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first network device and from a second network device, a conditional pathtear message, wherein the second
network device is positioned upstream from the first network device along a label switched path in a network; and

responsive to determining, by the first network device, that the first network device is a node protecting merge point network
device for the second network device along the label switched path:

retaining, with the first network device, state information for the label switched path; and
sending, from the first network device to a third network device, a resource reservation path message that specifies local
protection and node protection of the label switch path are no longer available at the second network device, wherein the
third network device is a nexthop for the first network device in a downstream direction along the label switched path.

US Pat. No. 9,568,988

EFFICIENT POWER ALLOCATION FOR REDUNDANT POWER SUPPLY WITH SYSTEM PRIORITY

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a redundant power supply, configuration data specifying a priority and a power requirement for each of a plurality
of ports within a plurality of network switches, wherein the redundant power supply is connected to the network switches by
one or more control busses and one or more reserve power busses, each of the network switches having a respective power supply
separate from the redundant power supply;

receiving, by the redundant power supply, via the one or more control busses, a request from one of the network switches for
reserve power from the redundant power supply in response to power from the respective power supply for the network switch
failing in the network switch;

in response to the request, determining, by the redundant power supply, based on the priorities and power requirements of
the ports within the network switches, an amount of reserve power to grant to the network switch requesting the reserve power;
and

outputting the amount of reserve power via at least one of the one or more reserve power busses from the redundant power supply
to the network switch requesting the reserve power.

US Pat. No. 9,571,388

SEPARATION OF CONTROL PLANE FUNCTIONS USING VIRTUAL MACHINES IN NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
initializing a first virtual machine in a control unit of a network device that operates as a logically separate routing engine
assigned to one or more packet forwarding components of the network device to form a logical device, the first virtual machine
including a first kernel with a first guest operating system, and a first set of control processes for the logical device;

initializing a second virtual machine in the control unit of the network device that operates as a routing engine for the
network device, the second virtual machine including a second kernel with a second guest operating system, and a second set
of control processes for the network device that map assignments of the packet forwarding components to the first virtual
machine;

initializing a third virtual machine in the control unit of the network device that operates as a chassis manager, the third
virtual machine including a third kernel with a third guest operating system, and a chassis management process for the network
device and the logical device;

executing, by the first virtual machine, a first routing control process to control routing functionality for the logical
device and a first chassis shell process to facilitate management of the packet forwarding components for the logical device
via the chassis management process in the third virtual machine; and

executing, by the second virtual machine, a second routing control process to control routing functionality for the network
device and a second chassis shell process to facilitate management of the packet forwarding components for the network device
via the chassis management process in the third virtual machine.

US Pat. No. 9,568,893

FIRE PREVENTION IN A NETWORK DEVICE WITH REDUNDANT POWER SUPPLIES

Juniper Networks, Inc., ...

1. A device comprising:
a first power supply to generate power for the device,
the first power supply including:
a first temperature sensor to measure a temperature of the first power supply, and
a first communication component to transmit the measured temperature of the first power supply;
a second power supply to generate power for the device,
the second power supply including:
a second temperature sensor to measure a temperature of the second power supply, and
a second communication component to transmit the measured temperature of the second power supply,
power signals from the first power supply and the second power supply being cross-connected with one another, in the device,
to redundantly power the first temperature sensor, the first communication component, the second temperature sensor, and the
second communication component;

at least one fan, located within the device and external to the first power supply and the second power supply; and
a fan control component to:
receive the measured temperature of the first power supply and the measured temperature of the second power supply as measured
temperatures,

determine, based on the measured temperatures, whether one of the measured temperatures includes a temperature value indicating
that the first power supply or the second power supply is likely to be experiencing a fire, and

shut off operation of the at least one fan when one of the measured temperatures includes the temperature value indicating
that the first power supply or the second power supply is likely to be experiencing a fire.

US Pat. No. 9,531,644

METHODS AND APPARATUS FOR A DISTRIBUTED FIBRE CHANNEL CONTROL PLANE

Juniper Networks, Inc., ...

1. A system, comprising:
a plurality of network control entities associated with a distributed multi-stage switch, each network control entity from
the plurality of network control entities configured to manage at least one edge device having a plurality of ports and coupled
to the distributed multi-stage switch, the at least one edge device not included in the distributed multi-stage switch,

each network control entity from the plurality of network control entities being associated with a unique set of identifiers,
a first network control entity from the plurality of network control entities and instantiated on a first edge device of the
distributed multi-stage switch including a Fabric Login (FLOGI) server implemented by a processor associated with the first
network control entity, and configured to request a unique identifier from the unique set of identifiers from a Distributed
FLOGI Server Coordinator (DFSC) of a management module instantiated on a second edge device of the distributed multi-stage
switch and implemented by a processor associated with the management module, the FLOGI server configured to assign a unique
identifier from the set of identifiers associated with the first network control entity to a port from the plurality of ports
of at least one edge device managed by the first network control entity in response to receiving, at the FLOGI server, a login
request associated with the port, the FLOGI server configured to send the unique identifier to the port, the first network
control entity configured to forward data from the login request from the at least one edge device to at least one other network
control entity from the plurality of network control entities,

each network control entity from the plurality of network control entities includes an instance of a Fibre Channel Registered
State Change Notification (RSCN) module, the RSCN module configured to obtain, from a sub zone server of that network control
entity, zone membership information of a node port of the at least one edge device, the RSCN module configured to modify a
list of detected ports stored at the RSCN module based on the zone membership information of the node port.

US Pat. No. 9,495,428

FILTERING OUTPUT FROM OPERATIONAL COMMANDS EXECUTED ON A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, at an interface of a network device, input from a client device using a communicative connection, wherein the input
comprises an operational command and a selection request, and wherein the selection request specifies a field identifier;

processing the operational command with the network device to generate data that conforms to an enumerated schema, wherein
the enumerated schema defines a class of elements that conform to a data description language, and wherein the enumerated
schema assigns a unique element number to each element of the defined class of elements;

filtering the data to form filtered data, wherein the filtering includes mapping the field identifier specified by the selection
request to a unique element number of the enumerated schema;

rendering the filtered data to form a filtered textual output comprising one or more fields, wherein each field is associated
with a unique element number of the enumerated schema; and

transmitting, from the interface, the filtered textual output to the client device using the communicative connection.

US Pat. No. 9,438,433

EFFICIENT MULTICAST ACROSS MULTIPLE VIRTUAL LOCAL AREA NETWORK (VLANS)

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an aggregation network node including a processor and a communications interface, the aggregation network node configured
to send, to a core network node, a request to associate with a native multicast group a first client device (1) coupled to
the aggregation network node via a first access network node and (2) associated with a first Virtual Local Area Network (VLAN),

the aggregation network node configured to send, to the core network node, a request to associate with the native multicast
group a second client device (1) coupled to the aggregation network node via a second access network node and (2) associated
with a second VLAN,

the aggregation network node configured to receive a first instance of a multicast data unit associated with the native multicast
group from the core network node,

the aggregation network node configured to define, based on the first instance of the multicast data unit, a second instance
of the multicast data unit and a third instance of the multicast data unit,

the aggregation network node configured to send the second instance of the multicast data unit to the first access network
node based on the first client device being associated with the first VLAN that is a member of a multicast network segment
group,

the aggregation network node configured to send the third instance of the multicast data unit to the second access network
node based on the second client device being associated with the second VLAN that is a member of the multicast network segment
group.

US Pat. No. 9,413,615

TRAP FILTERING WITHIN A DEVICE MANAGEMENT PROTOCOL

Juniper Networks, Inc., ...

1. A method comprising:
receiving a set of configuration information, with a simple network management protocol agent executing on a network device,
wherein the set of configuration information specifies one or more trap conditions and one or more filter criteria, and wherein
each of the one or more filter criteria specifies a variable identifier, a variable value associated with the variable identifier,
and an operator, wherein the operator corresponds to one of a mathematical operator, a logical operator, and a regular expression
operator;

detecting, with the simple network management protocol agent, that at least one of the one or more trap conditions is met;
responsive to detecting the at least one of the one or more trap conditions, generating, with the simple network management
protocol agent, a message based on the at least one trap condition that is met, wherein the message includes a set of variable
identifiers and associated variable values from a management information base (MIB) storing configuration information for
the network device;

determining, with the simple network management protocol agent, whether at least one of the variable identifiers and associated
value pairs included in the message meet at least one of the one or more filter criteria by at least comparing the variable
value associated with the variable identifier of a respective filter criteria to the variable value associated with the variable
identifier of the message that corresponds to the variable identifier of the respective filter criteria in a manner consistent
with the operator; and

selectively sending, by the network device, the message to a device management system based on the determination.

US Pat. No. 9,383,901

METHODS AND APPARATUS FOR NAVAGATING DATA CENTER USING ADVANCED VISUALIZATION

Juniper Networks, Inc., ...

1. A method, comprising
storing a plurality of data point values, each data point value from the plurality of data point values associated with a
compute device from a plurality of compute devices that are included in a data center;

receiving a selection indicative of a region of the data center;
mapping, via a mapping module implemented by at least a processor, the region of the data center, to position data stored
in a database record associated with a portion of compute devices from the plurality of compute devices; and

sending a signal to display a topological map that includes a plurality of indicators and a set of tiles in an inset window,
a number of the set of tiles corresponding to a number of indicators within the plurality of indicators, each indicator from
the plurality of indicators associated with a compute device from the portion of the plurality of compute devices, and a characteristic
of an indicator from the plurality of indicators, the characteristic being based on a data point value of a respective compute
device from the plurality of data point values, the signal including instructions to display the topological map such that
each tile in the plurality of tiles changes in size to collectively fit within the inset window.

US Pat. No. 9,386,422

MULTIPATH-AWARE WIRELESS DEVICE LOCATION IDENTIFIER SYSTEMS, DEVICES AND METHODS

Juniper Networks, Inc., ...

1. A method, comprising:
receiving from a device a frequency-domain data associated with signals received at the device from a wireless device during
a time period;

determining a plurality of frequency-domain magnitudes associated with the frequency-domain data for the time period to define
a spectral magnitude signature associated with the frequency-domain data, each frequency-domain magnitude from the plurality
of frequency-domain magnitudes being uniquely associated with a frequency bin from a plurality of mutually-exclusive frequency
bins associated with the frequency domain data;

identifying a spectral response deviation associated with the spectral magnitude signature; and
sending a location identifier associated with a location of the wireless device based on the spectral response deviation.

US Pat. No. 9,258,433

USAGE MONITORING CONTROL FOR MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
establishing, by a mobile gateway positioned within a mobile access network, a session by which a mobile device accesses a
service provided by the mobile access network;

determining, by a processor of the mobile gateway, that the mobile gateway has received an incomplete indication to activate
usage monitoring of the service using the session based on a message indicating activation of the usage monitoring without
having received a previous message triggering reporting for the usage monitoring or the message triggering reporting for the
usage monitoring; and

in response to determining that the mobile gateway has received the incomplete indication to activate the usage monitoring
of the service using the session, configuring, by the processor, at least a portion of the usage monitoring by the mobile
gateway without activating the usage monitoring.

US Pat. No. 9,197,578

HIGH-AVAILABILITY REMOTE-AUTHENTICATION DIAL-IN USER SERVICE

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first device and from a second device, a request associated with a third device;
determining, by the first device, one or more restrictions associated with the third device based on the request,
the one or more restrictions including information identifying a period of time for a particular privilege;
determining, by the first device, to grant the request based on the information identifying the period of time for the particular
privilege;

assigning, by the first device, a network address to the third device based on determining to grant the request;
causing, by the first device, a fourth device to update information identifying a time when a session is established with
the third device based on the network address;

requesting, by the first device, a group of network addresses from the fourth device; and
receiving, by the first device and as the group of network addresses, unassigned addresses stored by the fourth device.

US Pat. No. 9,191,366

SCALABLE SECURITY SERVICES FOR MULTICAST IN A ROUTER HAVING INTEGRATED ZONE-BASED FIREWALL

Juniper Networks, Inc., ...

1. A network device comprising:
one or more hardware-based processors;
a plurality of interfaces configured to send and receive multicast packets;
a firewall integrated within the network device, wherein the network device is configured with one or more zones to be recognized
by the firewall when applying stateful firewall services to the multicast packets;

a user interface that supports a syntax that allows a user to define a single multicast policy to be applied to multicast
sessions associated with a multicast group, wherein the multicast policy specifies one or more stateful firewall services
to be applied by the firewall to the multicast packets destined for one or more specified zones of the one or more zones;
and

a services component executing on the one or more hardware-based processors of the network device, wherein the services component
is configured to determine, based on the single multicast policy and interfaces associated with the specified zones, one or
more of the stateful firewall services to be applied by the firewall prior to replication of the multicast packets and one
or more of the stateful firewall services to be applied by the firewall after replication of the multicast packets,

wherein the firewall is configured to apply the stateful firewall services to the multicast packets as determined by the services
component.

US Pat. No. 9,166,901

DETERMINING LIVENESS OF PROTOCOLS AND INTERFACES

Juniper Networks, Inc., ...

1. For use with a node of a communication network, a method comprising:
a) accepting, using the node, status information indicating a state of each of at least two different kinds of routing protocols;
b) composing, using the node, an aggregated message including at least two indicators, each indicator identifying a different
one of the at least two different kinds of routing protocols and the corresponding status information indicating a state of
each of the at least two different kinds of routing protocols as data within the aggregated message;

c) sending, using the node, the aggregated message towards a neighbor node;
d) maintaining, using the node, a first timer tracking a send time interval, wherein the acts of composing the aggregated
message and sending the aggregated message are performed after each recurring expiration of the first timer; and

e) restarting, using the node, the first timer after the aggregated message is sent, wherein the aggregated message further
includes a single dead time interval associated with all of the at least two different kinds of routing protocols, wherein
the send time interval is less than the single dead time interval, and wherein the single dead time interval defines a time
interval after which, if no further aggregated message is received, all of the at least two different kinds of routing protocols
are declared as down.

US Pat. No. 9,118,687

METHODS AND APPARATUS FOR A SCALABLE NETWORK WITH EFFICIENT LINK UTILIZATION

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a core network node configured to be operatively coupled to a plurality of network nodes,
the core network node configured to receive, from a network node from the plurality of network nodes, a signal (1) originating
as a broadcast request signal from a host device operatively coupled to the network node, and (2) tunneled to the core network
node from the network node in response to a determination that the signal is associated with the broadcast request signal
such that the remaining network nodes from the plurality of network nodes do not receive the broadcast request signal, the
tunnel including at least one intervening network node from the plurality of network nodes between the core network node and
the network node and excluding the remaining network nodes from the plurality of network nodes,

the core network node configured to retrieve control information associated with the broadcast request signal without sending
a broadcast signal, the core network node configured to send a unicast signal including the control information via the tunnel
to the network node.

US Pat. No. 9,104,871

MALWARE DETECTION SYSTEM AND METHOD FOR MOBILE PLATFORMS

Juniper Networks, Inc., ...

1. A method of detecting malware, comprising:
selecting, by a mobile device, a first set of hash values hashed from prefixes of a set of malware signatures, each of the
prefixes having a first-portion-size, wherein the malware signatures have lengths greater than the first-portion-size;

hashing, by the mobile device, a plurality of strings of a target application to create a plurality of second hash values,
each of the strings having the first-portion-size, the target application comprising a downloaded application having a size
greater than the first-portion-size;

comparing, by the mobile device, the plurality of second hash values to the first hash values to determine if there is a match;
determining, by the mobile device, that the target application is malware-free when there is no match between the plurality
of second hash values and the first hash values; and

when there is a match between one of the first set of hash values and one of the second set of hash values:
determining the malware signature of the set of malware signatures from which the one of the first set of hash values was
hashed that matched the one of the second set of hash values;

comparing a hash of the entire determined malware signature to hashes of one or more strings of the target application, each
of the strings having lengths equal to the length of the determined malware signature; and

determining that the target application is malware-infected when there is a match between the hash of the entire determined
malware signature and at least one of the strings of the target application having the lengths equal to the length of the
determined malware signature.

US Pat. No. 9,055,694

THERMAL INTERFACE MEMBERS FOR REMOVABLE ELECTRONIC DEVICES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a thermal interface member configured to be coupled to a first surface of a printed circuit board such that a portion of the
thermal interface member is in contact with a thermally-conductive portion of the first surface when the thermal interface
member is coupled to the first surface, the portion of the thermal interface member being deformable and thermally-conductive,
the thermal interface member having a first layer and a second layer, the first layer being tear-resistant and thermally-conductive,
the second layer disposed between the first layer and the first surface of the printed circuit board when the thermal interface
member is coupled to the first surface, the second layer including a first region and a second region mutually-exclusive from
the first region, the first region including a first material that is deformable and thermally-conductive, the second region
including a second material that is an adhesive.

US Pat. No. 9,055,000

DISTRIBUTED NETWORK SUBNET

Juniper Networks, Inc., ...

1. A method comprising: establishing, within a first network device, a first virtual integrated routing and bridging (VIRB)
interface that comprises a first routing interface for a first layer two (L2) bridge domain that provides L2 connectivity
for a first network local to the first network device, wherein the first routing interface is associated with a network subnet
for the first network; establishing, within a second network device, a second VIRB interface that comprises a second routing
interface for a second L2 bridge domain that provides L2 connectivity for a second network local to the second network device,
wherein the second routing interface is associated with a network subnet for the second network, wherein the first network
is not local to the second network device and the second network is not local to the first network device, wherein the network
subnet for the first network and the network subnet for the second network comprise a distributed network subnet in which
the network subnet for the first network and the network subnet for the second network comprise a common network subnet, and
wherein the first VIRB interface and the second VIRB interface have a common gateway MAC address that identifies routable
L2 traffic received by the first VIRB interface from the first L2 bridge domain or received by the second VIRB interface from
the second L2 bridge domain; receiving first L2 traffic with the first network device from the first L2 bridge domain and
forwarding L3 traffic encapsulated by the first L2 traffic by the first routing interface when the first L2 traffic is destined
for the common gateway MAC address; and receiving second L2 traffic with the second network device from the second L2 bridge
domain and forwarding L3 traffic encapsulated by the second L2 traffic by the second routing interface when the second L2
traffic is destined for the common gateway MAC address.

US Pat. No. 10,567,288

AUTOMATIC DISCOVERY, SCALING, AND LOAD BALANCING OF MULTIPLE CLOUD DATA CENTERS IN A SOFTWARE-DEFINED NETWORK ENVIRONMENT

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a global load balancing (GLB) device of a first cloud data center of a plurality of cloud data centers that provide one or more virtual service instances, and from a software-defined networking (SDN) controller for a service provider network, address information for a first set of virtual service instances provided by the first cloud data center of the plurality of cloud data centers;
receiving, by the GLB device and from the SDN controller, a hostname of a domain for which to perform load balancing across the plurality of cloud data centers;
requesting, by the GLB device and from a domain name server (DNS) for the domain, address information for other sets of virtual service instances provided by other cloud data centers of the plurality of cloud data centers; and
applying, by the GLB device, a load balancing algorithm to network traffic for the one or more of the virtual service instances provided by the plurality of cloud data centers.

US Pat. No. 10,558,469

USING PUBLIC KEY INFRASTRUCTURE FOR AUTOMATIC DEVICE CONFIGURATION

Juniper Networks, Inc., ...

1. A device, comprising:
a memory; and
one or more processors to:
receive a certificate signing request associated with a customer requesting automatic device configuration;
generate, based on receiving the certificate signing request, a customer certificate;
provide the customer certificate to a customer device;
receive, from the customer device, order information for an order for an auto-configuration device to be configured using the automatic device configuration;
generate, based on receiving the order information, a digital voucher to be used for validation during the automatic device configuration,
the digital voucher being associated with the auto-configuration device; and
provide the digital voucher to the customer device.

US Pat. No. 10,291,584

DYNAMIC PRIORITIZATION OF NETWORK TRAFFIC BASED ON REPUTATION

Juniper Networks, Inc., ...

1. A network device, comprising:
a memory; and
one or more processors to:
receive network traffic associated with a flow;
determine a plurality of reputation indicators that indicate a measure of reputation associated with the flow,
a first reputation indicator, of the plurality of reputation indicators, being determined based on applying a first reputation analysis technique in association with the flow,
a second reputation indicator, of the plurality of reputation indicators, being determined based on a different device performing a second reputation analysis technique in association with the flow,
the different device being different from the network device, and
the second reputation analysis technique being different from the first reputation analysis technique;
determine a reputation score for the flow based on the plurality of reputation indicators; and
prioritize the flow based on the reputation score,
the one or more processors, when prioritizing the flow, being to:
allocate bandwidth to the flow based on the reputation score, or
cause the bandwidth to be allocated to the flow based on the reputation score.

US Pat. No. 10,291,464

SEPARATION OF CONTROL PLANE FUNCTIONS USING VIRTUAL MACHINES IN NETWORK DEVICE

Juniper Networks, Inc., ...

1. A method comprising:
initializing a first virtual machine in a control unit of a network device that operates as a logically separate routing engine assigned to at least one of a plurality of packet forwarding components of the network device to form a logical device, the first virtual machine including a first kernel with a first guest operating system;
initializing a second virtual machine in the control unit of the network device that operates as a routing engine for the network device and maps the at least one of the plurality of packet forwarding components to the first virtual machine, the second virtual machine including a second kernel with a second guest operating system;
executing, by the first virtual machine, a first routing control process to control routing functionality for the logical device, and a first chassis management process to manage the at least one of the plurality of packet forwarding components assigned to the first virtual machine;
executing, by the second virtual machine, a second routing control process to control routing functionality for the network device, and a second chassis management process to manage other of the plurality of packet forwarding components of the network device; and
upon detecting a failure of the first virtual machine, performing a failover of the first virtual machine without disrupting performance of the second routing control process and the second chassis management process of the second virtual machine.

US Pat. No. 10,193,811

FLOW DISTRIBUTION USING TELEMETRY AND MACHINE LEARNING TECHNIQUES

Juniper Networks, Inc., ...

1. A network device, comprising:
one or more memories; and
one or more processors to:
receive information that permits the network device to identify a set of expected bandwidth values associated with a first set of flows,
the information that permits the network device to identify the set of expected bandwidth values having been generated using a machine learning technique on telemetry information, associated with a second set of flows, from a set of network devices;
receive network traffic associated with a flow of the first set of flows;
identify an expected bandwidth value, of the set of expected bandwidth values, associated with the flow using the information that permits the network device to identify the set of expected bandwidth values;
identify a set of bandwidth values of a set of links;
compare the expected bandwidth value and the set of bandwidth values;
select a link, of the set of links, to use when providing the network traffic associated with the flow based on comparing the expected bandwidth value and the set of bandwidth values of the set of links; and
provide the network traffic on the link.

US Pat. No. 10,187,290

METHOD, SYSTEM, AND APPARATUS FOR PREVENTING TROMBONING IN INTER-SUBNET TRAFFIC WITHIN DATA CENTER ARCHITECTURES

Juniper Networks, Inc., ...

9. A system comprising:
a detection module, stored in memory at a leaf node of a data center, that detects a route advertisement that advertises a route to a spine node of another data center that interfaces with the data center;
an identification module, stored in memory at the leaf node of the data center, that identifies an Internet Protocol (IP) identifier of the spine node of the other data center included in the route advertisement;
a determination module, stored in memory at the leaf node of the data center, that determines that the route corresponds to the spine node of the other data center based at least in part on the IP identifier identified in the route advertisement;
a routing module, stored in memory at the leaf node of the data center, that rejects the route to the spine node of the other data center at the leaf node of the data center such that the leaf node does not learn the route to the spine node of the other data center;
wherein the identification module:
identifies a packet to be forwarded to another leaf node of the data center; and
identifies a route to a spine node of the data center;
wherein the routing module ensures that the leaf node does not forward the packet to the other leaf node via the route to the spine node of the other data center;
further comprising a forwarding module, stored in memory at the leaf node of the data center, that forwards the packet to the other leaf node via the route to the spine node of the data center; and
at least one physical processor configured to execute the detection module, the identification module, the determination module, the routing module, and the forwarding module.

US Pat. No. 10,148,506

NETWORK CONFIGURATION SERVICE DISCOVERY

Juniper Networks, Inc., ...

1. A method comprising:
fetching, by a network management system and from a first network device, configuration data associated with a service executing on the first network device;
in response to determining that the service extends across multiple network devices, constructing, by the network management system and based on the configuration data, a first partial service instance associated with the service executing on the first network device;
merging, by the network management system, a plurality of partial service instances to form a merged partial service instance, the plurality of partial service instances including the first partial service instance and a second partial service instance associated with the service executing on a different network device; and
promoting the merged partial service instance as a service instance.

US Pat. No. 10,148,566

SPLIT-HORIZON PACKET FORWARDING IN A MULTI-HOME PBB-EVPN NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first provider edge (PE) device and from a second PE device that implement a provider backbone bridging Ethernet Virtual Private Network (PBB-EVPN), a packet via a core-facing interface of the first PE device, wherein the first and second PE devices are coupled to a multi-homed customer edge (CE) device by an Ethernet segment, and wherein the first PE device has been elected a designated forwarder for forwarding packets from the PBB-EVPN to the CE device over the Ethernet segment;
determining, by the first PE device, that the received packet was previously received on a local interface associated with the Ethernet segment of the second PE device and forwarded into the PBB-EVPN by the second PE device;
in response to determining that the received packet was previously received on the local interface associated with the Ethernet segment of the second PE device and forwarded into the PBB-EVPN by the second PE device, assigning a local interface of the first PE router associated with the Ethernet segment as an ingress interface that received the packet instead of the core-facing interface of the first PE device on which the packet was actually received from the PBB-EVPN; and
applying split-horizon forwarding, based on the assigned ingress interface, to process the received packet without forwarding the received packet out the local interface to the Ethernet segment coupling the first PE device to the CE device.

US Pat. No. 10,142,239

SYNCHRONIZING MULTICAST STATE BETWEEN MULTI-HOMED ROUTERS IN AN ETHERNET VIRTUAL PRIVATE NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first provider edge (PE) router of a plurality of PE routers included in an Ethernet segment of an Ethernet Virtual Private Network (EVPN) and from a second PE router of the plurality of PE routers, a withdrawal of a Border Gateway Protocol (BGP) join synch route used to synchronize a join request for a multicast group across the Ethernet segment, wherein a customer edge (CE) router is multi-homed to the plurality of the PE routers over the Ethernet segment;
in response to receiving the withdrawal of the BGP join synch route, determining, by the first PE router, whether the withdrawal of the BGP join synch route is due to a multicast state timeout event at the second PE router or a disruption event at the second PE router;
upon determining that the withdrawal of the BGP join synch route is due to the disruption event at the second PE router, retaining, by the first PE router, a multicast state for the multicast group associated with the BGP join synch route, and forwarding, by the first PE router, multicast traffic of the multicast group toward at least one receiver connected to the CE router; and
upon determining that the withdrawal of the BGP join synch route is due to the multicast state timeout event at the second PE router, deleting, by the first PE router, the multicast state for the multicast group associated with the BGP join synch route, and stopping, by the first PE router, forwarding of the multicast traffic of the multicast group.

US Pat. No. 10,110,496

PROVIDING POLICY INFORMATION ON AN EXISTING COMMUNICATION CHANNEL

Juniper Networks, Inc., ...

1. A device, comprising:
a memory; and
one or more processors to:
receive a message for routing to a destination on a communication channel,
the device being a first network device, and
the communication channel having been established between a source of the message and the destination;
determine first policy information related to at least one of the message, the destination, or the source of the message,
the first policy information describing a first action for a second network device to perform, and
the first policy information being determined based on one or more of:
a blacklist that lists one or more of sources or destinations that are to be blocked or banned,
a whitelist that lists one or more of sources or destinations that are deemed acceptable, or
a graylist that lists one or more of sources or destinations that are subject to a particular rule;
associate a first policy token with the message based on the first policy information,
the first policy token including information identifying a different device that stores the first policy information for the second network device; and
provide the message with the first policy token to the second network device on the communication channel to cause the second network device to request the first policy information from the different device based on the first policy token,
second policy information being determined by the second network device after the second network device receives the message with the first policy token,
the first policy token being removed by the second network device after the second network device receives the message with the first policy token,
a second policy token being associated with the message based on the second policy information,
the message being provided with the second policy token by the second network device to a third network device,
a second action being performed by the third network device based on the second policy information after the third network device receives the message with the second policy token, and
the second action including one of:
dropping the message,
monitoring the source of the message,
quarantining the source of the message, or
redirecting traffic to or from the source of the message.
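The claim above describes a three-hop hand-off: the first device classifies the message against its lists and attaches a token that only names where the policy is stored; the second device fetches the policy by token, discards that token, derives its own policy and attaches a fresh token; the third device acts on the second policy. The following is an added example, not code from the patent or from Juniper: the lists, addresses, token layout, the in-memory policy store and the escalation heuristic in the second device are all constructed for illustration. Whitelisted traffic is passed through with no further action.

```python
"""Policy-token hand-off across three in-path devices (constructed example)."""
import ipaddress
import itertools
from dataclasses import dataclass, field
from typing import Optional

# Constructed lists. Blacklist/whitelist hold networks; the graylist maps a
# network to the particular rule that applies to it.
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
GRAYLIST = {ipaddress.ip_network("192.0.2.0/24"): "monitor"}

# The "different device" that stores policy for downstream hops, modelled as
# one dict keyed by token id. Tokens carry only the id and store name, never
# the policy itself.
POLICY_STORE: dict = {}
_ids = itertools.count(1)


@dataclass
class Message:
    src: str
    dst: str
    payload: bytes
    token: Optional[dict] = None            # {"id": ..., "store": ...}
    trail: list = field(default_factory=list)


def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def first_policy(msg: Message) -> dict:
    """Device 1: the action device 2 should take, derived from the lists."""
    if _in_any(msg.src, BLACKLIST) or _in_any(msg.dst, BLACKLIST):
        return {"list": "blacklist", "action": "drop"}
    if _in_any(msg.src, WHITELIST):
        return {"list": "whitelist", "action": "forward"}
    for net, rule in GRAYLIST.items():
        if ipaddress.ip_address(msg.src) in net:
            return {"list": "graylist", "action": rule}
    return {"list": None, "action": "forward"}


def _issue_token(hop: str, policy: dict) -> dict:
    token_id = f"{hop}-{next(_ids)}"
    POLICY_STORE[token_id] = policy
    return {"id": token_id, "store": "policy-store-1"}


def first_device(msg: Message) -> Message:
    """Attach a first token that points at the stored first policy."""
    msg.token = _issue_token("t1", first_policy(msg))
    msg.trail.append("dev1")
    return msg


def second_device(msg: Message) -> Message:
    """Resolve the first token, derive a second policy, swap tokens."""
    first = POLICY_STORE.pop(msg.token["id"])   # request policy; token is now spent
    msg.token = None                              # first token removed here
    action = first["action"]
    # Constructed escalation: a graylisted source sending a PE-looking payload
    # is quarantined rather than merely monitored.
    if first["list"] == "graylist" and msg.payload.startswith(b"MZ"):
        action = "quarantine"
    msg.token = _issue_token("t2", {"action": action, "derived_from": first["list"]})
    msg.trail.append("dev2")
    return msg


def third_device(msg: Message) -> str:
    """Perform the second action (drop, monitor, quarantine, redirect, or pass)."""
    second = POLICY_STORE.pop(msg.token["id"])
    msg.trail.append("dev3")
    return second["action"]


def run_chain(src: str, dst: str, payload: bytes = b"") -> tuple:
    """Push one message through all three devices; returns (action, hop trail)."""
    msg = Message(src, dst, payload)
    action = third_device(second_device(first_device(msg)))
    return action, msg.trail
```

Because each hop pops its entry from the store, a token that is replayed or forwarded twice resolves to nothing, and the store is empty once the message has cleared the third device.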

US Pat. No. 10,085,253

METHODS AND APPARATUS FOR CONTROLLING WIRELESS ACCESS POINTS

Juniper Networks, Inc., ...

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
send, from a wireless access point using a Transport Control Protocol (TCP) and at a first time, a first Control And Provisioning of Wireless Access Points (CAPWAP) control packet to a CAPWAP controller via a CAPWAP tunnel, the CAPWAP control packet includes a Dynamic Host Configuration Protocol (DHCP) request;
activate a TCP timer based on sending the first CAPWAP control packet;
send, using TCP, a second CAPWAP control packet to the CAPWAP controller after the first time and before a second time;
receive, using TCP and at the second time, a response to the first CAPWAP control packet;
suspend the TCP timer in response to receiving the response to the first CAPWAP control packet such that the TCP timer provides an indication of a duration of time between the first time and the second time; and
set a retransmission time between the wireless access point and the CAPWAP controller via the CAPWAP tunnel based on the duration of time between the first time and the second time.

US Pat. No. 10,050,702

REAL-TIME RAMAN GAIN MONITORING

Juniper Networks, Inc., ...

1. An optical node comprising:
a Raman amplifier configured to amplify an optical signal having a second wavelength;
a photodiode; and
a processor configured to:
determine an amount of current generated by the photodiode that receives, from a previous optical node, an optical signal having a first wavelength;
receive information based on a correction factor, the correction factor is indicative of an amount of optical power loss that the Raman amplifier causes in the optical signal having the first wavelength that is transmitted by the previous optical node;
determine the Raman amplifier gain for optical signals having the second wavelength based on the determined amount of current generated by the photodiode and the received information; and
set the Raman amplifier gain of the Raman amplifier for the Raman amplifier to amplify the optical signal having the second wavelength.

US Pat. No. 10,038,591

APPARATUS, SYSTEM, AND METHOD FOR SECURE REMOTE CONFIGURATION OF NETWORK DEVICES

Juniper Networks, Inc., ...

1. An apparatus comprising:
an encryption device that:
includes physical circuitry;
includes an endorsement key that is burned into the encryption device during a manufacturing process such that the endorsement key is unable to be changed after the manufacturing process; and
signs, with the endorsement key, information exchanged between network devices to ensure the integrity of the information; and
a network device communicatively coupled to the encryption device, wherein the network device:
obtains geo-location information that identifies a current location of the network device;
directs the encryption device to sign, with the endorsement key, the geo-location information that identifies the current location of the network device to ensure the integrity of the geo-location information;
provides the signed geo-location information to a remote management system that manages the configuration of the network device by:
verifying the authenticity of the signed geo-location information;
selecting, based at least in part on the current location of the network device identified in the signed geo-location information, a configuration profile that:
modifies the configuration of the network device to account for the current location of the network device; and
includes operating parameters that allow the network device to prioritize certain types of network traffic over other types of network traffic; and
pushing the configuration profile to the network device;
receives the configuration profile from the remote management system in response to providing the signed geo-location information to the remote management system; and
modifies the configuration of the network device based at least in part on the configuration profile to account for the current location of the network device and enable the network device to prioritize the certain types of network traffic over the other types of network traffic.
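The claim ties a configuration decision to a location report whose integrity is guaranteed by a key the device cannot change. The example below is added here and is not the patent's or Juniper's code: it stands in for the endorsement-key signature with a per-device HMAC-SHA256 key shared with the management system (a real device would use an asymmetric key whose public half is registered at manufacture), and it adds two things the claim does not mention but a practitioner would insist on, binding the device identity into the signed body and a server-issued nonce so a captured report cannot be replayed later or attributed to another device. Device id, key, coordinates, regions and profiles are all constructed.

```python
"""Location-attested configuration selection (constructed example)."""
import hashlib
import hmac
import json
import secrets

# Management-side registry: per-device key as provisioned at manufacture
# (constructed value; stands in for the registered endorsement key).
DEVICE_KEYS = {"mx-0001": bytes(range(32))}


def _canon(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EncryptionDevice:
    """Stand-in for the crypto element: holds the key, exposes only sign()."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


class NetworkDevice:
    def __init__(self, device_id: str, ek: EncryptionDevice):
        self.device_id = device_id
        self.ek = ek
        self.config = {"qos": "default"}

    def locate(self) -> dict:
        # Constructed GNSS fix; a real device would read its receiver.
        return {"lat": 37.41, "lon": -122.02}

    def attest_location(self, nonce: str) -> dict:
        # Device id, location and the server's nonce all sit under one signature.
        body = {"device_id": self.device_id, "nonce": nonce, "loc": self.locate()}
        return {"body": body, "sig": self.ek.sign(_canon(body)).hex()}

    def apply(self, profile: dict) -> None:
        self.config.update(profile)


# Constructed profiles; each carries the traffic-priority parameters for a region.
PROFILES = {
    "us-west": {"qos": "prioritize-voice", "region": "us-west"},
    "eu": {"qos": "prioritize-video", "region": "eu"},
}


def region_for(loc: dict) -> str:
    """Coarse constructed bounding boxes; a real system would use a geo database."""
    if -125 <= loc["lon"] <= -114 and 32 <= loc["lat"] <= 49:
        return "us-west"
    if -10 <= loc["lon"] <= 30 and 35 <= loc["lat"] <= 70:
        return "eu"
    return "default"


class ManagementSystem:
    def __init__(self):
        self._nonces = set()

    def challenge(self) -> str:
        n = secrets.token_hex(16)
        self._nonces.add(n)
        return n

    def verify(self, report: dict) -> bool:
        body = report["body"]
        key = DEVICE_KEYS.get(body.get("device_id"))
        if key is None or body.get("nonce") not in self._nonces:
            return False
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["sig"]):
            return False
        self._nonces.discard(body["nonce"])  # one use only
        return True

    def select_profile(self, report: dict):
        """None when the report fails verification; otherwise the profile to push."""
        if not self.verify(report):
            return None
        return PROFILES.get(region_for(report["body"]["loc"]), {"qos": "default"})


def provision(dev: NetworkDevice, mgmt: ManagementSystem) -> dict:
    """One round trip: challenge, signed report, profile selection, apply."""
    report = dev.attest_location(mgmt.challenge())
    profile = mgmt.select_profile(report)
    if profile is not None:
        dev.apply(profile)
    return dev.config
```

The checks worth noting are in verify(): an unknown device id, a nonce the server never issued or has already consumed, or any byte of the body altered after signing, each yields no profile at all rather than a default one.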

US Pat. No. 10,033,805

SPANNING TREE APPROACH FOR GLOBAL LOAD BALANCING

Juniper Networks, Inc., ...

1. A load balancing device, comprising:
one or more processors to:
receive first information associated with a plurality of local data centers included in a local region with the load balancing device;
designate a local authoritative data center, of the plurality of local data centers, based on the first information,
the local authoritative data center being designated based upon one or more factors including at least one of:
information relating to a local data center with a lowest network address of network addresses associated with the plurality of local data centers,
information relating to a local data center with a highest network address of the network addresses of the plurality of local data centers,
information relating to a local data center with a minimum number of servers, or
information relating to a local data center with a closest geographical proximity to a remote data center,
the load balancing device being included in the local authoritative data center and being authoritative, and
the load balancing device communicating with one or more local load balancing devices within the local region;
receive second information associated with a plurality of remote data centers included in a plurality of remote regions separate from the local region,
each remote region, of the plurality of remote regions, having an authoritative data center and an authoritative load balancing device;
generate, based on one or more geographic proximities between the local region and the plurality of remote regions, a spanning tree based on the first information and the second information,
the spanning tree indicating a manner in which the load balancing device and a plurality of other authoritative load balancing devices of the plurality of remote regions are to communicate to exchange third information associated with the plurality of local data centers and the plurality of remote data centers; and
exchange the third information with one or more remote load balancing devices, included in one or more remote data centers of the plurality of remote data centers, based on the spanning tree.

US Pat. No. 9,954,694

TRAFFIC BLACK HOLING AVOIDANCE AND FAST CONVERGENCE FOR ACTIVE-ACTIVE PBB-EVPN REDUNDANCY

Juniper Networks, Inc., ...

1. A method comprising:
configuring a first provider edge (PE) router of a Provider Backbone Bridging (PBB) Ethernet Virtual Private Network (EVPN) to join an Ethernet Segment in active-active mode with at least a second PE router that is operating as a designated forwarder for the Ethernet Segment;
receiving, by the first PE router from a remote PE router and prior to the first PE router performing Media Access Control (MAC) learning of a customer-MAC (C-MAC) address that is reachable via a backbone-MAC (B-MAC) address associated with the Ethernet Segment, a network packet that includes the C-MAC address; and
in response to determining that the C-MAC address has not been learned by the first PE router and that the B-MAC address included in the network packet is associated with the Ethernet Segment, forwarding, by the first PE router, the network packet to a destination identified by the C-MAC address.

US Pat. No. 9,935,869

INSTALLING ACTIVE FLOWS IN A FORWARDING TABLE

Juniper Networks, Inc., ...

1. A device, comprising:
one or more memories; and
one or more processors to:
determine that a route is inactive,
information identifying the route being stored on the one or more memories in a forwarding plane portion of a forwarding table and a control plane portion of the forwarding table,
the route being associated with directing network traffic toward an endpoint network device;
remove the information identifying the route from the forwarding plane portion of the forwarding table without removing the information identifying the route from the control plane portion of the forwarding table based on determining that the route is inactive; and
route network traffic based on the forwarding table after removing the information identifying the route from the forwarding plane portion of the forwarding table without removing the information identifying the route from the control plane portion of the forwarding table.

US Pat. No. 9,917,774

CONTENT CACHING IN METRO ACCESS NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
establishing an Ethernet Virtual Private Network (EVPN) within a metro transport network positioned between at least one Internet
service provider network and a set of subscriber devices, wherein the metro transport network provides layer two (L2) packet
switching for transporting network packets between the Internet service provider network and the subscriber devices, wherein
the Internet service provider network authenticates the subscriber devices and allocates the subscriber devices respective
Internet Protocol (IP) network addresses from an IP network address prefix assigned to the Internet service provider network,
and wherein the EVPN is established within the metro transport network by at least one access router that is connected to
the subscriber devices by one or more access links and by at least one caching router that is coupled to a local content cache
of the metro transport network;

receiving, by the caching router of the EVPN and from the access router, an EVPN route advertisement that advertises network
address reachability information of the subscriber devices on behalf of the Internet service provider network, wherein the
EVPN route advertisement indicates that the subscriber devices are reachable through the access router;

outputting a routing protocol route advertisement that advertises the network address reachability information of the local
content cache of the metro transport network to a router of the Internet service provider network; and

responsive to content requests redirected from the Internet service provider network and based on the EVPN route advertisement
from the access router, forwarding, with the caching router of the metro transport network and by the EVPN, content from the
local content cache to the access routers for delivery to one or more of the subscribers.

US Pat. No. 9,894,037

MEDIA ACCESS CONTROL ADDRESS TRANSLATION IN VIRTUALIZED ENVIRONMENTS

Juniper Networks, Inc., ...

1. A method for transmitting network packets through a network security device, the method comprising:
receiving, by a first network device, a network packet from a first computing device to be sent over a network to a second
computing device connected to a second network device, wherein the network includes the network security device and a network
switch, and wherein the network packet includes a first interface identifier that identifies the first computing device as
a source of the network packet and a second interface identifier that identifies the second computing device as a destination
of the network packet;

translating, by the first network device, the second interface identifier of the network packet to a third interface identifier
that identifies an interface connected to the network switch, wherein the network switch is located downstream from the network
security device; and

transmitting the network packet from the first network device over the network through the network security device and through
the network switch to the interface based on the third interface identifier.

US Pat. No. 9,867,317

HEAT SINK WITH MOUNTED POWER SUPPLY

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a heat sink directly mounted to a printed circuit board or a component of the printed circuit board using a conductive fastener;
and

a power supply, mounted to the heat sink, to:
receive input power via the conductive fastener, and
supply output power to one or more components of the printed circuit board.

US Pat. No. 9,848,016

IDENTIFYING MALICIOUS DEVICES WITHIN A COMPUTER NETWORK

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a security device, from a device, network traffic directed to one or more computing devices protected by the
security device;

determining, based on content of the network traffic, a first set of data points for the device, the first set of data points
specifying characteristics of a software application executing at the device;

sending, by the security device, a response to the device to ascertain a second set of data points for the device, the second
set of data points including characteristics of an operating environment provided by and local to the device;

receiving, by the security device and from the device, at least a portion of the second set of data points;
determining whether the received portion of the second set of data points and the first set of data points include inconsistent
information; and

responsive to determining that the received portion of the second set of data points and the first set of data points include
inconsistent information, managing additional network traffic directed to the one or more computing devices protected by the
security device and received from the device.

US Pat. No. 9,705,769

SERVICE LATENCY MONITORING USING TWO WAY ACTIVE MEASUREMENT PROTOCOL

Juniper Networks, Inc., ...

7. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
establish, with a client device, a communication session for monitoring latency of a service;
provide, to the client device and via the communication session, a monitored service list,
the monitored service list identifying one or more services for which latency monitoring is supported;
receive, from the client device, a request for a latency monitoring session,
the request for the latency monitoring session identifying the service to be monitored;
establish, with the client device, the latency monitoring session;
receive, from the client device, a packet,
the packet being encapsulated in a two way active measurement protocol (TWAMP) header,
the TWAMP header indicating that the packet is associated with the latency monitoring session;
generate, based on the TWAMP header, a packet identifier,
the packet identifier identifying the packet;
remove, from the packet, the TWAMP header;
attach, to the packet, the packet identifier;
associate, with the packet, a first time stamp,
the first time stamp representing a provision time of the packet;
provide, at the provision time and to a particular device associated with performing the service, the packet;
cause the service to be performed by the particular device;
receive, at a receipt time, the packet, from the particular device after the particular device has performed the service,
the packet being identified based on the packet identifier;
associate, with the packet, a second time stamp,
the second time stamp representing the receipt time of the packet;
determine the latency of the service based on the first time stamp and the second time stamp; and
provide, to the client device, the packet and information identifying the latency of the service.

US Pat. No. 9,705,827

METHODS AND APPARATUS FOR VIRTUAL CHANNEL FLOW CONTROL ASSOCIATED WITH A SWITCH FABRIC

Juniper Networks, Inc., ...

1. A system, comprising:
a module associated with a first stage of a switch fabric; and
a module associated with a second stage of the switch fabric, the module associated with the first stage being directly coupled
to the module associated with the second stage via a single physical hop having a plurality of virtual channels,

the module associated with the first stage being configured to assign a virtual channel identifier associated with a virtual
channel from the plurality of virtual channels with a data packet using a hash function, the module associated with the first
stage configured to send the data packet through the virtual channel based on the virtual channel identifier, the module associated
with the second stage configured to store the data packet in a queue associated with the virtual channel based on the virtual
channel identifier, the first stage having a plurality of output queues, each output queue from the plurality of output queues
being associated with a virtual channel from the plurality of virtual channels, the module associated with the first stage
being configured to assign the virtual channel identifier based on an available capacity of each associated output queue from
the plurality of output queues,

the module associated with the second stage configured to send a flow control signal to the module associated with the first
stage when an available capacity of the queue is less than a predetermined threshold, the module associated with the first
stage configured to suspend sending data packets via the virtual channel in response to the flow control signal.

US Pat. No. 9,660,860

PATH COMPUTATION DELAY TIMER IN MULTI-PROTOCOL LABEL SWITCHED NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with an ingress network device that acts as an ingress for a label switched path (LSP) traversing at least a portion
of a network, a message indicating an error along the LSP;

delaying an operation, with the ingress network device, performed to configure a replacement LSP to be used in place of the
LSP in order to provide time during which a cause of the error along the LSP is able to be determined;

determining that the cause of the error is a failure of a network device supporting operation of the LSP based on link state
advertisements (LSAs) received from multiple network devices adjacent to the failed network device in accordance with an interior
gateway protocol (IGP), each of the LSAs indicating a link error between a respective one of the network devices adjacent
to the failed network device and the failed network device; and

when the cause of the error is determined to be the failure of the network device supporting operation of the LSP, performing
the operation to configure the replacement LSP with the ingress network device such that the replacement LSP avoids the failed
network device.

US Pat. No. 9,608,939

METHODS AND APPARATUS TO REDUCE FORWARDING STATE ON AN FCOE-TO-FC GATEWAY USING PORT-SPECIFIC MAC ADDRESSES

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an inbound Ethernet port at a gateway; and
an initialization module implemented in at least one of a processor or a memory at the gateway and operatively coupled to
the inbound Ethernet port, the initialization module configured to receive a Fibre Channel over Ethernet Initialization Protocol
(FIP) login request from a network device on the inbound Ethernet port of the gateway,

the initialization module configured to select a Fibre Channel port of the gateway from a plurality of Fibre Channel ports
of the gateway based at least in part on a load-balancing calculation, each Fibre Channel port of the plurality of Fibre Channel
ports of the gateway not being a virtual port,

the initialization module configured to define a destination Media Access Control (MAC) address, the initialization module
configured to define a mapping between a virtual Fibre Channel N port of the network device and the Fibre Channel port of
the gateway such that the gateway is configured to define a switching policy for the inbound Ethernet port of the gateway
and the Fibre Channel port of the gateway, the initialization module configured to associate the destination MAC address with
the Fibre Channel port of the gateway such that the gateway is configured to send out a data frame including the destination
MAC address via the Fibre Channel port of the gateway based on the association between the destination MAC address and the
Fibre Channel port of the gateway and based on the switching policy for the inbound Ethernet port of the gateway and the Fibre
Channel port of the gateway,

the initialization module configured to send, to the network device, a signal including the destination MAC address in response
to the FIP login request.

US Pat. No. 9,590,820

METHODS AND APPARATUS FOR IMPROVING LOAD BALANCING IN OVERLAY NETWORKS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first network device, the first network device including a processor and a memory operatively coupled to the processor,
the memory configured to host a virtual switch,

the virtual switch configured to receive a data packet from a first virtual resource from a first plurality of virtual resources
hosted at the first network device to be sent to a second virtual resource from a second plurality of virtual resources hosted
at a second network device, the virtual switch configured to encapsulate the data packet to define an encapsulated data packet
using a tunnel header having (1) a first portion associated with the first network device and the second network device, and
(2) a second portion including an identifier, the identifier uniquely associated with traffic sent between the first virtual
resource and the second virtual resource, such that an Internet Protocol (IP) network selects, based at least in part on the
second portion of the tunnel header, a path from a plurality of paths to send the encapsulated data packet from the first
network device to the second network device, balancing traffic load between the first network device and the second network
device, the plurality of paths connecting the first network device and the second network device, the second portion of the
tunnel header including a transport protocol portion,

the virtual switch configured to define a value associated with the identifier included in the second portion of the tunnel
header, the value being an output of a hash function using at least one of an Internet Protocol (IP) address associated with
the first virtual resource or an IP address associated with the second virtual resource as an input of the hash function.

US Pat. No. 9,590,844

INTRA-AREA LDP NODE PROTECTION

Juniper Networks, Inc., ...

1. A method comprising:
by a network device, identifying, based on network topology information obtained by an interior gateway protocol (IGP) executed
by the network device, a potential next next hop merge point network device at least two hops from the network device that
is (i) in an IGP area in which the PLR network device is positioned and (ii) along a path that avoids a given protected node
within the IGP area;

by the network device, automatically establishing a bypass label switched path (LSP) to the potential next next hop merge
point network device, wherein the bypass LSP follows a path that avoids the protected node;

by the network device, automatically establishing a targeted label distribution protocol (LDP) session to the potential next
next hop merge point network device;

by the network device, obtaining a label mapping from the potential next next hop merge point network device using the targeted
LDP session; and

by the network device, programming forwarding information to include a backup path to the potential next next hop merge point
network device with a label stack having an inner label from the obtained label mapping for the potential next next hop merge
point network device and an outer label for the bypass LSP to the potential next next hop merge point network device.

US Pat. No. 9,590,894

ESTABLISHING LABEL SWITCHED PATHS HAVING REFRESH INTERVAL INDEPENDENT FAST REROUTE FACILITY PROTECTION

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with a first network device and from a second network device, a first resource reservation path message for establishing
a label switched path between the second network device and a third network device by way of the first network device such
that the first network device is positioned between the second network device and the third network device along the label
switched path, wherein the first resource reservation path message specifies whether local protection is desired for the label
switched path;

sending, by the first network device, the first resource reservation path message to a next hop network device toward the
third network device along the label switched path; and

responsive to determining that the first resource reservation path message specifies that local protection is desired and
responsive to receiving a resource reservation resv message from the next hop network device:

establishing, by the first network device, a bypass label switched path between the first network device and a merge point
network device along the label switched path, wherein the bypass label switched path bypasses a protected network resource
positioned along the label switched path between the first network device and the merge point network device;

generating, by the first network device, a second resource reservation path message that specifies that local protection has
been established for the label switched path at the first network device; and

sending, by the first network device and to the next hop network device along the label switched path, the second resource
reservation path message.

US Pat. No. 9,577,879

METHODS AND APPARATUS FOR DYNAMIC AUTOMATED CONFIGURATION WITHIN A CONTROL PLANE OF A SWITCH FABRIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a network interface;
a memory configured to store an access list; and
a processor operatively coupled to the network interface and the memory,
the processor configured to determine that the apparatus is a root network management module in a data center switch fabric
control plane based on a plurality of parameters of the apparatus and a plurality of parameters of a network management module
in the data center switch fabric control plane,

the processor configured to authenticate a first network device based on a first private key received via the network interface
from the first network device,

the processor configured to associate, after authenticating the first network device, a portion of the first network device
with a first virtual network segment within the data center switch fabric control plane in response to authenticating the
first network device,

the processor configured to authenticate a second network device based on a second private key received via the network interface
from the second network device, and

the processor configured to associate, after authenticating the second network device, a portion of the second network device
with a second virtual network segment within the data center switch fabric control plane in response to authenticating the
second network device.

US Pat. No. 9,563,774

APPARATUS AND METHOD FOR SECURELY LOGGING BOOT-TAMPERING ACTIONS

Juniper Networks, Inc., ...

1. An apparatus comprising:
a storage device; and
a tamper-logging component that:
includes a secure counter whose counter value represents the number of times that actions associated with booting untrusted
images from the storage device have occurred;

detects an action that is associated with booting untrusted images from the storage device, wherein the action comprises booting
an untrusted image from the storage device;

in response to detecting the action:
securely logs the action by incrementing the counter value of the secure counter;
creates and stores a change certificate that uniquely identifies both the untrusted image and the secure counter's present
value; and

detects a request from a user for the counter value of the secure counter;
in response to detecting the request, provides the counter value of the secure counter to the user to enable the user to verify
that an action associated with booting untrusted images from the storage device has occurred; and

refrains from incrementing the secure counter during subsequent boots of the untrusted image identified in the change certificate.

US Pat. No. 9,565,586

USAGE MONITORING CONTROL FOR MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
establishing, by a service control gateway positioned between an access gateway for a mobile access network and a packet data
network, a session by which a mobile device accesses a service provided by the packet data network;

determining, by a processor of the service control gateway, that the service control gateway has received an incomplete indication
to activate usage monitoring of the service using the session based on a message indicating activation of the usage monitoring
without having received a previous message triggering reporting for the usage monitoring or the message triggering reporting
for the usage monitoring; and

in response to determining that the service control gateway has received the incomplete indication to activate the usage monitoring
of the service using the session, configuring, by the processor, at least a portion of the usage monitoring by the service
control gateway without activating the usage monitoring.

US Pat. No. 9,491,107

NON-STOP ROUTING WITH INTERNAL SESSION MIRRORING AND ADAPTIVE APPLICATION-LEVEL RATE LIMITING

Juniper Networks, Inc., ...

1. A method comprising:
by a primary routing engine of a network device, replicating data output by an application-layer routing process of the primary
routing engine for transmission to a routing peer network device via a routing communication session between the network device
and the routing peer network device;

sending the replicated data to a secondary routing engine of the network device;
by the secondary routing engine, in response to detecting that a socket buffer of the secondary routing engine for buffering
the replicated data has reached a predefined high occupancy threshold, outputting a notification to the primary routing engine
indicating that the socket buffer has reached the predefined high occupancy threshold;

by the primary routing engine and in response to receiving the notification, signaling the application-layer routing process
to notify the application-layer routing process that the socket buffer of the secondary routing engine has reached the predefined
high occupancy threshold; and

by the application-layer routing process of the primary routing engine and in response to receiving the signal, entering a
life-support mode in which the application-layer routing process refrains from sending at least some of a plurality of routing
updates to the routing peer network device via the routing communication session, and continues to send keepalive messages
for the routing communication session to the routing peer network device.

US Pat. No. 9,479,397

METHODS AND APPARATUS FOR AUTOMATIC CONFIGURATION OF VIRTUAL LOCAL AREA NETWORK ON A SWITCH DEVICE

Juniper Networks, Inc., ...

1. A method, comprising:
receiving at a switch an input from a user to actuate an automatic time mode configuration to start a first pre-set time period,
the switch including a plurality of ports including a first port and a second port;

after receiving the input to actuate the automatic time mode configuration, receiving during the first pre-set time period
an indication that a first cable has been received at the first port from the plurality of ports of the switch;

automatically assigning a first virtual local area network (VLAN) to a first compute device coupled to the first cable based
on the first cable being received during the first pre-set time period;

after automatically assigning the first VLAN, receiving an input from the user to actuate the automatic time mode configuration
to start a second pre-set time period, the second pre-set time period being different than the first pre-set time period;

receiving during the second pre-set time period an indication that a second cable has been received at the second port from
the plurality of ports of the switch; and

automatically assigning a second compute device coupled to the second cable to a second VLAN different than the first VLAN
based on the second cable being received during the second pre-set time period.

US Pat. No. 9,479,436

IN-LINE PACKET PROCESSING

Juniper Networks Inc., S...

1. A method comprising:
determining, by a device, information regarding a destination of a data packet,
the data packet including a plurality of headers,
each header, of the plurality of headers, corresponding to one of a plurality of network protocol layers;
retrieving, by the device, the data packet from a memory associated with the device;
retrieving, by the device, a common template associated with a common portion of a header of the plurality of headers;
retrieving, by the device, a custom template associated with a unique portion of the header;
constructing, by the device, header data associated with a network protocol layer, of the plurality of network protocol layers,
based on the information regarding the destination of the data packet and based on retrieving the common template and the
custom template,

the header data including the common portion and the unique portion, and
the header data being constructed while the data packet is being retrieved from the memory; and
transmitting, by the device and toward the destination, the data packet with the header data.

US Pat. No. 9,413,645

METHODS AND APPARATUS FOR ACCESSING ROUTE INFORMATION IN A DISTRIBUTED SWITCH

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a network management module implemented in at least one of a memory or a processing device, the network management module
configured to be associated with a plurality of network control entities at a plurality of network devices, the network management
module configured to be operatively coupled to each network control entity from the plurality of network control entities,

the network management module configured to send a signal to a first network control entity from the plurality of network
control entities and at a first network device from the plurality of network devices such that a proxy module at the first
network device accesses, during a first time period, data plane information from a line card controlled by the first network
control entity and physically located at the first network device,

the network management module configured to send a signal to a second network control entity from the plurality of network
control entities and at a second network device from the plurality of network devices such that a proxy module at the second
network device accesses, during a second time period at least partially overlapping the first time period, data plane information
from a line card controlled by the second network control entity and physically located at the second network device,

the network management module configured to receive the data plane information from the line card controlled by the first
network control entity in response to the proxy module at the first network device accessing the data plane information at
the line card controlled by the first network control entity,

the network management module configured to receive the data plane information from the line card controlled by the second
network control entity in response to the proxy module at the second network device accessing the data plane information at
the line card controlled by the second network control entity,

the network management module configured to send a signal to output on an interface (1) the data plane information from the
line card controlled by the first network control entity, and (2) the data plane information from the line card controlled
by the second network control entity.

US Pat. No. 9,397,931

FAST CONVERGENCE IN SINGLY-HOMED ETHERNET VIRTUAL PRIVATE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
determining, by a first provider edge network device to which a customer edge network device is singly-homed in a layer two
segment of an Ethernet Virtual Private Network (EVPN), a segment identifier of the layer two segment;

sending, by the first provider edge network device and using a layer three (L3) routing protocol, a route advertisement to
advertise a route for the segment identifier to a second provider edge network device included in the EVPN;

sending, by the first provider edge network device and to the second provider edge network device using the layer three L3
routing protocol, a route advertisement to advertise one or more media access control (MAC) routes for the layer two segment,
wherein each of the MAC routes specifies at least one MAC address reachable through the customer edge network that is singly-homed
to the first provider edge network device;

responsive to determining a link failure between the first provider edge network device and the customer edge network device:
flushing, by the first provider edge network device, one or more MAC routes associated with the segment identifier that were
previously learned by the first provider edge network device;

sending, by the first provider edge network device and using the L3 routing protocol, a withdrawal message to the second provider
edge network device for the route associated with the segment identifier to withdraw all of the plurality of MAC routes at
the second provider edge network device, wherein the segment identifier corresponds to the one or more MAC routes maintained
by the second provider edge network device that were previously learned by the first provider edge router; and

learning, by the first provider edge network device and after flushing the one or more MAC routes, a new MAC route associated
with the segment identifier.

US Pat. No. 9,374,270

MULTICAST SERVICE IN VIRTUAL NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
creating, with a virtual network controller of a virtual network, a multicast tree for endpoint servers of a multicast group
in the virtual network, wherein the virtual network includes respective virtual switches executing on the endpoint servers
to provide an emulated layer 2 network for virtual machines executing on the endpoint servers;

storing the multicast tree in a memory within the virtual network controller; and
communicating, with the virtual network controller, the multicast tree to one or more of the endpoint servers of the multicast
group in order to instruct the virtual switches executing on the endpoint servers to replicate and forward layer 2 multicast
packets according to the multicast tree, the layer 2 multicast packets destined for one or more of the virtual machines executing
on the endpoint servers.

US Pat. No. 9,258,267

HIGHLY SCALABLE DATA CENTER ARCHITECTURE WITH ADDRESS RESOLUTION PROTOCOL (ARP)-FREE SERVERS

Juniper Networks, Inc., ...

1. A method comprising:
associating a first network loopback Internet protocol (IP) address with a first logical communication channel;
associating a second network loopback IP address with a second logical communication channel;
replicating a particular packet to obtain a first packet and a second packet;
adding, by a device and to the first packet, a first identifier associated with the first logical communication channel,
the first identifier including a virtual local area network (VLAN) tag associated with the first logical communication channel;
adding, by the device and to the second packet, a second identifier associated with the second logical communication channel,
the second logical communication channel being different from the first logical communication channel;
providing, by the device, the first packet via the first logical communication channel based on the first identifier included
in the first packet; and

providing, by the device, the second packet via the second logical communication channel based on the second identifier included
in the second packet,

the first packet and the second packet being provided by the device without using or maintaining an Address Resolution Protocol
(ARP) table.

US Pat. No. 9,253,025

REQUESTING HIGH AVAILABILITY FOR NETWORK CONNECTIONS THROUGH CONTROL MESSAGES

Juniper Networks, Inc., ...

1. A method comprising:
receiving, in a message according to a protocol for reserving a public network address and port to be used for a network connection
associated with a client device, an indication that the network connection is to be checkpointed for high availability;

receiving one or more packets of a packet flow associated with the public network address and the port for the network connection;
and

based on the indication, checkpointing, by a primary service device, data of at least one of the received packets to a backup
service device for the primary service device.

US Pat. No. 9,253,084

NEIGHBOR-LABEL DISTRIBUTION WITH LABEL DISTRIBUTION PROTOCOL

Juniper Networks, Inc., ...

1. A method comprising:
allocating, with a router, neighbor-labels to be used by the router to label switch traffic destined for respective ones of
a plurality of neighbor routers directly connected to the router;

distributing, with the router to one or more Label Distribution Protocol (LDP) peer routers of the router, LDP neighbor-label
mapping messages indicating mappings between the allocated neighbor-labels and the neighbor routers, wherein each of the LDP
peer routers has one of a direct LDP session with the router or a targeted LDP session with the router;

receiving, with the router from one of the LDP peer routers, traffic encapsulated with one of the neighbor-labels; and
forwarding the traffic to one of the neighbor routers based on the one of the neighbor-labels.

US Pat. No. 9,202,783

SELECTIVE ANTIPAD BACKDRILLING FOR PRINTED CIRCUIT BOARDS

Juniper Networks, Inc., ...

1. A printed circuit board (PCB) comprising:
a plurality of pads to connect a component to the PCB;
a plurality of vertically disposed vias connected to at least some of the plurality of pads;
a plurality of horizontally disposed signal layers that create a stair step pattern in the PCB and are electrically connected
by the plurality of vertically disposed vias,

the plurality of horizontally disposed signal layers being to route signals from the component, received from the plurality
of vertically disposed vias, to an edge of the component,

the plurality of horizontally disposed signal layers including:
first signal layers,
second signal layers, and
third signal layers,
the first signal layers being higher than the second signal layers,
the second signal layers being higher than the third signal layers,
the signals including:
first signals that are associated with an inner row of the component,
second signals that are associated with a middle row of the component, and
third signals that are associated with an outer row of the component,
the inner row being closer to an inner portion of the component than the outer row,
the first signals being routed to the edge of the component on the first signal layers that are higher than the second signal
layers,

the second signals being routed to the edge of the component on the second signal layers that are higher than the third signal
layers, and

the third signals being routed to the edge of the component on the third signal layers;
a plurality of antipads formed in the plurality of horizontally disposed signal layers and around the plurality of vertically
disposed vias,

the plurality of antipads including:
first antipads that are formed around a location in the plurality of vertically disposed vias that is below where the signals
are routed to the edge of the component, and

second antipads that are formed in the signal layers above where the signals are routed to the edge of the component, and
the first antipads being larger than the second antipads;
a first area formed by first backdrilling from a bottom of the PCB up to the first signal layers and through a first via of
the plurality of vertically disposed vias;

a second area formed by second backdrilling from the bottom of the PCB up to the second signal layers and through a second
via of the plurality of vertically disposed vias; and

a third area formed by third backdrilling from the bottom of the PCB up to the third signal layers and through a third via
of the plurality of vertically disposed vias,

the first area, the second area, and the third area being in the stair step pattern,
the first backdrilling, the second backdrilling, and the third backdrilling forming via stubs in the PCB,
lengths of the via stubs decreasing in a direction from the inner row of the component to the outer row of the component,
and

the via stubs including:
first two via stubs that are formed during the first backdrilling,
second two via stubs that are formed during the second backdrilling,
the second two via stubs being closer to the edge of the component than the first two via stubs, and
the second two via stubs being shorter than the first two via stubs,
and
third two via stubs that are formed during the third backdrilling,
the third two via stubs being closer to the edge of the component than the second two via stubs and the first two via stubs,
and

the third two via stubs being shorter than the second two via stubs and the first two via stubs.

US Pat. No. 9,183,188

DYNAMIC TOOLBAR FOR MARKUP LANGUAGE DOCUMENT

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a device, a document that includes a plurality of sections,
two or more sections, of the plurality of sections, including an executable code;
determining, by the device, whether a size of each of the two or more sections of the document exceeds a threshold,
determining whether the size of each of the two or more sections exceeds the threshold including:
determining whether a height of a section, of the two or more sections, exceeds a threshold height or a width of the section
exceeds a threshold width; and

providing, by the device and using the executable code, a toolbar for one or more first sections, of the two or more sections,
having sizes that exceed the threshold,

providing the toolbar includes providing the toolbar for the section when the height of the section exceeds the threshold
height or when the width of the section exceeds the threshold width,

the toolbar being not provided for a second section, of the two or more sections, having a size that does not exceed the threshold.

US Pat. No. 10,567,181

BIT INDEX EXPLICIT REPLICATION (BIER) PENULTIMATE HOP POPPING

Juniper Networks, Inc., ...

1. A network device, comprising:
one or more memories; and
one or more processors to:
receive, from a first neighbor network device, information indicating that the network device is to remove a bit indexed explicit replication (BIER) header from a multicast packet prior to transmitting the multicast packet to the first neighbor network device;
receive, after receiving the information from the first neighbor network device, the multicast packet from a second neighbor network device,
wherein the multicast packet includes the BIER header and is to be transmitted to the first neighbor network device, and
wherein the network device, the first neighbor network device, and the second neighbor network device are included in a same BIER domain;
remove the BIER header from the multicast packet based on the information indicating that the network device is to remove the BIER header from the multicast packet prior to transmitting the multicast packet to the first neighbor network device; and
transmit the multicast packet to the first neighbor network device, after removing the BIER header from the multicast packet, by using at least one of a multiprotocol label switching (MPLS) label associated with the first neighbor network device or an address associated with the first neighbor network device,
wherein the multicast packet includes the at least one of the MPLS label or the address.

US Pat. No. 10,567,279

EGRESS NODE PROTECTION FOR BROADCAST, UNKNOWN UNICAST, OR MULTICAST TRAFFIC IN EVPN TOPOLOGIES

Juniper Networks, Inc., ...

1. A first device, comprising:
one or more memories; and
one or more processors to:
establish a peering session with a second device;
determine a failure associated with the second device,
the second device being a designated forwarder for an Ethernet segment associated with an Ethernet virtual private network instance;
receive network traffic including a first label,
the first label being a multicast label associated with the second device,
the network traffic being broadcast, unknown unicast, or multicast traffic associated with the Ethernet virtual private network instance;
receive information, from the second device, that identifies a second label,
the second label being used to route the network traffic to a customer edge device, via a third device rather than the second device, in an event of the failure associated with the second device;
store the information that identifies the second label based on receiving the information that identifies the second label;
determine the second label based on receiving the information that identifies the second label; and
provide the network traffic, including the second label, to the third device to permit the third device to provide, via the Ethernet segment, the network traffic to the customer edge device based on the information that identifies the second label.

US Pat. No. 10,505,340

INTEGRATED WAVELENGTH LOCKER

Juniper Networks, Inc., ...

1. An integrated photonic circuit (PIC) comprising:
a tunable light source; and
a wavelength locker comprising an asymmetric Mach-Zehnder interferometer (AMZI) with an output coupler having a plurality of output ports and, placed at the plurality of output ports, a plurality of respective photodetectors for measuring respective optical interference signals exiting the plurality of output ports when light is coupled from the light source into the AMZI, wherein the output coupler and the plurality of photodetectors are configured as a coherent receiver in which relative phase shifts imparted between two signals being interfered to form the optical interference signals differ between at least two of the output ports by a value that is not a multiple of 180°.

US Pat. No. 10,474,817

DYNAMICALLY OPTIMIZING PERFORMANCE OF A SECURITY APPLIANCE

Juniper Networks, Inc., ...

8. A method, comprising:
receiving, by a device, a training object associated with updating a threat prediction model,
the training object including information indicating that the training object is not malicious;
identifying, by the device, a set of features associated with the training object;
executing, by the device, a set of security functions on the training object to determine a set of threat scores associated with the set of security functions,
a threat score, of the set of threat scores, corresponding to a security function of the set of security functions;
determining, by the device and based on the set of threat scores and the information indicating that the training object is not malicious, a set of utility values associated with the set of security functions,
a utility value, of the set of utility values, corresponding to a security function of the set of security functions, and
each utility value, of the set of utility values, including information indicating how useful a corresponding security function, of the set of security functions, is in determining whether the training object is malicious;
updating, by the device, the threat prediction model based on the set of features, the set of threat scores, and the set of utility values;
identifying, by the device, a set of features associated with an unknown object; and
performing, by the device, a security function selection procedure including:
determining, by the device, a set of predicted threat scores associated with the unknown object based on providing information associated with the set of features and a current threat score for the unknown object as inputs to the updated threat prediction model,
the current threat score being a default threat score when no security function has yet been executed on the unknown object;
determining a set of predicted utility values associated with the set of security functions based on the set of predicted threat scores,
a predicted utility value, of the set of predicted utility values, identifying a predicted degree of usefulness for a respective predicted threat score, of the set of predicted threat scores, associated with the unknown object and a respective security function;
identifying, by the device and based on the set of predicted utility values, a particular security function, of the set of security functions, for execution on the unknown object;
causing, by the device, the particular security function to be executed on the unknown object;
updating, by the device, the current threat score to generate a revised current threat score based on the particular security function being executed on the unknown object;
determining, by the device, whether to cause another particular security function to be executed on the unknown object based on whether the revised current threat score satisfies a threshold; and
repeating, by the device, the security function selection procedure, using the revised current threat score as an input to the updated threat prediction model, to cause the other particular security function to be executed on the unknown object when the revised current threat score does not satisfy the threshold.

US Pat. No. 10,382,332

ROUTE SIGNALING AND CONVERGENCE IN EVPN OF PORT EXTENDERS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first provider edge (PE) device of a plurality of PE devices and from a second PE device of the plurality of PE devices, an Ethernet Virtual Private Network (EVPN) route including information identifying an extended-port of a port-extender device associated with a port-extender Ethernet segment, wherein the plurality of PE devices is configured with an EVPN instance reachable by the port-extender Ethernet segment connecting the plurality of PE devices to the port-extender device;
storing, by the first PE device, the information identifying the extended-port of the port-extender device associated with the port-extender Ethernet segment;
receiving, by the first PE device and from a second PE device of the plurality of PE devices, a data packet comprising one or more labels identifying the port-extender Ethernet segment and the information identifying the extended-port; and
applying split-horizon, by the first PE device, based on the one or more labels identifying the port-extender Ethernet segment and the information identifying the extended-port, to process the received data packet.

US Pat. No. 10,178,006

LSP PING AND TRACEROUTE FOR BYPASS TUNNELS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a node, an echo request,
the echo request being a datagram,
the echo request including a plurality of headers, and
the plurality of headers including a first multiprotocol label switching (MPLS) header for a bypass and a second MPLS header for a trace;
identifying, by the node and in the plurality of headers, a time to live (TTL) value of the echo request;
determining, by the node, whether the TTL value matches a particular value; and
selectively routing, by the node, the echo request to a resource reservation protocol (RSVP) path designated for the node based on determining whether the TTL value matches the particular value.

US Pat. No. 10,148,550

METHODS AND APPARATUS FOR A SCALABLE NETWORK WITH EFFICIENT LINK UTILIZATION

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a network node configured to be included in a pod of network nodes including a plurality of network nodes operatively coupled to a core network node, each network node in the pod of network nodes being operatively coupled to a redundant set of core network nodes associated with a first set of redundant links, the network node configured to receive a first packet and a second packet from a host device operatively coupled to the network node,
the network node configured to send the first packet to the core network node via a first path of a tunnel between the network node and the core network node when the first packet includes a destination address of a network device outside of the pod, the first path of the tunnel having a cost and being associated with the first set of redundant links, the first path of the tunnel selected based on the destination address of the first packet,
the network node configured to send the second packet to the core network node via a second path of the tunnel when the second packet includes a destination address of a network device outside of the pod of network nodes operatively coupled to the redundant set of core network nodes, the second path having a cost different than the cost of the first path and being associated with a second set of redundant links, the second path of the tunnel selected based on the destination address of the second packet.

US Pat. No. 10,135,841

INTEGRATED SECURITY SYSTEM HAVING THREAT VISUALIZATION AND AUTOMATED SECURITY DEVICE CONTROL

Juniper Networks, Inc., ...

1. A method, comprising:
receiving data on one or more threats;
displaying information on the one or more threats, wherein displaying information includes displaying one or more responses to the one or more threats;
selecting a response from the displayed one or more responses;
automatically generating configuration information for one or more security devices based on the selected response, wherein generating configuration information includes generating a security policy having automatically ordered rules for the one or more security devices and displaying the one or more security devices that will be affected by the security policy; and
deploying the configuration information to the one or more security devices.

US Pat. No. 10,091,103

EFFICIENT SYNCHRONIZATION OF STORED INFORMATION USING A PARALLEL RING NETWORK TOPOLOGY

Juniper Networks, Inc., ...

1. A primary device, comprising:
a memory; and
one or more processors to:
generate or receive a synchronization message associated with synchronizing information stored by multiple devices;
identify a downstream primary device, included in a primary group with the primary device, to which the synchronization message is to be sent,
the primary group forming a ring network topology;
identify a downstream secondary device, included in a secondary group with the primary device, to which the synchronization message is to be sent,
the downstream secondary device being different from the downstream primary device, and
the secondary group forming another ring network topology;
send the synchronization message to the downstream primary device and the downstream secondary device;
receive a secondary completion message that indicates that all secondary devices, included in the secondary group, have received the synchronization message;
receive a first primary completion message from an upstream primary device included in the primary group; and
send a second primary completion message to the downstream primary device after receiving the secondary completion message and after receiving the first primary completion message to conserve bandwidth.

US Pat. No. 10,038,595

OVERLAY TUNNEL AND UNDERLAY PATH CORRELATION

Juniper Networks, Inc., ...

1. A computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
generate an overlay probe packet,
the overlay probe packet including information associated with an overlay tunnel included in an overlay network,
the overlay tunnel including a first tunnel endpoint and a second tunnel endpoint, and
the overlay tunnel corresponding to an underlay path, associated with an underlay network, between the first tunnel endpoint and the second tunnel endpoint;
provide the overlay probe packet via the first tunnel endpoint,
the overlay probe packet being provided to cause the overlay probe packet to be parsed by a network device that lies on the underlay path;
receive a response packet that includes underlay path information,
the response packet being associated with the overlay probe packet and being provided by the network device, and
the underlay path information including information associated with the network device; and
store the underlay path information,
the underlay path information being stored to indicate that the network device lies on the underlay path.

US Pat. No. 10,021,022

PUBLIC NETWORK ADDRESS CONSERVATION

Juniper Networks, Inc., ...

1. A device, comprising:
one or more memories; and
one or more processors, at least partially implemented in hardware, to:
receive a network traffic flow,
the network traffic flow being associated with a private network address and an external network address;
determine whether the external network address is identified in a data structure, the data structure identifying external network addresses and private network addresses of network traffic flows that are assigned a conservation public network address,
the conservation public network address including a particular Internet Protocol (IP) address and a particular network port, and
the conservation public network address being assigned to previously un-encountered IP address and network port combinations;
selectively assign, to the network traffic flow, the conservation public network address, or a second public network address selected from a pool of available public network addresses, based on determining whether the external network address is identified by the data structure,
the conservation public network address being assigned to the network traffic flow when the external network address is not identified by the data structure and previously un-encountered, and
the second public network address being assigned to the network traffic flow when the external network address is identified by the data structure and previously assigned to the conservation public network address;
selectively add, to the data structure, the private network address and the external network address,
the private network address and the external network address being added to the data structure when the conservation public network address is assigned to the network traffic flow, and
the private network address and the external network address not being added to the data structure otherwise; and
provide to the network traffic flow the conservation public network address or the second public network address, based on the external network address.

US Pat. No. 10,021,566

NON-MOBILE AUTHENTICATION FOR MOBILE NETWORK GATEWAY CONNECTIVITY

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by an authentication server from a wireless access gateway of an alternate access network that interfaces to a mobile service provider gateway of a mobile service provider network to provide the alternate access network with access to the mobile service provider network, a network access request originated by a wireless device, wherein the network access request does not include an International Mobile Subscriber Identity (IMSI) for the wireless device, and wherein the network access request comprises at least one of subscriber credentials and a media access control (MAC) address for the wireless device;
querying, by the authentication server in response to receiving the network access request, a subscriber database with the at least one of the subscriber credentials and the MAC address for the wireless device;
assigning, by the authentication server without accessing a Home Location Register (HLR) for the mobile service provider network and in response to determining the subscriber database does not store a virtual IMSI for the wireless device, a virtual IMSI usable by the wireless access gateway for establishing a subscriber session for the wireless device within the mobile service provider network; and
sending, by the authentication server to the wireless access gateway, the virtual IMSI.

US Pat. No. 9,940,160

MANAGED REBOOT OF A NETWORK OPERATING SYSTEM

Juniper Networks, Inc., ...

1. A method, comprising:
receiving, by a device, an indication to perform a managed reboot associated with a network service being provided using a first virtual machine (VM) running on the device;
launching, by the device and based on the receiving of the indication, a second VM on the device,
the second VM, at the launching of the second VM, being prevented from accessing or initializing hardware on the device;
shutting down, by the device and based on the launching of the second VM, the first VM,
forwarding of control plane traffic being stopped when after the shutting down of the first VM, and
data plane traffic being able to be forwarded after the shutting down of the first VM based on a managed reboot mode being enabled and based on network ports associated with the first VM remaining open;
disabling, by the device, the managed reboot mode;
configuring, by the device, the second VM for the forwarding of the control plane traffic based on the shutting down of the first VM and based on the disabling of the managed reboot mode;
configuring, by the device and after the configuring of the second VM for the forwarding of the control plane traffic, the second VM for the forwarding of the data plane traffic; and
providing, by the device and based on the configuring of the second VM for the forwarding of the data plane traffic, the network service using the second VM.

US Pat. No. 9,935,980

ADDING FIREWALL SECURITY POLICY DYNAMICALLY TO SUPPORT GROUP VPN

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a device, a packet;
determining, by the device, that the packet does not match a configured policy of the device;
determining, by the device, that the packet is within a scope of a template policy after determining that the packet does not match the configured policy;
identifying, by the device, a first dynamic policy based on determining that the packet is within the scope of the template policy;
determining, by the device, that the packet does not match the first dynamic policy;
identifying, by the device, a second dynamic policy, provided for a virtual private network (VPN), based on determining that the packet does not match the first dynamic policy;
determining, by the device, that the packet matches the second dynamic policy;
applying, by the device and without rebooting the device, the second dynamic policy to the packet based on determining that the packet matches the second dynamic policy;
receiving, by the device, a different packet;
determining, by the device, that the different packet does not match the second dynamic policy;
determining, by the device, that there are no more dynamic policies available to be searched after determining that the different packet does not match the second dynamic policy; and
applying, by the device, a default policy to the different packet based on determining that there are no more dynamic policies to be searched.

US Pat. No. 9,894,002

DOUBLE EXPERIMENTAL (EXP) QUALITY OF SERVICE (QOS) MARKINGS FOR MPLS PACKETS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a routing device, a Multiprotocol Label Switching (MPLS) packet that includes a first label with a first experimental (EXP) field and a second label with a second EXP field; and
identifying, by the routing device and based on the first EXP field and the second EXP field, a quality of service (QoS) profile for use in selecting a next hop router for the MPLS packet.

US Pat. No. 9,769,197

MALWARE DETECTION USING EXTERNAL MALWARE DETECTION OPERATIONS

Juniper Networks, Inc., ...

1. A system, comprising:
one or more processors; and
a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
determine to perform an external malware detection operation to detect malware executing on a client device;
perform the external malware detection operation,
the external malware detection operation being performed by a particular device, and
the external malware detection operation including a behavior invocation operation to attempt to trigger a particular behavior of an artifact indicative of a malware infection,
the artifact being information stored by the client device, and
the behavior invocation operation including:
monitoring a port of the client device; and
attempting to, based on a result of monitoring the port, establish a connection with another device via the port;
monitor a result of performing the external malware detection operation;
detect that the particular behavior has occurred based on monitoring the result of performing the external malware detection operation;
provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,
the notification causing one or more network devices to block network traffic to or from the client device; and
initiate an action intended to crash the other device or to cause the other device to cease communication with the system.

US Pat. No. 9,762,622

FLOW CONTROL SCHEME FOR PARALLEL FLOWS

Juniper Networks, Inc., ...

1. A method comprising:
establishing, by a first proxy device, a flow to a second proxy device;
determining, by the first proxy device, that a first source port number, of a first source device connected to the first proxy device, is a same value as a second source port number of a second source device connected to the first proxy device;
increasing, by the first proxy device, the first source port number to create a new first source port number after determining that the first source port number is the same value as the second source port number;
monitoring, by the first proxy device, one or more round trip times associated with one or more acknowledgements occurring in the flow;
selecting, by the first proxy device, a bandwidth based on the one or more round trip times;
determining, by the first proxy device, a sending rate for the flow based on the bandwidth;
applying, by the first proxy device, one or more policies based on the sending rate and the new first source port number; and
sending, by the first proxy device, a data unit to the second proxy device via the flow after increasing the first source port number and based on applying the one or more policies.

US Pat. No. 9,705,337

MITIGATING AN EFFECT OF A DOWNSTREAM FAILURE IN AN AUTOMATIC TRANSFER SWITCHING SYSTEM

Juniper Networks, Inc., ...

15. A method, comprising:
detecting, by a control device, a failure condition in a system that includes a load and at least four power sources,
the load including a device to be powered by the system, and
the system including at least a first switch and a second switch,
the first switch operating in a first state or a second state,
the first switch, when in the first state, powering the load using a first electrical current provided by a first power source of the at least four power sources,
the first switch, when in the second state, powering the load using a second electrical current provided by a second power source of the at least four power sources, and
the first switch being in the first state or the second state, and
the second switch causing the load to be powered using a third electrical current or a fourth electrical current,
the third electrical current and the fourth electrical current being provided by a third power source and a fourth power source, respectively, of the at least four power sources;
determining, by the control device, that the failure condition is associated with a failure at the load; and
causing, by the control device, the first switch to maintain the first state or the second state without switching between the first state and the second state based on determining that the failure condition is associated with the failure at the load.

US Pat. No. 9,686,198

ENHANCING DOCSIS SERVICES THROUGH NETWORK FUNCTIONS VIRTUALIZATION

Juniper Networks, Inc., ...

1. A method comprising:
intercepting, by a network device, a transmission of a cable modem boot file from a second network device to a cable modem by snooping on the transmission, wherein the cable modem boot file is for configuring a cable modem in a cable network;
identifying, with the network device, based on the intercepted and snooped transmission of the cable modem boot file from the second network device to the cable modem, information in the cable modem boot file that specifies an association between a specific Data Over Cable System Interface Specification (DOCSIS) service flow for the particular cable modem and a specific Network Function Virtualization (NFV) service chain from among a plurality of NFV service chains, wherein the specific NFV service chain enables a path of the specific DOCSIS service flow through a series of NFV instances in the specific NFV service chain to be dynamically set up through software via a software defined network (SDN) controller;
determining that network traffic received from the cable modem matches the DOCSIS service flow; and
re-directing the network traffic onto one or more tunnels to the NFV service chain.

US Pat. No. 9,686,598

POWER OVER ETHERNET ELECTRICAL TO OPTICAL INTERFACE CONVERTER

Juniper Networks, Inc., ...

1. A device comprising:
a power-over-Ethernet (PoE) circuit,
the PoE circuit to provide power, via a pluggable connection, to an optical transceiver;
an electrical transceiver connected to the PoE circuit,
the electrical transceiver including a transmitter and a receiver,
the transmitter to:
amplify or filter a first signal for the PoE circuit, and
propagate the first signal to the PoE circuit, and
the receiver to propagate a second signal from the PoE circuit; and
a transcoder connected to the transmitter and the receiver of the electrical transceiver,
the receiver to amplify or filter the second signal for processing by the transcoder.

US Pat. No. 9,635,663

METHODS AND APPARATUS FOR CONTROLLING WIRELESS ACCESS POINTS

Juniper Networks, Inc., ...

1. An apparatus, comprising:
an access point controller implemented in at least one of a memory or a processor, the access point controller configured to receive a first control packet from a wireless access point via a first channel having a first priority, the access point controller configured to receive a second control packet from the wireless access point via a second channel having a second priority different than the first priority,
the access point controller configured to send, in response to the first control packet, a third control packet to the wireless access point via the first channel such that the wireless access point receives the third control packet within a period of time after the third control packet is sent,
the access point controller configured to send, in response to the second control packet, a fourth control packet to the wireless access point via the second channel such that the wireless access point receives the fourth control packet within a period of time after the fourth control packet is sent, the period of time after the third control packet is sent being shorter than the period of time after the fourth control packet is sent based on the first channel having the first priority and the second channel having the second priority.

US Pat. No. 9,600,302

USING A PUBLIC KEY INFRASTRUCTURE FOR AUTOMATIC DEVICE CONFIGURATION

Juniper Networks, Inc., ...

1. A device, comprising:
one or more processors at least partially implemented in hardware to:
initiate an automatic device configuration process to automatically configure the device;
receive, based on initiating the automatic device configuration process, a digital voucher, a customer certificate, and configuration information,
the digital voucher including:
a first customer identifier that identifies a customer associated with the device, and
a device identifier that identifies the device,
the customer certificate including:
a second customer identifier that identifies the customer, and
a customer public key associated with the customer, and
the configuration information including information that identifies a configuration for automatically configuring the device;
validate at least one of the digital voucher, the customer certificate, or the configuration information;
validate the first customer identifier based on determining that the first customer identifier matches the second customer identifier; and
configure the device, using the configuration, based on validating the first customer identifier and at least one of the digital voucher, the customer certificate, or the configuration information.

US Pat. No. 9,602,675

USAGE MONITORING CONTROL FOR MOBILE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
transmitting, by a service control gateway positioned between an access gateway for a mobile access network and a packet data network that provides a service, a usage monitoring report indicative of usage by a mobile device of the service provided over a session for which usage monitoring was previously activated;
receiving, by the service control gateway and in response to transmitting the usage monitoring report, an indication to deactivate usage monitoring of the service for the session; and
in response to the indication to deactivate the usage monitoring, removing a monitoring key that was configured as a part of activating the usage monitoring of the service for the session.

US Pat. No. 9,571,566

TERMINATING CONNECTIONS AND SELECTING TARGET SOURCE DEVICES FOR RESOURCE REQUESTS

Juniper Networks, Inc., ...

1. A method performed by a network device, the method comprising:
receiving, at the network device and from a client device, a request for a resource,
the network device being an edge device that is an entry point to a network, and
the resource including a file;
accessing, by the network device, a table that includes one or more items of information,
the one or more items of information in the table being generated based on prior traffic provided to or received by the network device, and
the one or more items of information including:
information identifying one or more applications,
address information associated with one or more client devices,
address information associated with one or more source devices,
information associated with one or more particular client devices, of the one or more client devices, that generate a first number of requests for resources that satisfy a first threshold number of requests, and
information associated with one or more particular target devices that receive a second number of requests for resources that satisfy a second threshold number of requests;
determining, by the network device, that information provided in the request matches at least one of the one or more items of information provided in the table;
terminating, by the network device, a connection for the request based on determining that the information provided in the request matches the at least one of the one or more items of information provided in the table;
providing, by the network device and to the client device, an indication that the connection is terminated based on terminating the connection for the request;
selecting, by the network device and based on terminating the connection for the request, a target device for the resource requested by the request; and
obtaining, by the network device, the resource from the target device via the network.

US Pat. No. 9,571,337

DERIVING CONTROL PLANE CONNECTIVITY DURING PROVISIONING OF A DISTRIBUTED CONTROL PLANE OF A SWITCH

Juniper Networks, Inc., ...

1. A system, comprising:
a compute device configured to send a configuration signal through a network control plane to a first network device such that the first network device is associated with a first portion of a virtual network entity hosted at the first network device and a second portion of the virtual network entity hosted at a second network device, the virtual network entity having a virtual network entity identifier, a plurality of ports of the first network device being provisioned to the first portion of the virtual network entity, a plurality of ports of the second network device being provisioned to the second portion of the virtual network entity, the first network device associated with network control plane connectivity data that defines a relationship between the virtual network entity identifier and the first network device,
the compute device configured to determine the network control plane connectivity data associated with the first network device based on the virtual network entity identifier,
the compute device configured to send a control plane signal to the first network device using a path determined based on the network control plane connectivity data associated with the first network device.

US Pat. No. 9,491,092

APPARATUS, SYSTEM, AND METHOD FOR PREVENTING UNINTENTIONAL FORWARDING RECONFIGURATION IN NETWORK ENVIRONMENTS

Juniper Networks, Inc., ...

1. An apparatus comprising:
a physical link that facilitates communication for a plurality of customer networks connected to a service provider network; and
a network device communicatively coupled to the physical link, wherein the network device:
identifies a plurality of route-update messages that advertise a plurality of route targets representing the plurality of customer networks to at least one other network device within the service provider network, the plurality of route-update messages comprising:
a first route-update message whose configuration includes a threshold number of route targets from the plurality of route targets;
a second route-update message whose configuration includes one or more other route targets from the plurality of route targets;
removes a route target from the configuration of the first route-update message due at least in part to the physical link no longer facilitating communication for a customer network represented by the route target; and
maintains, despite the removal of the route target from the configuration of the first route-update message, the configuration of the second route-update message without moving any of the route targets from the second route-update message to the first route-update message.

US Pat. No. 9,485,149

ROUTING DEVICE HAVING MULTIPLE LOGICAL ROUTERS

Juniper Networks, Inc., ...

1. A device comprising:
one or more programmable processors configured to execute a plurality of software processes, wherein the plurality of software processes operate as logical routers, wherein the logical routers include a first logical router and a second logical router;
a management process having a command line interface to receive commands from a plurality of clients by respective configuration sessions over a network, wherein the command line interface of the management process supports a text-based command syntax that allows each of the plurality of clients to specify a command to designate one of the logical routers for configuration using the respective configuration session; and
a software multiplexer to receive the commands from the management process and to distribute the commands to at least one of the first logical router and the second logical router in accordance with the designation by the clients.

US Pat. No. 9,450,817

SOFTWARE DEFINED NETWORK CONTROLLER

Juniper Networks, Inc., ...

1. A software-defined network (SDN) controller that manages a network of one or more network devices, the SDN controller comprising:
a memory;
one or more processors in communication with the memory;
one or more databases configured to store network topology information and network state information for the network devices;
a plurality of network device protocol interfaces comprising a path computation element protocol (PCEP) adapter and a software-defined networking protocol adapter, wherein each of the network device protocol interfaces is configured to exchange state information with at least one of the network devices, wherein the state information comprises at least one of network topology information and network device state information;
one or more application interfaces configured to receive, from applications, requests for application-specific network configurations;
a plurality of core modules operable by the one or more processors and configured to receive the requests for application-specific network configurations from the one or more application interfaces, and compute respective network configurations to conform the network topology and network device states to satisfy the requests, wherein the plurality of core modules comprises a path computation engine to compute a path for the network topology and a software-defined networking controller core module; and
one or more core applications operable by the one or more processors and configured to receive the respective network configurations from the plurality of core modules, generate network device state information to implement the computed network configurations, and use respective ones of the plurality of network device protocol interfaces to program the network device state information to the network devices to program the network configurations in the network, wherein the one or more core applications comprise a path provisioning module, wherein the path provisioning module controls the PCEP adapter to provide an indication of the path to a head-end network device of the path, and wherein one or more of the core applications uses the software-defined networking protocol adapter to map a data stream to the path.

US Pat. No. 9,450,852

SYSTEMS AND METHODS FOR PREVENTING SPLIT-BRAIN SCENARIOS IN HIGH-AVAILABILITY CLUSTERS

Juniper Networks, Inc., ...

1. A computer-implemented method comprising:
detecting, at an active node of a high-availability cluster, a partitioning event that isolates the active node from a standby node of the high-availability cluster;
after the partitioning event has occurred:
broadcasting, from a health-status server, a cluster-health message to at least the active node, wherein:
the health-status server is separate and distinct from the active node and the standby node;
the cluster-health message comprises at least a health status of the standby node;
the health status of the standby node is based at least in part on whether the health-status server received a node-health message from the standby node after the partitioning event occurred;
reacting, at the active node, to the partitioning event such that the partitioning event does not result in a split-brain scenario within the high-availability cluster by performing, based at least in part on whether the active node received the cluster-health message from the health-status server, at least one of:
yielding, at the active node and in response to not receiving the cluster-health message from the health-status server, at least one computing task assigned to the active node to the standby node;
continuing to perform, at the active node and in response to receiving the cluster-health message from the health-status server, the at least one computing task assigned to the active node.

US Pat. No. 9,425,893

METHODS AND APPARATUS FOR IMPLEMENTING OPTICAL INTEGRATED ROUTING WITH TRAFFIC PROTECTION

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a switch device configured to be operatively coupled to a network having a plurality of links, the switch device configured to receive, from an optical switch device at a first time, a message having a plurality of physical coding sublayer (PCS) lanes, the message including an error notification within a first subset of PCS lanes from the plurality of PCS lanes and not within a second subset of PCS lanes from the plurality of PCS lanes mutually exclusive from the first subset of PCS lanes, the error notification in response to signal degradation of a link from the plurality of links, the switch device configured to send a first signal in response to receiving the message at the first time,
the switch device configured to receive at a second time a message without the error notification, the switch device configured to send a second signal in response to receiving the message at the second time.

US Pat. No. 9,413,777

DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS

Juniper Networks, Inc., ...

1. A system comprising:
a device, including a memory, to:
obtain information relating to one or more network events;
determine, using the information relating to the one or more network events, an evaluation strategy associated with detecting one or more attempted security breaches;
identify, using the evaluation strategy, a plurality of different tests;
generate using the evaluation strategy:
a first value for a first test of the plurality of different tests, and
a second value for a second test of the plurality of different tests;
update, using the first value, a first table that is associated with the first test;
update, using the second value, a second table that is associated with the second test,
the second table being different than the first table;
perform the first test, based on an evaluation of the updated first table, to determine whether a first security breach has been attempted,
when performing the first test, the device is to compare one or more first values, associated with an entry in the updated first table, to first criteria to determine whether the first security breach has been attempted,
the entry in the updated first table being associated with the first value,
the one or more first values including information identifying one or more first ports associated with the device,
each first value, of the one or more first values, being a unique port number and being tagged to expire after a first duration of time,
the first criteria relating to a first quantity of ports, and
the first security breach being attempted when a quantity, of the one or more first ports identified by the one or more first values, exceeds the first quantity of ports; and
perform the second test, based on an evaluation of the updated second table, to determine whether a second security breach has been attempted,
when performing the second test, the device is to compare one or more second values, associated with an entry in the updated second table, to second criteria to determine whether the second security breach has been attempted,
the entry in the updated second table being associated with the second value,
the one or more second values including information identifying one or more second ports associated with the device,
each second value, of the one or more second values, being a unique port number and being tagged to expire after a second duration of time,
the second criteria relating to a second quantity of ports, and
the second security breach being attempted when a quantity, of the one or more second ports identified by the one or more second values, exceeds the second quantity of ports.

US Pat. No. 9,404,615

SYSTEMS AND APPARATUS FOR MOUNTING A WIRELESS ACCESS POINT

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a housing having a mount projection defining a first notch, a second notch and a recessed outer wall at least a portion of
which defines a substantially conical cross-sectional shape having a maximum width and a length between a leading portion
and a line associated with the maximum width; and

a bracket configured to complementarily mate with the mount projection, the bracket
defining a recessed wall having a maximum width and a length between a leading portion of the recessed wall of the bracket
and a line associated with the maximum width of the recessed wall of the bracket, the maximum width of the recessed wall of
the bracket substantially corresponding to the maximum width of the recessed outer wall of the mount projection, the length
of the recessed wall of the bracket substantially corresponding to the length of the recessed wall of the mount projection,

the mount projection configured to be inserted into an opening (1) defined by the recessed wall of the bracket that is extended
substantially continuously between a first end portion and a second end portion of the recessed wall of the bracket, and (2)
being between a first end portion and a second end portion of the recessed wall of the bracket and along the line associated
with the maximum width of the recessed wall of the bracket,

the mount projection configured to be releasably retained within the bracket when a first latch of an actuator is disposed
within the first notch of the mount projection and a second latch of the actuator is disposed within the second notch of the
mount projection,

the mount projection configured to be released from the bracket when the actuator is moved (1) from a first position in which
an end portion of the first latch of the actuator is disposed within the first notch and an end portion of the second latch
of the actuator is disposed within the second notch (2) to a second position in which the end portion of the first latch is
not disposed within the first notch and the end portion of the second latch is not disposed within the second notch,

the mount projection configured to be released from the bracket when the actuator is moved from the first position to the
second position in response to a force being applied directly to a surface of an engagement portion of the actuator in a direction
substantially perpendicular to the surface, the engagement portion configured to move toward the first notch and the second
notch in the direction in response to the force.

US Pat. No. 9,398,043

APPLYING FINE-GRAIN POLICY ACTION TO ENCAPSULATED NETWORK ATTACKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, with an intrusion prevention device, a packet of a packet flow, the packet comprising a packet header and a plurality
of sub-packets encapsulated within a payload of the packet, each of the plurality of sub-packets corresponding to respective
encapsulated network sessions, wherein the intrusion prevention device is positioned between a source of the packet and a
destination for the packet;

analyzing, with the intrusion prevention device, each of the plurality of sub-packets encapsulated within the packet;
identifying, with the intrusion prevention device, one of the encapsulated network sessions as a malicious encapsulated network
session based on the analysis of the plurality of sub-packets;

executing, with the intrusion prevention device, a targeted policy action on the one of the sub-packets corresponding to the
malicious encapsulated network session based on the identification of the encapsulated network session as a malicious encapsulated
network session;

forming, with the intrusion prevention device, a reconstructed packet comprising the packet header and the plurality of sub-packets
excluding at least the sub-packet corresponding to the malicious encapsulated network session; and

forwarding the reconstructed packet with the intrusion prevention device.
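The claim describes per-session policy inside a tunnel: parse every sub-packet, drop only the malicious session, and forward the outer packet rebuilt from the header and the surviving sub-packets. The Python below is an added example and not code from the patent or from Juniper. The encapsulation framing (a magic, total length and flags header followed by session-id/length/data sub-packets) and the byte-pattern "analysis" are constructed stand-ins for whatever tunnel protocol and IPS rule set a real device would use; the point it shows is that the reconstructed packet's outer length field must be recomputed after a sub-packet is removed.

```python
import struct
from typing import List, Tuple

# Constructed tunnel framing (not a real protocol): outer header of magic,
# total length and flags, then sub-packets of session id, data length, data.
HEADER_FMT = "!2sHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes
SUB_FMT = "!HH"
SUB_LEN = struct.calcsize(SUB_FMT)         # 4 bytes
MAGIC = b"TN"

# Constructed toy signatures standing in for the IPS rule set.
SIGNATURES = [b"/cgi-bin/../../etc/passwd", b"cmd.exe /c"]


def build_packet(flags: int, subs: List[Tuple[int, bytes]]) -> bytes:
    payload = b"".join(struct.pack(SUB_FMT, sid, len(data)) + data for sid, data in subs)
    return struct.pack(HEADER_FMT, MAGIC, HEADER_LEN + len(payload), flags) + payload


def parse_packet(pkt: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    magic, total_len, flags = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if magic != MAGIC or total_len != len(pkt):
        raise ValueError("bad outer header")
    subs, off = [], HEADER_LEN
    while off < len(pkt):
        if off + SUB_LEN > len(pkt):
            raise ValueError("truncated sub-packet header")
        sid, dlen = struct.unpack(SUB_FMT, pkt[off:off + SUB_LEN])
        off += SUB_LEN
        data = pkt[off:off + dlen]
        if len(data) != dlen:
            raise ValueError("truncated sub-packet data")
        subs.append((sid, data))
        off += dlen
    return flags, subs


def is_malicious(data: bytes) -> bool:
    return any(sig in data for sig in SIGNATURES)


def inspect_and_rebuild(pkt: bytes) -> Tuple[bytes, List[int]]:
    """Drop only the malicious sessions and keep the header and the rest.
    build_packet recomputes the outer length, which is the step that is easy
    to forget when splicing sub-packets out of a payload."""
    flags, subs = parse_packet(pkt)
    dropped = [sid for sid, data in subs if is_malicious(data)]
    kept = [(sid, data) for sid, data in subs if not is_malicious(data)]
    return build_packet(flags, kept), dropped


# Constructed sample: three encapsulated sessions, one carrying a bad request.
SAMPLE = build_packet(0x1, [
    (1, b"GET /index.html HTTP/1.1\r\n"),
    (2, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    (3, b"POST /login HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    rebuilt, dropped = inspect_and_rebuild(SAMPLE)
    print("dropped sessions:", dropped, "forwarded bytes:", len(rebuilt))
```

A real implementation would also have to carry per-session state across packets, since a signature split over two sub-packets of the same session is invisible to a per-sub-packet substring match.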

US Pat. No. 9,361,225

CENTRALIZED MEMORY ALLOCATION WITH WRITE POINTER DRIFT CORRECTION

Juniper Networks, Inc., ...

1. A device comprising:
a memory controller, at least partially implemented in hardware, to:
receive a write request for storing data in a memory device;
determine a location for storing the data in the memory device;
store the data at the location;
determine whether an address value of a register, of a plurality of registers, associated with the memory device, is within
a predetermined address value range associated with the plurality of registers, other than the register,

each register of the plurality of registers, other than the register, being associated with a corresponding memory controller,
and

the predetermined address value range minimizing address value offsets between address values of the plurality of registers;
and

selectively increment, based on whether the address value of the register is within the predetermined address value range
associated with the plurality of registers, other than the register, the address value of the register by a first amount or
a second amount,

the address value of the register being incremented by the first amount when the address value of the register is within the
predetermined address value range associated with the plurality of registers, other than the register,

the address value of the register being incremented by the second amount when the address value of the register is not within
the predetermined address value range associated with the plurality of registers, other than the register, and

the second amount being different than the first amount.

US Pat. No. 9,363,327

NETWORK INTEGRATED DYNAMIC RESOURCE ROUTING

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a computing device and from a particular network device, a particular quantity of resources,
the particular quantity of resources, received from the particular network device, being greater than a threshold quantity
of resources,

resources, of the particular quantity of resources received from the particular network device, including video data, audio
data, image data, or text;

storing, by the computing device and in a data structure, information identifying the particular network device based on the
particular quantity of resources being greater than the threshold quantity of resources;

receiving, by the computing device and from a client device, a request for a resource;
determining, by the computing device, that the client device is requesting the resource from the particular network device
based on information provided in the request and the data structure;

terminating, by the computing device, a connection for the request at the computing device based on:
the information identifying the particular network device that is stored in the data structure based on the particular quantity
of resources being greater than the threshold quantity of resources, and

the client device requesting the resource from the particular network device;
selecting, by the computing device, a target device for the resource based on terminating the connection at the computing
device,

the target device being selected based on one or more conditions of a network associated with the computing device,
the one or more conditions including one or more of a bandwidth of the network or a load on the network;
providing, by the computing device, the request to the selected target device;
receiving, by the computing device, the resource from the selected target device; and
providing, by the computing device, the resource to the client device.

US Pat. No. 9,325,529

HYBRID TYPE TELEPHONY SYSTEM

Juniper Networks, Inc., ...

1. A method comprising:
controlling, by a control unit of a system, a first switch of the system to receive a first type of information;
controlling, by the control unit, a gateway of the system to convert the first type of information into a second type of information;
and

controlling, by the control unit, the gateway to forward the second type of information towards a second switch of the system,
the control unit being directly connected to the first switch, the second switch, and the gateway via a control bus.

US Pat. No. 9,258,384

DYNAMIC NETWORK DEVICE PROCESSING USING EXTERNAL COMPONENTS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a network device, a data flow;
identifying, by the network device, a service to apply to the data flow based on information regarding a service set;
providing, by the network device, the data flow to a processing device,
the processing device being different than the network device,
the processing device processing the data flow, on behalf of the network device, to form a processed data flow,
the processed data flow including the data flow with the service applied to the data flow;
receiving, by the network device and from the processing device, the processed data flow; and
transmitting, by the network device, the processed data flow toward a destination device.

US Pat. No. 9,253,123

METHODS AND APPARATUS FOR LOAD BALANCING VLAN TRAFFIC

Juniper Networks, Inc., ...

1. An apparatus, comprising:
a first core device configured to be disposed within a first network having a plurality of access nodes and a second core
device, the first core device comprising,

a communication interface configured to communicate with at least one of the plurality of access nodes,
a memory configured to store a plurality of virtual group identifiers including a virtual group identifier, and
a processor operatively coupled to the communication interface and the memory, the processor configured to receive a first
signal designating the first core device as a master device for the virtual group identifier such that the second core device
is designated as a back-up device for that virtual group identifier, the virtual group identifier being associated with a
destination address of a data unit being communicated within the first network;

the processor configured to send to a second network a second signal (1) advertising the first core device being designated
as the master device for the virtual group identifier after receiving the first signal designating the first core device as
the master device of the virtual group identifier and (2) causing the second core device to not advertise to the second network
that the first core device is designated as the master device for the virtual group identifier.

US Pat. No. 9,185,055

COMMUNICATING NETWORK PATH AND STATUS INFORMATION IN MULTI-HOMED NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
learning, with a layer two (L2) device, a set of remote media access control (MAC) addresses reachable over a network link
connecting the L2 device to a layer three (L3) device;

storing, with the L2 device, the learned set of remote MAC addresses within the L2 device;
receiving, with the L2 device and from the L3 device, an L2 frame issued by an operations, administration, and management
(OAM) protocol executing on the L3 device, wherein the L2 frame carries a first type-length-value (TLV) field that indicates
a portion of the learned set of MAC addresses to remove and directs the L2 device to remove the portion of the learned set
of MAC addresses from the learned set of MAC addresses stored within the L2 device and a second TLV field that indicates a
network error, wherein the portion of the learned set of MAC addresses include MAC addresses impacted by the network error,
and wherein the L2 frame is a continuity check message used by the OAM protocol executing on the L3 device to detect connectivity
failures between a sending device and a destination device; and

in response to receiving the L2 frame from the L3 device, removing, with the L2 device, the portion of the learned set of
MAC addresses indicated by the L2 frame from the learned set of MAC addresses stored within the L2 device.

US Pat. No. 9,178,809

END-TO-END TRAFFIC ENGINEERING LABEL SWITCHED PATHS IN SEAMLESS MPLS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by an aggregation node, a label request message generated by an access node, wherein the label request message
specifies a forwarding equivalence class (FEC) for traffic to be sent by the access node, and data that indicates constraint
information for the traffic to be sent by the access node;

by the aggregation node, establishing a first session for a traffic-engineering label distribution protocol with a next hop
adjacent to the aggregation node and positioned within a same network as the aggregation node;

by the aggregation node, establishing a second session for the same traffic-engineering label distribution protocol, wherein
the second session has a remote next hop positioned at a border between the network and a second network; and

sending a message destined for the remote next hop over the second session for establishing an end-to-end traffic engineered
label switched path for the FEC specified in the label request message, wherein the message includes the data indicating the
constraint information, which was received by the aggregation node in the label request message from the access node.

US Pat. No. 9,178,816

CONTROL PLANE MESSAGING IN ALL-ACTIVE MULTI-HOMED ETHERNET VIRTUAL PRIVATE NETWORKS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by a first provider edge (PE) network device and from a second PE network device of a plurality of PE network devices
that provide an active-active configuration for an Ethernet segment, a control plane message comprising at least one address
that identifies that second PE network device;

configuring, by the first PE network device and based at least in part on the control plane message, a forwarding plane of
the first PE network device to identify network packets having respective destination addresses that match the at least one
address;

responsive to receiving a network packet, determining by the forwarding plane of the first PE network device, that at least
one address of the network packet matches the at least one address that identifies the second PE network device; and

responsive to the determination, skipping, by the forwarding plane of the first PE network device, a decrement of the Time-To-Live
(TTL) value of the network packet, and forwarding the network packet to the second PE network device.

US Pat. No. 9,094,308

FINDING LATENCY THROUGH A PHYSICAL NETWORK IN A VIRTUALIZED NETWORK

Juniper Networks, Inc., ...

1. A method for determining latency of a physical network path in a network, the method comprising:
receiving, by a virtual network controller, a plurality of messages from a plurality of network devices in a network, wherein
each of the messages includes (1) a packet signature comprising a hash of an invariant portion of an original packet that
uniquely identifies the original packet, (2) an identifier of one of the plurality of network devices from which the respective
message was received, and (3) a timestamp indicating a time an original packet was processed by the network device from which
the respective message was received;

identifying, by the virtual network controller, two or more of the plurality of messages having a common packet signature;
identifying distinct flows associated with the common packet signature;
generating a path map for one of the identified flows comprising a list of physical network devices that a packet in the flows
traversed based on a known physical topology of the network;

generating a hash on the path map;
for each path map hash, determining a time that a packet took in traversing a physical network path from a source to a destination
in the known physical topology of the network; and

determining, by the virtual network controller, a latency of a physical network path in the network based on the determined
time the packet took in traversing the physical network path.
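The mechanism in this claim is a signature over the invariant part of a packet (fields rewritten at each hop, such as the IPv4 TTL and header checksum, must be excluded, or the same packet gets a different signature on every device), reports of (signature, device, timestamp) from the devices, and the known topology used to order the reporting devices into a path. The Python below is an added example and not code from the patent or from Juniper; the topology, packet builder and report messages are constructed, and microsecond integer timestamps are assumed.

```python
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed physical topology: device -> downstream neighbours.
TOPOLOGY: Dict[str, List[str]] = {"leaf1": ["spine1"], "spine1": ["leaf2"], "leaf2": []}


def ipv4_packet(ttl: int, checksum: int, ident: int = 0x1234, payload: bytes = b"probe") -> bytes:
    """Constructed minimal IPv4 packet; only TTL and checksum vary per hop."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, 17, checksum, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def packet_signature(pkt: bytes) -> str:
    """Hash of the invariant portion: TTL and header checksum are rewritten at
    every hop, so they are zeroed before hashing."""
    buf = bytearray(pkt)
    buf[8] = 0                  # TTL
    buf[10:12] = b"\x00\x00"    # header checksum
    return hashlib.sha256(bytes(buf)).hexdigest()


def order_by_topology(devices: List[str]) -> List[str]:
    """Order the reporting devices by the known topology rather than by their
    timestamps, whose clocks need not agree."""
    present = set(devices)
    successors = {n for d in present for n in TOPOLOGY.get(d, []) if n in present}
    starts = present - successors
    if len(starts) != 1:
        raise ValueError("no unique first hop among %r" % sorted(present))
    path, cur = [], starts.pop()
    while cur is not None:
        path.append(cur)
        nxt = [n for n in TOPOLOGY.get(cur, []) if n in present and n not in path]
        cur = nxt[0] if nxt else None
    if len(path) != len(present):
        raise ValueError("reported devices do not form one path")
    return path


def path_latencies(messages) -> Dict[str, Tuple[List[str], List[int]]]:
    """messages: (signature, device, timestamp_us) as reported by the devices.
    Returns {path map hash: (path, [latency_us per packet seen on it])}."""
    by_sig = defaultdict(dict)
    for sig, dev, ts in messages:
        by_sig[sig][dev] = ts
    result: Dict[str, Tuple[List[str], List[int]]] = {}
    for sig, seen in by_sig.items():
        if len(seen) < 2:
            continue   # a single observation gives no path
        path = order_by_topology(list(seen))
        phash = hashlib.sha256(">".join(path).encode()).hexdigest()
        latency = seen[path[-1]] - seen[path[0]]
        result.setdefault(phash, (path, []))[1].append(latency)
    return result


# Constructed reports: the same two packets seen at three devices, with the
# TTL decremented and the checksum changed at each hop.
SAMPLE_MESSAGES = [
    (packet_signature(ipv4_packet(64, 0x1A2B)), "leaf1", 1_000),
    (packet_signature(ipv4_packet(63, 0x1B2B)), "spine1", 1_004),
    (packet_signature(ipv4_packet(62, 0x1C2B)), "leaf2", 1_010),
    (packet_signature(ipv4_packet(64, 0x1A2A, ident=0x1235)), "leaf1", 2_000),
    (packet_signature(ipv4_packet(63, 0x1B2A, ident=0x1235)), "spine1", 2_003),
    (packet_signature(ipv4_packet(62, 0x1C2A, ident=0x1235)), "leaf2", 2_011),
]

if __name__ == "__main__":
    for phash, (path, lats) in path_latencies(SAMPLE_MESSAGES).items():
        print(phash[:12], " > ".join(path), "latencies_us=%s" % lats)
```

The end-to-end figure still depends on the first and last device sharing a clock; the topology only fixes the order of the hops, not the offset between their timestamps.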

US Pat. No. 10,659,293

APPARATUS, SYSTEM, AND METHOD FOR DYNAMICALLY SCALING MEMORY FOR VIRTUAL ROUTERS

Juniper Networks, Inc., S...

1. A method comprising:
executing a virtual router that services traffic within a network in connection with a specific network consumer; and
dynamically scaling memory of the virtual router to accommodate a networking need of the specific network consumer by:
installing, in a first component of a physical network device that hosts the virtual router, a first set of networking objects that facilitate servicing the traffic in connection with the specific network consumer;
installing, in a second component of the physical network device, a second set of networking objects that facilitate servicing the traffic in connection with the specific network consumer;
determining a first amount of memory that is consumed by the first set of networking objects at the first component of the physical network device;
determining a second amount of memory that is consumed by the second set of networking objects at the second component of the physical network device; and
modifying a configuration file of the virtual router such that the memory of the virtual router is scaled to store the first and second sets of networking objects via the first and second components.

US Pat. No. 10,659,356

TRANSLATION BETWEEN A FIRST VERSION OF INTERNET PROTOCOL AND A SECOND VERSION OF INTERNET PROTOCOL WHEN AN APPLICATION LAYER GATEWAY (ALG) IS INVOLVED

Juniper Networks, Inc., ...

1. A device, comprising:
a memory; and
one or more processors to:
receive, from a first device that supports internet protocol version 4 (IPv4), a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private IPv4 addresses,
the PCP request being received via an internet protocol version 6 (IPv6) network;
establish an association between the CLAT prefix and the one or more private IPv4 addresses;
receive, from the first device and via the IPv6 network, a packet that includes:
a private IPv4 address, of the one or more private IPv4 addresses, in a payload of the packet, and
an IPv6 address that includes the CLAT prefix and a second instance of the private IPv4 address,
the IPv6 address being associated with a header of the packet;
translate the private IPv4 address to a public IPv4 address using the CLAT prefix;
search the payload to identify the private IPv4 address;
replace, in the payload, the private IPv4 address with the public IPv4 address; and
provide, based on replacing, in the payload, the private IPv4 address with the public IPv4 address, the packet to a second device that supports IPv4.

US Pat. No. 10,601,727

METHODS AND APPARATUS FOR EFFICIENT USE OF LINK AGGREGATION GROUPS

Juniper Networks, Inc., ...

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
receive, at a gateway device and in response to a first triggering event, a first indication to load balance a plurality of active sessions associated with a network node and a switch across a plurality of links between the gateway device and the switch at a first time, the plurality of active sessions being active before the first time;
receive, at the gateway device and in response to a second triggering event in which a link, from the plurality of links, changes from an inactive configuration to an active configuration, a second indication to load balance the plurality of active sessions across the plurality of links, the plurality of active sessions including (1) a first plurality of active sessions between the network node and the switch and (2) a second plurality of active sessions between a plurality of virtual ports and the switch, each session from the second plurality of active sessions being associated with a session from the first plurality of active sessions;
(1) in response to the first indication,
calculate, at a second time after the first time, a load that is a number of a set of sessions from the plurality of active sessions and associated with a first set of links (1) from the plurality of links and (2) in the active configuration before the first time, the set of sessions being associated with the first set of links at the second time;
calculate a threshold value based on the load; and
send, from the gateway device to the switch, a first login signal to initiate a reestablishment of the set of sessions from the plurality of active sessions with a second set of links from the plurality of links, at a third time after the second time and based on the threshold value, the second set of links being in the active configuration at the third time, the plurality of links including the first set of links and the second set of links different from the first set of links,
(2) in response to the second indication,
select a session from the first plurality of active sessions based on that session being associated with a greater number of sessions from the second plurality of active sessions than each remaining session from the first plurality of active sessions; and
send, from the gateway device to the switch, a second login signal to initiate a reestablishment of that session from the first plurality of active sessions with the link from the plurality of links.

US Pat. No. 10,568,112

PACKET PROCESSING IN A SOFTWARE DEFINED DATACENTER BASED ON PRIORITIES OF VIRTUAL END POINTS

Juniper Networks, Inc., ...

1. A device, comprising:
a memory; and
one or more processors to:
receive priority information corresponding to a virtual machine interface of a virtual machine of a computing environment;
receive a packet associated with the virtual machine interface;
determine a priority associated with the virtual machine interface based on the priority information,
the priority information indicating the priority associated with virtual machine interface relative to other virtual machine interfaces of the computing environment;
assign the packet to a queue associated with a service node of the computing environment based on the virtual machine interface,
the packet to be output from the queue at a rate based on the priority associated with the virtual machine interface;
receive the packet from the service node after the packet is processed by the service node;
assign the packet to a transmit queue corresponding to the virtual machine interface; and
send the packet from the transmit queue toward a destination virtual machine interface at a rate based on the priority associated with the virtual machine interface.

US Pat. No. 10,554,684

CONTENT-BASED OPTIMIZATION AND PRE-FETCHING MECHANISM FOR SECURITY ANALYSIS ON A NETWORK DEVICE

Juniper Networks, Inc., ...

1. A first device, comprising:
a memory; and
one or more processors to:
receive content from a second device based on a request for the content, the request being from a third device;
determine, based on receiving the content from the second device, a first value for a first pre-defined range of the content using a hash function,
the first value uniquely identifying the first pre-defined range of the content;
determine a second value for a second pre-defined range of the content using the hash function,
the second value uniquely identifying the second pre-defined range of the content, and
the second pre-defined range of the content comprising the first pre-defined range of the content;
perform a first lookup of the first value in a data store;
perform a second lookup of the second value in the data store;
verify a first result of the first lookup using a second result of the second lookup;
determine, based on verifying the first result and based on whether the first result indicates a match, whether a classification of the content can be determined,
the classification being associated with an action that the first device is to perform with respect to the content;
selectively:
determine, based on the first result not indicating a match, the classification of the content by providing the first value, or the first pre-defined range of the content corresponding to the first value, to a fourth device to permit the fourth device to determine the classification of the content; or
determine, based on the first result indicating a match, the classification of the content; and
perform the action with respect to the content based on the classification of the content after determining the classification.
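The claim hashes two nested ranges of the content, the second containing the first, looks both up, and uses the second result to verify the first before acting on a cached classification. The short range can be hashed as soon as its bytes arrive, which is where the pre-fetching in the title comes from, but a hit on it alone is only a hint: two files that share a prefix are not the same file, so the enclosing range has to agree before the cached verdict is used, and anything unverified goes to the analysis device. The Python below is an added example and not code from the patent or from Juniper; the range sizes, the samples and the stand-in for the fourth device (a lookup on the full-content hash) are constructed.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed range sizes; a deployment would use something like the first
# 4 KiB and the first 64 KiB. The second range must contain the first.
RANGE1 = 16
RANGE2 = 64


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_store(known: List[Tuple[bytes, str]]) -> Dict[str, Dict[str, str]]:
    """The data store: classification keyed on the hash of each range."""
    store: Dict[str, Dict[str, str]] = {"r1": {}, "r2": {}}
    for content, cls in known:
        store["r1"][digest(content[:RANGE1])] = cls
        store["r2"][digest(content[:RANGE2])] = cls
    return store


def classify(content: bytes, store: Dict[str, Dict[str, str]],
             remote_classify: Callable[[bytes], str]) -> Tuple[str, str]:
    """Return (classification, 'cache' or 'remote')."""
    v1, v2 = digest(content[:RANGE1]), digest(content[:RANGE2])
    r1, r2 = store["r1"].get(v1), store["r2"].get(v2)
    # Verify the first lookup with the second: trust the small-range hit only
    # when the enclosing range was cached with the same verdict.
    if r1 is not None and r1 == r2:
        return r1, "cache"
    cls = remote_classify(content)              # hand off to the analysis device
    store["r1"].setdefault(v1, cls)             # first verdict for a prefix stays
    store["r2"][v2] = cls                       # the enclosing range is authoritative
    return cls, "remote"


# Constructed samples: a known-bad file, a benign file sharing its first 16
# bytes, and an unrelated file.
KNOWN_BAD = b"PK\x03\x04" + b"malicious-archive-" * 6
LOOKALIKE = KNOWN_BAD[:RANGE1] + b"benign-archive-content-" * 4
FRESH = b"%PDF-1.7 ordinary document"

# Constructed stand-in for the fourth device: a verdict on the full content.
REMOTE_VERDICTS = {digest(KNOWN_BAD): "block"}


def remote_classify(content: bytes) -> str:
    return REMOTE_VERDICTS.get(digest(content), "allow")


if __name__ == "__main__":
    store = build_store([(KNOWN_BAD, "block")])
    for name, content in (("known-bad", KNOWN_BAD), ("lookalike", LOOKALIKE), ("fresh", FRESH)):
        print(name, classify(content, store, remote_classify))
```

Without the verification step the lookalike would be blocked on the strength of 16 shared bytes; with it, a prefix that has been seen with more than one verdict simply never short-circuits, at the cost of a remote lookup each time.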

US Pat. No. 10,534,601

IN-SERVICE SOFTWARE UPGRADE OF VIRTUAL ROUTER WITH REDUCED PACKET LOSS

Juniper Networks, Inc., ...

1. A method comprising:
receiving, by at least one processor of a plurality of compute nodes configured to perform compute functions for a plurality of session instances of a cloud data center, a request to perform an in-service software upgrade (ISSU) of a first packet forwarding component for a virtual router, wherein the first packet forwarding component executes within a kernel space of a memory of the plurality of compute nodes and is configured to forward traffic flows for the plurality of session instances, and wherein a first virtual routing agent for the virtual router executes within a user space of the memory and is configured to maintain flow state information for the traffic flows forwarded by the first packet-forwarding component of the virtual router;
spawning, by the at least one processor, a second packet forwarding component for the virtual router within the kernel space of the memory;
spawning, by the at least one processor, a second virtual routing agent for the virtual router within the user space of the memory, wherein the second virtual routing agent is configured to maintain flow state information for the traffic flows forwarded by the second packet-forwarding component of the virtual router;
synchronizing, by the at least one processor, the flow state information of the first virtual routing agent and the flow state information of the second virtual routing agent; and
after synchronizing the flow state information of the first virtual routing agent and the flow state information of the second virtual routing agent, directing, by the at least one processor, the traffic flows for the plurality of session instances from the first packet forwarding component of the virtual router to the second packet forwarding component of the virtual router without interrupting traffic flow forwarding for the plurality of session instances by the virtual router.

US Pat. No. 10,536,400

METHODS AND APPARATUS RELATED TO VIRTUALIZATION OF DATA CENTER RESOURCES

Juniper Networks, Inc., ...

1. A method, comprising:
assigning a first plurality of peripheral processing devices coupled to a first virtual switch core of a multi-stage switch fabric, to a first virtual application cluster (VAC) of the first virtual switch core, the first VAC of the first virtual switch core defining a first resource of a first resource type that includes a first set of physical resources that are interconnected;
assigning a second plurality of peripheral processing devices coupled to the first virtual switch core of the multi-stage switch fabric, to a second VAC of the first virtual switch core, the second VAC associated with the first virtual switch core and defining a resource of a second resource type that includes a second set of physical resources of the first virtual switch core that are different from the first set of physical resources, the second plurality of peripheral processing devices including a subset of the first plurality of peripheral processing devices coupled to the first virtual switch core; and
assigning a third plurality of peripheral processing devices coupled to the second virtual switch core of the multi-stage switch fabric, to a VAC of the second virtual switch core, the VAC of the second virtual switch core defining a second resource of the first resource type that includes a set of physical resources of the second virtual switch core that are interconnected;
the second VAC is associated with the first virtual switch core at a first time;
the second VAC is associated with the second virtual switch core at a second time different from the first time; and
the second plurality of peripheral processing devices is de-allocated from the first virtual switch core at the second time as a result of the second VAC being associated with the second virtual switch core.

US Pat. No. 10,397,085

OFFLOADING HEARTBEAT RESPONSES MESSAGE PROCESSING TO A KERNEL OF A NETWORK DEVICE

Juniper Networks, Inc., ...

1. In a network having a plurality of network devices, including a first network device, wherein the first network device includes a memory having a health check data structure, the health check data structure including a heartbeat response message field for each respective network device of the plurality of network devices, a method comprising:
receiving, by the first network device, heartbeat response messages from two or more of the plurality of network devices, wherein each heartbeat response message respectively corresponds to one network device of the plurality of network devices;
processing the received heartbeat response messages in a kernel space of the first network device, wherein processing includes:
generating a hash value for each heartbeat response message received, each hash value based on identification information in the respective heartbeat response message, the identification information identifying the network device that sent the respective heartbeat response message; and
determining, for each of the plurality of heartbeat response messages and based at least in part on the corresponding hash value generated for the heartbeat response message, an index value, each index value associated with the network device that sent the respective heartbeat response message;
updating the health check data structure at the heartbeat response message fields indicated by the index values to indicate that heartbeat response messages were received from the network devices; and
processing, in a user space of the first network device, information received from at least one of the heartbeat response message fields of the health check data structure to obtain health status associated with one or more of the plurality of network devices.