Patents Assigned to Cisco Technology, Inc., a corporation of California
  • Publication number: 20120033663
    Abstract: An application node advertises service(s), using a routing protocol, that it offers to other network nodes. For example, the routing protocol used to advertise service(s) in a Service Provider Network is typically a link-state Interior Gateway Protocol (IGP), such as, but not limited to, Intermediate System to Intermediate System (IS-IS) or Open Shortest Path First (OSPF). Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more advertised services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000).
    Type: Application
    Filed: August 5, 2010
    Publication date: February 9, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Jim Guichard, David Delano Ward, Cedell Adam Alexander, JR., Carlos M. Pignataro
  • Publication number: 20120026897
    Abstract: Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000) to generate a result, which is used by the service node to process packets of a flow of packets to which the packet belonged. An example of a service applied to a packet is a classification service, such as, but not limited to, using deep packet inspection on the packet to identify a classification result. The service node can, for example, use this classification result to process other packets in a same packet flow, such that all packets of a flow do not need to be, nor typically are, sent to an application node for processing.
    Type: Application
    Filed: July 29, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Jim Guichard, David Delano Ward, Cedell Adam Alexander, JR., Brian Lance Hiltscher, Doron Oz
  • Publication number: 20120027016
    Abstract: Packets are encapsulated and sent from a service node to one or more application nodes for applying one or more Layer-4 to Layer-7 services to the packets. Before this, for a packet, the service node performs a lookup operation based on a destination address of the packet in a routing data structure derived from an exterior network protocol, such as, but not limited to, Border Gateway Protocol (BGP). This lookup operation results in the identification of a next hop packet switching device to which the packet would be sent from the service node. The service node includes this identification of the next hop address in the request packet sent to the application node(s). After the service(s) are applied to the packet, an application node will send the services-applied packet to this next hop address. In this manner, application nodes do not need to run an exterior network protocol, although they typically will run an Interior Gateway Protocol for identifying how to forward packets to the next hop address.
    Type: Application
    Filed: July 29, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Clarence Filsfils, Cedell Adam Alexander, JR., Jim Guichard
  • Publication number: 20120027015
    Abstract: A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to Layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g., firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
    Type: Application
    Filed: July 27, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: John C. Carney, Timothy P. Donahue, Michael E. Lipman, David Delano Ward, Doron Oz
  • Publication number: 20120005367
    Abstract: Policers receive packets of flows of packet traffic, which are to be communicated to a monitored resource. The utilization levels of the monitored resource are induced by these flows of packet traffic. Based on the observed utilization levels (including possibly measured durations in one or more of these utilization levels), a determination is made if, and how, to adjust policers for policing their respective flow, with policers being adjusted accordingly. In this manner, adaptive policers (typically located remotely from the monitored resource) are adjusted in response to one or more utilization levels (including possible durations at these utilization levels—i.e., a persistence of the congestion for the resource) of one or more monitored resources, with these identified utilization levels (and possibly durations) used in determining how much to modify a policing rate.
    Type: Application
    Filed: June 30, 2010
    Publication date: January 5, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: John H. W. Bettink, Mohammed Ismael Tatar, Palani Chinnakannan, David Delano Ward
  • Publication number: 20120002672
    Abstract: Packets are encapsulated and sent from a service node to an application node for applying one or more Layer-4 to Layer-7 services to the packets, with service-applied packets being returned to the service node. An identification of a virtual private network (VPN) may be carried within a request packet, encapsulating a particular packet, sent by a service node to an application node for applying a service to the particular packet; with the corresponding response packet sent to the service node including an identification of the VPN for use by the service node in forwarding the services-applied packet. Additionally, parameters may be included in a request packet to identify a particular service of a general service to be applied to a particular packet encapsulated in the request packet.
    Type: Application
    Filed: June 30, 2010
    Publication date: January 5, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Cedell Adam Alexander, JR., Christopher Y. Metz, Jim Guichard, David Delano Ward
  • Publication number: 20110268130
    Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with the coordinated updating of forwarding information bases (FIBs) in a multistage packet switching device, which performs at least lookup operations on multiple different FIBs in determining how to forward a packet. One embodiment uses lookup operations on two different FIBs, with these being an ingress FIB on an ingress line card and an egress FIB on an egress line card. In response to a change in the forwarding information for a stream of packets, the egress FIBs are first updated to include both the old and new forwarding information. After all egress FIBs have been updated, the ingress FIBs are updated to use the new forwarding information. This update procedure is designed to eliminate loss or duplication of packets induced during the updating of these FIBs to use the new forwarding information.
    Type: Application
    Filed: April 29, 2010
    Publication date: November 3, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Yuri Tsier, Parag Kumar Jain, Clarence Filsfils, Sami Boutros, John H. W. Bettink
  • Publication number: 20110264779
    Abstract: Non-Internet Protocol (IP) centric resources are accessed based on a value in the form of an IP address. This value (represented as the IP address) is converted to a non-IP address, which is used to access one or more non-IP address space resources. This value (represented as the IP address) typically includes an encoding of the non-IP address and/or an indirect reference (e.g., table index, pointer to a memory location) to the non-IP address.
    Type: Application
    Filed: April 23, 2010
    Publication date: October 27, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Landon Curt Noll, Claudio DeSanti
  • Publication number: 20110206047
    Abstract: In providing seamless migration of virtual or physical devices among networks of a virtual local area network (VLAN) such as one spanning multiple data centers, a same virtual anycast Medium Access Control (VMAC) is used for reaching default gateways in virtual and/or physical devices. Each network is typically configured such that source MAC learning for the VMAC should happen only for packets coming from the local default gateway. In this manner, when a device is migrated between networks of the VLAN, the same IP address and corresponding MAC address (typically still residing in the MAC cache of the migrated device) can be used to reach the local default gateway.
    Type: Application
    Filed: April 6, 2010
    Publication date: August 25, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Siva Prasad Donthamsetty, Kulkarni Hrishikesh Vishwas, Lilian Sylvia Fernandes, Michael R. Smith, Srinath Mohanraj
  • Publication number: 20110206058
    Abstract: A particular networked machine broadcasts packets from its interfaces resulting in patterns of returned copies of the sent broadcast packets received on its interfaces. Based on these patterns, a determination is made to identify groupings of one or more of the interfaces that are considered by remote devices as being grouped together, as a broadcast packet transmitted from an interface belonging to a grouping will be received on, and only on, a single interface in each of the other groupings, with a grouping being one or more interfaces. In one implementation, a grouping is defined as a single independent interface, or an aggregation of two or more interfaces combined into a single logical interface, such as, but not limited to that of a PortChannel.
    Type: Application
    Filed: February 24, 2010
    Publication date: August 25, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Christian Elsen, Pierre-Emmanuel Ettori
  • Publication number: 20110199902
    Abstract: A firewall, intrusion prevention or other device automatically and dynamically adjusts packets subjected to certain rate limiting based on the reputation level associated with their source. When measured traffic increases beyond a desired amount, the range of reputation scores causing their associated packets to be subjected to this rate limiting is adjusted to throttle the measured traffic to fall within desired limits. In this manner, packet traffic with a worse reputation can be singled out for this rate limiting during a period of increased traffic. When the measured traffic subsides, the range of reputation scores can be correspondingly changed to allow more measured traffic.
    Type: Application
    Filed: February 12, 2010
    Publication date: August 18, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Nicholas Read Leavy, James William Heary
  • Publication number: 20110200330
    Abstract: The number of domain identifiers is incrementally increased for use by a switch in an established fibre channel switched fabric. In other words, the number of domains assigned to a switch by the Principal Switch of the fibre channel switched fabric is increased without triggering the reconfiguration of the established fibre channel switched fabric. In one implementation, incrementally adding one or more additional domain identifiers includes requesting said one or more additional domain identifiers from a Principal Switch of the fibre channel switched fabric using a different World Wide Name (WWN) than used to acquire the original one or more domain identifiers used by the switch.
    Type: Application
    Filed: February 18, 2010
    Publication date: August 18, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Christian Sasso, Siddharth Kasat, Hari Balasubramanian, Ronak Desai
  • Publication number: 20110194564
    Abstract: Ethernet Alarm Indication Signal (ETH-AIS) information for multiple Virtual Local Area Networks (VLANs) is consolidated and distributed to the multiple VLANs in a single Ethernet frame. Note, as used herein, “Alarm Indication Signal (ETH-AIS)” refers to an IEEE 802.x or ITU-T Y.1731 Ethernet Alarm Indication Signal. A device receiving the Ethernet frame with the consolidated ETH-AIS information typically forwards the frame out each port that communicates traffic for one of the VLANs included in the consolidated ETH-AIS information.
    Type: Application
    Filed: March 22, 2010
    Publication date: August 11, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Nitin Gupta, Sonal Shah, Aravindan Ramalingam, Norman William Finn
  • Publication number: 20110197060
    Abstract: An externally managed security and validation processing device includes a cryptographic processing subsystem configured for performing security or validation services; an application interface configured for communicating security or validation services with an application system; and a secure management interface configured for communicating information, including configuration information for the cryptographic processing system for performing said security or validation services, with a service profile system external to the apparatus without passing said configuration information through the application system. The service profile system can typically also migrate security services provided by one apparatus to another apparatus.
    Type: Application
    Filed: February 11, 2010
    Publication date: August 11, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventor: Shrijeet Mukherjee
  • Publication number: 20110158253
    Abstract: In response to a detected loss of previously transmitted information by an apparatus communicating with a remote device (e.g., using TCP), the rate of transmission of information is increased by the apparatus in response to attributing the detected loss of previously transmitted information as not being caused by congestion. This attribution of the packet loss is typically determined based on roundtrip delays between sent information and received corresponding acknowledgments, which may be used directly or indirectly, such as by estimating network queuing delays based on the measured roundtrip delays.
    Type: Application
    Filed: December 25, 2009
    Publication date: June 30, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Nandita Dukkipati, Sangtae Ha, Vijaynarayanan Subramanian, Flavio Giovanni Bonomi
  • Publication number: 20110154019
    Abstract: A graceful conversion of a security to a non-security transparent proxy is performed. A security transparent proxy is an intermediary between two end devices, with an established secure connection with each end device using different security keys. In response to a policy decision or other stimulus, the security transparent proxy is gracefully converted to a non-security transparent proxy such that it can forward, without decrypting and encrypting, the information received from a first endpoint on the first connection therewith to the second endpoint on the second connection therewith. This conversion is “graceful” in that it does not drop either of the two original sessions. In one embodiment, this graceful conversion is accomplished by triggering a key renegotiation on both of the two sessions such that the two connections will use the same encryption key.
    Type: Application
    Filed: December 17, 2009
    Publication date: June 23, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventor: Jianxin Wang
  • Publication number: 20110141880
    Abstract: A hierarchical protection switching framework uses detectors and protectors. A protector registers with a detector to receive notifications. A detector identifies a condition and the interested protector, and notifies the interested protector. The protector, in response to the notification, typically either performs protection switching or notifies another protector of the condition. This protection switching is an extensible operation, and typically may include, but is not limited to, switching traffic to a backup facility from a facility corresponding to the condition and switching traffic to a backup component from a component corresponding to the condition. The decision of a protector whether to notify another protector of the condition can be made based on different factors, such as, but not limited to, a failure of the protection switching by the protector, a database lookup operation to identify whether notification of another particular condition has been received or not received, etc.
    Type: Application
    Filed: February 27, 2011
    Publication date: June 16, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: George Suwala, David Delano Ward
  • Publication number: 20110110382
    Abstract: PortChannel groups are disclosed which include multiple PortChannel links of a PortChannel. Further, the selection of a particular PortChannel group, and possibly a PortChannel link within a selected PortChannel group, for a packet is provided by user-programmable matching of programmed values or rules to data extracted from the packet. In this manner, the forwarding of packets over PortChannel groups can be explicit. Moreover, packets of different flows of a packet session can be caused to be forwarded over a same PortChannel group, possibly leading to a service node for performing one or more applications based on the packets of the flow(s) of a packet session.
    Type: Application
    Filed: December 23, 2009
    Publication date: May 12, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Khalil A. Jabr, Sudhakar Shenoy, Dileep K. Devireddy
  • Publication number: 20110096777
    Abstract: Disclosed are, inter alia, methods, apparatus, computer-readable media, mechanisms used in one embodiment configured for, and means for, determining packet forwarding information for packets sent from a protocol offload engine in a packet switching device. The protocol offload engine performs the protocol processing for a protocol application (e.g., BGP) running on a separate control plane processing system, and generates packets to be sent to external devices. The protocol offload engine sends these packets to one of the line cards without using the routing information lookup facility of the control plane processing system, thereby freeing the control plane processing system to use those processing cycles to perform other tasks.
    Type: Application
    Filed: December 31, 2010
    Publication date: April 28, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Arindam Paul, Somala Krishna Reddy, David Delano Ward, Fan Sun, Shyamsundar Nandkishor Maniyar
  • Publication number: 20110096784
    Abstract: The propagation of virtual local area network (VLAN) declarations is controlled, to minimize or eliminate their propagation to packet switching devices which do not carry traffic for a corresponding VLAN. Initially and in response to a first time receipt of a VLAN declaration for a particular VLAN on a particular interface of a packet switching device, VLAN declarations for the particular VLAN are propagated out every interface of the packet switching device. After a predetermined time frame, if a VLAN declaration has not been received on a particular interface for an active VLAN, propagation of the VLAN declarations for the active VLAN will be suppressed for the particular interface.
    Type: Application
    Filed: December 9, 2009
    Publication date: April 28, 2011
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventor: Aravindan Ramalingam