Abstract: Switch-implemented methods of maintaining persistence of a session between a client node and a server node are described. A response from the server node to a first request from the client node is received. The first request includes a uniform resource identifier (URI). The response includes a cookie that includes a random session identifier. The response also includes rewritten uniform resource locators (URLs) that include the URI and the session identifier. The session identifier from the cookie and the identity of the server node are stored. A second request is received from the client node. The second request includes a rewritten URI (when the client node does not support or enable the use of cookies). The session identifier from the rewritten URI is matched to the session identifier in memory to identify the associated server node. The second request can then be directed to the server node.

Abstract: A system and method are provided to prevent the formation of loops in a network. The network device includes a plurality of ports for receiving and forwarding network messages and a spanning tree protocol engine. The spanning tree protocol engine, in one embodiment, implements the Rapid Spanning Tree Protocol (RSTP) to transitions the ports among a plurality port states, including a discarding state, a learning state and a forwarding state. The network device further includes a loop guard engine that is in a communicating relationship with the spanning tree protocol engine and the ports. The loop guard engine monitors the receipt of bridge protocol data units (BPDUs) by the ports. If a given port stops receiving BPDUs, the loop guard engine prevents the spanning tree protocol engine from transitioning the given port to the forwarding state. Instead, the loop guard engine causes the port to transition to loop inconsistent state.

Abstract: A system and method prevents the formation of loops that are not detected by the Spanning Tree Protocol (STP). An intermediate network device preferably includes a plurality of ports for receiving and forwarding network messages and a STP engine in communicating relationship with the ports. The STP engine transitions the ports among a plurality of spanning tree port states, including a discarding state, a learning state and a forwarding state. The device further includes a loop guard engine that is in communicating relationship with the STP engine and the ports. The loop guard engine monitors the receipt of configuration bridge protocol data unit (BPDU) messages by the ports. If a given port stops receiving BPDU messages, the loop guard engine prevents the STP engine from transitioning the given port to the forwarding state. Instead, the loop guard engine preferably causes the port to transition to a new state in which networks messages are explicitly blocked from being forwarded or received.

Abstract: An architecture, arrangement, system, and method for providing service access in a data center are disclosed. In one embodiment, an arrangement can include: an aggregation switch configured to transfer data between a network and an access layer; and service modules coupled to the aggregation switch, where each service module is configured to provide a service for the data when selected. The service modules can include: firewall, load balancer, secure sockets layer (SSL) offloader, intrusion detection system (IDS), and cache, for example. Further, the service selection can be substantially transparent to an associated server.

Abstract: A one-arm data center topology routes traffic between internal sub-nets and between a sub-net and an outside network through a common chain of services. The data center topology employs layer 4 services on a common chassis or platform to provide routing and firewall services while reducing the number of devices necessary to implement the data center and simplifying configuration. Load balancing is provided by a load balancing device. In the one-arm topology, policy based routing or client network address translations or NAT pushes traffic to the CSM.

Abstract: An architecture, arrangement, system, and method for or controlling traffic flow into and out of a server farm having active-active stateful devices. A symmetric Gateway Load Balancing Protocol (sGLBP) eliminates asymmetric traffic flow for out-bound traffic. Load distribution for in-bound traffic is balanced between a redundant pair of aggregation switches using either static host routes, Route Health Injection or in a more general manner, with external routes with a mask longer than the connected subnet advertised by the routing protocol. The return traffic is symmetric because it returns through the same aggregation switch that it came from. Similarly, traffic originating from a server farm exits from one of the redundant aggregation switches and returns from the same aggregation switch.

Abstract: An intrusion detection system (IDS) is capable of identifying the source of traffic, filtering the traffic to classify it as either safe or suspect and then applying sophisticated detection techniques such as stateful pattern recognition, protocol parsing, heuristic detection or anomaly detection either singularly or in combination based on the traffic type. In a network environment, each traffic source is provided with at least one IDS sensor that is dedicated to monitoring a specific type of traffic such as RPC, HTTP, SMTP, DNS, or others. Traffic from each traffic source is filtered to remove known safe traffic to improve efficiency and increase accuracy by keeping each IDS sensor focused on a specific traffic type.

Abstract: A data center provides secure handling of HTTPS traffic using backend SSL decryption and encryption in combination with a load balancer such as a content switch. The load balancer detects HTTPS traffic and redirects it to an SSL offloading device for decryption and return to the load balancer. The load balancer then uses the clear text traffic for load balancing purposes before it redirects the traffic back to the SSL offloading device for re-encryption. Thereafter, the re-encrypted traffic is sent to the destination servers in the data center. In one embodiment, the combination with the back-end SSL with an intrusion detection system improves security by performing intrusion detection on the decrypted HTTPS traffic.

Abstract: A data center topology routes traffic between internal sub-nets and between a sub-net and an outside network through a common chain of services. The data center topology employs transparent layer 7 and layer 4 services on a common chassis or platform to provide routing, load balancing and firewall services while reducing the number of devices necessary to implement the data center and simplifying configuration.