Abstract: A multilevel coupled policer is configured to police packets using at least two policing levels, including a first-level of class policers and a second-level aggregate policer. The multilevel coupled policer is configured to share bandwidth of the aggregate policer among packet traffic corresponding to the class policers based on the packet traffic. The multilevel coupled policer is configured to apply a particular class policer corresponding to a particular packet to identify a tentative policing action. The multilevel coupled policer is configured to apply the second-level aggregate policer to the particular packet based on the identified the tentative policing action and a result of a comparison operation of the number of tokens in one or more token buckets associated with the second-level aggregate policer and the length of the particular packet in order to determine a final policing action for marking and/or applying to the particular packet.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with loss of network layer connectivity triggering Dynamic Host Configuration Protocol (DHCP) initialization. According to one embodiment, a network device connected to a network initializes one or more network communication values of the network device using DHCP. The network device monitors Network Layer (Layer 3) connectivity with a remote network device; and in response to detecting a loss of said monitored Network Layer connectivity, DHCP initialization of the network device is performed.

Abstract: Schedules may use burst tolerance values to adjust the scheduling in a time-based schedule, such as, but not limited to, adjusting for accumulated but not used bandwidth, and/or adjusting eligibility of schedule entries. A best schedule item associated with an eligible schedule entry of a schedule is identified. Whether or not a particular schedule entry is eligible is typically determined based on the relationship of an associated timestamp with a current scheduling time, such as its timestamp being less than or equal to the current time. A burst tolerance time bound might also be used to allow certain priorities and/or types of items to be considered eligible if even its timestamp exceeds the current time by an amount, but less than or equal to the burst tolerance time bound.

Abstract: The designated forwarding device functionality for forwarding of packets originated on a broadcast link among layer 2 is shared among multiple forwarding devices of different adjacency networks. As these networks do not form adjacencies, the forwarding devices do not natively participate in a same spanning tree for determining how to forward packets, and a designated forwarding device is used for forwarding packets originated on the common broadcast link. Distributing the role of a designated forwarding device among multiple of the forwarding devices provides a means for more efficiently forwarding packets to their destinations.

Abstract: A packet is pre-dropped if its Time-To-Live (TTL) value is not large enough to reach a destination, such as, but not limited to, its destination if it is a unicast packet, or at least one more destination for a multicast packet. A packet switching device maintains associations between (a) nearest receiving node distances and (b) prefixes or complete addresses. If a packet does not have enough TTL to reach an intended recipient identified by a corresponding nearest receiving node distance, then the packet is dropped even though the TTL has not expired. In this manner, some bandwidth and other network resources are not wasted on traffic that will timeout via the TTL mechanism before reaching a subsequent intended recipient.

Abstract: Disclosed, inter alia, is a Physical Layer Transceiver (PHY) with integrated time synchronization, such as, but not limited to, IEEE 1588 Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. The PHY includes circuitry to maintain a current time, and to trigger the storage of timestamps corresponding to received frames. Typically, in response to a request from an external device, the timestamps are retrieved from storage and are communicated to the external device. By moving the triggering of the storage of the timestamps by the PHY itself, rather than by a monitoring of the traffic between the PHY and the Media Access Controller (MAC), higher accuracy can typically be achieved.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with a shift register with a dynamic entry point, which may particularly useful for aligning skewed data. The dynamic entry shift register typically includes a series of storage elements, with multiplexers distributed between the storage elements. Each of the multiplexers is configured to select between: (a) the output signal of a previous storage element, and (b) the input signal. A control is configured to configure the multiplexers for a data signal applied as the input signal to induce an appropriate delay of the data signal as the output signal. The dynamic entry shift register can be scaled to accommodate a longer delay while still using only 2:1 multiplexers between stages in the dynamic entry shift register(s).

Abstract: One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and access thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the application by the firewall itself of the security policies from the network topology and routing architecture (e.g., the network routing address information which is typically relied upon by current firewalls), the firewall functionality is defined based on the identified entry and exit accesses of a firewall, rather than based on network defined addresses, for example.

Abstract: Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.

Abstract: Methods and apparatus are disclosed for sending a multicast packet from multiple network interfaces across multiple networks using the same media access source address (MAC source address). One implementation includes a processing element and a network interface for each of the multiple networks. The processing element generates and initiates sending of a multicast packet having a same media access source address (MAC source address) from at least two of the multiple network interfaces. In one implementation, a single copy of the multicast packet is buffered, and each of the network interfaces retrieves, such as via a direct memory access (DMA) request, the multicast packet and forwards it to an attached network.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with load balancing across multiple network address translation (NAT) instances and/or processors. N network address translation (NAT) processors and/or instances are each assigned a portion of the source address traffic in order to load balance the network address translation among them. Additionally, the address space of translated addresses is partitioned and uniquely assigned to the NAT processors and/or instances such that the identification of the assigned NAT processor and/or instance associated with a received translated address can be readily determined there from, and then used to network address translate that received packet.

Abstract: Real-time customer packet traffic is instrumented to determine measured delays between two or more points along a path actually traveled by a packet, such as within or external to one or more packet switching devices. These measurements may include delays within a packet switching device other than the ingress and egress time of a packet. These measured delays can be used to determine whether or not the performance of a packet switching device or network meets desired levels, especially for complying with a Service Level Agreement.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with determining and distributing routing paths for nodes in a network. For each route computational node of multiple route computational nodes in a network: a tree of paths between itself and each of multiple nodes in the network is determined. A particular tree of paths is determined for a particular node of these multiple nodes to the other nodes based on at least two of the determined trees of paths for the route computational nodes. The particular node then sends a packet towards a destination based on the particular tree of paths determined for the particular node.

Abstract: Methods and apparatus are disclosed for generating a result based on a lookup result from a lookup operation using an associative memory and processing based on a discriminator portion of a lookup word. A first lookup operation is performed to generate a lookup result. In one implementation, a second lookup operation is performed based on a discriminator or the lookup result depending on the result of an evaluation, such as whether there was a hit or the lookup result matches a predetermined value. In one implementation, a second lookup operation is performed based on the discriminator, and either the result of the first or second lookup operation is used for subsequent processing. One implementation performs a lookup operation based on a lookup word to generate a lookup result, which is used to retrieve a base address and a bitmap from a memory.

Abstract: A hierarchical protection switching framework uses detectors and protectors. A protector registers with a detector to receive notifications. A detector identifies a condition and the interested protector, and notifies the interested protector. The protector in response to the notification, typically either performs protection switching or notifies another protector of the condition. This protection switching is an extensible operation, and typically may include, but is not limited to switching traffic to a backup facility from a facility corresponding to the condition and switching traffic to a backup component from a component corresponding to the condition. The decision of a protector whether to notify another protector of the condition can be made based on different factors, such as, but not limited to a failure of the protection switching by the protector, a database lookup operation to identify whether notification of another particular condition has been received or not received, etc.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms for limiting unauthorized multicast sources. One or more access control lists are typically configured in a switching device to a state that denies forwarding of multicast packets with a particular host as its source. In response to a received multicast application admission-control message identifying the particular host, the one or more access control lists in the switching device are updated to allow multicast messages sent from the particular host to be forwarded. In one system, the received multicast application admission-control message is an Internet Group Management Protocol (IGMP) message.

Abstract: Flow identification value masks are identified based on, and used to mask a flow identification value associated with packets in a router, packet switching or computer system, any other device. These masks may be specified in access control lists or using any other mechanism, and typically are added to an associative memory or other mechanism keyed on their corresponding flow identification values for performing fast lookup operations. A lookup operation is performed based on the flow identification value associated with a particular packet to identify the correspond mask, which is then used to produce a masked flow identification value, and based on which, a value is updated in a data structure and/or other processing of the packet is performed.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means for transportation of IEEE 802.1ah frames over Multiprotocol Label Switching (MPLS) pseudowires for Virtual Private LAN Services (VPLS). The IEEE 802.1ah frames include a corresponding B-VLAN tag, while the MPLS packets including these frames do not include the corresponding B-VLAN tag, and disclosed are methods and apparatus for performing such translation.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for maintaining consistency among timestamp counters distributed among multiple devices. When timestamp counters are distributed among multiple physical devices, variances in their timestamp values can occur, such as, but not limited to those cause by variances among clocks in these different devices, different routing delays, different components, etc. These differences may be same, but still not allow high enough precision, especially as packet and processing rates continue to increase (which also causes clocking rates of devices to increase). One implementation distributes a time advance signal to each of these devices, which each device independently uses to determine when to advance its timestamp counter in response to its clock signal.

Abstract: Disclosed are, inter alia, methods, apparatus, computer-readable media, mechanisms used in one embodiment configured for, and means for, determining packet forwarding information for packets sent from a protocol offload engine in a packet switching device. The protocol offload engine performs the protocol processing for a protocol application (e.g., BGP) running on a separate control plane processing system, and generates packets to be sent to external devices. The protocol offload engine sends these packets to one of the line cards without using the routing information lookup facility of the control plane processing system, thereby, freeing the control plane processing system to use those processing cycles to perform other tasks.