Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Abstract: A service gateway includes a fast path module for processing data packets without using packet buffers and a normal path module for processing data packets using packet buffers. The fast path module receives a service request data packet from a client side session, determines that the service request data packet cannot be processed by the fast path module, and in response, sends the service request data packet to the normal path module. After receiving the service request data packet, the normal path module retrieves a first proxy session record created by the fast path module, where the first proxy session record is associated with a client session record for the client side session, creates a second proxy session record based on the service request data packet and the client session record, and processes the service request data packet according to the second proxy session record.

Abstract: A local network, such as a data center, includes a plurality of servers each of which are linked to a network switch. Some of the plurality of servers are network virtualization capable and some are not. The network virtualization capable servers include functionality that encapsulates a data frame, generated by one network virtualization servers that is to be sent to another network virtualization capable server, with a network virtualization identity. In the event that a network virtualization server generates a data frame for transmission to a server that is not capable of network virtualization, the network virtualization capable server does not encapsulate the data frame with the network virtualization identity.

Abstract: A stacked chassis comprising multiple physical switch/router chassis operates without any special stacking hardware or stacking channels. Instead, a stacking LAG is installed between front-end switch ports on the stacked chassis. The chassis controllers negotiate a master, which controls operation of all chassis in the stack. A stacked-chassis-wide port numbering scheme is used to distribute information to all line cards in the system. Each line card processes the information to distill physical-chassis significant information for operation of that chassis in the stack.

Abstract: A packet network device includes a route processor that operates to maintain one or more forwarding tables and it includes one or more line cards that operate to process information received by the packet network device from the network and to forward the information to its correct destination. The route processor also operates to identify which incoming prefixes can be used to update the forwarding tables or to identify prefixes stored in the packet network device that can be redistributed from one network protocol to another network protocol running on the route processor. A table management function running on the route processor operates to identify the best match between an incoming prefix and information included in policy statement associated with both an ordered prefix-list and a radix tree structure.

Abstract: The processing of data packets sent over a communication session between a host and a server by a service gateway, includes: processing a data packet using a current hybrid-stateful or hybrid-stateless, processing method; checking whether a hybrid-stateless, or hybrid-stateful, condition is satisfied; when the condition is satisfied, changing from a hybrid-stateful to a hybrid-stateless processing method, or vice versa, for a subsequently received data packet; and otherwise, continue processing the subsequently received data packet using the current hybrid processing method.

Abstract: Methods and apparatus for serial channel operation are disclosed. An N+1-level signaling scheme is used to transmit N staggered but overlapping NRZ sub-sequences concurrently on a serial channel. Each sequence has a bit rate R and an essential bandwidth of R Hz. The combined bit rate of the channel is N×R, but due to a lack of correlation between the sub-sequences, the essential bandwidth remains approximately R Hz. The signaling scheme also contains redundancy that allows some errors to be detected and/or corrected. Other embodiments are also described and claimed.

Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

Abstract: A network switch suitable for receiving packets of information from and the packets of information to a communications network includes a plurality of physical ports, packet processing functionality and memory. The packet processing functionality operates on information stored in memory to determine the LAG, from among two or more LAGs, over which a packet received by the switch should be correctly forwarded. The switch memory stores a plurality of LAG tables, each one of which can include one or more entries comprising a physical port number and a packet parameter that are used by the packet processing functionality to determinately identify the correct LAG over which to forward a packet.

Abstract: Systems, methods, and apparatuses are provided that enable streaming of ATM cells between a transmit/receive data processing application and a transmission convergence function. Data to be segmented into an ATM cell is received at a SAR engine, and provided to a transmission convergence function, with the first cells transmitted to the transmission convergence function before the SAR function receives an end-of-packet indication from the optimization engine. Data received at a transmission convergence function is placed in a received packet queue at the SAR function, with packets provided to an application after a start-of-packet indication is received, and before an end-of-packet indication is received, at the SAR function.

Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Abstract: A distributed-forwarding router platform contains a master and a standby route processing manager (RPM). The master RPM uses dynamic internal routing codes to facilitate the replication of multicast packets within the router. As internal routing codes are assigned, the assignments are shared with the standby RPM. Should the standby RPM have to take over as the master RPM, the new master consults the internal routing codes assigned by the previous master as the new master builds multicast state, insuring that the internal routing codes the new master assigns are consistent with those used by the prior master. This allows the multicast forwarding plane to remain available during RPM failover, without a shutdown or unstable period while the new master RPM propagates internal routing codes. Other embodiments are also described and claimed.

Abstract: A modular packet network device has a chassis in which multiple logic cards mate to the front side of an electrical signaling backplane. Logic power for the logic cards is supplied from a group of power converter cards that convert primary power to the logic voltages required by the logic cards. The power converter cards lie in a separate cooling path behind the backplane. Advantages achieved in at least some of the embodiments include removing primary power planes from the signaling backplane or portion of the backplane, providing redundant, upgradeable power modules whose individual failure does not cause logic card failure, and providing cool air to power converter circuits that would be subject to only heated air if located on the logic cards. Other embodiments are also described and claimed.

Abstract: A stacked chassis comprising multiple physical switch/router chassis operates without any special stacking hardware or stacking channels. Instead, a stacking LAG is installed between front-end switch ports on the stacked chassis. The chassis controllers negotiate a master, which controls operation of all chassis in the stack. A stacked-chassis-wide port numbering scheme is used to distribute information to all line cards in the system. Each line card processes the information to distill physical-chassis significant information for operation of that chassis in the stack.

Abstract: A stacked switch includes two or more individual network switches connected to each other in a ring or daisy chain topology over stacking links, and at least one port on two or more of the individual switches comprising the stacked switch is a member of a LAG configured on the stacked switch. Each of the individual switches comprising the stacked switch include control plane and data plane functionality that operates to maintain switching tables and to process network data ingressing to the switch to determine how to forward the network data through the switch to an egress point. The control functionality included in each of the switches comprising the stacked switch also includes an enhanced ECMP functionality that operates to optimize the use of stacking link bandwidth on the stacking links connecting the two or more individual switches to each other.

Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.

Abstract: Synchronization of configuration files of a virtual application distribution chassis, includes: processing a configuration command received by a master blade; updating a first configuration file with the configuration command and an updated tag by the master blade; sending a configuration message by the master blade to the slave blades informing of the updated configuration file, the configuration message comprising the updated tag; in response to receiving the configuration message by a given slave blade of the one or more slave blades, comparing the updated tag in the configuration message with a tag in a second configuration file stored at the given slave blade; and in response to determining that the updated tag in the configuration message is more recent than the tag in the second configuration file stored at the given slave blade, sending a request for the updated configuration file to the master blade by the given slave blade.

Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.

Abstract: Method for applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: Circuit boards and methods for their manufacture are disclosed. The circuit boards carry high-speed signals using conductors formed to include lengthwise channels. The channels increase the surface area of the conductors, and therefore enhance the ability of the conductors to carry high-speed signals. In at least some embodiments, a discontinuity also exists between the dielectric constant within the channels and just outside the channels, which is believed to reduce signal loss into the dielectric material.