Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Abstract: Two network switches are configured in a stacked relationship to each other and include link aggregation sub-layer functionality. Switching tables are programmed on each switch with information used to forward packets ingressing to them over a redundant LAG that is identified in the switching table by a port that is a member of the redundant LAG.

Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.

Abstract: A LAN includes a router that is connected to two or more racks of servers and each of the servers can support a plurality of virtual machines. The router is configured to forward data packets based on IP destination addresses or based on destination MAC addresses and builds and maintains forwarding tables in support of data packet forwarding in the layer 3 and the layer 2 network environment. In support of layer 2 forwarding, the router builds and maintains an aggregated MAC switching table that is comprise of a subset of the table entries typically needed to switch packets to their destination, and in support of layer 3 forwarding, the router or switch builds and maintains an aggregated ARP forwarding table that is comprised of a subset of the table entries typically needed to forward packets to their destination.

Abstract: Methods and apparatus for serial channel operation are disclosed. An N+1-level signaling scheme is used to transmit N staggered but overlapping NRZ sub-sequences concurrently on a serial channel. Each sequence has a bit rate R and an essential bandwidth of R Hz. The combined bit rate of the channel is N×R, but due to a lack of correlation between the sub-sequences, the essential bandwidth remains approximately R Hz. The signaling scheme also contains redundancy that allows some errors to be detected and/or corrected. Other embodiments are also described and claimed.

Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

Abstract: A packet switch contains a link state group manager that forms supergroups from multiple link aggregations. The link state group manager collects state information for the link aggregations in a supergroup, and uses state criteria to determine whether the link aggregations are allowed to be up, as a supergroup, for data traffic. This allows a supergroup of links to only come up when it meets a minimum performance criteria, with traffic routed around the supergroup when the supergroup cannot meet the minimum performance criteria, even if some link aggregations in the group are functional.

Abstract: A stacked chassis comprising multiple physical switch/router chassis operates without any special stacking hardware or stacking channels. Instead, a stacking LAG is installed between front-end switch ports on the stacked chassis. The chassis controllers negotiate a master, which controls operation of all chassis in the stack. A stacked-chassis-wide port numbering scheme is used to distribute information to all line cards in the system. Each line card processes the information to distill physical-chassis significant information for operation of that chassis in the stack.

Abstract: A packet network device, such as a router or switch, includes functionality that operates to receive network traffic, process the traffic as needed and to forward the traffic to its destination. Additionally, each router includes a weighted equal cost multipath routing function that operates to identify equal cost paths over which to forward the network traffic, to calculate a path weighting that is dependent upon the path bandwidth and to forward the traffic ingressing to it over each of the equal cost paths according to the calculated path weighting.

Abstract: A network switch is comprised of a control processor and one or more line cards. The control processor includes functionality to register interest with a hypervisor, operating in conjunction with a network host connected to the switch, in data object attributes maintained on the network host by the hypervisor. The hypervisor associated with the network host sends changes in the host attributes to the switch which the switch maintains in a listing of attributes. The switch traps and copies particular packets to the switch control processor where a provisioning function operates on the attribute information in the list with source information included in the packet header in order to configure a forwarding table on the line card.

Abstract: A packet network system, such as an autonomous system, includes a plurality of packet network devices some of which are edge routers and some of which are core routers. Each of the edge and core routers include functionality that operates to receive network traffic, process the traffic as needed and to forward the traffic to its destination. Additionally, each router includes a traffic distribution function that operates to calculate path bandwidths for all of the paths over which the traffic can be forwarding through the system and to use the volume of traffic ingressing to the system, link utilization information and the calculated path bandwidth to redistribute the traffic in the system such that traffic loss in the system in minimized.

Abstract: Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response.

Abstract: Methods of operating a packet network device having multiple serial channels crossing a backplane are disclosed. In at least one embodiment, a management function performs dynamic modifications to the packet network device configuration in response to detected backplane errors. These modifications can directly alter a characteristic of a channel that is generating errors, or can indirectly affect such a channel by directly altering a characteristic of an “aggressor” channel that is indicated as producing crosstalk on that channel. Other embodiments are also described and claimed.

Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.

Abstract: A standoff joins a circuit board to a chassis member using a rivet. The standoff has a cap surface with a hole that allows the body of an unexpanded blind rivet to pass into an inner cavity of the standoff. The rivet is then expanded against the underside of the cap. In use, the standoff rests against the underside of a circuit board, and the rivet passes through a hole in the circuit board and into the standoff. The rivet head engages the circuit board to hold the circuit board against the standoff.

Abstract: A serial channel switch circuit and modular packet switch using the serial channel switch circuits are disclosed. The serial channel switch circuit has a reconfigurable table for internal logical-to-physical channel switch translation. Depending on the slot in which a card containing such a serial channel switch circuit is inserted in the modular packet switch, its serial channel switch circuit may receive a different set of reconfigurable table values that are specific to that location. A global set of logical channel values can be applied to each card, which performs logical-to-physical channel mapping according to its location in the modular packet switch. Other embodiments are also described and claimed.

Abstract: A network processing device, such as a router, is implemented in a thin form factor chassis that encloses a primary printed circuit board. The router chassis has elongated openings on its top surface that permit access to connectors mounted on the printed circuit board. The printed circuit board includes all of the necessary electronic components that operate to receive, process, and transmit information over the network.

Abstract: A modular packet network device has a chassis in which multiple logic cards mate to the front side of an electrical signaling backplane. Logic power for the logic cards is supplied from a group of power converter cards that convert primary power to the logic voltages required by the logic cards. The power converter cards lie in a separate cooling path behind the backplane. Advantages achieved in at least some of the embodiments include removing primary power planes from the signaling backplane or portion of the backplane, providing redundant, upgradeable power modules whose individual failure does not cause logic card failure, and providing cool air to power converter circuits that would be subject to only heated air if located on the logic cards. Other embodiments are also described and claimed.

Abstract: An autonomous system includes at least some packet network devices that are capable of operating in a virtual route aggregation environment and some packet network devices that are not capable of operating in a virtual route aggregation environment. The autonomous system includes at least one egress border router, at least one aggregation router and at least one intermediate router. The egress border router uses an interior border gateway protocol to distribute a label message to the other routers in the autonomous system, the label message including a next hop MAC address associated with either an external router or the egress border router. The egress border router and the intermediate router using information included in the label message to contrast layer 2 table entries and the aggregation router using information included in the label message to construct a layer 3 table entry.

Abstract: A service gateway processes a service request received from a host by: relaying the service request from the service gateway to a server over a service session between the service gateway and the server; determining a service request time for the service session; receiving by the service gateway a service response from the server; determining by the service gateway a service response time; calculating by the service gateway a service processing time for the service request from the service request time and the service response time; comparing the service processing time with an expected service processing time; and updating a server busy indicator for the server in response to the comparing. If the service processing time exceeds the expected service processing time, the server busy indicator is updated to indicate that the server is busy. Otherwise, the server busy indicator is updated to indicate that the server is not busy.