Abstract: A method for performing aggregation at one or more layers starts with an AP placing at a first layer one or more received frames in a queue at the AP. When a transmit scheduler is ready to transmit an aggregated frame corresponding to the queue, the AP may iteratively select a plurality of frames selected from the one or more received frames, and aggregate at the first layer the plurality of frames into the aggregated frame. The number of frames included in an aggregated frame may be based on at least one of: a dynamically updated rate of transmission associated with a size of the frames, a class of the frames, a transmission opportunity value associated with the class of the frames and a total projected airtime for transmitting the aggregated frame. Other embodiments are also described.
Abstract: A method includes steering client devices to access points that potentially increase capacity of communications using beamformed transmissions. In particular, this includes determining the best access points for beamforming to a particular client or a group of clients in the network for an improved throughput performance in the deployment or a subset of access points.
Type: Application
Filed: April 5, 2013
Publication date: September 18, 2014
Applicant: Aruba Networks, Inc.
Inventors: Kalyan Dharanipragada, Gautam D. Bhanage, Venkatesh Kannan, Sachin Ganu, Scott McGrath
Abstract: A method includes determining an optimized channel width between client devices and access points based on network conditions in a wireless network. In particular, the channel widths may be optimized to reduce airtime usage on access points and eliminate a high density condition while the client devices are steered to access points that provide the greatest channel capacity gains based on signal-to-noise-ratios for each spatial stream in a beamformed transmission.
Type: Application
Filed: April 5, 2013
Publication date: September 18, 2014
Applicant: Aruba Networks, Inc.
Inventors: Gautam D. Bhanage, Sachin Ganu, Partha Narasimhan
Abstract: A method for load balancing traffic from controller to destination access point (AP) via switch across multiple physical ports starts with controller receiving a packet from a source client device that is destined for destination client device associated with destination AP. The controller may select, based on an identifier associated with source or destination client device, a first or a second controller IP address. Controller may encapsulate the packet to generate an encapsulated packet including an outer header that includes the selected controller IP address. Controller may transmit the encapsulated packet to the switch that may distribute traffic to destination AP across multiple physical ports based on the selected controller IP address. Controller may also select a destination port based on destination client device of a packet and may encapsulate the packet using CAPWAP to generate an encapsulated packet including the destination port in a header of the encapsulated packet.
Abstract: The present disclosure discloses a method and network device for offloading cryptographic functions to support a large number of clients. Specifically, a network device receives a packet corresponding to a client device via an interface, and determines whether a first hardware module that performs cryptographic operations on a per-client basis overflows. If first hardware module overflows, the network device retrieves a cryptographic key for the packet, and sends the received packet with the retrieved cryptographic key to a second hardware module that performs cryptographic operations on a per-packet basis to perform one or more cryptographic operations. If not, the network device sends the packet to the first hardware module to perform the one or more cryptographic operations.
Type: Application
Filed: June 28, 2013
Publication date: September 18, 2014
Applicant: Aruba Networks, Inc.
Inventors: Jie Jiang, Kalyan Dharanipragada, Steve Alexander
Abstract: Initiating peer-to-peer tunnels between clients in a mobility domain. Client traffic in a mobility domain normally passes from the initiating client to an access node, and from the access node through a tunnel to a controller, and then through another tunnel from the controller to the destination access node, and the destination client. When initiated by the controller, the access nodes establish a peer-to-peer tunnel for suitable client traffic, bypassing the “slow” tunnels through the controller with a “fast” peer-to-peer tunnel. Traffic through this “fast” tunnel may be initiated once the tunnel is established, or traffic for the “fast” tunnel may be queued up until traffic has completed passing through the “slow” tunnel.
Abstract: According to one embodiment of the invention, a method comprises an operation of commencing a first phase and passing control of an authentication handshaking protocol. The first phase is commenced for establishing a secure communication path by a data path processor within a first network device. The first phase comprises an exchange of data during an authentication handshaking protocol. The passing of control for authentication handshaking protocol by the data path processor to a control path processor is conducted to complete the authentication handshaking protocol.
Abstract: According to one embodiment, a method comprises an operation of identifying a plurality of network devices, and detecting a presence of firewall processing functionality in a subset of the network devices. At least one of the network devices not in the firewall subset is configured to forward packets to a network device of the subset for firewall processing.
Type: Application
Filed: March 8, 2013
Publication date: September 11, 2014
Applicant: Aruba Networks, Inc.
Inventors: Atul Moghe, Sai G. Sitharaman, Praveen Karadakal
Abstract: The secure configuration of a headless networking device is described. A label associated with the headless networking device is scanned and a public key is determined. A configuration process is initiated for the networking device using the public key associated with the networking device that was determined based on the scanned label.
Abstract: An access point device that is adapted to a wireless network and a wired network is disclosed. The access point includes a transceiver to receive wireless frames from a plurality of wireless devices of the wireless network, respectively, and at least one component to process information extracted from the wireless frames and to control channel scanning based upon at least one of an amount of wireless device traffic and a type of call.
Abstract: A method includes identifying internal links or forwarding elements within other network devices. The method further includes selecting a route for forwarding a packet through the other network devices based, at least in part, on link costs associated with the internal links within the other network devices.
Abstract: Client traffic normally passes from a client to an access node, and from the access node through a tunnel to a controller, and then through another tunnel from the controller to the destination access node, and the destination client. When initiated by the controller, the access nodes establish a peer-to-peer tunnel for suitable client traffic, bypassing the “slow” tunnels through the controller with a “fast” peer-to-peer tunnel. Traffic through this “fast” tunnel may be initiated once the tunnel is established, or traffic for the “fast” tunnel may be queued up until traffic has completed passing through the “slow” tunnel. Slow tunnel traffic may be timed out, and queued traffic released after a preset time since the last packet was sent through the slow tunnel. The identity of the last packet sent through the slow tunnel may be retained, and queued traffic released when an acknowledgement for that packet is received.
Abstract: The present disclosure discloses a method and network device for network failover and/or network selection with a multi-mode modem in remote access points. A RAP initially is set to allow the modem's firmware to select an ISP-preferred available network. Then, the RAP collects network selection attributes, including RSSI, for the selected network, derives a NSC value based on the attributes, and determines whether the derived NSC value is within an expected range. If so, the device establishes a secure tunnel connection through the modem on the modem-selected network. Otherwise, the RAP commands the modem to connect to an alternative network, and derives the NSC value for the alternative network selected by the RAP. If the NSC value for the alternative network is within an expected range, the RAP establishes a secure connection on the alternative network. On rebootstrap, the RAP repeats the above operations until a stable network is selected.
Abstract: According to one embodiment of the invention, a method comprises transmitting a Layer 2 (L2) frame from a first wireless device. Upon receipt of a frame in response to the L2 frame, the first wireless device uses information conveyed in the frame to modify its functionality.
Abstract: Determining whether a station is at the edge of wireless local area network (WLAN) coverage. In an IEEE 802.11 wireless network comprising one or more access points (APs), which may optionally be connected to one or more controllers, with wireless clients connected to those APs, station S connected to AP A collects reports such as beacon reports, which contain information on all APs station S can hear, including signal strengths. AP A collects a neighbor report which contains information on all APs in its neighborhood, including signal strengths. These reports from A and S are observed and compared over time to determine when S is at or is moving to the edge of WLAN coverage. For example, if the only entry in the beacon list for client S is AP A to which it is connected, and the signal strength is decreasing over time, S is at the edge of WLAN coverage and is moving away from the WLAN. The process may be implemented at a controller, at a client, or both.
Abstract: In one embodiment of the invention, a wireless network is adapted with a wireless network switch in communication with a plurality of access points, which are in communication with one or more stations. Coupled to the access points over an interconnect, the wireless network switch is adapted to receive a DEAUTHENTICATION message sent by one of the plurality of access points in the same coverage area of the station so as to detect the DEAUTHENTICATION message and to block communications between the plurality of access points and the station in response to determining that the DEAUTHENTICATION message is invalid.
Type: Grant
Filed: June 24, 2011
Date of Patent: June 10, 2014
Assignee: Aruba Networks, Inc.
Inventors: Pradeep J. Iyer, Partha Narasimhan, Merwyn Andrade, John Richard Taylor
Abstract: Authentication of parties through a trusted intermediary is described. The standard Otway-Rees authentication protocol is modified to provide authentication between A and B using intermediary T such that T serves only as an authenticator, and does not participate in the generation of the key shared between A and B.
Abstract: A first data set is derived from a second data set. The first data set is stored in a database of derived data sets. The second data set is updated without updating the first data set, such that the first data set and the second data set are inconsistent. The first data set is deleted or updated during batch processing of the database of the derived data sets.
Abstract: Handover of a call to a dual-mode phone from cellular to Wi-Fi. When handing over a call mediated by a mobility controller to a dual-mode phone and switching the call from a cellular to a Wi-Fi call, the mobility controller initiates a Wi-Fi connection to the dual mode phone. When the Wi-Fi connection is established, and with the cellular connection through the mobility controller still in place, the mobility controller starts a timer with a predetermined value and the dual-mode phone initiates release of the cellular connection. When the timer expires, the mobility controller switches the call from the cellular connection to the Wi-Fi connection.
Abstract: According to one embodiment, a non-transitory computer readable medium is described that comprises instructions which, when executed by one or more hardware processors, cause dynamic determination of one or more transmission parameters for transmitting a particular network packet of a plurality of network packets. The transmission parameters are determined based on (a) a classification associated with the particular network packet and (b) one or more current conditions. Subsequent to this determination, the particular network packet is transmitted using the one or more transmission parameters.