Patents Assigned to Enterasys Networks, Inc.
  • Patent number: 9130826
    Abstract: A network architecture system that expands the control network administrators have on existing networks. The system provides application identification and usage data by user, by device and network location. Dynamic traffic mirroring of the system allows for the efficient use of a tool to identify computer applications running on the network. The system includes the ability to embed the tool where needed rather than pervasively based on the use of the dynamic mirroring to bring the packets to the tool. The architecture implemented functions allow the ability to start small with a single application identification tool added to a network management server, examine flows from throughout the network (via mirroring) and upgrade policy control based on real application identification data and usage, then grow to pervasive deployment where virtually all new flows could be identified and controlled via policy. This architecture enables substantially complete application visibility and control.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 8, 2015
    Assignee: Enterasys Networks, Inc.
    Inventors: Markus Nispel, David Kjendal, Michael Rash, Richard Graham
  • Patent number: 8972589
    Abstract: A request for network access is received from a client device at a network entry device of a network infrastructure. The network infrastructure determines a physical location of the client device and determines authorization of the client device based on the physical location. The approach can include providing the physical location along with other user credentials to an authorizing device. The method can also include determining a level of service based on the physical location. Communication for the approach can make use of the IEEE 802.1X protocol.
    Type: Grant
    Filed: February 28, 2003
    Date of Patent: March 3, 2015
    Assignee: Enterasys Networks, Inc.
    Inventors: John J. Roese, Richard W. Graham, David Frattura, David Harrington
  • Publication number: 20140280211
    Abstract: A function is provided for identifying computer applications running on a network. Information obtained from frames having content associated with computer applications is examined and compared to information stored on the network. The stored information is obtained from a plurality of mechanisms including computer application signatures. An application identification engine of the function compares examined content with the known application information and determines an indication of the likely computer application associated with the examined frames. The determination output may include a level of confidence in the accuracy of the determination. The function includes an application programming interface to allow the introduction into the engine of custom mechanisms for application identification. The different mechanisms may be weighted. The function may be provided in one or more devices of the network including a standalone appliance.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: Enterasys Networks, Inc.
    Inventors: Michael Rash, Patrick Bosa, Richard Graham
  • Publication number: 20140280829
    Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to mirror the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: Enterasys Networks, Inc.
    Inventors: David Kjendal, Markus Nispel, Ernie Eaton, Richard Graham, Jeffrey Haskell
  • Patent number: 8462794
    Abstract: Connection-oriented services for packet switched data communications networks are provided, including distributed MAC and protocol alias addresses discovery. Link state topology exchanges provide each switch with network topology graphs to determine paths from source to destination end systems. Broadcast frames are resolved to unicast frames to reduce broadcast traffic. Policy restrictions may be applied prior to connection setup. Connection management includes source-routed mapping of connections on the desired path. Distributed call rerouting is provided so switches receive topology change notifications and unmap failed link connections. Broadcast/unknown services provide non-resolvable packet restricted flooding. Connection-oriented switching is provided based on source and destination MAC addresses. Resolution of networks outside the switch domain is enabled by listening for network and server route advertisements and maintaining best routes to the networks and servers.
    Type: Grant
    Filed: March 23, 2010
    Date of Patent: June 11, 2013
    Assignee: Enterasys Networks, Inc.
    Inventors: Kurt Dobbins, Thomas A. Grant, David J. Ruffen, Laura Kane, Theodore Len, Philip Andlauer, David H. Bahi, Kevin Yohe, Brendan Fee, Chris Oliver, David L. Cullerot, Michael Skubisz
  • Patent number: 8347375
    Abstract: The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: January 1, 2013
    Assignee: Enterasys Networks, Inc.
    Inventors: Richard W. Graham, John J. Roese
  • Patent number: 8239960
    Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: August 7, 2012
    Assignee: Enterasys Networks, Inc.
    Inventors: David E. Frattura, Richard W. Graham, John Roese
  • Patent number: 8191107
    Abstract: A lost contact policy response system and related method for adjusting the operation of one or more network infrastructure devices upon detection of a loss of contact with a policy server function. The response system includes a policy enforcement function (“PEF”), a policy manager function, and either or both of policy set(s) and policy enforcement rule (“PER”) set(s). The PEF implements stored or generated PER set(s). The policy manager function includes a monitoring function and an analysis function. The monitoring function monitors for continuing connectivity or signal exchange contact with a network policy server function. The analysis function selects a designated policy, policy set, PER or PER set, and instructs the PEF to implement the selected policy, PER or set. The policy and/or PER sets may be pre-installed, updated, re-installed, revised, or otherwise changed when and as desired. The related method includes corresponding steps for implementing the operations of the functions described.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: May 29, 2012
    Assignee: Enterasys Networks, Inc.
    Inventors: David E. Frattura, Richard W. Graham
  • Patent number: 8166151
    Abstract: It is realized that the use of a spanning tree protocol in particular portions of a network may not necessarily be desired due to performance and stability reasons. A method and system is provided for executing a revised spanning tree algorithm that performs more optimally in particular network topologies. In one aspect, a spanning tree protocol is executed over a first and second network connected by a third network, wherein the spanning tree network is disabled in the third network. The third network may be, for example, a core network through which first and second Layer 2 networks are bridged. The first and second networks may be coupled by another network or network connection, and it may be preferable to allow the operation of the spanning tree network between the first and second coupled networks for the purpose of fail over to redundant paths.
    Type: Grant
    Filed: December 22, 2003
    Date of Patent: April 24, 2012
    Assignee: Enterasys Networks, Inc.
    Inventor: Demetrios James Tsillas
  • Patent number: 8086232
    Abstract: A scanning method, computer readable medium, and device for suspending, during a first data scanning sequence including a plurality of discrete data scanning intervals, data scanning operations during at least one discrete data scanning interval chosen from the plurality of discrete data scanning intervals. A data transmission operation is performed during the at least one discrete data scanning interval.
    Type: Grant
    Filed: June 28, 2006
    Date of Patent: December 27, 2011
    Assignee: Enterasys Networks, Inc.
    Inventor: Venkatraman G. Krishnan
  • Patent number: 8040890
    Abstract: A method and apparatus are provided for creating a virtual hierarchical local area network. The method and apparatus provide a hierarchical framing technique that allows a network architecture to realize a local area network hierarchy within the network. In this manner, a first local area network hierarchy is defined by communication in a first frame format between a first set of network devices and a second set of network devices. A second local area network hierarchy is defined by communication in a second frame format between members of the second set of network devices. The second frame format includes the fields of a frame in the first frame format that is used to communicate between the first set of communication devices and the second set of communication devices.
    Type: Grant
    Filed: March 27, 2009
    Date of Patent: October 18, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: Arnold Sodder, Timothy Mancour, Louis Didiodato
  • Patent number: 8023521
    Abstract: Methods and apparatus for the provision of differentiated services in a packet-based network may be provided in a communications device such as a switch or router having input ports and output ports. Each output port is associated with a set of configurable queues that store incoming data packets from one or more input ports. A scheduling mechanism retrieves data packets from individual queues in accord with a specified configuration, providing both pure priority and proportionate de-queuing to achieve a guaranteed QoS over a connectionless network.
    Type: Grant
    Filed: November 21, 2008
    Date of Patent: September 20, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: Leon K. Woo, Robert Ryan, John B. Crowther
  • Patent number: 8023515
    Abstract: Connection-oriented services for packet switched data communications networks are provided, including distributed MAC and protocol alias addresses discovery. Link state topology exchanges provide each switch with network topology graphs to determine paths from source to destination end systems. Broadcast frames are resolved to unicast frames to reduce broadcast traffic. Policy restrictions may be applied prior to connection setup. Connection management includes source-routed mapping of connections on the desired path. Distributed call rerouting is provided so switches receive topology change notifications and unmap failed link connections. Broadcast/unknown services provide non-resolvable packet restricted flooding. Connection-oriented switching is provided based on source and destination MAC addresses. Resolution of networks outside the switch domain is enabled by listening for network and server route advertisements and maintaining best routes to the networks and servers.
    Type: Grant
    Filed: March 23, 2010
    Date of Patent: September 20, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: Kurt Dobbins, Thomas A. Grant, David J. Ruffen, Laura Kane, Theodore Len, Philip Andlauer, David H. Bahi, Kevin Yohe, Brendan Fee, Chris Oliver, David L. Cullerot, Michael Skubisz
  • Patent number: 7990981
    Abstract: Connection-oriented services for packet switched data communications networks are provided, including distributed MAC and protocol alias addresses discovery. Link state topology exchanges provide each switch with network topology graphs to determine paths from source to destination end systems. Broadcast frames are resolved to unicast frames to reduce broadcast traffic. Policy restrictions may be applied prior to connection setup. Connection management includes source-routed mapping of connections on the desired path. Distributed call rerouting is provided so switches receive topology change notifications and unmap failed link connections. Broadcast/unknown services provide non-resolvable packet restricted flooding. Connection-oriented switching is provided based on source and destination MAC addresses. Resolution of networks outside the switch domain is enabled by listening for network and server route advertisements and maintaining best routes to the networks and servers.
    Type: Grant
    Filed: March 23, 2010
    Date of Patent: August 2, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: Kurt Dobbins, Thomas A. Grant, David J. Ruffen, Laura Kane, Theodore Len, Philip Andlauer, David H. Bahi, Kevin Yohe, Brendan Fee, Chris Oliver, David L. Cullerot, Michael Skubisz
  • Patent number: 7945945
    Abstract: A method, computer readable medium, and system for acquiring address block information for an attached function that initiates network access on a distributed computing network. Additional policy information is acquired concerning the attached function. One or more access policies are set based, at least in part, on the address block information and the additional policy information.
    Type: Grant
    Filed: August 8, 2005
    Date of Patent: May 17, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: Richard Graham, John Roese
  • Patent number: 7936770
    Abstract: A method and apparatus are provided that allows for the representation of a larger number of classes of network traffic and logical queues than is physically available on a per port basis within a network device. A number of logical queues, whose number can match the number of classes of network traffic a network device handles, may be supported across an aggregated set of ports even though the network device has fewer physical queues per port than there are classes of network traffic. The method and apparatus improve the management of network traffic sensitive to time delay and jitter, and further facilitates the operation of these applications in a simultaneous or near simultaneous manner.
    Type: Grant
    Filed: March 8, 2006
    Date of Patent: May 3, 2011
    Assignee: Enterasys Networks, Inc.
    Inventors: David E. Frattura, Richard Graham, John Roese
  • Publication number: 20110072286
    Abstract: The present invention provides methods and systems for activating or deactivating network devices by managing the power of the network device. By controlling the power for network devices, the size and coverage of the network can be adjusted to meet the needs for the current usage. This can be particularly advantageous in wireless networks where multiple wireless access points may be provided to provide coverage during peak usage but present the additional security concern of the network being accessible to unauthorized users. Being able to power down unneeded wireless access points during off-peak usage allows for the minimization of such potential security concerns.
    Type: Application
    Filed: July 12, 2010
    Publication date: March 24, 2011
    Applicant: Enterasys Networks, Inc.
    Inventor: Richard W. Graham
  • Patent number: 7898977
    Abstract: A method of determining a physical location of a device connected to a data network infrastructure including a plurality of connection points at different physical locations, the method including establishing a connection with the data network infrastructure via a cable-based transmission medium, wherein a communication signal passes via the cable-based transmission medium including at least one of the plurality of connection points. A connection point identifier is determined based, at least in part, upon the at least one of the plurality of connection points. A signal characteristic of the communication signal passing via the cable-based transmission medium between the device and the data network infrastructure through the at least one of the plurality of connection points is measured.
    Type: Grant
    Filed: February 28, 2003
    Date of Patent: March 1, 2011
    Assignee: Enterasys Networks Inc.
    Inventors: John J. Roese, Richard W. Graham, Roger P. Durand, John-Paul Gorsky
  • Patent number: 7855972
    Abstract: The present invention provides a method and system for controlling usage of network resources on a communications network. The method comprising acts of: (a) creating one or more packet rules for analyzing packets received at one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition; and (b) creating one or more service abstractions associated with a user of the communication network, each service abstraction representing a named set of one or more of the packet rules. In some embodiments one or more role abstractions may be created, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction including a set of one or more packet rules, and possibly one or more service abstractions.
    Type: Grant
    Filed: February 8, 2002
    Date of Patent: December 21, 2010
    Assignee: Enterasys Networks, Inc.
    Inventors: Steven A. Pettit, John Roese, Paula Jane Dunigan, James Richmond
  • Publication number: 20100268933
    Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.
    Type: Application
    Filed: March 26, 2010
    Publication date: October 21, 2010
    Applicant: Enterasys Networks, Inc.
    Inventors: David E. Frattura, Richard W. Graham, John Roese