Abstract: A method of determining a physical location of a device connected to a data network infrastructure including a plurality of connection points at different physical locations, the method including establishing a connection with the data network infrastructure via a cable-based transmission medium, wherein a communication signal passes via the cable-based transmission medium including at least one of the plurality of connection points. A connection point identifier is determined based, at least in part, upon the at least one of the plurality of connection points. A signal characteristic of the communication signal passing via the cable-based transmission medium between the device and the data network infrastructure through the at least one of the plurality of connection points is measured.

Abstract: The present invention provides a method and system for controlling usage of network resources on a communications network. The method comprising acts of: (a) creating one or more packet rules for analyzing packets received at one or more devices of the communications network, each rule including a condition and action to be taken if a packet received at a device satisfies the condition; and (b) creating one or more service abstractions associated with a user of the communication network, each service abstraction representing a named set of one or more of the packet rules. In some embodiments one or more role abstractions may be created, each role abstraction representing a role of a user with respect to the communications network, and each role abstraction including a set of one or more packet rules, and possibly one or more service abstractions.

Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the minor destination point.

Abstract: Method and apparatus providing connection-oriented services for packet switched data communications networks. Directory services include distributed discovery of MAC addresses and protocol alias addresses. Topology services include a link state topology exchange among switches, which provides each switch with a complete topology graph of the network. This enables an access switch receiving a data packet to determine a complete path from a source end system to a destination end system. Another service includes resolution of broadcast frames to unicast frames, in order to reduce the amount of broadcast traffic. Policy restrictions may be applied prior to connection setup. Path determination services enable multiple paths from a source to a destination. Connection management includes source routed mapping of connections on the desired path.

Abstract: Methods and apparatus relating to intermediate system recovery to reduce the required amount of computational resources and network bandwidth to recover an intermediate system after an operational failure. The intermediate system conceals its operational failure from neighboring systems and queries them for information sufficient to simplify the reconstruction of its routing information. The intermediate system can interoperate with existing neighbor intermediate systems that have not implemented the invention allowing the benefit and convenience of incrementally deploying embodiments of the present invention. Embodiments of the present invention include but are not limited to intermediate systems that use IS-IS and BGP protocols.

Abstract: Method and apparatus providing connection-oriented services for packet switched data communications networks. Directory services include distributed discovery of MAC addresses and protocol alias addresses. Topology services include a link state topology exchange among switches, which provides each switch with a complete topology graph of the network. This enables an access switch receiving a data packet to determine a complete path from a source end system to a destination end system. Another service includes resolution of broadcast frames to unicast frames, in order to reduce the amount of broadcast traffic. Policy restrictions may be applied prior to connection setup. Path determination services enable multiple paths from a source to a destination. Connection management includes source routed mapping of connections on the desired path.

Abstract: The present invention provides method and systems for activating or deactivating network devices by managing the power of the network device. By controlling the power for network devices, the size and coverage of the network can be adjusted to meet the needs for the current usage. This can be particularly advantageous in wireless networks where multiple wireless access points may be provided to provide coverage during peak usage but present the additional security concern of the network being accessible to unauthorized users. Being able to power down unneeded wireless access points during off-peak usage allows for the minimization of such potential security concerns.

Abstract: A system that associates physical locations with network-linked devices in a network to which such devices are connected. This system employs a variety of techniques for establishing device location. The system configuration can vary and can include any type of data network, including LANs, MANs, Wide Area Networks (WANs), Personal Area Networks (PANs), and Home Networks. The system provides location information for particular devices to the network devices and management, and may be used in any of a variety of ways to improve configuration accuracy, control, and security. The location information may also be used to control or secure a device itself.

Abstract: A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning.

Abstract: A method for location discovery in a data network includes receiving, at a first device, connection information from a neighboring network device and determining a physical location of the first device based on the connection information. The method can include receiving, at the first device, the physical location transmitted from the neighboring network device. The method can further include associating a level of trust with the physical location based on the neighboring network device. The first device be one of a variety of devices, such as a router, a switch, a network entry device, a firewall device, or a gateway.

Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.

Abstract: An approach to rapid failover of a communication path between computers that are linked by redundant virtual links in a virtual private network (VPN) features detection of communication link and device failures through an active monitoring approach and re-routing of communication through a redundant link of the VPN when a failure is detected.

Abstract: A method and apparatus are provided for creating a virtual hierarchical local area network. The method and apparatus provide a hierarchical framing technique that allows a network architecture to realize a local area network hierarchy within the network. In this manner, a first local area network hierarchy is defined by communication in a first frame format between a first set of network devices and a second set of network devices. A second local area network hierarchy is defined by communication in a second frame format between members of the second set of network devices. The second frame format includes the fields of a frame in the first frame format that is used to communicate between the first set of communication devices and the second set of communication devices.

Abstract: A connector assembly, configured to releasably couple a socket assembly, includes zero or more data conductors. An optical pathway is configured to: receive an optical signal from an optical light source positioned within the socket assembly; and provide at least a portion of the optical signal to an optical light target positioned within the socket assembly.

Abstract: One or more trusted network devices within a data network infrastructure determine a physical location of a client device requesting access to the data network infrastructure. A trusted physical location is generated and associated with the client device. The approach can include determining whether a candidate network device is a trusted network device based on a likelihood that the candidate network device can be modified to provide false physical location data. The approach also can include determining a response for an access request by the client and controlling network resources provided to the client based on the trusted physical location.

Abstract: A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and makes a determination whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies.

Abstract: A method includes receiving, on a first network device, an announcement message from an endpoint device connected to the first network device via a network connection. The announcement message, which includes at least one connection criteria, is transmitted to one or more downstream network devices.

Abstract: A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning.

Abstract: Methods and apparatus for the provision of differentiated services in a packet-based network may be provided in a communications device such as a switch or router having input ports and output ports. Each output port is associated with a set of configurable queues that store incoming data packets from one or more input ports. A scheduling mechanism retrieves data packets from individual queues in accord with a specified configuration, providing both pure priority and proportionate de-queuing to achieve a guaranteed QoS over a connectionless network.

Abstract: A method and apparatus are provided for creating a virtual hierarchical local area network. The method and apparatus provide a hierarchical framing technique that allows a network architecture to realize a local area network hierarchy within the network. In this manner, a first local area network hierarchy is defined by communication in a first frame format between a first set of network devices and a second set of network devices. A second local area network hierarchy is defined by communication in a second frame format between members of the second set of network devices. The second frame format includes the fields of a frame in the first frame format that is used to communicate between the first set of communication devices and the second set of communication devices.