Abstract: Embodiments disclosed herein provide redundant connectivity between an Ethernet Automatic Protection Switching (EAPS) access network and a Virtual Private LAN Service (VPLS) network. A first VPLS node is provided to function as an EAPS controller node. A second VPLS node is provided to function as an EAPS partner node. The first and second VPLS nodes are linked by a pseudowire and an EAPS shared-link. Additional EAPS nodes are also provided. The additional EAPS nodes are linked to each other and one of the additional EAPS nodes is designated as a master node. Links are also established between the VPLS nodes and the EAPS nodes such that one or more EAPS rings are formed. Each EAPS ring includes the shared-link between the first and second VPLS nodes. The EAPS rings are monitored to detect link failures.

Abstract: A method and apparatus is provided to control the admission of a user to a network by preventing a port through which the user connects to the network from forwarding data packets until the user is authorized. A network login controller operates in conjunction with a user interface to receive a user identification data from the port user. The network login controller further operates in conjunction with an authorization server to authenticate the user by sending a user authentication request containing the user identification data to the authentication server. The network login controller grants or denies permission to the user to access the network based on the user authentication response from the authentication server. If permission is granted, then the network login controller unblocks the port through which the user is connected to place it in packet-forwarding mode. If permission is denied, then the port remains in packet non-forwarding mode (i.e. it remains blocked).

Abstract: A method is provided for a port management system in which a switch is automatically provisioned with network resources. A command or set of commands are stored and automatically executed on the switch upon the occurrence of a defined network event. The command or set of commands may be associated with one or more ports on the switch. When executed, the commands cause a change to a port configuration and/or policy on the switch to control access to a network resource. The network resource may include any device or service accessible on the network. The defined network event may include any network event associated with a device or user connected to the network. The command or set of commands may reference variables, control structures, and functions to modify command execution.

Abstract: Systems and methods are described for analyzing the content of resource requests. A tokenizer parses the resource request and derives a key therefrom. A database associates values of the key with categories of service. An association engine uses the key to obtain one or more matching entries from the database, and derive therefrom the desired category of service for the resource request. A cookie engine derives cookie information from a cookie located in the resource request. A session engine derives session information from a session identifier located in a handshake message associated with the resource request. The desired category of service, the cookie information, and the session information are each useful for allocating a resource to the resource request.

Abstract: Techniques for providing location information describing a communication device configured to exchange telephony information over a computer network. A switching device of the computer network receives a first message according to a node-to-node communication protocol, the first message indicating that the endpoint communication device includes a configuration for a mode of operation on behalf of a telephone service account. The switching device determines from the first message an identifier of the telephone service account and sends the determined identifier in a second message via the computer network, the second message in support of a location service.

Abstract: A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

Abstract: A method and apparatus is provided to restore the configuration of a network device. A configuration manager in a network device saves a version of the configuration of the network device by storing the configuration data in an format that conforms to a standard markup language such as the extended markup language (XML). The format includes a sequence of corresponding tags and values that represent the content of the internal data structures in the memory of the router that comprise the saved version of the configuration. At the time of restoration, an parser is used to parse the values from the tags and the configuration manager restores the contents of the internal data structures in the memory of the router to the parsed values in accordance with the corresponding tags.

Abstract: A connection pacer and method for performing connection pacing in a network of servers and clients using a first-in-first-out (“FIFO”) buffer.

Abstract: A method is provided to convert network management protocol request into a markup language representation. In one embodiment, the present invention includes receiving a network management protocol request at a network device, generating a plurality of markup language tags and content embedded in the markup language tags based on the received request, and responding to the request using the plurality of markup language tags and content embedded in the markup language tags using a unified backend interface. In one embodiment, routines used to generate the plurality of markup language tags and content are generated automatically using an instrumentation module.

Abstract: A layer-2 network switch device forwarding database implementation and method to access the forwarding database. A forwarding database (FDB) is implemented as a tree. A separate VLAN database is also structured as a tree. Each node in the tree represents a separate VLAN. For each VLAN, all associated ports are maintained in a data structure organized as a tree. Likewise, all port information is maintained in a tree-based data structure, and for each port, all VLAN information associated with the port is maintained in a tree data structure. Each node in a VLAN's port tree data structure is linked with each corresponding node in the port's VLAN tree data structure. Each pair of nodes maintains a linked list of all FDB entries relating to the node pair. Operations are quickly and efficiently performed on the FDB using the data structure architecture.

Abstract: Preventing a loop in a virtual network that spans at least two rings when there is a failure in two or more segments shared between the rings. A node connected to one of the shared segments is designated as the root blocker node and prevents transmitting data traffic between the node and all the ports connected thereto that have not failed except for one, in response to detecting the failure. For one embodiment the root blocker node periodically transmits a path detect signal to validate its blocking status.

Abstract: A method and system is provided to enable quality of service across a backplane switch. An egress queue manager on one blade communicates with an ingress queue manager on the same or on another blade where each blade is connected via a backplane switch. The egress queue managers communicate the congestion to ingress queue managers using a messaging scheme. The ingress queue managers determine when to reduce or resume the packet sending rates of ingress queues mapped to congested egress queues or to destinations on congested blades. Each ingress queue manager maintains information about the status of egress queue congestion on its own blades. Normal rates of dequeuing packets from ingress queues are resumed only when the related congestion on all of the egress queues or related destinations has subsided.

Abstract: A system for and method of allocating a resource to a service request based on application of a persistence policy is described. In one embodiment, upon or after allocation of a resource to a resource request, an entry representing the allocation is made in a data structure using a first index derived from information relating to the resource request if such is available. An entry representing the allocation is also made in the data structure using a second index derived from information relating to the resource request. When a resource request is received, the data structure is accessed using the first index if such is available. If an entry corresponding to the first index is available, the resource corresponding to the entry is allocated to the request. If the first index or an entry corresponding to the first index is unavailable, the data structure is accessed using the second index.

Abstract: A method and system is provided for increasing participation in a standby router protocol (SRP) without increasing the amount of network traffic due to SRP messaging. One or more domain master VLANs participate in an SRP on behalf of numerous member VLANs belonging to the domain master VLAN's domain. The domain master VLANs are associated with at least one virtual router. Each domain member VLAN follows the current default routing configuration for the domain master VLAN as determined in accordance with the SRP election process defined for that virtual router. An end-host attached to a host-specific port on an SRP router participates in the SRP by using a router bridge connection established between the SRP router and other SRP routers supporting the virtual router. Each end-host on a host-specific port follows the current default routing configuration implemented by the current master SRP router as determined in accordance with the SRP election process defined for that virtual router.

Abstract: Devices, systems and related methods are disclosed for improving operational security of a network and/or network devices, such as wireless access points (APs). In the disclosed systems, a network device is not fully operational until it is attached to a network and downloads sensitive information. The information is stored in the network device so that when the device is disconnected from the network, the sensitive information is erased from the device, making the device inoperative and removing sensitive information, such as passwords, network security keys, or the like. Disabling the network device in this manner not only prevents the theft of sensitive network access information, by also discourages theft of the device itself because it cannot be used on another network without the configuration information. In addition to downloading configuration information, the network device can also download an executable image that is likewise not permanently resident on the device.

Abstract: A program may be extended to another program in accordance with information stored in a meta data file. A parent program is associated with the meta data file, and a child program is associated with a child description file created to conform to the information provided in the meta data file. The child description file is stored in a well-known location where it may be accessed by the parent program to learn how communicate with the child program, including which arguments and parameters to use, advantageously providing parent programs with a consistent user interface when interfacing with various child programs as well as the flexibility to add or change child description files to describe new or changed child programs as the need arises.

Abstract: Systems and related methods are described for handling one or more resource requests. A protocol engine receives a resource request in accordance with a prescribed protocol, and a classification engine determines a desired class of service for the request. An analysis engine optionally analyzes the request, and, responsive thereto, determines a desired sub-class of service for the request. A policy engine then allocates a resource to the request responsive to one or both of the desired class of service, and the desired sub-class of service.

Abstract: A method and system is provided to enable quality of service across a backplane switch. An egress queue manager on one blade communicates with an egress queue manager on another blade where each blade is connected via a backplane switch. When a blade becomes congested, egress queues mapped to a destination on the congested blade also become congested. The egress queue managers determine when to reduce or resume the packet sending rates of egress queues mapped to destinations on congested blades using a messaging scheme. Each egress queue manager maintains notifications of the status of egress queue congestion on its own and other blades. Normal rates of dequeuing packets are resumed only when the related congestion on all of the blades has subsided.

Abstract: A Point-to-Point Protocol (PPP) identifier (PPP ID) value of a PPP frame, including data, is converted to an associated Ethernet Virtual Local Area Network (VLAN) tag identifier (ID) value to enable the PPP ID value information to be communicated in an Ethernet frame to the next transmission layer for use in routing the data from the PPP frame.

Abstract: A method and system is provided to control and check run-time process dependencies. When a process manager receives a request to start a new process, the process manager accesses a configuration file to check if the new process depends on any other processes to be running and what versions of these prerequisite processes are required. If an exact version is specified in the configuration file, the prerequisite process version must match the exact version specified to be compatible with the new process. If a range of acceptable versions is specified in the configuration file, the prerequisite process version must fall within the range of acceptable versions to be compatible with the new process. If a minimum acceptable version is specified in the configuration file, then the prerequisite process version must be greater than or equal to the minimum acceptable version specified.