Abstract: Methods and systems for selectively processing VLAN traffic from different networks while allowing flexible VLAN identifier assignment are disclosed. According to one aspect, a layer 2 switch includes a virtual switch identifier data structure that associates a VLAN identifier extracted from a layer 2 frame and a port identifier corresponding to a port on which a frame is received with a virtual switch identifier. The virtual switch identifier is used to select a per-virtual-switch data structure, such as a forwarding table. The per-virtual-switch data structure is used to control processing of the layer 2 frame on a per-virtual-switch basis. The per-virtual-switch data structure may also be updated separately from the data structures assigned to other virtual switches.

Abstract: Methods, systems, and computer program products for selective layer 2 port blocking using layer 2 source addresses are disclosed. According to one method, a layer 2 frame is received. An I/O port block list is identified based on a layer 2 source address in the layer 2 frame. A set of ports to which the layer 2 fame should be forwarded is identified. The frame is blocked from being forwarded to ports in the set that are also in the I/O port block list.

Abstract: A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

Abstract: The subject matter described herein includes a packet forwarding device that implements next hop scaling. Rather than storing a complete set of next hop bindings at each packet processor, the storage of next hop bindings is distributed among packet processors in the packet forwarding device such that each packet processor stores next hop bindings for the hosts that are directly connected to the packet processor. For hosts that are not directly connected to a packet processor, the packet processor stores relay entries. Because of the distributed storage of next hop bindings, the number of hosts that can be served by a single packet forwarding device is increased over packet forwarding devices where each packet processor stores a complete set of next hop bindings for all connected hosts.

Abstract: Embodiments of the invention describe apparatus, systems and methods for creating a protection switching domain having a control virtual local area network (vlan), a first set of high priority protected data vlans, and a second set of lower priority protected data vlans. When a fault is detected at a ring network, indicating a failed link between adjacent nodes, said fault is communicated to a master node of the ring network via the control vlan. Embodiments of the invention allow a user to specify a priority for each of its domains on a given set of ring ports. The higher priority protected data domains are serviced to completion prior to servicing the lower priority protected data domains, ensuring that data traffic convergence time does not increase across these vlans.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for next hop scaling with link aggregation. According to one aspect of the subject matter described herein, a system for next hop scaling is provided. The system includes a packet forwarding device including a plurality of packet processors for performing next hop and link aggregation group (LAG) selection operations. Within this plurality of packet processors, ingress packet processors are configured to indicate, for received packets that have a next hop on a different packet processor, that an egress next hop selection operation is needed. Egress packet processors of the plurality of packet processors are configured to perform the egress next hop and member selection operations for the packets for which an egress next hop selection operation is indicated, wherein forwarding of the packets is limited to active LAG group members local to the egress packet processor.

Abstract: A method of presenting different virtual routers to different end users, classes of service, or packets is provided. An incoming packet is received having a VLAN field and at least one additional field. A key is formed from the VLAN field and at least one other packet field, and mapped into a virtual router identifier (VRID) using an indirection mapping process. The VRID identifies a particular virtual router configuration from a plurality of possible virtual router configurations. A networking device is configured to have the particular virtual router configuration identified by the VRID, and the packet is then forwarded by the configured device.

Abstract: A method is provided for determining the integrity of a domain defined in a network. The method includes processes and systems to facilitate the discovery a conceptual ring topology of the domain in the network, and the determination of the integrity of the domain based on the conceptual ring topology that was discovered.

Abstract: A system for and method of allocating a resource to a service request based on application of a persistence policy is described. In one embodiment, upon or after allocation of a resource to a resource request, an entry representing the allocation is made in a data structure using a first index derived from information relating to the resource request if such is available. An entry representing the allocation is also made in the data structure using a second index derived from information relating to the resource request. When a resource request is received, the data structure is accessed using the first index if such is available. If an entry corresponding to the first index is available, the resource corresponding to the entry is allocated to the request. If the first index or an entry corresponding to the first index is unavailable, the data structure is accessed using the second index.

Abstract: Preventing a loop in a virtual network that spans at least two rings when there is a failure in a segment shared between the rings. A node connected to the shared segment and the rings detects a failure in the segment to transmit data traffic; and prevents transmitting data traffic between the node and all the rings except for one ring, in response to detecting the failure.

Abstract: Methods, systems, and computer readable media for performing stateless load balancing of network traffic flows are disclosed. According to one aspect, the subject matter described herein includes a method for performing stateless load balancing of network traffic flows. The method occurs at a layer 3 packet forwarding and layer 2 switching device. The method includes responding to address resolution protocol (ARP) requests from clients, the ARP requests including a virtual IP (VIP) address shared by the device and a plurality of servers coupled to the device, with the medium access control (MAC) address of the device. The method also includes receiving, from the clients, packets addressed to the VIP address and having the MAC address of the device. The method further includes load sharing the packets among the servers using a layer 3 forwarding operation that appears to the clients as a layer 2 switching operation.

Abstract: A memory array comprises N+1 memory elements. N memory elements store data and one or more error check bits respectively derived from the stored data. A separate N+1 memory element stores parity bits generated from the data stored in the N memory elements. These parity bits are stored in. To recover from data errors, data in each N memory element are first checked using their respective error check bits. If faulty data are detected in one of the N memory elements, an exclusive-or operation is performed involving data in the remaining N?1 memory elements and parity bits in the N+1 memory element. This recovers the faulty data in the one memory element.

Abstract: A method and system for integrating network policy enforcement into an existing network infrastructure comprises a communications bus that links expert policy devices, such as intrusion prevention devices, with one or more connection points. The connection points are network devices that are equipped with enforcement logic for receiving reports of events via a published interface on the communications bus about the existing network infrastructure from either the policy devices or the connection points themselves, and enforcing policy at the connection points by generating an action in response to the reported events, including actions to block traffic, remediate devices, limit bandwidth, and the like, until the reported event has been addressed in a manner that ensures the security of the existing network infrastructure.

Abstract: A Provider Network Controller (PNC) addresses the challenges in building services across Next Generation Network (NGN) architectures and creates an abstraction layer as a bridge, or glue, between the network transport and applications running over it. The PNC is a multi-layer, multi-vendor dynamic control plane that implements service activation and Layer 0-2 management tools for multiple transport technologies including Carrier Ethernet, Provider Backbone Transport (PBT), Multi-protocol Label Switching (MPLS), Transport MPLS (T-MPLS), optical and integrated networking platforms. Decoupling transport controls and services from the network equipment simplifies service creation and provides options for carriers to choose best-in-class equipment that leverages the PNC to enable rapid creation and management of transports and services.

Abstract: A method is provided for pseudo wire processing in a packet forwarding device in which a packet is processed based on whether the ports through which the packet is transmitted are real or pseudo wire ports. The inbound and outbound port information is encoded using a predefined range of index values such that index values falling within one range of values are used for passing real port information, and index values falling within another range of values are used for passing pseudo wire port information. The index values are used in a manner that facilitates efficient performance of pseudowire processing for the packets in the switch fabric component of the packet forwarding device.

Abstract: A network switch includes a plurality of isolated ports, each associated with a private domain. The switch also includes a network port associated with the private domain. A memory in the switch maintains a hardware-based forwarding table for the private domain. Processing logic in the network switch prevents forwarding of packets between isolated ports within the private domain based at least in part on a privacy level associated with each entry in the hardware-based forwarding table for the private domain.

Abstract: The subject mailer described herein includes methods, systems, and computer readable media for automatically selecting between Internet protocol switching modes on a per-module basis in a packet forwarding device. According to one aspect, a method may include determining capacities of hardware longest prefix matching (LPM) tables located on each input/output (I/O) module in a multi-module IP packet forward device. The number of routes currently stored in a software LPM table may be determined. If the software LPM table can be stored within the hardware LPM table for an I/O module, an LPM mode may be automatically selected for that I/O module. If the contents of software LPM table cannot be stored within the hardware LPM table for a particular I/O module, the I/O module may be automatically transitioned to operate in an Internet protocol forwarding database (IPFDB) mode.

Abstract: A network switch automatically detects Voice over Internet Protocol (VoIP) traffic and mirrors the VoIP traffic to a security management device. The security management device measures a rate of call setup packets in the VoIP traffic. The security management device detects an attack based on a comparison of the measured rate of call setup packets to a threshold rate. Detected attacks are mitigated.

Abstract: A self-configuring network comprises network devices that are automatically provisioned with appropriate network resources upon the occurrence of a network event. A profile containing one or more commands to provision a network device with appropriate network resources is deployed to selected connecting devices. The selected connecting devices are targeted for deployment based on the network device and/or port groups to which they belong as determined from a network management system. The profile is bound to the selected connecting devices and affected ports as well as the network events that will trigger execution of the profile on the devices where they are deployed. A graphical user interface and profile information database may be used to facilitate managing the profiles, targeted devices/ports and associated network events.