Abstract: On-switch methods for enforcing a policy relating to one or more network switch resources, for detecting and mitigating a network anomaly, and for selectively filtering packets to an externally-accessible port, are provided. The methods may each be embodied as one or more rules held by one or more processor readable media, with one or more of the rules defining one or more conditions to be met by one or more usage-derived packet statistics, and one or more actions to be performed if the one or more conditions are met.

Abstract: A method and apparatus is provided to control the admission of a user to a network by preventing a port through which the user connects to the network from forwarding data packets until the user is authorized. A network login controller operates in conjunction with a user interface to receive a user identification data from the port user. The network login controller further operates in conjunction with an authorization server to authenticate the user by sending a user authentication request containing the user identification data to the authentication server. The network login controller grants or denies permission to the user to access the network based on the user authentication response from the authentication server. If permission is granted, then the network login controller unblocks the port through which the user is connected to place it in packet-forwarding mode. If permission is denied, then the port remains in packet non-forwarding mode (i.e. it remains blocked).

Abstract: A method is provided for a port management system in which a switch is automatically provisioned with network resources. A command or set of commands are stored and automatically executed on the switch upon the occurrence of a defined network event. The command or set of commands may be associated with one or more ports on the switch. When executed, the commands cause a change to a port configuration and/or policy on the switch to control access to a network resource. The network resource may include any device or service accessible on the network. The defined network event may include any network event associated with a device or user connected to the network. The command or set of commands may reference variables, control structures, and functions to modify command execution.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for improved multi-switch link aggregation group (MLAG) convergence. According to one aspect of the subject matter described herein, a system for improved multi-switch link aggregation group (MLAG) convergence is provided. The system includes a packet forwarding device. The packet forwarding device includes a packet processor for receiving a packet and determining that the packet is destined for a port of the packet forwarding device associated with an MLAG group. The packet forwarding device further includes an MLAG module associated with the packet processor for determining that the port is inactive, and in response to determining that the port is inactive, performing a convergence operation, wherein the convergence operation includes redirecting, using a redirection filter, the received packet towards an active port associated with the MLAG group.

Abstract: Methods and systems for selectively processing VLAN traffic from different networks while allowing flexible VLAN identifier assignment are disclosed. According to one aspect, a layer 2 switch includes a virtual switch identifier data structure that associates a VLAN identifier extracted from a layer 2 frame and a port identifier corresponding to a port on which a frame is received with a virtual switch identifier. The virtual switch identifier is used to select a per-virtual-switch data structure, such as a forwarding table. The per-virtual-switch data structure is used to control processing of the layer 2 frame on a per-virtual-switch basis. The per-virtual-switch data structure may also be updated separately from the data structures assigned to other virtual switches.

Abstract: Methods, systems, and computer program products for selective layer 2 port blocking using layer 2 source addresses are disclosed. According to one method, a layer 2 frame is received. An I/O port block list is identified based on a layer 2 source address in the layer 2 frame. A set of ports to which the layer 2 fame should be forwarded is identified. The frame is blocked from being forwarded to ports in the set that are also in the I/O port block list.

Abstract: A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol state machine violations, tracking roaming behavior of clients, and detecting network addresses being improperly used in multiple locations. Upon detecting an intruder, the network can automatically locate and shut off the physical/logical port to which the intruder is connected.

Abstract: The subject matter described herein includes a packet forwarding device that implements next hop scaling. Rather than storing a complete set of next hop bindings at each packet processor, the storage of next hop bindings is distributed among packet processors in the packet forwarding device such that each packet processor stores next hop bindings for the hosts that are directly connected to the packet processor. For hosts that are not directly connected to a packet processor, the packet processor stores relay entries. Because of the distributed storage of next hop bindings, the number of hosts that can be served by a single packet forwarding device is increased over packet forwarding devices where each packet processor stores a complete set of next hop bindings for all connected hosts.

Abstract: Embodiments of the invention describe apparatus, systems and methods for creating a protection switching domain having a control virtual local area network (vlan), a first set of high priority protected data vlans, and a second set of lower priority protected data vlans. When a fault is detected at a ring network, indicating a failed link between adjacent nodes, said fault is communicated to a master node of the ring network via the control vlan. Embodiments of the invention allow a user to specify a priority for each of its domains on a given set of ring ports. The higher priority protected data domains are serviced to completion prior to servicing the lower priority protected data domains, ensuring that data traffic convergence time does not increase across these vlans.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for next hop scaling with link aggregation. According to one aspect of the subject matter described herein, a system for next hop scaling is provided. The system includes a packet forwarding device including a plurality of packet processors for performing next hop and link aggregation group (LAG) selection operations. Within this plurality of packet processors, ingress packet processors are configured to indicate, for received packets that have a next hop on a different packet processor, that an egress next hop selection operation is needed. Egress packet processors of the plurality of packet processors are configured to perform the egress next hop and member selection operations for the packets for which an egress next hop selection operation is indicated, wherein forwarding of the packets is limited to active LAG group members local to the egress packet processor.

Abstract: A method of presenting different virtual routers to different end users, classes of service, or packets is provided. An incoming packet is received having a VLAN field and at least one additional field. A key is formed from the VLAN field and at least one other packet field, and mapped into a virtual router identifier (VRID) using an indirection mapping process. The VRID identifies a particular virtual router configuration from a plurality of possible virtual router configurations. A networking device is configured to have the particular virtual router configuration identified by the VRID, and the packet is then forwarded by the configured device.

Abstract: A method is provided for determining the integrity of a domain defined in a network. The method includes processes and systems to facilitate the discovery a conceptual ring topology of the domain in the network, and the determination of the integrity of the domain based on the conceptual ring topology that was discovered.

Abstract: A system for and method of allocating a resource to a service request based on application of a persistence policy is described. In one embodiment, upon or after allocation of a resource to a resource request, an entry representing the allocation is made in a data structure using a first index derived from information relating to the resource request if such is available. An entry representing the allocation is also made in the data structure using a second index derived from information relating to the resource request. When a resource request is received, the data structure is accessed using the first index if such is available. If an entry corresponding to the first index is available, the resource corresponding to the entry is allocated to the request. If the first index or an entry corresponding to the first index is unavailable, the data structure is accessed using the second index.

Abstract: Preventing a loop in a virtual network that spans at least two rings when there is a failure in a segment shared between the rings. A node connected to the shared segment and the rings detects a failure in the segment to transmit data traffic; and prevents transmitting data traffic between the node and all the rings except for one ring, in response to detecting the failure.

Abstract: Methods, systems, and computer readable media for performing stateless load balancing of network traffic flows are disclosed. According to one aspect, the subject matter described herein includes a method for performing stateless load balancing of network traffic flows. The method occurs at a layer 3 packet forwarding and layer 2 switching device. The method includes responding to address resolution protocol (ARP) requests from clients, the ARP requests including a virtual IP (VIP) address shared by the device and a plurality of servers coupled to the device, with the medium access control (MAC) address of the device. The method also includes receiving, from the clients, packets addressed to the VIP address and having the MAC address of the device. The method further includes load sharing the packets among the servers using a layer 3 forwarding operation that appears to the clients as a layer 2 switching operation.

Abstract: A memory array comprises N+1 memory elements. N memory elements store data and one or more error check bits respectively derived from the stored data. A separate N+1 memory element stores parity bits generated from the data stored in the N memory elements. These parity bits are stored in. To recover from data errors, data in each N memory element are first checked using their respective error check bits. If faulty data are detected in one of the N memory elements, an exclusive-or operation is performed involving data in the remaining N?1 memory elements and parity bits in the N+1 memory element. This recovers the faulty data in the one memory element.

Abstract: A method and system for integrating network policy enforcement into an existing network infrastructure comprises a communications bus that links expert policy devices, such as intrusion prevention devices, with one or more connection points. The connection points are network devices that are equipped with enforcement logic for receiving reports of events via a published interface on the communications bus about the existing network infrastructure from either the policy devices or the connection points themselves, and enforcing policy at the connection points by generating an action in response to the reported events, including actions to block traffic, remediate devices, limit bandwidth, and the like, until the reported event has been addressed in a manner that ensures the security of the existing network infrastructure.

Abstract: A Provider Network Controller (PNC) addresses the challenges in building services across Next Generation Network (NGN) architectures and creates an abstraction layer as a bridge, or glue, between the network transport and applications running over it. The PNC is a multi-layer, multi-vendor dynamic control plane that implements service activation and Layer 0-2 management tools for multiple transport technologies including Carrier Ethernet, Provider Backbone Transport (PBT), Multi-protocol Label Switching (MPLS), Transport MPLS (T-MPLS), optical and integrated networking platforms. Decoupling transport controls and services from the network equipment simplifies service creation and provides options for carriers to choose best-in-class equipment that leverages the PNC to enable rapid creation and management of transports and services.

Abstract: A method is provided for pseudo wire processing in a packet forwarding device in which a packet is processed based on whether the ports through which the packet is transmitted are real or pseudo wire ports. The inbound and outbound port information is encoded using a predefined range of index values such that index values falling within one range of values are used for passing real port information, and index values falling within another range of values are used for passing pseudo wire port information. The index values are used in a manner that facilitates efficient performance of pseudowire processing for the packets in the switch fabric component of the packet forwarding device.