Abstract: A network switch detects at least two simultaneous connections on a single network port. The simultaneous connections use different protocols despite using the same port. The network switch mirrors network traffic associated with the simultaneous connections to a security management device on the network. The security management device then determines a source or destination of the network traffic.

Abstract: A ring network with an automatic protection switching domain includes a control VLAN and at least one data VLAN. A master node in the ring is connected to at least one transit node. Each node in the ring network is linked to an adjacent node by a primary port or a secondary port. The master node receives notification of a fault via the control VLAN, the fault indicating a failed link between adjacent nodes. In response, the master node unblocks its secondary port to traffic on the data VLAN(s). The forwarding database entries on the master node and on the transit node(s) are flushed. Data traffic is flooded to the ring network until forwarding database entries on the master node and on the transit node(s) have been reestablished.

Abstract: Several systems for supporting packet processing are described. A first system supports virtual routing of a packet. A second system supports de-multiplexing of a packet. A third system supports advanced MPLS label processing of a packet.

Abstract: Methods, systems, and computer program products for controlling enqueuing of packets in an aggregated queue including a plurality of virtual queues are disclosed. According to one method, packets are received at the input side of a queuing system. Each packet is classified into a virtual queue corresponding to one of a plurality of output queues. The output queue sends backpressure messages to the enqueue controller. The enqueue controller determines whether to place the packets in the aggregated queue based on the backpressure messages.

Abstract: An indication of a host route to be added to a forwarding database table as an entry is received. The host route is added to a first hardware table or a second hardware table if a space is available in the second hardware table or in a first storage area of the first hardware table. The first hardware table has both a first storage area and a second storage area. If a space is not available in the second hardware table or the first storage area of the first hardware table, the first storage area of the first hardware table is automatically expanded to include unused space in the second storage area of the first hardware table. The host route is then added to a space in the expanded first storage area of the first hardware table.

Abstract: A method and system for enforcing host routing settings in a network device comprises network devices having enforcement logic for extracting host routing settings from a DHCP packet issued by a DHCP server to a DHCP client connecting to a network. The network devices generate enforcement rules based on the host routing settings and apply those rules to ports through which the DHCP client connects to the network. The enforcement rules include access control lists having one or more match conditions generated based on the host routing settings.

Abstract: Methods, systems, and computer program products for sending and receiving frames associated with different VLANs over a secure layer 2 broadcast transport network are disclosed. According to one method, a layer 2 frame is received at a transmit port of a layer 2 forwarding device. The layer 2 frame is to be sent over a secure layer 2 broadcast transport network. A VLAN identifier corresponding to a first VLAN is extracted from the layer 2 frame. The first VLAN identifier is mapped to a second VLAN identifier used by the secure broadcast transport layer 2 network to identify the first VLAN. A portion of the layer 2 frame including the first VLAN identifier is encrypted. The layer 2 frame is transmitted over the secure layer 2 broadcast transport network with the second VLAN identifier in a cleartext portion of the frame.

Abstract: Embodiments disclosed herein provide redundant connectivity between an Ethernet Automatic Protection Switching (EAPS) access network and a Virtual Private LAN Service (VPLS) network. A first VPLS node is provided to function as an EAPS controller node. A second VPLS node is provided to function as an EAPS partner node. The first and second VPLS nodes are linked by a pseudowire and an EAPS shared-link. Additional EAPS nodes are also provided. The additional EAPS nodes are linked to each other and one of the additional EAPS nodes is designated as a master node. Links are also established between the VPLS nodes and the EAPS nodes such that one or more EAPS rings are formed. Each EAPS ring includes the shared-link between the first and second VPLS nodes. The EAPS rings are monitored to detect link failures.

Abstract: Implementation of non-blocking switch stacking capability for a switch device using a plug-in stacking module to connect to the switch device. In one embodiment, the plug-in stacking module receives switched data from one switch means of the connected switch device and switches the received switch data to another switch means of the same switch device. In another embodiment, switching configurations are changed so that operation of the switch device in combination with the plug-in stacking module increases a total number of ports for which non-blocking switching is supported.

Abstract: On-switch methods for enforcing a policy relating to one or more network switch resources, for detecting and mitigating a network anomaly, and for selectively filtering packets to an externally-accessible port, are provided. The methods may each be embodied as one or more rules held by one or more processor readable media, with one or more of the rules defining one or more conditions to be met by one or more usage-derived packet statistics, and one or more actions to be performed if the one or more conditions are met.

Abstract: A Point-to-Point Protocol (PPP) identifier (PPP ID) value of a PPP frame, including data, is converted to an associated Ethernet Virtual Local Area Network (VLAN) tag identifier (ID) value to enable the PPP ID value information to be communicated in an Ethernet frame to the next transmission layer for use in routing the data from the PPP frame.

Abstract: A system for statistically sampling packets is described. In this system, upon or after the occurrence of a predefined statistical event in relation to a packet, a pseudo-random value is obtained and compared to a predetermined threshold. Responsive to this comparison, the system selectively arranges to have the packet statistically sampled. A system for compiling statistics for packets undergoing processing by a packet processing system is described. In this system, upon or after the occurrence of a predefined statistical event in relation to a packet, a cumulative index for the packet is updated to reflect the current processing cycle for the packet. Upon or after completion of processing of the packet, whereupon the cumulative index may reflect more than one processing cycle, packet statistics are updated responsive to the cumulative index for the packet. A second system for compiling statistics for packets undergoing processing by a packet processing system is described.

Abstract: A subset of route entries having the same next hop is identified in a route table. The subset of entries falls within a range of prefixes. Gaps in the subset of route entries that prevent the subset from being contiguous are identified. The gaps in the subset are filled with route entries to make the subset contiguous. All of the route entries in the contiguous subset of route entries have the same next hop, thus the contiguous subset can be aggregated into a single route entry in a forwarding table. For each gap-filling entry added to the route table, an additional route entry having forwarding priority over the gap-filling entry is added to the forwarding table.

Abstract: A data packet is received at a network switch. The packet has a destination address that is reached via a Link Aggregation group on a virtual local area network (VLAN). A forwarding database lookup is performed to determine a Link Aggregation port reference number for the data packet on the VLAN. A Link Aggregation port table is then searched to determine the primary Link Aggregation port and a backup Link Aggregation port for forwarding the packet. A port array for ports in the Link Aggregation group is searched to determine if the primary Link Aggregation port is valid. If the primary port is valid, then the packet is forwarded on the primary Link Aggregation port. If the primary port is not valid, then the packet is forwarded on the backup Link Aggregation port.

Abstract: In a packet switching device or system, such as a router, switch, combination router/switch, or component thereof, a method of and system for performing a table lookup operation using a lookup table index that exceeds a CAM key size is provided. Multiple CAM accesses are performed, each using a CAM key derived from a subset of lookup table index, resulting in one or more CAM entries. One or more matching table entries are derived from the one or more CAM entries resulting from the multiple CAM accesses.

Abstract: A route compression algorithm is applied to route entries of a route table. The route entries are maintained as nodes in a routing tree. The compression algorithm compresses child nodes having a common gateway with their respective parent nodes. The route entries associated with uncompressed nodes are installed into a forwarding table of a routing device that employs longest prefix match (LPM) lookup to forward data packets.

Abstract: A method of presenting different virtual routers to different end users, classes of service, or packets is provided. An incoming packet is received having a VLAN field and at least one additional field. A key is formed from the VLAN field and at least one other packet field, and mapped into a virtual router identifier (VRID) using an indirection mapping process. The VRID identifies a particular virtual router configuration from a plurality of possible virtual router configurations. A networking device is configured to have the particular virtual router configuration identified by the VRID, and the packet is then forwarded by the configured device.

Abstract: A method of and system for transferring overhead data from a sender to a receiver over a serial interface is provided. The overhead data is transferred over one or more data lines of the interface during one or more time periods in which excess bandwidth is available on the one or more data lines or while the transfer of the overhead data does not substantially impede the throughput of the payload transfer.

Abstract: In a packet processing system, where a packet processor normally performs a fixed number of processing cycles on a packet as it progresses through a processing pipeline, a method of extending the fixed number of processing cycles for a particular packet is provided. During the processing of a packet, an extension bit associated with the packet is set to an “on” state if extended processing of the packet is needed. While the extension bit is set to that state, updating of a count, indicating the number of processing cycles that has been undertaken for the packet, is inhibited. When the extended processing of the packet has been completed, the extension bit for the packet is set to an “off” state, and the updating of the count resumed. When that count indicates the number of processing cycles the packet has undergone equals or exceeds the fixed number, the packet is exited from the pipeline.

Abstract: On-switch methods for enforcing a policy relating to one or more network switch resources, for detecting and mitigating a network anomaly, and for selectively filtering packets to an externally-accessible port, are provided. The methods may each be embodied as one or more rules held by one or more processor readable media, with one or more of the rules defining one or more conditions to be met by one or more usage-derived packet statistics, and one or more actions to be performed if the one or more conditions are met.