Abstract: A site switch determines the mapping between public and private IP addresses of VIPs configured on the site switch. The site switch then transmits the public IP address, rather than the private IP address, to a load balancing switch that performs the load balancing for network resources accessible via the site switch. This public IP address has also been configured on an authoritative DNS server for which the load balancing switch serves as a proxy. The load balancing switch updates its address records, containing the VIPs configured on the site switch, with the public address of the VIP. When the load balancing switch reorders a DNS reply from the authoritative DNS server for a domain containing the public address, the load balancing switch correctly identifies the IP address as a VIP on the site switch and applies appropriate load balancing metrics to the received IP address.

Abstract: Provided are methods, non-transitory computer-readable medium, and network devices for duplicating network traffic through transparent VLAN flooding. In some implementations, a network device comprises a plurality of ports. The plurality of ports may include a first port configured as a receiving port for a VLAN configured for the network device. The plurality of ports may further include a set of ports configured as I/O ports of the VLAN. MAC learning may be disabled for the receiving port. In some implementations, the network device is configured to determine, based on contents of a packet received at the receiving port, that the packet is to be sent to one or more monitoring devices. The network device may further be configure to, upon receiving the packet at the receiving port of the VLAN, cause a copy of the packet to be sent to each of one or more I/O ports of the VLAN.

Abstract: The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises a first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates a first and second field programmable gate arrays (FPGA) coupled to the MAC interfaces and an associated first and second memory structures, the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interface for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures.

Abstract: The system, method, and article of manufacture of the present invention allows multiple customers connected to a common external network to each implement a layer 2 redundancy protocol, such as the spanning tree protocol, in order to prevent layer 2 loops. Accordingly, a method is presented for providing an independent loop free layer 2 topology between a external network and a customer network comprising tagging control packets originating on the customer network with a unique identifier and tunneling the control packets received from the customer network between a plurality of boundary interface devices at the external network such that the control packets are routed back to the customer network based on the presence of the unique identifier in the control packet. The layer 2 redundancy protocol on the customer network converges based at least in part on the presence of control packets appearing on more than one port on the customer network.

Abstract: Disclosed is a technique for facilitating software upgrade for a switching system comprising a first management processor and a second management processor and a set of one or more line processors, the techniques comprising receiving a signal to perform a software upgrade for a line processor from the set of line processors, and performing a software upgrade for the line processor without substantially affecting packet switching performed by the switching system.

Abstract: A method and apparatus aggregate a plurality of input data streams from first processors into one data stream for a second processor, the circuit and the first and second processors being provided on an electronic circuit substrate. The aggregation circuit includes (a) a plurality of ingress data ports, each ingress data port adapted to receive an input data stream from a corresponding first processor, each input data stream formed of ingress data packets, each ingress data packet including priority factors coded therein, (b) an aggregation module coupled to the ingress data ports, adapted to analyze and combine the plurality of input data steams into one aggregated data stream in response to the priority factors, (c) a memory coupled to the aggregation module, adapted to store analyzed data packets, and (d) an output data port coupled to the aggregation module, adapted to output the aggregated data stream to the second processor.

Abstract: Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation. For server load balancing, a reset may be sent to the source address of the new connection request. For transparent cache switching, the connection request may be forwarded to the Internet.

Abstract: An approach to duplicating network traffic is described. In one approach, a method of creating multiple copies of network traffic is detailed. The method involves receiving network traffic, producing a duplicate copy of the network traffic, and forwarding the duplicate copy to a monitoring port. The monitoring port forwards copies to a number of indicated ports.

Abstract: To secure an accessible computer system, the computer system is monitored for connection transactions. An access requestor is denied access to the computer system when the access requestor initiates a number of connection transactions that exceed a configurable threshold number during a first configurable period of time. The monitoring may include detecting connection transactions initiated by the access requestor, counting the number of connection transactions initiated by the access requestor during the first configurable period of time, and comparing the number of connection transactions initiated by the access requestor during the first configurable period of time to the configurable threshold number.

Abstract: One embodiment provides a system that facilitates bandwidth-profile enforcement. During operation, the system indicates a packet's compliance with a bandwidth profile based at least on available high-compliance tokens and medium-compliance tokens. The system further accounts for overflow tokens from a respective class of service (CoS) and distribute an overflow token to another CoS priority level based on the overflow token's CoS information.

Abstract: A network search function is disclosed. A network administrator enters a search term. The search function determines whether any items or network devices listed in a network control user interface match the search term. The network administrator can stipulate whether the match be either an explicit match or an implicit match. All of the matches, if any, are automatically highlighted and selected. Thereby, the network administrator can perform an operation on these matches based on the search function, without having to manually locate and then manually click to select the desired items or network devices.

Abstract: A routing system utilizes a layer 2 switch interconnecting several routers to intelligently forward multicast packets throughout an interne exchange carrying multicast content. The layer 2 switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes.

Abstract: Techniques that assist in processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing, the other FDP packets are dropped and not forwarded to the CPU. In this manner, the amount of processing that a CPU of the network device has to perform for incoming FDP packets is reduced. This enables the network device to support newer FDPs with shorter periodic interval requirements.

Abstract: A technique to load balance network packet traffic using content switching is provided. Packets are routed to a particular server or otherwise processed based on the HTTP header content of the packets. In an embodiment, the HTTP header contents of the packets are used in such processing. Content switching decisions are based on any field in the HTTP header, including both known and unknown fields. A plurality of content switching policies is provided. A policy includes a set of rules and actions associated with these rules. Complex nested rules are defined. The evaluation of these nested rules is simplified by converting the nested rules in to their sum of products or minterm representations, and then a bit mask technique is used in conjunction with the minterm representations to determine which set of complex rules in a policy is valid and thus require the corresponding content switching action.

Abstract: Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.

Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.

Abstract: Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.

Abstract: A switching device comprising one or more processors coupled to a media access control (MAC) interface and a memory structure for switching packets rapidly between one or more source devices and one or more destination devices. Packets are pipelined through a series of first processing segments to perform a plurality of first sub-operations involving the initial processing of packets received from source devices to be buffered in the memory structure. Packets are pipelined through a series of second processing segments to perform a plurality of second sub-operations involved in retrieving packets from the memory structure and preparing packets for transmission. Packets are pipelined through a series of third processing segments to perform a plurality of third sub-operations involved in scheduling transmission of packets to the MAC interface for transmission to one or more destination devices.

Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.

Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.