Abstract: To secure an accessible computer system, the computer system is monitored for connection transactions. An access requestor is denied access to the computer system when the access requestor initiates a number of connection transactions that exceed a configurable threshold number during a first configurable period of time. The monitoring may include detecting connection transactions initiated by the access requestor, counting the number of connection transactions initiated by the access requestor during the first configurable period of time, and comparing the number of connection transactions initiated by the access requestor during the first configurable period of time to the configurable threshold number.

Abstract: In a multi-QOS level queuing structure, packet payload pointers are stored in multiple queues and packet payloads in a common memory pool. Algorithms control the drop probability of packets entering the queuing structure. Instantaneous drop probabilities are obtained by comparing measured instantaneous queue size with calculated minimum and maximum queue sizes. Non-utilized common memory space is allocated simultaneously to all queues. Time averaged drop probabilities follow a traditional Weighted Random Early Discard mechanism. Algorithms are adapted to a multi-level QOS structure, floating point format, and hardware implementation. Packet flow from a router egress queuing structure into a single egress port tributary is controlled by an arbitration algorithm using a rate metering mechanism. The queuing structure is replicated for each egress tributary in the router system.

Abstract: Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.

Abstract: Server load-balancing operation-related data, such as data associated with a system configured for global server load balancing (GSLB) that orders IP addresses into a list based on a set of performance metrics, is tracked. Such operation-related data includes inbound source IP addresses (e.g., the address of the originator of a DNS request), the requested host and zone, identification of the selected “best” IP addresses resulting from application of a GSLB algorithm and the selection metric used to decide on an IP address as the “best” one. Furthermore, the data includes a count of the selected “best” IP addresses selected via application of the GSLB algorithm, and for each of these IP addresses, the list of deciding performance metrics, along with a count of the number of times each of these metrics in the list was used as a deciding factor in selection of this IP address as the best one.

Abstract: The real-time aspects of keep-alive generation are removed from the dynamic routing protocol (DRP) application and are embedded within a Unix-based operating system, which is programmed by DRP. A keep-alive control provides the ability to create a keep-alive message and a timeout interval on a TCP socket. Each socket can have an independent keep-alive message and timeout interval. A keep-alive message is sent whenever the TCP socket sends no normal user output for a duration exceeding the timeout interval. A timeout interval is normally specified in seconds and a keep-alive message is user definable and must not exceed a predetermined length in bytes. System calls are used to set the timeout interval and keep-alive message independently. Both a timeout and a keep-alive message must be set before the timeout becomes active.

Abstract: To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider.

Abstract: A host router is logically partitioned into virtual router domains that manage independent processes and routing application copies but share a common operating system. Each v-net manages an independent set of sockets and host router interfaces, each associated with only one v-net at one time, but interchangeably repartitionable Traffic is removed from an interface during repartitioning. Duplicate arrays of global variables copied to each v-net are accessed by macro references. A v-net facility can separate route tables used internally from the externally visible route tables and can avoid conflicts between internal and external IP addresses that share the same identifier. For example a common FreeBSD operating system supports a dynamic routing protocol (DRP) application. Each v-net runs an independent copy of the DRP software and is logically independent. A failure in one DRP copy does not adversely affect other copies.

Abstract: A hypertext transfer protocol (HTTP) connection between a client terminal and a server includes a client-side connection and a server-side connection. Different techniques are used to extend the persistence of the HTTP connection. These techniques include keeping the server-side connection persistent if the client terminal sends a RESET to the server, keeping the server-side connection persistent but closing the client-side connection if the client terminal sends a RESET or a FIN packet to the server, rewriting a “Connection: Close” header in a request to a “Connection: Keep-Alive,” inserting a “Connection: Keep-Alive” in a header of a request, modifying a “Connection: Close” header in a request, and changing the HTTP version value in a request.

Abstract: Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation. For server load balancing, a reset may be sent to the source address of the new connection request. For transparent cache switching, the connection request may be forwarded to the Internet.

Abstract: An Ethernet switch includes 12-Volt and 48-Volt power sourcing modules, system software, Ethernet interface modules and optional power over Ethernet (PoE) modules. The Ethernet interface modules are motherboards that include the circuitry required to implement a non-PoE system. The PoE modules are daughter boards that include the circuitry required to supply powered devices in a PoE subsystem. A PoE module may be connected to a corresponding Ethernet interface module. During start up, all of the Ethernet interface modules are first powered up in response to the 12-Volt power sourcing module. If the system software subsequently determines that the 48-Volt power sourcing module is operational, then (and only then) the system software attempts to detect the presence of any PoE modules. Upon detecting one or more PoE modules, the PoE modules are initialized and configured, thereby enabling PoE operation.

Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to a non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack in to control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.

Abstract: A method for supporting dynamic configuration changes comprises receiving a message from a current root bridge, comparing a bridge media access control (MAC) address of a receiving port to a bridge MAC address of the received message, if the bridge MAC addresses are the same, then comparing a current priority value with a previous priority value of the current root bridge, determining if the receiving port is a qualified root port, and if the port is a qualified root port, then returning a superior designated message to execute an RSTP calculation.

Abstract: Solutions are provided that allow a network device to apply flow control on the MAC layer while taking into account the priority of the frame of traffic. This may be accomplished by generating a frame indicating that traffic flow should be paused, while utilizing a new opcode value, or alternatively by utilizing a new type/length value (possibly combined with a new opcode value). A receiving device may then examine the fields of the frame to determine whether it should it should use priority-based pausing, and then examine other fields to determine which priority-levels to pause and for how long. This allows for improved efficiency in flow control at the MAC layer. Additionally, the tagged pause frames can be forwarded over multiple hops on Local Area Networks across a Metropolitan Area Network or Wide Area Network.

Abstract: In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client.

Abstract: The number of content addressable memory (CAM) lookups is reduced from two to one. Each side (left and right sides) of a CAM is programmed with network addresses, such as IP addresses, based on certain bits of the network addresses. These bits of the network addresses (which represent packet routes) are examined and used to determine whether the particular network address is to be placed on the left or right sides of the CAM. The grouping of certain network addresses either on the left or right sides of the CAM can be performed by examining an individual bit of each network address, by performing an exclusive OR (XOR) operation on a plurality of bits of each network address, and/or by searching for bit patterns of the network address in a decision table. Network addresses that cannot be readily assigned to a particular side of the CAM using these grouping techniques are programmed into both sides of the CAM.

Abstract: To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider.

Abstract: A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches or based on other metric information. Examples of metrics include weighted site, weighted IP, and active bindings metrics. The GSLB switch places the address that is deemed “best” at the top of the list.

Abstract: In a network, packets are fragmented into head and non-head fragments. Non-head fragments are saved up front at an entry point, while a network switch forwards only the head fragment to Layer 4-Layer 7 (L4-L7) features for processing. The switch records changes that are performed on the head fragment's fields by the L4-L7 features while they process the head fragment. At an exit point, fields of the saved non-head fragments are overwritten with information that was recorded for the head fragment. This can include updating or modifying the source and destination parameters of the non-head fragments in an intelligent manner by reusing the results of the packet processing that was performed on the head fragment. This fragmentation handling technique avoids having to redundantly process the non-head fragments in the same manner as the head fragments.

Abstract: A host router is logically partitioned into virtual router domains that manage independent processes and routing application copies but share a common operating system. Each v-net manages an independent set of sockets and host router interfaces, each associated with only one v-net at one time, but interchangeably repartitionable Traffic is removed from an interface during repartitioning. Duplicate arrays of global variables copied to each v-net are accessed by macro references. A v-net facility can separate route tables used internally from the externally visible route tables and can avoid conflicts between internal and external IP addresses that share the same identifier. For example a common FreeBSD operating system supports a dynamic routing protocol (DRP) application. Each v-net runs an independent copy of the DRP software and is logically independent. A failure in one DRP copy does not adversely affect other copies.

Abstract: The system of the present invention provides data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. The system comprises a media access control (MAC) interface to facilitate receipt and transmission of packets over a physical interface. A first field programmable gate array is coupled to the MAC interface and operative to receive packets from the MAC interface and configured to perform initial processing of packets, which are dispatched to a first memory. A second field programmable gate array is operative to retrieve packets from the first memory and configured to compute an appropriate destination, which is used to dispatch packets to a backplane. A third field programmable gate array is provided that is operative to receive packets from the backplane and configured to organize the packets for transmission, which are dispatched to a second memory.