Patents Assigned to Foundry Networks, Inc.
  • Patent number: 7735114
    Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
    Type: Grant
    Filed: September 4, 2003
    Date of Patent: June 8, 2010
    Assignee: Foundry Networks, Inc.
    Inventors: Philip Kwan, Chi-Jui Ho
  • Publication number: 20100135313
    Abstract: According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping.
    Type: Application
    Filed: November 23, 2009
    Publication date: June 3, 2010
    Applicant: Foundry Networks, Inc.
    Inventors: Ian Edward Davis, Jeffrey A. Prince, Ronak Patel
  • Patent number: 7724662
    Abstract: Dynamic rate limiting adjustment may be provided by sampling actual output rates from a rate limited device and utilizing this information to modify configured traffic limits. This allows the device to achieve actual output rates much closer to the desired rate limits for users and services.
    Type: Grant
    Filed: November 30, 2007
    Date of Patent: May 25, 2010
    Assignee: Foundry Networks, Inc.
    Inventor: Fan Xu
  • Patent number: 7720011
    Abstract: In an embodiment, a method for supporting dynamic configuration changes, includes: receiving a message from a current root bridge; comparing the bridge media access control (MAC) address of a receiving port to the bridge MAC address of the received message; if the bridge MAC addresses are not the same, then comparing a current priority value to a previous priority value of the current root bridge; if the current priority value is inferior, then determining if the port receiving the message is a qualified root port; and if the port is a qualified root port, then returning a superior designated message to permit each bridge to execute a rapid spanning tree calculation for use in a dynamic configuration change.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: May 18, 2010
    Assignee: Foundry Networks, Inc.
    Inventor: Benny J. Thottakkara
  • Patent number: 7720977
    Abstract: A switch may be used to force the expiration of a cookie on a user's system by inserting an expiration field into the cookie contained in a network response packet. Additionally, a mechanism is provided to delete or damage a cookie contained in a network request packet, so that server software is not disrupted by the receipt of a cookie. Deleting a cookie results in a cleaner request, but damaging a cookie may be more efficient in certain circumstances. By providing these features, an efficient cookie switching design is provided.
    Type: Grant
    Filed: February 11, 2003
    Date of Patent: May 18, 2010
    Assignee: Foundry Networks, Inc.
    Inventor: Rui Li
  • Publication number: 20100121932
    Abstract: A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. This operational information includes health check information that is remotely obtained in a distributed manner from remote metric agents at the site switches. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics, including the health check metric that evaluates these IP addresses based on the health check information communicated to the GSLB switch in a distributed manner by the distributed health check site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list.
    Type: Application
    Filed: November 27, 2002
    Publication date: May 13, 2010
    Applicant: Foundry Networks, Inc.
    Inventors: Prajakta S. Joshi, David Chun Ying Cheung
  • Patent number: 7716370
    Abstract: Stateful failover redundancy support is provided for network address translation (NAT). A master NAT device is backed-up with at least one back-up NAT device. Existing sessions are synchronized between the two NAT devices, such as via a dedicated link between them. In the event of a failover where the master NAT device is unable to perform its NAT functions, ownership of Internet protocol (IP) addresses is transferred from the master NAT device to the back-up NAT device. The back-up NAT device, which is now owner of the IP addresses, assumes the NAT functionality associated with these IP addresses and continues the existing sessions, as well as processing new sessions.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: May 11, 2010
    Assignee: Foundry Networks, Inc.
    Inventor: Sridhar J. Devarapalli
  • Publication number: 20100115133
    Abstract: In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client.
    Type: Application
    Filed: January 14, 2009
    Publication date: May 6, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Prajakta S. Joshi
  • Patent number: 7711790
    Abstract: To secure an accessible computer system, the computer system is monitored for connection transactions. An access requestor is denied access to the computer system when the access requestor initiates a number of connection transactions that exceed a configurable threshold number during a first configurable period of time. The monitoring may include detecting connection transactions initiated by the access requestor, counting the number of connection transactions initiated by the access requestor during the first configurable period of time, and comparing the number of connection transactions initiated by the access requestor during the first configurable period of time to the configurable threshold number.
    Type: Grant
    Filed: September 20, 2000
    Date of Patent: May 4, 2010
    Assignees: Foundry Networks, Inc., AOL Inc.
    Inventors: Joseph G. Barrett, Christopher J. Wright, Victor R. Blake, Thomas Stehnach, Rajkumar Jalan
  • Publication number: 20100106999
    Abstract: Techniques for computing a path for a local repair connection to be used to protect a connection traversing an original path from an ingress node to an egress node. The computed path originates at a node (start node) in the original path and terminates at another node (end node) in the original path that is downstream from the start node. A Constraint Shortest Path First (CSPF) algorithm may be used to compute the path. The computed path is such that it satisfies one or more constraints and does not traverse a path from a first node in the original path to a second node in the original path, wherein the first and second nodes are upstream from the start node in the original path and the second node is downstream from the first node in the original path. A local repair connection may then be signaled using the computed path.
    Type: Application
    Filed: October 3, 2007
    Publication date: April 29, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Mohammad Hanif
  • Patent number: 7707295
    Abstract: Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation.
    Type: Grant
    Filed: May 3, 2002
    Date of Patent: April 27, 2010
    Assignee: Foundry Networks, Inc.
    Inventors: Ronald W. Szeto, David Chun Ying Cheung, Rajkumar Jalan
  • Publication number: 20100100671
    Abstract: The number of content addressable memory (CAM) lookups is reduced from two to one. Each side (left and right sides) of a CAM is programmed with network addresses, such as IP addresses, based on certain bits of the network addresses. These bits of the network addresses (which represent packet routes) are examined and used to determine whether the particular network address is to be placed on the left or right sides of the CAM. The grouping of certain network addresses either on the left or right sides of the CAM can be performed by examining an individual bit of each network address, by performing an exclusive OR (XOR) operation on a plurality of bits of each network address, and/or by searching for bit patterns of the network address in a decision table. Network addresses that cannot be readily assigned to a particular side of the CAM using these grouping techniques are programmed into both sides of the CAM.
    Type: Application
    Filed: December 16, 2009
    Publication date: April 22, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Ram Dular Singh
  • Publication number: 20100095008
    Abstract: A site switch determines the mapping between public and private IP addresses of VIPs configured on the site switch. The site switch then transmits the public IP address, rather than the private IP address, to a load balancing switch that performs the load balancing for network resources accessible via the site switch. This public IP address has also been configured on an authoritative DNS server for which the load balancing switch serves as a proxy. The load balancing switch updates its address records, containing the VIPs configured on the site switch, with the public address of the VIP. When the load balancing switch reorders a DNS reply from the authoritative DNS server for a domain containing the public address, the load balancing switch correctly identifies the IP address as a VIP on the site switch and applies appropriate load balancing metrics to the received IP address.
    Type: Application
    Filed: September 29, 2003
    Publication date: April 15, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Prajakta S. Joshi
  • Patent number: 7698455
    Abstract: Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.
    Type: Grant
    Filed: August 1, 2003
    Date of Patent: April 13, 2010
    Assignee: Foundry Networks, Inc.
    Inventors: Rajkumar Jalan, Louis Yun, Ivy Pei-Shan Hsu
  • Publication number: 20100082787
    Abstract: A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list.
    Type: Application
    Filed: February 16, 2007
    Publication date: April 1, 2010
    Applicant: Foundry Networks, Inc.
    Inventors: Sunanda Lakshmi Kommula, Ivy Pei-Shan Hsu, Rajkumar Jalan, David Chun Ying Cheung
  • Publication number: 20100077447
    Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.
    Type: Application
    Filed: July 31, 2006
    Publication date: March 25, 2010
    Applicant: Foundry Networks, Inc.
    Inventors: Mehul Dholakia, Ron Talmor
  • Publication number: 20100061236
    Abstract: A smoothing algorithm for round trip time (RTT) measurements is provided to a network device to effectively deal with variations or other potential anomalies that may occur in RTT measurements. The algorithm involves: first determining what should be considered a very high or a very small value for a RTT sample. If a new RTT sample is in an acceptable range, then the network device performs a relatively basic smoothing. If the new RTT sample is much higher than a current RTT value, then the network device ignores the value of this RTT sample a few times. If the network device still detects this large value after ignoring that value for some time, then the network device factors this value into the current RTT value using an additive increase. Similarly, if the value of the new RTT sample is much lower than current RTT value, the network device ignores the value of the new RTT sample a few times.
    Type: Application
    Filed: July 21, 2008
    Publication date: March 11, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Prajakta S. Joshi
  • Publication number: 20100061393
    Abstract: The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises a first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates a first and second field programmable gate arrays (FPGA) coupled to the MAC interfaces and an associated first and second memory structures, the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interface for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures.
    Type: Application
    Filed: October 29, 2009
    Publication date: March 11, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Yuen Fai Wong
  • Patent number: 7676576
    Abstract: Server load-balancing operation-related data, such as data associated with a system configured for global server load balancing (GSLB) that orders IP addresses into a list based on a set of performance metrics, is tracked. Such operation-related data includes inbound source IP addresses (e.g., the address of the originator of a DNS request), the requested host and zone, identification of the selected “best” IP addresses resulting from application of a GSLB algorithm, and the selection metric used to decide on an IP address as the “best” one. The data includes a count of the selected “best” IP addresses selected via application of the GSLB algorithm, and for each of these IP addresses, the list of deciding performance metrics, along with a count of the number of times each of these metrics in the list was used as a deciding factor in selection of this IP address as the best one.
    Type: Grant
    Filed: February 28, 2003
    Date of Patent: March 9, 2010
    Assignee: Foundry Networks, Inc.
    Inventor: Sunanda L. Kommula
  • Publication number: 20100049999
    Abstract: A method of allocating power to ports in an Ethernet switch, including: (1) determining the available capacity of a power pool used to supply the ports, (2) assigning a configuration power to each of the ports, (3) selecting a port to be enabled, (4) determining whether the available capacity of the power pool exceeds the configuration power assigned to the selected port, and, if the available capacity of the power pool exceeds the configuration power assigned to the selected port, then (4) subtracting the configuration power assigned to the selected port from the available capacity of the power pool, (5) enabling and powering the selected port and simultaneously detecting whether the selected port is connected to a powered device, and (6) adding the configuration power assigned to the selected port to the available capacity of the power pool if the port is not connected to a powered device.
    Type: Application
    Filed: November 5, 2009
    Publication date: February 25, 2010
    Applicant: Foundry Networks, Inc.
    Inventor: Rakesh Hansalia