Patents Assigned to Foundry Networks, Inc.
  • Patent number: 7587485
    Abstract: The method of the present invention comprises initiating a connection to a port on an access device by a supplicant and associating supplicant identification information with the port. The access device may comprise any network connectivity device, including a wireless access point. Data packets transmitted over the port by the supplicant are statistically sampled as they are transmitted, with each of the sample data packets also associated with the supplicant identification information. The sample data packets are stored according to their associated supplicant identification information in order to perform accounting. The sample data packets, with the supplicant identification information, are sent to a network management system where the data is archived and presented in a human readable form, e.g., charts, etc.
    Type: Grant
    Filed: September 19, 2002
    Date of Patent: September 8, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Sunil P. Chitnis, Bhimaraju Prasad
  • Patent number: 7587487
    Abstract: A technique to load balance network packet traffic using content switching is provided. Packets are routed to a particular server or otherwise processed based on the XML-related content identified in a header or body of the packet. Rules can be defined that specify an action to undertake with regards to the packet if certain pieces of XML-related content are identified therein. These actions can include forwarding of the packet to a particular server or servers that best process the transaction associated with the packet.
    Type: Grant
    Filed: December 10, 2003
    Date of Patent: September 8, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Anilkumar Gunturu
  • Patent number: 7586856
    Abstract: An embodiment includes a method of minimizing the delay in convergence time for a complex STP topology following a topology change in the network system in the spanning tree protocol (STP) standard, including: receiving, by a root port of a first bridge, a data message that includes identification of a current root bridge and a priority value of the current root bridge; receiving, by a second port of the first bridge, a second data message from a second bridge; and if a message age timer of the first bridge has less than a limiting message age time value remaining before expiry, then blocking a reply, by the second port of the first bridge, to the second data message from the second bridge.
    Type: Grant
    Filed: March 20, 2003
    Date of Patent: September 8, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Benny J. Thottakkara, Rajiv Ramanathan
  • Patent number: 7584301
    Abstract: In a network, a user can configure host-level policies usable for load balancing traffic to servers of a domain. A global server load balancing (GSLB) switch provides load balancing to the servers, and is configured with the GSLB host-level policies. Users can define a host-level policy (alternatively or additionally to a globally applied GSLB policy) and apply the host-level policy to hosts in domains configured on the GSLB switch. Thus, the user can enable different policies for different hosts. This allows the user to have the flexibility to control metrics used for selection of a best address for querying clients, as well as the metric order and additional parameters used in the GSLB process, at the host level.
    Type: Grant
    Filed: May 6, 2004
    Date of Patent: September 1, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Prajakta S. Joshi
  • Patent number: 7581009
    Abstract: A global server load balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches which are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list.
    Type: Grant
    Filed: April 27, 2007
    Date of Patent: August 25, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Ivy Pei-Shan Hsu, David Chun-Ying Cheung, Rajkumar Ramniranjan Jalan
  • Patent number: 7574508
    Abstract: Canonical name (CNAME) handling is performed in a system configured for global server load balancing (GSLB), which orders IP addresses into a list based on a set of performance metrics. When the GSLB switch receives a reply from an authoritative DNS server, the GSLB switch scans the reply for CNAME records. If a CNAME record is detected and it points to a host name configured for GSLB, then a GSLB algorithm is applied to the reply. This involves identifying the host name (pointed to by the CNAME record) in the reply and applying the metrics to the list of returned IP addresses corresponding to that host name, to reorder the list to place the “best” IP address at the top. If the CNAME record in the reply points to a host name that is not configured for GSLB, then the GSLB sends the reply unaltered to the inquiring client.
    Type: Grant
    Filed: August 7, 2002
    Date of Patent: August 11, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Sunanda Lakshmi Kommula
  • Patent number: 7564858
    Abstract: A system and method which enables a provider network to run a loop detection protocol in a customer network communicably coupled to it. The provider network runs a loop detection protocol and the customer network either runs a different protocol or none. The provider network determines its root bridge, or designated customer bridge, which is used to control loop detection decisions for the customer network. A BPDU or other protocol packet received from the customer network is tunneled through the provider network to the designated customer bridge. The designated customer network then processes the received BPDU in accordance with a loop detection instance for the customer network. The designated customer bridge then produces control messages in response to the processing and forwards those messages to the customer network. The control messages may include port state controls for ports in the customer network.
    Type: Grant
    Filed: August 1, 2003
    Date of Patent: July 21, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Jordi Moncada-Elias, Rajiv Ramanathan
  • Patent number: 7562390
    Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
    Type: Grant
    Filed: July 31, 2003
    Date of Patent: July 14, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Philip Kwan
  • Patent number: 7558195
    Abstract: Systems and methods are described for providing network route redundancy through Layer 2 devices, such as a loop free Layer 2 network having a plurality of switching devices. A virtual switch is coupled to the loop free Layer 2 network, the virtual switch having two or more switches configured to transition between master and backup modes to provide redundant support for the loop free Layer 2 network, the switches communicating their status through use of a plurality of redundancy control packets. The system also includes means for allowing the redundancy control packets to be flooded through the Layer 2 network. The means may include time-to-live data attached to the redundancy control packet which is decremented only when the packets are transferred through devices which are configured to recognize the protocol used in redundancy control packets.
    Type: Grant
    Filed: April 2, 2007
    Date of Patent: July 7, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Andrew Tai-Chin Kuo, Ivy Pei-Shan Hsu, Jordi Moncada-Elias, Rajkumar Jalan, Gurudeep Kamat
  • Patent number: 7558205
    Abstract: A system and method are provided for enabling a first network to detect a loop in a second network connected thereto. The first network runs a first instance of a Spanning Tree Protocol and the second network runs either a different instance or no instance. The method includes sending a Remote Loop Detection Packet (“RLDP”) from the ports in bridges of the first network which are connected to the second network. The RLDP includes identifiers such as the source bridge, port and VLAN. The system and method further includes checking for receipt of the RLDP on the same bridge which sent the RLDP. If such a receipt occurs, a loop is detected and one of the ports of the receiving/sending bridge is blocked.
    Type: Grant
    Filed: August 1, 2003
    Date of Patent: July 7, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Jordi Moncada-Elias, Rajiv Ramanathan
  • Publication number: 20090129261
    Abstract: High availability BGP4 is based on redundant hardware as well as redundant software that replicates the RUN state of BGP4. There are two copies, respectively active and backup, of BGP4 running on two separate redundant hardware platforms. All BGP4 internal implementations apply various methods to replicate the running state of BGP4 independently of peer network routers. When this hardware or software fails on one redundant hardware platform, peer routers are unaware of the failure. Internally, based on duplicative states, the local router recovers from the failure and keeps the protocol running. During the recovery period, the local router can bring up a backup again. In the HA architecture, these activities are not detected by peer routers, such that there is no instability to the Internet backbone caused by BGP4 failure.
    Type: Application
    Filed: October 29, 2008
    Publication date: May 21, 2009
    Applicant: Foundry Networks, Inc.
    Inventors: Lance A. Visser, Qi Ning
  • Patent number: 7523485
    Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets.
    Type: Grant
    Filed: July 31, 2003
    Date of Patent: April 21, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Philip Kwan
  • Publication number: 20090100500
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Application
    Filed: October 15, 2007
    Publication date: April 16, 2009
    Applicant: Foundry Networks, Inc.
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Publication number: 20090092135
    Abstract: Employing an asymmetric protocol, multiple sources reliably broadcast dynamically changing routing tables incrementally across multiple consumers from a single distributor. Each of multiple sources sends current tables to the distributor using a snapshot mechanism. Messages are buffered, segmented, paced by timers, and broadcast to the consumers repetitively at the distributor. Negative acknowledgments from the consumer request missing messages from the distributor after receipt of a keepalive message from the distributor. The distributor marks the missing messages and retransmits replacements from a history buffer only after firing of a resend timer. A unique Session ID included in all messages originating from each particular source facilitates reliable table distribution from multiple sources to multiple consumers via a single distributor.
    Type: Application
    Filed: December 11, 2008
    Publication date: April 9, 2009
    Applicant: Foundry Networks, Inc.
    Inventors: Steve M. Simmons, Jim Kleiner, Qiang Li, Bing Liu, Lance Arnold Visser
  • Patent number: 7516487
    Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.
    Type: Grant
    Filed: May 20, 2004
    Date of Patent: April 7, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Ronald W. Szeto, Nitin Jain, Ravindran Suresh, Philip Kwan
  • Patent number: 7512127
    Abstract: A backplane interface adapter for a network switch. The backplane interface adapter includes at least one receiver that receives input cells carrying packets of data; at least one cell generator that generates encoded cells which include the packets of data from the input cells; and at least one transmitter that transmits the generated cells to a switching fabric. The cell includes a destination slot identifier that identifies a slot of the switching fabric towards which the respective input cell is being sent. The generated cells include in-band control information.
    Type: Grant
    Filed: May 21, 2007
    Date of Patent: March 31, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Andrew Chang, Ronak Patel, Ming G. Wong
  • Patent number: 7499394
    Abstract: High availability BGP4 is based on redundant hardware as well as redundant software that replicates the RUN state of BGP4. There are two copies, respectively active and backup, of BGP4 running on two separate redundant hardware platforms. All BGP4 internal implementations apply various methods to replicate the running state of BGP4 independently of peer network routers. When this hardware or software fails on one redundant hardware platform, peer routers are unaware of the failure. Internally, based on duplicative states, the local router recovers from the failure and keeps the protocol running. During the recovery period, the local router can bring up a backup again. In the HA architecture, these activities are not detected by peer routers, such that there is no instability to the Internet backbone caused by BGP4 failure.
    Type: Grant
    Filed: June 25, 2007
    Date of Patent: March 3, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Lance A. Visser, Qi Ning
  • Patent number: 7496651
    Abstract: In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client.
    Type: Grant
    Filed: May 6, 2004
    Date of Patent: February 24, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Prajakta S. Joshi
  • Patent number: 7483433
    Abstract: Employing an asymmetric protocol, multiple sources reliably broadcast dynamically changing routing tables incrementally across multiple consumers from a single distributor. Each of multiple sources sends current tables to the distributor using a snapshot mechanism. Messages are buffered, segmented, paced by timers, and broadcast to the consumers repetitively at the distributor. Negative acknowledgments from the consumer request missing messages from the distributor after receipt of a keepalive message from the distributor. The distributor marks the missing messages and retransmits replacements from a history buffer only after firing of a resend timer. A unique Session ID included in all messages originating from each particular source facilitates reliable table distribution from multiple sources to multiple consumers via a single distributor.
    Type: Grant
    Filed: September 17, 2001
    Date of Patent: January 27, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Steve M. Simmons, Jim Kleiner, Qiang Li, Bing Liu, Lance Arnold Visser
  • Patent number: 7477894
    Abstract: Wireless roaming in a computer network may be handled through a solution provided on one or more switches in the network. A roam request sent by a switch corresponding to the user's new location may be received by the other switches in the network. If the user is known to any of these switches, then they may execute steps to accommodate the roaming. The tasks performed may vary based on whether the roaming is on layer 2 or layer 3, whether the switch is a home agent for the client, and/or whether the switch already corresponds to the user's new location.
    Type: Grant
    Filed: February 23, 2004
    Date of Patent: January 13, 2009
    Assignee: Foundry Networks, Inc.
    Inventor: Vishal Sinha