Abstract: To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider.

Abstract: Techniques for configuring a local repair connection for a protected connection including determining a path for the local repair connection. The path traversed by a local repair connection starts at a node in the path associated with the protected connection and ends at a merge point node in the path associated with the protected connection that is downstream from the start node. In one embodiment, the merge point node may even be more than two hops downstream from the start node in the path associated with the protected connection. The local repair path may include zero or more nodes that are not included in the path associated with the protected connection. Techniques are also described for optimizing the path associated with a local repair connection.

Abstract: Transaction rate limiting is provided to monitor new connections. If the number of new connections requested by a particular client exceeds a predetermined threshold value, then the client may be frozen out for a configured period of time. By denying access for the configured period of time, the client is prevented from monopolizing a particular client. Additionally, if the client does have malicious intent, a denial of service attack may be thwarted. The denial of service may be accomplished without alerting the client. This prevents a malicious client from regrouping and attempting an assault via a different mechanism.

Abstract: A system and method that modifies the behavior of the IEEE 802.1D STP standard to thereby decouple the one data domain from the one control domain involves managing multiple spanning tree protocol (STP) instances in a virtual local area network (VLAN). The method includes the step of assigning a unique set of ports within the VLAN to each of the multiple STP instances. Then, each of the multiple STP instances are managed to keep each of the multiple STP instances separate. Finally, when a topology change is detected in one of the multiple STP instances, entries that have been learned on the unique set of ports assigned to the STP protocol instance where the topology change is detected are fast-aged or transitioned from one state to another.

Abstract: Solutions are provided that allow a network device to apply flow control on the MAC layer while taking into account the priority of the frame of traffic. This may be accomplished by generating a frame indicating that traffic flow should be paused, while utilizing a new opcode value, or alternatively by utilizing a new type/length value (possibly combined with a new opcode value). A receiving device may then examine the fields of the frame to determine whether it should use priority-based pausing, and then examine other fields to determine which priority-levels to pause and for how long. This allows for improved efficiency in flow control at the MAC layer. Additionally, the tagged pause frames can be forwarded over multiple hops on Local Area Networks across a Metropolitan Area Network or Wide Area Network.

Abstract: The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises a first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates a first and second field programmable gate arrays (FPGA) coupled to the MAC interfaces and an associated first and second memory structures, the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interface for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures.

Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.

Abstract: An approach to generating device-specific configurations is described. In one approach, a method of generating a device-specific configuration for a target device is described. The method involves receiving a configuration parameter, and receiving command syntax information. A state description is generated from the configuration parameter, with reference to a configuration library. Device information is retrieved from the target device, and the device-specific configuration is generated with reference to the command syntax information, the device information, the state description, and a command library.

Abstract: Wireless roaming in a computer network may be handled through a solution provided on one or more switches in the network. A roam request sent by a switch corresponding to the user's new location may be received by the other switches in the network. If the user is known to any of these switches, then they may execute steps to accommodate the roaming. The tasks performed may vary based on whether the roaming is on layer 2 or layer 3, whether the switch is a home agent for the client, and/or whether the switch already corresponds to the user's new location.

Abstract: The system, method, and article of manufacture of the present invention allows multiple customers connected to a common external network to each implement a layer 2 redundancy protocol, such as the spanning tree protocol, in order to prevent layer 2 loops. Accordingly, a method is presented for providing an independent loop free layer 2 topology between a external network and a customer network comprising tagging control packets originating on the customer network with a unique identifier and tunneling the control packets received from the customer network between a plurality of boundary interface devices at the external network such that the control packets are routed back to the customer network based on the presence of the unique identifier in the control packet. The layer 2 redundancy protocol on the customer network converges based at least in part on the presence of control packets appearing on more than one port on the customer network.

Abstract: Solutions are provided that allow a network device to apply flow control on the MAC layer while taking into account the priority of the frame of traffic. This may be accomplished by generating a frame indicating that traffic flow should be paused, while utilizing a new opcode value, or alternatively by utilizing a new type/length value (possibly combined with a new opcode value). A receiving device may then examine the fields of the frame to determine whether it should use priority-based pausing, and then examine other fields to determine which priority-levels to pause and for how long. This allows for improved efficiency in flow control on the MAC layer.

Abstract: A system and method for reducing the number of cycles used in CAM lookup. A network comprises a plurality of network devices connected to a router. The router comprises a media access controller which is effective to receive an input packet and a packet processor which is effective to receive the input packet from the media access controller and to extract data stored in the input packet. The router further comprises a CAM which is effective to receive the data stored in the input packet from the packet processor, a PRAM, a control processor and a bus. The control processor controls the packet processor and the CAM so that the packet processor extracts a destination address from the input packet and forwards the destination address to the CAM. The packet processor extracts a source address from the input packet and forwards the source address to the CAM. The CAM performs a lookup of the destination and source addresses in parallel.

Abstract: The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises a first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates a first and second field programmable gate arrays (FPGA) coupled to the MAC interfaces and an associated first and second memory structures, the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interface for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures.

Abstract: Techniques for finding an optimized local repair path that may be used to signal a local repair connection for a protected connection. The optimized local repair path starts at a node in the path associated with the protected connection and ends at a merge point node in the path associated with the protected connection that is downstream from the start node. Various techniques may be used for finding an optimized local repair path.

Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.

Abstract: A method of allocating power to ports in an Ethernet switch, including: (1) assigning a configuration power to a selected port, wherein the assigned configuration power is less than a power supplied by the selected port to a powered, (2) enabling and powering the selected port in a single indivisible step, (3) determining the power limit of a device coupled to the selected port, (4) comparing the power supplied by the selected port to the device with the configuration power assigned to the selected port, and (5) if the power supplied by the selected port to the device is greater than the configuration power assigned to the selected port, then increasing the configuration power of the selected port to correspond with the power limit of the device.

Abstract: According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping.

Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.

Abstract: Technology for network security is disclosed. In one embodiment, a method of managing network security includes receiving sampled packets. The sampled packets represent packets being sampled from network packet traffic in at least one location in a network. The sampled packets are converted into an appropriate format for analysis to form converted packets. Moreover, the converted packets are sent to a first group including at least one security device for analysis. If an event message is generated by the at least one security device as a result of analysis of the converted packets, the event message is received from the at least one security device. Network security is evaluated based on the event message and security policies and is adjusted based on that evaluation. The method may be implemented with a network manager.

Abstract: An approach to duplicating network traffic is described. In one approach, a method of creating multiple copies of network traffic is detailed. The method involves receiving network traffic, producing a duplicate copy of the network traffic, and forwarding the duplicate copy to a monitoring port. The monitoring port forwards copies to a number of indicated ports.