Abstract: A virtual router spans a number of physical routing devices. A set of physical ports on one of the physical routing devices is logically represented as a trunk. A respective port priority value is associated with each of those ports, and a device priority value is associated with the physical routing device. If a port in the trunk is out-of-service, then the device priority value can be adjusted by the port priority value associated with the out-of-service port. A corrective action can be implemented if the device priority value fails to satisfy a condition. For example, the physical routing device may failover to another one of the physical routing devices spanned by the virtual router.

Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.

Abstract: Techniques that assist in processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing, the other FDP packets are dropped and not forwarded to the CPU. In this manner, the amount of processing that a CPU of the network device has to perform for incoming FDP packets is reduced. This enables the network device to support newer FDPs with shorter periodic interval requirements.

Abstract: An approach to duplicating network traffic is described. In one approach, a method of creating multiple copies of network traffic is detailed. The method involves receiving network traffic, producing a duplicate copy of the network traffic, and forwarding the duplicate copy to a monitoring port. The monitoring port forwards copies to a number of indicated ports.

Abstract: Techniques for computing a path for a local repair connection to be used to protect a connection traversing an original path from an ingress node to an egress node. The computed path originates at a node (start node) in the original path and terminates at another node (end node) in the original path that is downstream from the start node. A Constraint Shortest Path First (CSPF) algorithm may be used to compute the path. The computed path is such that it satisfies one or more constraints and does not traverse a path from a first node in the original path to a second node in the original path, wherein the first and second nodes are upstream from the start node in the original path and the second node is downstream from the first node in the original path. A local repair connection may then be signaled using the computed path.

Abstract: Disclosed is a technique for facilitating software upgrade for a switching system comprising a first management processor and a second management processor and a set of one or more line processors, the techniques comprising receiving a signal to perform a software upgrade for a line processor from the set of line processors, and performing a software upgrade for the line processor without substantially affecting packet switching performed by the switching system.

Abstract: Techniques for incrementing counters in an efficient manner. In one set of embodiments, counter logic circuits are provided that can operate at higher frequencies than existing counter logic circuits, while being capable of being implemented in currently available field programmable gate arrays (FPGAs) or fabricated using currently available process technologies. The counter logic circuits of the present invention may be used to increment statistics counters in network devices that support line speeds of 40 Gbps, 100 Gbps, and greater.

Abstract: Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation. For server load balancing, a reset may be sent to the source address of the new connection request. For transparent cache switching, the connection request may be forwarded to the Internet.

Abstract: Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation. For server load balancing, a reset may be sent to the source address of the new connection request. For transparent cache switching, the connection request may be forwarded to the Internet.

Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

Abstract: A system and method for providing for a number of different authentication methods. The system and method can be used in conjunction with a data communications network, where client devices gain access to the data communications network through a network access device. The different authentication methods can allow for authentication based on a physical address for the client device, and can allow for authentication based on a web authentication procedure, and can provide for an authentication method which utilizes a combination of authentication methods which includes authentication based on both the physical address of the client device and based on user credential information.

Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.

Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.

Abstract: Solutions are provided that allow a network device to apply flow control on the MAC layer while taking into account the priority of the frame of traffic. This may be accomplished by generating a frame indicating that traffic flow should be paused, while utilizing a new opcode value, or alternatively by utilizing a new type/length value (possibly combined with a new opcode value). A receiving device may then examine the fields of the frame to determine whether it should use priority-based pausing, and then examine other fields to determine which priority-levels to pause and for how long. This allows for improved efficiency in flow control at the MAC layer. Additionally, the tagged pause frames can be forwarded over multiple hops on Local Area Networks across a Metropolitan Area Network or Wide Area Network.

Abstract: Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions.

Abstract: Techniques that offer enhanced diversity in the selection of paths (e.g., ECMP paths) and/or ports from ports associated with trunks for forwarding data traffic. In one embodiment, one or more functions are used to generate a result. A first portion of the generated result may be used as an index (e.g., ECMP index) for selecting a path (e.g., an ECMP path) from multiple possible paths for forwarding a packet. A second portion of the generated result, different from the first portion, may be used as an index (trunk index) for selecting an output port from multiple output ports associated with a trunk for forwarding a packet. In this manner, selected portions of the generated result may be used as indices, one for selecting a path and another for selecting a trunk port for forwarding packets such that the two indices are not the same and are not dependent upon one another.

Abstract: A method and apparatus aggregate a plurality of input data streams from first processors into one data stream for a second processor, the circuit and the first and second processors being provided on an electronic circuit substrate. The aggregation circuit includes (a) a plurality of ingress data ports, each ingress data port adapted to receive an input data stream from a corresponding first processor, each input data stream formed of ingress data packets, each ingress data packet including priority factors coded therein, (b) an aggregation module coupled to the ingress data ports, adapted to analyze and combine the plurality of input data steams into one aggregated data stream in response to the priority factors, (c) a memory coupled to the aggregation module, adapted to store analyzed data packets, and (d) an output data port coupled to the aggregation module, adapted to output the aggregated data stream to the second processor.

Abstract: Techniques for computing a path for a local repair connection to be used to protect a connection traversing an original path from an ingress node to an egress node. The computed path originates at a node (start node) in the original path and terminates at another node (end node) in the original path that is downstream from the start node. A Constraint Shortest Path First (CSPF) algorithm may be used to compute the path. The computed path is such that it satisfies one or more constraints and does not traverse a path from a first node in the original path to a second node in the original path, wherein the first and second nodes are upstream from the start node in the original path and the second node is downstream from the first node in the original path. A local repair connection may then be signaled using the computed path.

Abstract: High availability BGP4 is based on redundant hardware as well as redundant software that replicates the RUN state of BGP4. There are two copies, respectively active and backup, of BGP4 running on two separate redundant hardware platforms. All BGP4 internal implementations apply various methods to replicate the running state of BGP4 independently of peer network routers. When this hardware or software fails on one redundant hardware platform, peer routers are unaware of the failure. Internally, based on duplicative states, the local router recovers from the failure and keeps the protocol running. During the recovery period, the local router can bring up a backup again. In the HA architecture, these activities are not detected by peer routers, such that there is no instability to the Internet backbone caused by BGP4 failure.

Abstract: One embodiment provides a system that facilitates bandwidth-profile enforcement. During operation, the system indicates a packet's compliance with a bandwidth profile based at least on available high-compliance tokens and medium-compliance tokens. The system further accounts for overflow tokens from a respective class of service (CoS) and distribute an overflow token to another CoS priority level based on the overflow token's CoS information.