Abstract: The system, method, and article of manufacture of the present invention allows multiple customers connected to a common external network to each implement a layer 2 redundancy protocol, such as the spanning tree protocol, in order to prevent layer 2 loops. Accordingly, a method is presented for providing an independent loop free layer 2 topology between a external network and a customer network comprising tagging control packets originating on the customer network with a unique identifier and tunneling the control packets received from the customer network between a plurality of boundary interface devices at the external network such that the control packets are routed back to the customer network based on the presence of the unique identifier in the control packet. The layer 2 redundancy protocol on the customer network converges based at least in part on the presence of control packets appearing on more than one port on the customer network.

Abstract: Disclosed is a technique for facilitating software upgrade for a switching system comprising a first management processor and a second management processor and a set of one or more line processors, the techniques comprising receiving a signal to perform a software upgrade for a line processor from the set of line processors, and performing a software upgrade for the line processor without substantially affecting packet switching performed by the switching system.

Abstract: A system and method are provided for enabling a first network to detect a loop in a second network connected thereto. The first network runs a first instance of a Spanning Tree Protocol and the second network runs either a different instance or no instance. The method includes sending a Remote Loop Detection Packet (“RLDP”) from the ports in bridges of the first network which are connected to the second network. The RLDP includes identifiers such as the source bridge, port and VLAN. The system and method further includes checking for receipt of the RLDP on the same bridge which sent the RLDP. If such a receipt occurs, a loop is detected and one of the ports of the receiving/sending bridge is blocked.

Abstract: A routing system utilizes a layer 2 switch interconnecting several routers to intelligently forward multicast packets throughout an internet exchange carrying multicast content. The layer 2 switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes.

Abstract: A system, method and apparatus for supporting enhanced 911 (E911) emergency services, in a data communications network that includes Voice over Internet Protocol (VoIP) telephones. A network system includes a host network communicatively coupled to an E911 database management system, a network access device, and a VoIP telephone communicatively coupled to an input port of the network access device. The network access device is adapted to assign a physical location identifier to an input port, to authenticate the VoIP telephone, wherein the authentication includes receiving a unique device identifier from the VoIP telephone, and to transmit the location identifier and the unique device identifier to the E911 database management system. The E911 database management system is permitted to store the physical location identifier in association with the unique device identifier.

Abstract: Techniques that assist in processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing, the other FDP packets are dropped and not forwarded to the CPU. In this manner, the amount of processing that a CPU of the network device has to perform for incoming FDP packets is reduced. This enables the network device to support newer FDPs with shorter periodic interval requirements.

Abstract: According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping.

Abstract: Techniques for computing a path for a local repair connection to be used to protect a connection traversing an original path from an ingress node to an egress node. The computed path originates at a node (start node) in the original path and terminates at another node (end node) in the original path that is downstream from the start node. A Constraint Shortest Path First (CSPF) algorithm may be used to compute the path. The computed path is such that it satisfies one or more constraints and does not traverse a path from a first node in the original path to a second node in the original path, wherein the first and second nodes are upstream from the start node in the original path and the second node is downstream from the first node in the original path. A local repair connection may then be signaled using the computed path.

Abstract: A system and method which enables a provider network to run a loop detection protocol in a customer network communicably coupled to it. The provider network runs a loop detection protocol and the customer network either runs a different protocol or none. The provider network determines its root bridge, or designated customer bridge, which is used to control loop detection decisions for the customer network. A BPDU or other protocol packet received from the customer network is tunneled through the provider network to the designated customer bridge. The designated customer network then processes the received BPDU in accordance with a loop detection instance for the customer network. The designated customer bridge then produces control messages in response to the processing and forwards those messages to the customer network. The control messages may include port state controls for ports in the customer network.

Abstract: Technology for network security is disclosed. In one embodiment, a method of managing network security includes receiving sampled packets. The sampled packets represent packets being sampled from network packet traffic in at least one location in a network. The sampled packets are converted into an appropriate format for analysis to form converted packets. Moreover, the converted packets are sent to a first group including at least one security device for analysis. If an event message is generated by the at least one security device as a result of analysis of the converted packets, the event message is received from the at least one security device. Network security is evaluated based on the event message and security policies and is adjusted based on that evaluation. The method may be implemented with a network manager.

Abstract: A configurable timer may be used for seamless authentication administration. A network administrator may set the timer value. Then the network administrator may begin to update the authentication configuration or key and the timer may begin to count down. While the timer counts down, the network device may still send outgoing packets using the old authentication configuration or key and may begin to authenticate incoming packets using both the old authentication configuration or key and the new authentication configuration or key. Once it expires, the network device may begin to send outgoing packets using just the new authentication configuration or key. The counter may then be reset and counted down again. Once the counter expires a second time, the new authentication configuration or key may be used for both incoming and outgoing packets. Two-timer implementations are also possible.

Abstract: A virtual router spans a number of physical routing devices. One of the physical routing devices is designated as master, and the other physical routing devices are designated as backups to the master. A failover protocol that includes both a non-dampened state and a dampened state can be implemented. According to the failover protocol, an attempt to designate one of the backups as master in place of the current master is permitted while the virtual router is in the non-dampened state, while such an attempt is suppressed while the virtual router is in the dampened state.

Abstract: Employing an asymmetric protocol, multiple sources reliably broadcast dynamically changing routing tables incrementally across multiple consumers from a single distributor. Each of multiple sources send current tables to the distributor using a snapshot mechanism. Message are buffered, segmented, paced by timers, and broadcast to the consumers repetitively at the distributor. Negative acknowledgments from the consumer request missing messages from the distributor after receipt of a keepalive message from the distributor. The distributor marks the missing messages and retransmits replacements from a history buffer only after firing of a resend timer. A unique Session ID included in all messages originating from each particular source facilitates reliable table distribution from multiple sources to multiple consumers via a single distributor.

Abstract: A method of allocating power to ports in an Ethernet switch, including: (1) assigning a configuration power to a selected port, wherein the assigned configuration power is less than a power supplied by the selected port to a powered, (2) enabling and powering the selected port in a single indivisible step, (3) determining the power limit of a device coupled to the selected port, (4) comparing the power supplied by the selected port to the device with the configuration power assigned to the selected port, and (5) if the power supplied by the selected port to the device is greater than the configuration power assigned to the selected port, then increasing the configuration power of the selected port to correspond with the power limit of the device.

Abstract: In a network, packets are fragmented into head and non-head fragments. Non-head fragments are saved up front at an entry point, while a network switch forwards only the head fragment to Layer 4-Layer 7 (L4-L7) features for processing. The switch records changes that are performed on the head fragment's fields by the L4-L7 features while they process the head fragment. At an exit point, fields of the saved non-head fragments are overwritten with information that was recorded for the head fragment. This can include updating or modifying the source and destination parameters of the non-head fragments in an intelligent manner by reusing the results of the packet processing that was performed on the head fragment. This fragmentation handling technique avoids having to redundantly process the non-head fragments in the same manner as the head fragments.

Abstract: High-speed transceiver devices, such as GBIC-type transceivers, are accessed and addressed. Identification information (including manufacturer name, model, compliance codes) is placed in data fields of the transceivers. An algorithm checks each port in each module of a host system to determine if a transceiver is present. If a particular transceiver is present, then algorithms store the port address of the transceiver in memory and enable the transceiver to be read from or written to. Reading from the transceiver includes reading the identification information, and writing to the transceiver includes writing the identification information. If a transceiver is initially determined not to be present or if the reading/writing/enabling processes fail, then a recovery process determines if the transceiver was present the last time it was checked. If it was present the last time, then the process continues to try to recover the transceiver data—otherwise, the port is marked as empty.

Abstract: A switching device comprising one or more processors coupled to a media access control (MAC) interface and a memory structure for switching packets rapidly between one or more source devices and one or more destination devices. Packets are pipelined through a series of first processing segments to perform a plurality of first sub-operations involving the initial processing of packets received from source devices to be buffered in the memory structure. Packets are pipelined through a series of second processing segments to perform a plurality of second sub-operations involved in retrieving packets from the memory structure and preparing packets for transmission. Packets are pipelined through a series of third processing segments to perform a plurality of third sub-operations involved in scheduling transmission of packets to the MAC interface for transmission to one or more destination devices.

Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.

Abstract: Instead of alternatively utilizing only one fabric or the other fabric of a redundant pair, both fabrics simultaneously transmit duplicate information, such that each packet forwarding module (PFM) receives the output of both fabrics simultaneously. In real time, an internal optics module (IOM) analyzes each information chunk coming out of a working zero switch fabric; simultaneously examines a parallel output of a working one duplicate switch fabric; and compares on a chunk-by-chunk basis the validity of each and every chunk from both switch fabrics. The IOM does this by examining forward error correction (FEC) check symbols encapsulated into each chunk. FEC check symbols allow correcting a predetermined number of bit errors within a chunk. If the chunk cannot be corrected, then the IOM provides indication to all PFMs downstream that the chunk is defective. Under such conditions, the PFMs select a chunk from the non-defective switch fabric.

Abstract: Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.