Patents Assigned to Foundry Networks, LLC
-
Patent number: 8249096
Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.
Type: Grant
Filed: August 26, 2010
Date of Patent: August 21, 2012
Assignee: Foundry Networks, LLC
Inventor: Philip Kwan
-
Patent number: 8248928
Abstract: Embodiments described herein discuss an approach to implementing load-balancing across multiple monitoring servers. One such embodiment describes a network monitoring device. The network monitoring device includes an ingress port, for receiving mirrored network packets, and a number of egress ports. The egress ports are associated with a number of monitoring servers, and used to forward the mirrored network packets to the monitoring servers. A packet classifier, coupled to the ingress port, examines the mirrored network packets, and determines which of the monitoring servers should receive the packets.
Type: Grant
Filed: November 8, 2007
Date of Patent: August 21, 2012
Assignee: Foundry Networks, LLC
Inventors: Bing Wang, David Cheung
-
Patent number: 8245300
Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
Type: Grant
Filed: June 4, 2009
Date of Patent: August 14, 2012
Assignee: Foundry Networks LLC
Inventor: Philip Kwan
-
Patent number: 8238255
Abstract: Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.
Type: Grant
Filed: July 31, 2007
Date of Patent: August 7, 2012
Assignee: Foundry Networks, LLC
Inventors: Ravindran Suresh, Adoor V. Balasubramanian
-
Patent number: 8239929
Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
Type: Grant
Filed: April 28, 2010
Date of Patent: August 7, 2012
Assignee: Foundry Networks, LLC
Inventors: Philip Kwan, Chi-Jui Ho
-
Patent number: 8194666
Abstract: According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping.
Type: Grant
Filed: January 29, 2007
Date of Patent: June 5, 2012
Assignee: Foundry Networks, LLC
Inventor: Ian Edward Davis
-
Patent number: 8190881
Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
Type: Grant
Filed: October 15, 2007
Date of Patent: May 29, 2012
Assignee: Foundry Networks LLC
Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
-
Publication number: 20120120952
Abstract: Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.
Type: Application
Filed: October 21, 2011
Publication date: May 17, 2012
Applicant: Foundry Networks, LLC
Inventors: Rajkumar Jalan, Louis Yun, Ivy Pei-Shan Hsu
-
Patent number: 8170044
Abstract: A switching device comprising one or more processors coupled to a media access control (MAC) interface and a memory structure for switching packets rapidly between one or more source devices and one or more destination devices. Packets are pipelined through a series of first processing segments to perform a plurality of first sub-operations involving the initial processing of packets received from source devices to be buffered in the memory structure. Packets are pipelined through a series of second processing segments to perform a plurality of second sub-operations involved in retrieving packets from the memory structure and preparing packets for transmission. Packets are pipelined through a series of third processing segments to perform a plurality of third sub-operations involved in scheduling transmission of packets to the MAC interface for transmission to one or more destination devices.
Type: Grant
Filed: June 7, 2010
Date of Patent: May 1, 2012
Assignee: Foundry Networks, LLC
Inventors: Ian Edward Davis, Aris Wong
-
Patent number: 8155011
Abstract: Techniques are provided for assisting in the processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing; the other FDP packets are dropped and not forwarded to the CPU. The processing is performed using dual memory structures that enable receipt of FDP packets by the network device to be decoupled from the processing of FDP packets by the CPU of the network device.
Type: Grant
Filed: December 10, 2007
Date of Patent: April 10, 2012
Assignee: Foundry Networks, LLC
Inventors: Yuen Wong, Pedman Moobed
-
Patent number: 8149839
Abstract: Techniques that offer enhanced diversity in the selection of paths (e.g., ECMP paths) and/or ports from ports associated with trunks for forwarding network data traffic. In one embodiment, a network device uses a rotate function to generate a rotated index (path index) that is used to select a path (e.g., an ECMP path) from multiple paths (e.g., multiple ECMP paths) for forwarding a packet. A network device may also generate a rotated index (trunk index) that is used to select an output port from multiple output ports associated with a trunk for forwarding the packet.
Type: Grant
Filed: August 26, 2008
Date of Patent: April 3, 2012
Assignee: Foundry Networks, LLC
Inventors: Ivy Pei-Shan Hsu, Deepak Bansal, Lok Yan Hui, Yuen Wong, Vahid Naraghi
-
Patent number: 8139510
Abstract: A method for supporting dynamic configuration changes comprises receiving a message from a current root bridge, comparing a bridge media access control (MAC) address of a receiving port to a bridge MAC address of the received message, if the bridge MAC addresses are the same, then comparing a current priority value with a previous priority value of the current root bridge, determining if the receiving port is a qualified root port, and if the port is a qualified root port, then returning a superior designated message to execute an RSTP calculation.
Type: Grant
Filed: April 14, 2010
Date of Patent: March 20, 2012
Assignee: Foundry Networks, LLC
Inventor: Benny J. Thottakkara
-
Patent number: 8135973
Abstract: A system and method for dynamically managing groups of power supplies for a computer system has a plurality of first circuits, each of the first circuits responsive to an electrical condition of each of the plurality of power sources. A second circuit is coupled to the plurality of first circuits, and is responsive to the plurality of first circuits. The second circuit identifies a state associated with any one of the plurality of power supplies. A third circuit is coupled and responsive to the second circuit. The third circuit communicates the states of the plurality of power supplies to a user.
Type: Grant
Filed: November 6, 2007
Date of Patent: March 13, 2012
Assignee: Foundry Networks, LLC
Inventors: Charles Allen Helfinstine, Chang-Pen Tai
-
Patent number: 8122485
Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.
Type: Grant
Filed: October 1, 2010
Date of Patent: February 21, 2012
Assignee: Foundry Networks, LLC
Inventors: Mehul Dholakia, Ron Talmor
-
Publication number: 20120033542
Abstract: Techniques for configuring a local repair connection for a protected connection including determining a path for the local repair connection. The path traversed by a local repair connection starts at a node in the path associated with the protected connection and ends at a merge point node in the path associated with the protected connection that is downstream from the start node. In one embodiment, the merge point node may even be more than two hops downstream from the start node in the path associated with the protected connection. The local repair path may include zero or more nodes that are not included in the path associated with the protected connection. Techniques are also described for optimizing the path associated with a local repair connection.
Type: Application
Filed: October 14, 2011
Publication date: February 9, 2012
Applicant: Foundry Networks, LLC
Inventors: Mohammad Hanif, Ivy Hsu
-
Publication number: 20120026868
Abstract: A backplane interface adapter for a network switch. The backplane interface adapter includes at least one receiver that receives input cells carrying packets of data; at least one cell generator that generates encoded cells which include the packets of data from the input cells; and at least one transmitter that transmits the generated cells to a switching fabric. The cell includes a destination slot identifier that identifies a slot of the switching fabric towards which the respective input cell is being sent. The generated cells include in-band control information.
Type: Application
Filed: June 3, 2011
Publication date: February 2, 2012
Applicant: Foundry Networks, LLC
Inventors: Andrew Chang, Ronak Patel, Ming G. Wong
-
Publication number: 20120011584
Abstract: A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
Type: Application
Filed: July 18, 2011
Publication date: January 12, 2012
Applicant: Foundry Networks, LLC
Inventor: Philip Kwan
-
Publication number: 20110268108
Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.
Type: Application
Filed: April 8, 2011
Publication date: November 3, 2011
Applicant: Foundry Networks, LLC
Inventors: Ronak Patel, Ming G. Wong, Yu-mei Lin, Andrew Chang, Yuen Fai Wong
-
Patent number: 8051201
Abstract: Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.
Type: Grant
Filed: February 19, 2010
Date of Patent: November 1, 2011
Assignee: Foundry Networks, LLC
Inventors: Rajkumar Jalan, Louis Yun, Ivy Pei-Shan Hsu
-
Patent number: RE43270
Abstract: In an embodiment, a A method for supporting dynamic configuration changes,includes: comprises receiving a message from a current root bridge;, comparing the a bridge media access control (MAC) address of a receiving port to the a bridge MAC address of the received message;, if the bridge MAC addresses are not the same, then comparing a current priority value to with a previous priority value of the current root bridge; if the current priority value is inferior, then, determining if the port receiving the message port is a qualified root port;, and if the port is a qualified root port, then returning a superior designated message to permit each bridge to execute a rapid spanning tree calculation for use in a dynamic configuration change an RSTP calculation.
Type: Grant
Filed: February 1, 2011
Date of Patent: March 27, 2012
Assignee: Foundry Networks LLC
Inventor: Benny J. Thottakkara