Abstract: The number of content addressable memory (CAM) lookups is reduced from two to one. Each side (left and right sides) of a CAM is programmed with network addresses, such as IP addresses, based on certain bits of the network addresses. These bits of the network addresses (which represent packet routes) are examined and used to determine whether the particular network address is to be placed on the left or right sides of the CAM. The grouping of certain network addresses either on the left or right sides of the CAM can be performed by examining an individual bit of each network address, by performing an exclusive OR (XOR) operation on a plurality of bits of each network address, and/or by searching for bit patterns of the network address in a decision table. Network addresses that cannot be readily assigned to a particular side of the CAM using these grouping techniques are programmed into both sides of the CAM.

Abstract: High-speed transceiver devices, such as GBIC-type transceivers, are accessed and addressed. Identification information (including manufacturer name, model, compliance codes) is placed in data fields of the transceivers. An algorithm checks each port in each module of a host system to determine if a transceiver is present. If a particular transceiver is present, then algorithms store the port address of the transceiver in memory and enable the transceiver to be read from or written to. Reading from the transceiver includes reading the identification information, and writing to the transceiver includes writing the identification information. If a transceiver is initially determined not to be present or if the reading/writing/enabling processes fail, then a recovery process determines if the transceiver was present the last time it was checked. If it was present the last time, then the process continues to try to recover the transceiver data—otherwise, the port is marked as empty.

Abstract: A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric.

Abstract: A system, method and apparatus for supporting enhanced 911 (E911) emergency services, in a data communications network that includes Voice over Internet Protocol (VoIP) telephones. A network system includes a host network communicatively coupled to an E911 database management system, a network access device, and a VoIP telephone communicatively coupled to an input port of the network access device. The network access device is adapted to assign a physical location identifier to an input port, to authenticate the VoIP telephone, wherein the authentication includes receiving a unique device identifier from the VoIP telephone, and to transmit the location identifier and the unique device identifier to the E911 database management system. The E911 database management system is permitted to store the physical location identifier in association with the unique device identifier.

Abstract: A system and method are provided for enabling a first network to detect a loop in a second network connected thereto. The first network runs a first instance of a Spanning Tree Protocol and the second network runs either a different instance or no instance. The method includes sending a Remote Loop Detection Packet (“RLDP”) from the ports in bridges of the first network which are connected to the second network. The RLDP includes identifiers such as the source bridge, port and VLAN. The system and method further includes checking for receipt of the RLDP on the same bridge which sent the RLDP. If such a receipt occurs, a loop is detected and one of the ports of the receiving/sending bridge is blocked.

Abstract: Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions.

Abstract: A method and apparatus aggregate a plurality of input data streams from first processors into one data stream for a second processor, the circuit and the first and second processors being provided on an electronic circuit substrate. The aggregation circuit includes (a) a plurality of ingress data ports, each ingress data port adapted to receive an input data stream from a corresponding first processor, each input data stream formed of ingress data packets, each ingress data packet including priority factors coded therein, (b) an aggregation module coupled to the ingress data ports, adapted to analyze and combine the plurality of input data steams into one aggregated data stream in response to the priority factors, (c) a memory coupled to the aggregation module, adapted to store analyzed data packets, and (d) an output data port coupled to the aggregation module, adapted to output the aggregated data stream to the second processor.

Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.

Abstract: A virtual router spans a number of physical routing devices. A set of physical ports on one of the physical routing devices is logically represented as a trunk. A respective port priority value is associated with each of those ports, and a device priority value is associated with the physical routing device. If a port in the trunk is out-of-service, then the device priority value can be adjusted by the port priority value associated with the out-of-service port. A corrective action can be implemented if the device priority value fails to satisfy a condition. For example, the physical routing device may failover to another one of the physical routing devices spanned by the virtual router.

Abstract: A virtual router spans a number of physical routing devices. One of the physical routing devices is designated as master, and the other physical routing devices are designated as backups to the master. A failover protocol that includes both a non-dampened state and a dampened state can be implemented. According to the failover protocol, an attempt to designate one of the backups as master in place of the current master is permitted while the virtual router is in the non-dampened state, while such an attempt is suppressed while the virtual router is in the dampened state.

Abstract: A packet classifier and a method for routing a data packet are provided. The packet classifier includes a content addressable memory, a translation table and a parameter memory. The method includes looking up a content addressable memory for a base address into a parameter memory using a header of the data packet. The base address is related to the routes under ECMP for forwarding the data packet. From among these addresses, using multiple headers of the data packet, an adjustment to the base address is computed. The adjustment specifies an actual address to the parameter memory corresponding to a selected route for forwarding the data packet. The parameter memory is then accessed using the actual address to obtain parameter values relevant to the selected route. The data packet is then forwarded according to the parameter values thus obtained.

Abstract: In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client.

Abstract: A packet classifier and a method for routing a data packet are provided. The packet classifier includes a content addressable memory, a translation table and a parameter memory. The method includes looking up a content addressable memory for a base address into a parameter memory using a header of the data packet. The base address is related to the routes under ECMP for forwarding the data packet. From among these addresses, using multiple headers of the data packet, an adjustment to the base address is computed. The adjustment specifies an actual address to the parameter memory corresponding to a selected route for forwarding the data packet. The parameter memory is then accessed using the actual address to obtain parameter values relevant to the selected route. The data packet is then forwarded according to the parameter values thus obtained.

Abstract: A routing system utilizes a layer 2 switch interconnecting several routers to intelligently forward multicast packets throughout an internet exchange carrying multicast content. The layer 2 switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes.

Abstract: A system, method and apparatus for providing multiple access modes in a data communications network includes a network access device having a plurality of input ports, a plurality of output ports, and a switching fabric for routing data received on the plurality of input ports to at least one of the plurality of output ports. Control logic within the network access device is adapted to determine whether a user device coupled to one of the plurality of input ports supports a user authentication protocol used by a host network. If the user authentication protocol is not supported, then the input port to which the network access device is coupled is placed in a semi-authorized access state that limits access to a pre-configured network accessible via the host network.

Abstract: High-speed transceiver devices, such as GBIC-type transceivers, are accessed and addressed. Identification information (including manufacturer name, model, compliance codes) is placed in data fields of the transceivers. An algorithm checks each port in each module of a host system to determine if a transceiver is present. If a particular transceiver is present, then algorithms store the port address of the transceiver in memory and enable the transceiver to be read from or written to. Reading from the transceiver includes reading the identification information, and writing to the transceiver includes writing the identification information. If a transceiver is initially determined not to be present or if the reading/writing/enabling processes fail, then a recovery process determines if the transceiver was present the last time it was checked. If it was present the last time, then the process continues to try to recover the transceiver data—otherwise, the port is marked as empty.

Abstract: A system and method that modifies the behavior of the IEEE 802.1D STP standard to thereby decouple the one data domain from the one control domain involves managing multiple spanning tree protocol (STP) instances in a virtual local area network (VLAN). The method includes the step of assigning a unique set of ports within the VLAN to each of the multiple STP instances. Then, each of the multiple STP instances are managed to keep each of the multiple STP instances separate. Finally, when a topology change is detected in one of the multiple STP instances, entries that have been learned on the unique set of ports assigned to the STP protocol instance where the topology change is detected are fast-aged or transitioned from one state to another.

Abstract: Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.

Abstract: According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping.

Abstract: A method for supporting dynamic configuration changes comprises receiving a message from a current root bridge, comparing a bridge media access control (MAC) address of a receiving port to a bridge MAC address of the received message, if the bridge MAC addresses are not the same, then comparing a current priority value with a previous priority value of the current root bridge, determining if the receiving port is a qualified root port, and if the port is a qualified root port, then returning a superior designated message to execute an RSTP calculation.