Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Abstract: Methods and apparatuses for inspecting packets are provided. A primary security system may be configured for processing packets. The primary security system may be operable to maintain flow information for a group of devices to facilitate processing of the packets. A secondary security system may be designated for processing packets upon a failover event. Flow records may be shared from the primary security system with the secondary security system.

Abstract: A method may include receiving, in a first server from a second server, a request for a service of a network by a device; sending, from the first server to the second server, a response to the request for the service to permit access to the service; and sending state information about the response to a third server for storage in a database.

Abstract: The invention provides an arbitration method and an arbiter circuit by which equal arbitration of output cells can be achieved with a comparatively simple configuration even where a very great number of queues are involved. The arbiter circuit includes a plurality of queues for storing output cells, and a plurality of round robins for successively providing the right of outputting output cells to the queues. The round robins are arranged in a multi-stage tree link configuration, and the queues are distributed under those of the round robins which are in the lowest order stage. Each of the round robins in the lowest order stage has a rate information holding function of holding rate information representative of a rate of cells inputted thereto.

Abstract: Output logic generates read requests using a programmable schedule that controls read bandwidth for multiple data streams and stores the read requests in a queuing device. The output logic also dequeues the read requests based on a similar programmable schedule, forwards the read requests to the memory, and reads data units from the memory based on the read requests.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. As described herein, a PE router receives a packet from a multi-homed VPLS customer site, and processes the packet to determine a portion of a MAC domain to which the packet corresponds. When the packet is determined to correspond to a portion associated with the PE router, the PE router forwards the packet to the destination in accordance with forwarding protocols executing on the PE router. When the packet is determined to correspond to a portion associated with a second PE router, the PE router forwards the packet to the second PE router via a pseudowire that is external to the VPLS domain, and the second PE router forwards the packet to the destination in accordance with forwarding protocols executing on the second PE router.

Abstract: A method, computer readable medium, and system for generating a composite image map includes obtaining a plurality of sprites for an application page and determining coordinates of each of the obtained plurality of sprites. A composite image map is generated based on the obtained plurality of sprites and the determined coordinates.

Abstract: A storage server in a distributed content storage and access system provides a mechanism for dynamically establishing storage resources, such as buffers, with specified semantic models. For example, the semantic models support distributed control of single buffering and double buffering during a content transfer that makes use of the buffer for intermediate storage. In some examples, a method includes examining characteristics associated with a desired transfer of data, such as a unit of content, and then selecting characteristics of a first storage resource based on results of the examining. The desired transfer of the data is then affected to use the first storage resource element.

Abstract: Network devices, such as a router and a downstream multicast distribution device, may use multiple control channels when setting up a multicast stream for a multicast request. For example, first messages may be transmitted using a first protocol to an upstream device over a first channel, the first messages indicating when a first multicast media stream is being requested by at least one of a number of client devices. Second messages may be transmitted using a second protocol over a second channel, the second messages being transmitted on a per-client basis and each identifying a one of the client devices as requesting the first multicast media stream. By using two control channels to convey the multicast channel requests, the router may obtain visibility into the action of the subscriber and can consequently perform per-subscriber operations such as access-control, bandwidth based admission control, statistics, and QoS adjustment for multicast IPTV streams received by the subscriber.

Abstract: A method includes installing an interface card having a first module of a switch fabric and a second module of the switch fabric, and an interface card having a third module of the switch fabric in a first chassis, within a first time period. The switch fabric is in a first configuration and is operable as a three-stage switch fabric after the first time period and before a second time period. The interface card having the third module is removed from the first chassis within the second time period. An interface card having a fourth module of the switch fabric and a fifth module of the switch fabric is installed in the first chassis within the second time period. The switch fabric is in a transitional configuration and is operable as a three-stage switch fabric after the second time period but before the third time period. The interface card having the third module is installed in a second chassis and the first chassis is operatively coupled with the second chassis within the third time period.

Abstract: A network device assigns unique encoded values, represented by mnemonics, to protocol headers supported by the network device, and defines a plurality of templates, where each template includes a set of the mnemonics. The network device also stores the plurality of templates in a template table, where the template table enables the network device to create one or more protocol headers for packets transmitted by the network device.

Abstract: In general, techniques are described in which a plurality of network switches automatically configure themselves to operate as a single virtual network switch. A virtual switch is a collection of individual switch devices that operate like as single network switch. As described herein, network switches in a network that are capable of participating in a virtual switch may automatically discover one another. The participating network switches may then elect one of the participating switches as a master switch. The master switch may generate forwarding information and store the forwarding information in the participating switches, including the master switch. The forwarding information causes the participating switches to act like a single network switch.

Abstract: A method may include detecting a presence of a first server device; communicating, with the first server device, to obtain information associated with the first server device; sending, to a second server device, a request for authentication services, where the request includes the information associated with the first server device; receiving, from the second server device, a notification that the first server device has been authenticated, where the notification includes a session threshold; and establishing, based on the notification, a session with the first server device by associating the first server device with a virtual local area network (VLAN), where the associating permits network traffic to be received from or sent to the first server device via the VLAN, and where the network node uses the session threshold received from the second server device, instead of a threshold associated with the VLAN, to determine a duration permitted for the session.

Abstract: Techniques are described for providing secure network address translation (NAT) in a NAT device that provides endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) operations.

Abstract: A multi-chassis network device includes a plurality of nodes that operate as a single device within the network and a switch fabric that forwards data plane packets between the plurality of nodes. The switch fabric includes a set of multiplexed optical interconnects coupling the nodes. For example, a multi-chassis router includes a plurality of routing nodes that operate as a single router within a network and a switch fabric that forwards packets between the plurality of routing nodes. The switch fabric includes at least one multiplexed optical interconnect coupling the routing nodes. The nodes of the multi-chassis router may direct portions of the optical signal over the multiplexed optical interconnect to different each other using wave-division multiplexing.

Abstract: In general, techniques are described for using routing information obtained by operation of network routing protocols to dynamically generate network and cost maps for an application-layer traffic optimization (ALTO) service. For example, an ALTO server of an autonomous system (AS) receives routing information from routers of the AS by listening for routing protocol updates outputted by the routers and uses the received topology information to dynamically generate a network map of PIDs that reflects a current topology of the AS and/or of the broader network that includes the AS. Additionally, the ALTO server dynamically calculates inter-PID costs using received routing information that reflects current link metrics. The ALTO server then assembles the inter-PID costs into a cost map that the ALTO server may provide, along with the network map, to clients of the ALTO service.

Abstract: Techniques for handling multicast over link aggregated (LAG) interfaces and integrated routing and bridging (IRB) interfaces in a network device are described in which interfaces, at which a data unit is to be transmitted, may be represented hierarchically in which the LAG interfaces and IRB interfaces are represented as pointers. In one implementation, a device may determine routes for data units, where a route for a multicast data unit is represented as a set of interfaces of the device at which the data unit is to be output. Entries in the set of interfaces may include physical interfaces of the device and pointers to LAG interfaces or pointers to the IRB interfaces. The device may generate tokens to represent routes for data units and resolve the pointers to the LAG interfaces or the IRB interfaces to obtain physical interfaces of the router corresponding to a LAG or an IRB.

Abstract: A method includes receiving multicast traffic intended for host devices; identifying a flow associated with the multicast traffic; retrieving information associated with a group of multicast trees, where the group of multicast trees includes information associated with a group of I/O units, associated with a network node; identifying a particular tree that corresponds to the identified flow, where the particular tree includes information associated with a set of I/O units; and transferring the multicast traffic to an I/O unit, of the set of I/O units, based on the identification of the particular tree, where the transferring enables the I/O unit to send a copy of the multicast traffic to other I/O units of the set of I/O units, and the set of I/O units to process the multicast traffic in a manner that utilizes bandwidth or processing resources in a controlled manner and to send a copy of the multicast traffic to each of the host devices.

Abstract: Using the ALTO Service, networking applications can request through the ALTO protocol information about the underlying network topology from the ISP or Content Provider. The ALTO Service provides information such as preferences of network resources with the goal of modifying network resource consumption patterns while maintaining or improving application performance. This document describes, in one example, an ALTO server that implements enhancements to the ALTO service to enable initiating incremental updates of network and cost maps to ALTO clients upon receiving status information from a content delivery network (CDN) node.

Abstract: In one embodiment, an apparatus includes a first network control entity associated with at least a portion of multiple physical ports at a first access switch that are operatively coupled to a peripheral processing device and a switch fabric. The first network control entity can receive a host protocol request from the peripheral processing device, the first network control entity to transmit the host protocol request to a second network control entity associated with at least a portion of multiple physical ports at a second access switch, such that the host protocol request causes the second network control entity to obtain a response to the host protocol request. The first network control entity can receive the response to the host protocol request from the second network control entity and transmit the response to the host protocol request to the peripheral processing device.