Patents Assigned to Juniper Networks, Inc.
-
Patent number: 8300532
Abstract: A method may include receiving a packet at an ingress line interface in a forwarding plane of a network element, the packet including header information. The method may also include conducting a flow table lookup in the forwarding plane to identify an existing flow for the packet and determining, in the forwarding plane and based on the header information, whether a predicted flow can be identified for the packet if an existing flow can not be identified. The method may further include performing a service access control list (ACL) lookup in the forwarding plane if a predicted flow can not be identified; and forwarding the packet to one of a services plane or an egress line interface in the forwarding plane based on one of the existing flow, the predicted flow, or the service ACL lookup.
Type: Grant
Filed: September 23, 2008
Date of Patent: October 30, 2012
Assignee: Juniper Networks, Inc.
Inventors: Anjan Venkatramani, Kannan Varadhan, Jean-Marc Frailong, Sanjay Gupta, Linda Sun, Sankar Ramamoorthi, Pradeep Sindhu, Anand S. Athreya, Chih-Wei Chao, Shuhua Ge
-
Publication number: 20120269065
Abstract: In one embodiment, a processor-readable medium can store code representing instructions that when executed by a processor cause the processor to receive a value representing a congestion level of a receive queue and a value representing a state of a transmit queue. At least a portion of the transmit queue can be defined by a plurality of packets addressed to the receive queue. A rate value for the transmit queue can be defined based on the value representing the congestion level of the receive queue and the value representing the state of the transmit queue. The processor-readable medium can store code representing instructions that when executed by the processor cause the processor to define a suspension time value for the transmit queue based on the value representing the congestion level of the receive queue and the value representing the state of the transmit queue.
Type: Application
Filed: July 3, 2012
Publication date: October 25, 2012
Applicant: Juniper Networks, Inc.
Inventors: Avanindra GODBOLE, Arghajit BASU, Jean-Marc FRAILONG, Abhijeet Sampatrao JADAV, Naveen JAIN, Pradeep SINDHU
-
Publication number: 20120269197
Abstract: A method may include receiving a packet; identifying the packet as a multicast packet for sending to a plurality of destination nodes; selecting a first forwarding table or a second forwarding table for sending the packet to each of the plurality of destination nodes, wherein the first forwarding table includes first port information associated with a first destination and second port information associated with a second destination, and wherein the second forwarding table includes third port information associated with the second destination; sending the packet to the first destination using the first port; and sending the packet to the second destination using the second port when the first forwarding table is selected and sending the packet to the second destination using the third port when the second forwarding table is selected.
Type: Application
Filed: June 29, 2012
Publication date: October 25, 2012
Applicant: Juniper Networks, Inc.
Inventors: Junan CHEN, Yong Luo, James Washburn
-
Patent number: 8295172
Abstract: A device receives network traffic and bypass traffic, performs a first weighting operation on the network traffic and the bypass traffic to produce weighted network traffic and weighted bypass traffic, performs a second weighting operation on the weighted network traffic and the weighted bypass traffic to produce additionally weighted traffic, and transmits the additionally weighted traffic based on weights assigned by the second weighting operation.
Type: Grant
Filed: June 14, 2007
Date of Patent: October 23, 2012
Assignee: Juniper Networks, Inc.
Inventors: Ankur Singla, Harshad Nakil, Rajashekar Reddy
-
Patent number: 8295169
Abstract: A system comprises a plurality of processing modules, one of which is designated to be the primary processing module and the others are designated to be secondary processing modules. During operation, state is maintained in the primary processing module and at least one of the secondary processing modules. A switchover controller causes outputs from the secondary modules to be discarded. When the switchover controller receives an indication that the primary processing module has failed, it designates one of the secondary processing modules to be the primary processing module. Because the newly designated primary processing module already has current state information at switchover, the module is able to operate with minimal delay.
Type: Grant
Filed: June 8, 2010
Date of Patent: October 23, 2012
Assignee: Juniper Networks, Inc.
Inventor: Hsien-Chung Woo
-
Patent number: 8295291
Abstract: A device includes one or more network interfaces to receive layer two (L2) communications from an L2 network having a plurality of L2 devices; and a control unit to forward the L2 communications in accordance with forwarding information defining a plurality of flooding next hops. Each of the flooding next hops stored by the control unit specifies a set of the L2 devices within the L2 network to which to forward L2 communications in accordance with a plurality of trees, where each of the trees has a different one of the plurality of L2 devices as a root node. The control unit of the device computes a corresponding one of flooding next hops for each of the trees using only a subset of the trees without computing all of the trees having all of the different L2 network devices as root nodes.
Type: Grant
Filed: December 21, 2009
Date of Patent: October 23, 2012
Assignee: Juniper Networks, Inc.
Inventors: Ramasamy Ramanathan, Apurva Mehta, Rama Ramakrishnan, Gopi Krishna, Srinivasa Chaganti, Krishna Sankaran, Jagadish Grandhi
-
Patent number: 8294747
Abstract: Techniques are described for initiating a video conference between two video conferencing devices by leveraging information obtained from two mobile phones that are engaged in a mobile phone session with one another and are each associated with a respective one of the video conferencing devices. A video conferencing device may obtain the information, including the telephone numbers for both mobile phones, using a Bluetooth connection between the mobile phone and the video conferencing device. A data center receives and maintains the mobile phone session information, determines whether each mobile phone engaged in the mobile phone session is associated with an available video conferencing device, and, if so, invites the associated video conferencing devices to initiate a video conference with one another.
Type: Grant
Filed: September 28, 2009
Date of Patent: October 23, 2012
Assignee: Juniper Networks, Inc.
Inventors: David Weinberg, Pradeep Sindhu, Luis Avila-Marco
-
Publication number: 20120265642
Abstract: A method may include receiving, at a service server, a request for services from a requesting device. The service server may identify one or more service options responsive to the request and send a list of the identified service options to the requesting device. The service server may receive a selected service option from the requesting device.
Type: Application
Filed: June 29, 2012
Publication date: October 18, 2012
Applicant: JUNIPER NETWORKS, INC.
Inventors: David WEINBERG, Judith F. BENINGSON
-
Publication number: 20120263178
Abstract: A network device constructs a notification corresponding to a received multicast data unit, where the notification includes administrative data associated with the multicast data unit that does not include a payload of the multicast data unit. The network device replicates the notification at at least three different processing elements at different locations in a processing path of the network device to produce multiple replicated data items and produces a copy of the multicast data unit for each of replicated notifications. The network device forwards each copy of the multicast data unit towards a multicast destination.
Type: Application
Filed: June 26, 2012
Publication date: October 18, 2012
Applicant: JUNIPER NETWORKS, INC.
Inventors: Pradeep SINDHU, Debashis BASU, Pankaj PATEL, Raymond LIM, Avanindra GODBOLE, Tatao CHUANG, Chi-Chung K. CHEN, Jeffrey G. LIBBY, Dennis FERGUSON, Philippe LACROUTE, Gerald CHEUNG
-
Publication number: 20120266181
Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.
Type: Application
Filed: June 29, 2012
Publication date: October 18, 2012
Applicant: Juniper Networks, Inc.
Inventors: John C. Carney, Michael E. Lipman
-
Patent number: 8291258
Abstract: In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.
Type: Grant
Filed: January 8, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Krishna Narayanaswamy, Rajiv Ranjan
-
Patent number: 8290991
Abstract: A device may maintain, in a database, a plurality of data items, each data item of the plurality of data items being associated with a respective category and supplemental information relating to deletion of the data item. The device may associate a group of counters with at least one of the categories and receive a deletion request corresponding to one of the group of categories, the deletion request including the supplemental information. The device may identify a counter associated with the category corresponding to the deletion request based on the supplemental information. The device may then increment the identified counters and selectively delete the data items based on values of the counters.
Type: Grant
Filed: June 7, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Clifford E. Kahn, Roger A. Chickering
-
Patent number: 8291114
Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
Type: Grant
Filed: July 8, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Yu Ming Mao, Roger Jia-Jyi Lian, Guangsong Huang, Lee Chik Cheung
-
Patent number: 8291495
Abstract: An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.
Type: Grant
Filed: August 8, 2007
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Bryan Burns, Siying Yang, Julien Sobrier
-
Patent number: 8289968
Abstract: In general, techniques are described for performing distributed network address translation (NAT) with a network device. The network device includes an interface card and a control unit. The interface card receives a packet including a source address. The control unit includes NAT modules, each of which stores a local pool of unallocated NAT resources that have not yet been allocated for use in performing network address translation. The NAT resources each include a network address and a network port number. One of the NAT modules receives the packet, determines whether any of the NAT resources from the local pool of NAT resources are available, in response to the determination that none of the NAT resources from the local pool of NAT resources are available, requests additional NAT resources, and performs NAT to obscure the source address of the packet using one of the additional NAT resources to generate a modified packet. The interface card forwards the modified packet.
Type: Grant
Filed: October 27, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventor: Yan Zhuang
-
Patent number: 8291506
Abstract: Configuration information for a network device may be associated with a protection state that may restrict the modification of portions of the configuration information that are set to the protected state. The network device may be configured using configuration information defined as a group of hierarchically arranged configuration statements. Permissions may be stored for the network device relating to users permitted to modify the configuration information. The permissions may include permission tags, or other information defining the protection state, associated with the configuration statements. Intended modifications to the configuration information may be processed based on whether the intended modifications affect configuration statements associated with one of the permission tags.
Type: Grant
Filed: February 22, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventor: Philip A. Shafer
-
Patent number: 8291101
Abstract: Techniques are described for resynchronizing mutually shared data stored on network devices of a computer network. Upon receiving change instruction and globally unique identifier (GUID) messages, each of the network devices records the change instructions and GUIDs in a journal of the network device. When communication is lost for a period of time between a first network device and a second network device, the mutually shared data of the first network device may need to be resynchronized with the mutually shared data of the second network device. The techniques described herein allow resynchronization of the mutually shared data of the first network device based on a common GUID recorded in the journals of both first and second network devices, the journal of the first network device, and the journal of the second network device.
Type: Grant
Filed: December 8, 2005
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Xudong Yan, Panagiotis Kougiouris, Theron Tock
-
Patent number: 8291468
Abstract: In general, techniques are described for translating authorization information within computer networks. For example, a first network device of a computer network may receive authentication information from an endpoint device requesting access to the computer network. The first network device authenticates the endpoint device based on this authentication information and stores authorization information in accordance with a first vendor-specific authorization data model. The first network device stores and applies an export translation policy to translate this information from the vendor-specific data model to a vendor-neutral authorization data model, which it then publishes to an intermediate storage device that implements the vendor-neutral data model. A second network device of the computer network may store an import translation policy to translate this same authorization information from the vendor-neutral authorization data model to a different vendor-specific data model.
Type: Grant
Filed: May 29, 2009
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventor: Roger A. Chickering
-
Patent number: 8289982
Abstract: The present invention provides an efficient system and method for routing information through a dynamic network. The system includes at least one ingress point and one egress point. The ingress and egress point cooperate to form a virtual circuit for routing packets to destination subnets directly reachable by the egress point. The egress point automatically discovers which subnets are directly accessible via its local ports and summarizes this information for the ingress point. The ingress point receives this information, compiles it into a routing table, and verifies that those subnets are best accessed by the egress point. Verification is accomplished by sending probe packets to select addresses on the subnet. Additionally, the egress point may continue to monitor the local topology and incrementally update the information to the ingress to allow the ingress to adjust its compiled routing table.
Type: Grant
Filed: March 22, 2010
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Anupam A. Bharali, Balraj Singh, Manish H. Sampat, Amit P. Singh, Rajiv Batra
-
Publication number: 20120259977
Abstract: A computer-implemented method includes detecting an actual workload representative of a pattern of access of a plurality of items of content; comparing the actual workload against a prescriptive workload to determine an occurrence of a substantial deviation from the prescriptive workload; and upon determining the occurrence of the substantial deviation, revising the prescriptive workload based at least in part on the actual workload. The plurality of items is stored on resources of a storage environment according to one of a plurality of resource allocation arrangements. The prescriptive workload including a plurality of categories, each category being associated with a respective one of the plurality of resource allocation arrangements.
Type: Application
Filed: April 20, 2012
Publication date: October 11, 2012
Applicant: JUNIPER NETWORKS, INC.
Inventors: Branko J. GEROVAC, David C. CARVER