Abstract: To address shortcomings in the prior art, the invention uses fate sharing information to compute backup paths. Fate sharing information relates groups of nodes or links according to common characteristics, attributes, or shared resources (e.g., a shared power supply, close proximity, same physical link). In one embodiment, fate-sharing information includes costs associated with groups of nodes or links. When a primary path contains a link or node that is in a fate-sharing group, the other links or nodes in the fate-sharing group are assigned the cost associated with that fate-sharing group. The node computing the backup path takes into account the assigned cost together with other node and link costs. Discovering the existence of the relationships and assigning costs to the groups may be done manually or automatically.

Abstract: In general, the invention is directed to techniques for verifying the integrity of a file system and individually verifying files contained therein based on the integrity of the file system. For example, a computer-based device is described in which a computer-readable storage medium stores a file system stored as an image file. The device comprises a virtual file system comprising a mount list entry that corresponds to the file system, wherein the file system is mounted on the virtual file system, and wherein the mount list entry comprises a first verified flag that indicates whether the file system is verified. A verified execution module determines whether the image file is corrupt, and a kernel module sets the first verified flag when the image file is not corrupt. An image verify module verifies the integrity of files stored by the file system by determining whether the file system is verified.

Abstract: Principles of the invention are described for providing multicast virtual private networks (MVPNs) across a public network that are capable of carrying high-bandwidth multicast traffic with increased scalability. In particular, the MVPNs may transport layer three (L3) multicast traffic, such as Internet Protocol (IP) packets, between remote sites via the public network. The principles described herein may reduce the overhead of protocol independent multicast (PIM) neighbor adjacencies and customer control information maintained for MVPNs. The principles may also reduce the state and the overhead of maintaining the state in the network by removing the need to maintain at least one dedicated multicast tree per each MVPN.

Abstract: Methods and systems consistent with the present invention provide dynamic buffer allocation to a plurality of queues of differing priority levels. Each queue is allocated fixed minimum number of buffers that will not be de-allocated during buffer reassignment. The rest of the buffers are intelligently and dynamically assigned to each queue depending on their current need. The system then monitors and learns the incoming traffic pattern and resulting drops in each queue due to traffic bursts. Based on this information, the system readjusts allocation of buffers to each traffic class. If a higher priority queue does not need the buffers, it gradually relinquishes them. These buffers are then assigned to other queues based on the input traffic pattern and resultant drops. These buffers are aggressively reclaimed and reassigned to higher priority queues when needed.

Abstract: A device may monitor a security policy that governs a user access to a zone in a private network, propagate a change in status of the security policy to one or more devices that coordinate with each other to implement a super policy, detect whether conditions for triggering actions that are associated with the super policy are present based on the change in status, and perform the actions if the conditions for triggering the actions are present.

Abstract: A communication session over a network is facilitated. A signaling datagram from a source device having a source identity may be intercepted by a network device, and a response datagram may be generated for instructing the source device to send a subsequent datagram to the network device. The signaling datagram may be forwarded to a SIP server, where the SIP server associates the source identity with the network device acting on behalf of the source device, and where the SIP server operates to connect a destination device with the source device to establish a communication session over the network. The subsequent datagram may be received from the source device, and the subsequent datagram may be made available to the destination device via the network.

Abstract: A method may include detecting a presence of a first server device; communicating, with the first server device, to obtain information associated with the first server device; sending, to a second server device, a request for authentication services, where the request includes the information associated with the first server device; receiving, from the second server device, a notification that the first server device has been authenticated, where the notification includes a session threshold; and establishing, based on the notification, a session with the first server device by associating the first server device with a virtual local area network (VLAN), where the associating permits network traffic to be received from or sent to the first server device via the VLAN, and where the network node uses the session threshold received from the second server device, instead of a threshold associated with the VLAN, to determine a duration permitted for the session.

Abstract: A pipelined reorder engine reorders data items received over a network on a per-source basis. Context memories correspond to each of the possible sources. The pipeline includes a plurality of pipeline stages that together simultaneously operate on the data items. The context memories are operatively coupled to the pipeline stages and store information relating to a state of reordering for each of the sources. The pipeline stages read from and update the context memories based on the source of the data item being processed.

Abstract: Techniques for centrally controlling client-side domain name resolution are described. A virtual private network (VPN) client installed on a client device may establish a VPN connection to a load-balancing server that balances load from client devices among a set of data centers that provide a resource. The VPN client may obtain and cache load-balancing information from the load-balancing server. The VPN client may then intercept a Domain Name System (DNS) request to resolve a hostname of a device in the data centers. The VPN client may use the load-balancing information to locally generate a DNS response to the DNS request. In addition, the load-balancing server may cause the VPN client to update its cached list of network addresses when one of the data centers fails.

Abstract: A method may be performed by a device in a network, the device including multiple security process units (SPUs). The method includes receiving a packet over the network, the packet including a media access control (MAC) address, and assigning one SPU as the MAC address owner. The method also includes sending information about the MAC address to other SPUs within the device, storing the MAC address in a MAC table within each SPU, and initiating a MAC age query to confirm the MAC address has timed out among all SPUs. The MAC age query is passed via a logical ring of the SPUs beginning with the MAC address owner. If the MAC address is aged out at each SPU, the MAC address is deleted from each MAC table. If the MAC entry is still active, a different SPU is assigned as the MAC address owner.

Abstract: Techniques are described for merging device schemas to manage different versions of network devices in the same device family. In one example, a computing device includes an interface to receive a first schema to be used for managing a first version of a device in a device family and a second, different schema to be used for managing a second version of the device, a computer-readable medium encoded with instructions for a schema merger module, and a processor to execute the schema merger module to merge the first schema and the second schema to produce a resulting merged schema to be used for managing both the first version of the device and the second version of the device, wherein the resulting merged schema expresses differences between the first schema and the second schema and includes a single instance of each common portion between the first schema and the second schema.

Abstract: A header conversion device allowing reduced amount of hardware and memory and high-speed line switching is disclosed. In an ATM switching device having redundant incoming line systems, a header conversion table stores a set of header conversion information for one of the redundant incoming line systems. A header converter converts the header of an ATM cell received from each of the redundant incoming line systems by referring the same set of header conversion information.

Abstract: In one embodiment, a method, comprising receiving at a receive side of a physical link a request to suspend transmission of data from a queue within a transmit side of a first stage of queues and to suspend transmission via a path including the physical link, a portion of the first stage of queues, and a portion of a second stage of queues. The method includes sending, in response to the request, a flow control signal to a flow control module configured to schedule transmission of the data from the queue within the transmit side of the first stage of queues. The flow control signal is associated with a first control loop including the path and differing from a second control loop that excludes the first stage of queues.

Abstract: A first network client requests initiation of a data transfer with a second network client. An admission control facility (ACF) responds to the initiation request by performing admission analysis to determine whether to initiate the data transfer. The ACF sends one or more packets to the second network client. In response, the second network client sends acknowledgment packets back to the ACF. The ACF performs admission analysis based on the packets sent and the acknowledgment packets, and determines whether the data transfer should be initiated based on the analysis. The admission analysis may be based on a variety of factors, such as the average time to receive an acknowledgment for each packet, the variance of the time to receive an acknowledgment for each packet, a combination of these factors, or a combination of these and other factors.

Abstract: Packet processing is provided in a multiple processor system including a first processor to processing a packet and to create a tag associated with the packet. The tag includes information about the processing of the packet. A second processor receives the packet subsequent to the first processor and processes the packet using the tag information.

Abstract: A key engine that performs route lookups for a plurality of keys may include a data processing portion configured to process one data item at a time and to request data when needed. A buffer may be configured to store a partial result from the data processing portion. A controller may be configured to load the partial result from the data processing portion into the buffer. The controller also may be configured to input another data item into the data processing portion for processing while requested data is obtained for a prior data item. A number of these key engines may be used by a routing unit to perform a large number of route lookups at the same time.

Abstract: Methods and systems consistent with the present invention provide a programmable table which allows software to define a plurality of branching functions, each of which maps a vector of condition codes to a branch offset. This technique allows for a flexible multi-way branching functionality, using a conditional branch outcome table that can be specified by a programmer. Any instruction can specify the evaluation of arbitrary conditional expressions to compute the values for the condition codes, and can choose a particular branching function. When the processor executes the instruction, the processor's arithmetic/logical functional units evaluate the conditional expressions and then the processor performs the branch operation, according to the specified branching function.

Abstract: A network device is described in which a dedicated resource scheduler monitors memory consumption to provide for improved processing of communication sessions. The scheduler maintains a dependency list of communication sessions, and reserves memory for communication sessions as requests for memory are received. The amount of memory reserved is determined based on the amount of memory currently reserved for the communication sessions in the dependency list. The network device may control ongoing communication sessions by way of window manipulation. Communication sessions are processed in a first mode when available memory has not reached a predetermined amount, while communication sessions are processed in a second mode when available memory reaches a predetermined amount.

Abstract: In one embodiment, an apparatus includes a packet generation module that has a set of general purpose processing modules and is configured to define a test packet configured to emulate at least a portion of network traffic. The apparatus also includes a switch device configured to receive the test packet from the packet generation module. The switch device is configured to multi-cast the test packet via a set of ports of the switch device to a target entity based on a routing policy.

Abstract: The present invention teaches a compact and highly integrated multiple-channel digital tuner and receiver architecture, suitable for widespread field deployment, wherein each receiver demodulator channel may be remotely, automatically, dynamically, and economically configured for a particular cable, carrier frequency, and signaling baud-rate, from an option universe that includes a plurality of input cables, a plurality of carrier frequencies, and a plurality of available baud-rates. A multiple coax input, multiple channel output, digital tuner is partitioned into a multiple coax input digitizer portion and a multiple channel output front-end portion. The digitizer portion consists of N digitizers and accepts input signals from N coax cables and digitizes them with respective A/D converters. The front-end portion consists of M front-ends and provides M channel outputs suitable for subsequent processing by M respective digital demodulators.