Abstract: A network analyzer includes a hardware-based accounting engine that generates accurate statistics for traffic within a computer network. As the network analyzer receives packets, the accounting engine associates the network packets with respective routing prefixes, and updates flow statistics for the routing prefixes. In this manner, the accounting engine maintains accurate flow statistics for all packets received by the network analyzer. The network analyzer includes a control unit that generates prefix data to control the granularity of the traffic analysis. The control unit analyzes the flow statistics maintained by the accounting engine, and adaptively updates the set of prefixes to control the granularity of the statistics. The control unit may generate the prefix data as a forwarding tree having resolution nodes. Each node may associate a network prefix with forwarding next hop data, as well as respective analysis control data to enable or disable flow analysis for the prefix.
Abstract: A fiber-to-fiber connector system that includes a first connector for housing a portion of a first fiber, where the first fiber is terminated by a first end-face. The fiber-to-fiber connection system also includes a second connector for housing a portion of a second fiber, where the second fiber is terminated by a second end-face, where the first connector and the second connector permit the first fiber and the second fiber to be interconnected to form an air gap interface between the first end-face and the second end-face; the air gap interface defines a spacing between the first end-face and the second end-face; and the air gap interface enables, based on the defined spacing, an optical signal to be transmitted between the first fiber and the second fiber with a fixed quantity of attenuation.
Abstract: In general, techniques are described for automatically releasing network resources reserved for use by network devices within a network. In particular, a network device, such as a router, may include an interface card that receives a first and a second message from respective first and second client devices requesting reservation of network resources. The first message may include a first identifier, while the second message may include a second identifier. Both messages, however, may also include the same additional context information that identifies the same context in which the first client device operates. The router may include a control unit that determines whether the additional context information included within the first and second messages is the same. Based on a determination that this information is the same, the control unit may automatically release resources reserved for use by the first client device within the network.
Type: Grant
Filed: February 6, 2009
Date of Patent: December 27, 2011
Assignee: Juniper Networks, Inc.
Inventors: Sunil Gandhewar, Sanjay Wadhwa, William Townsend, John Liddy
Abstract: The invention is directed towards techniques for forwarding subscriber frames through a Multi-Protocol Label Switching (MPLS) aggregation network using MPLS labels. Layer two (L2) network devices, such as access nodes, of a service provider (SP) network implement MPLS functionality in the data plane, but do not implement an MPLS signaling protocol in the control plane. The L2 network devices include a pool of labels applied in the data plane of the L2 network device to output MPLS communications to the MPLS network, and a protocol that allows a layer three (L3) device to control provision of L2 functionality by the L2 device. The pool of labels is dynamically configured by the L3 device via the protocol. The access nodes distribute the subscriber labels and MPLS labels as upstream assigned labels.
Type: Grant
Filed: January 9, 2007
Date of Patent: December 27, 2011
Assignee: Juniper Networks, Inc.
Inventors: Rahul Aggarwal, Benjamin Hickey, Sanjay Wadhwa, Jerome P. Moisand
Abstract: A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack.
Abstract: A network device may include logic configured to receive a problem report from a second network device, store and analyze data included in the problem report, filter data in the problem report to determine when the problem report is to be transmitted to a third network device, and transmit the problem report to the third network device when the filtering determines that the problem report is to be transmitted.
Type: Grant
Filed: September 30, 2008
Date of Patent: December 27, 2011
Assignee: Juniper Networks, Inc.
Inventors: Dogu Narin, Siobhan Tully, Mark Lussier
Abstract: A packet header processing engine includes a level 2 (L2) header generation unit and a level 3 (L3) header generation unit. The L2 and L3 header generation units are implemented in parallel with one another. The L2 generation unit writes L2 header information to a first buffer and the L3 generation unit writes L3 header information to a second buffer. When the L2 and L3 header generation units finish processing a packet, the packet may be unloaded from the first and second buffer while a new packet is simultaneously loaded to the packet header processing engine.
Abstract: A routing device may be connected to multiple spoke site networks, and may receive local routes from these spoke site networks. The routing device may include routing information and forwarding information. The routing device may update the routing information to include the local routes, and selectively generate the forwarding information to exclude the local routes. The routing device may associate labels with the local routes and advertise the labels and local routes to other routing devices. The labels may be associated with interfaces of the routing device or access links that connect the routing device to a spoke site network, and the associations of labels with interfaces or access links may be stored in the forwarding information. The routing device may forward received packets that include the labels according to the labels, and may forward other received packets according to the routes within the forwarding information.
Abstract: In one aspect the invention provides a method for allocating bandwidth in a network appliance where the network appliance includes a plurality of guaranteed bandwidth buckets used to evaluate when to pass traffic through the network appliance. The method includes providing a shared bandwidth bucket associated with a plurality of the guaranteed bandwidth buckets, allocating bandwidth to the shared bandwidth bucket based on the underutilization of bandwidth in the plurality of guaranteed bandwidth buckets and sharing excess bandwidth developed from the underutilization of the guaranteed bandwidth allocated to the individual guaranteed bandwidth buckets. The step of sharing includes borrowing bandwidth from the shared bandwidth bucket by a respective guaranteed bandwidth bucket to allow traffic to pass immediately through the network appliance.
Abstract: An apparatus and method are described for compensating for frequency and phase variations of electronic components by processing packet delay values. In one embodiment, a packet delay determination module determines packet delay values based on time values associated with a first and a second electronic component. A packet delay selection module selects a subset of the packet delay values based on the maximum frequency drift of the first electronic component. A statistical parameter determination module evaluates a first and a second parameter based on portions of the subset of packet delay values. A validation module validates the parameters when each portion of the subset of packet delay values includes a minimum of at least two packet delay values. An adjustment module compensates for at least one of a frequency variation and a phase variation of the first electronic component based on the parameters if the parameters are both validated.
Type: Application
Filed: August 30, 2011
Publication date: December 22, 2011
Applicant: JUNIPER NETWORKS, INC.
Inventors: Charles F. Barry, Meenakshi S. Subramanian, Feng Frank Pan, Tian (Alan) Shen, Philip Kruzinski, Guochun George Zhao, DeviPrasad Natesan, David R. Jorgensen
Abstract: A data center management device determines that a virtual machine should be moved from a first physical system to a second physical system. The data center management device instructs a first service appliance at the first physical system to perform state synchronization with a second service appliance at the second physical system in order to continue providing the services offered prior to the move. The data center management device instructs the virtual machine to be instantiated at the second physical system.
Abstract: A device may include logic configured to receive a data unit intended for a destination device and to obtain information from the data unit. The logic may be configured to identify a window using the obtained information, where the window has a range determined by a lower boundary and an upper boundary. The logic may be configured to forward the data unit to the destination device when a portion of the data unit information is within the window.
Abstract: A network device constructs an outgoing resource reservation message and determines an authentication value, using, for example, a cryptographic algorithm and at least a portion of the outgoing message. The network device identifies a destination node for the message and inserts the authentication value in the message. The network device sends the message across a network to the destination node for authentication at the destination node using the authentication value.
Abstract: In general, techniques are described for performing session layer pinhole management within a network security device. In accordance with the techniques, the network device includes a resource manager module and a Session Initiation Protocol (SIP) module. The SIP module receives a SIP message from a private server, the SIP message requesting a SIP session. In response to the SIP message, the SIP module via the resource manager module opens a pinhole to permit the SIP session and assigns via the resource manager module resources included within the resource pool to monitor each call occurring over the SIP session. The SIP module further determines whether each of the calls has completed based on a session layer characteristic of a subsequent SIP message associated with each call and, based on the determination, returns via the resource manager module the resources assigned to monitor each completed call to the resource pool.
Abstract: A network device may manage communication sessions with clients so that attempts at the client to automatically keep the session alive can be ignored for purposes of timing out the session. The device may examine resource requests received from the client as uniform resource locators (URLs) and determine whether the URLs include a context variable. The device may determine whether to reset a timeout period for the communication session based on a presence of the context variable in the URL. At the client side, the context variable may be attached to URLs that are part of functions configured to automatically access the network device.
Abstract: A memory controller may implement variable delay elements, on a per-bit basis, in both the read and write paths. The memory controller may include multiple adjustable delay circuits associated with data lines and a strobe line, each of the adjustable delay circuits inserting an adjustable amount of delay into a signal destined to or received from one of the data lines or the strobe line. The memory controller may additionally include control logic to determine the delay amount for each of the adjustable delay circuits, the delay amount being determined to reduce static skew between each of the data lines and the strobe line.
Abstract: A bandwidth divider and method for allocating bandwidth between a plurality of packet processors. The bandwidth divider includes a plurality of counters for measuring the bandwidth of data packets transferred from the bandwidth divider to a respective packet processor; and a controller for analyzing the plurality of counters and transferring a data packet to a selected packet processor based on the contents of the counters. The method monitors the bandwidth consumed by the packet processors; determines, based on the bandwidth consumed by the packet processors, which packet processor has consumed the least amount of bandwidth; and allocates a next data packet to the packet processor which has consumed the least amount of bandwidth.
Abstract: A software module operating within a router, such as an operating system, manages state information within a hierarchically ordered and temporally-linked data structure. The software module sends state change messages to other software modules within the router, referred to as consumers, in an order that corresponds to the hierarchical order and the temporal linking. The data structure may comprise a plurality of objects to store state information. The operating system may receive event messages that indicate a change to the state information. The objects may be hierarchically linked in accordance with a hierarchy representing relationships of event messages. The objects may be temporally linked in accordance with the order in which the operating system receives event messages. The operating system may traverse the data structure according to the temporal and hierarchical links to select state change messages to send to a consumer.
Abstract: A packet scheduler may include logic configured to receive packet information. The packet scheduler may include logic to receive an operating parameter associated with a downstream device that operates with cell-based traffic. The packet scheduler may include logic to perform a packet to cell transformation to produce an output based on the operating parameter. The packet scheduler may include logic to use the output to compensate for the downstream device.
Abstract: A controller may include a measurement circuit configured to generate a proxy signal representing delay variations in the controller. The measurement circuit may also generate a measurement value from the proxy signal. A control circuit may be configured to convert the measurement value into a control value. A delay circuit may be adjusted by the control value to alter an amount of delay of a signal.