Abstract: A unicast/multicast system has an internal cell generating section that generates an internal cell to include its output index information based on user data, and an output port conversion table that stores the relation of output index information and output port number for the internal cell in the form of one-to-one for the unicast and one-to-multiple for the multicast.

Abstract: A method and a network device for sharing bandwidth among a group of classes of traffic for an interface are provided. Bandwidth may be allocated to at least one traffic class of a first priority for the interface. At least some unused bandwidth of the at least one traffic class may be allocated to at least one other traffic class of a second priority for the interface. In some implementations, weighted constituents may be allocated unused interface bandwidth based on an assigned weight of each of the weighted constituents of the interface.

Abstract: A buffer memory may be configured to temporarily store data in a number of queues. A processor may be configured to measure a fullness of the buffer memory. The processor may also be configured to assign sizes to the number of queues based on the fullness of the buffer memory. The processor may also adjust thresholds of drop profiles associated with the number of queues based on the sizes assigned to the number of queues.

Abstract: In general, the invention is directed to techniques of identifying an infected network device in a computer network where traffic to and from the infected network device is not necessarily routed through a single point on the computer network. For example, individual line cards in network devices count incoming network flows from network devices in host tables. The host tables of all line cards of all participating network devices are then correlated. It is then determined whether the number of flows from a network device outweighs the number of flows to the network device to a significant degree. If so, the network device may be considered suspicious. Packets from a suspicious network device may be rerouted to a network security device for more thorough inspection.

Abstract: An LSP control unit checks whether or not there is a label switching path of a hundred to thousand times of a band necessary for transferring a VoIP packet between a pair of edge label switch routers in response to notification from a VoIP packet control unit. When there is not a label switching path between the edge label switch routers, the LSP control units establishes a label switching path between the pair of edge label switch routers. When there is a label switching path between the edge label switch routers, the LSP control units checks whether or not it is possible to ensure a band necessary for transferring the VoIP packet in the label switching path. When it is not possible to ensure a band necessary for transferring the VoIP packet in the label switching path, a label switching path is established between the pair of edge label switch routers. This label switching path has a band of a hundred to a thousand times of a band necessary for transferring the VoIP packet.

Abstract: Routing techniques are described that separate network topology information and management from network protocol addressing information, e.g., network prefixes, that network routers typically use during the packet forwarding process. The techniques provide separate topological identifiers to identify individual topological elements of the network, referred to as aggregates. A router within a network exchanges topological information with other routers that specifies routes for reaching destinations within a set of aggregates that represent topological elements of a network. In accordance with the topological information, the router generates forwarding information that associates the destinations with respective next hops within the network, and forwarding packets in accordance with the forwarding information.

Abstract: A network router management interface for use in configuring a router and obtaining operational information provides an application programming interface (API) that permits clients to formulate requests and receive replies according to an extensible markup language such as XML. The router may transform a login stream at a router command line interface (CLI) to implement the XML-based API. For example, the management server accepts input from the CLI and, upon receipt of a particular command from the client, transforms the CLI into a programmatic interface for exchange of XML-tagged requests and XML-tagged replies according to the XML-based API. Providing access to the XML-based API via the CLI login shell enables the use of standard login, security, authentication and authorization techniques.

Abstract: An architecture for controlling a multiprocessing system to provide at least one network service to subscriber data packets transmitted in the system using a plurality of compute elements, comprising a management compute element including service set-up information for at least one service and at least one processing compute element applying said at least one network service to said data packets and communicating service set-up information with the management compute element in order to perform service specific operations on data packets. In a further embodiment, a method of controlling a processing system including a plurality of processors is disclosed.

Abstract: Systems and methods for preventing a Man-in-the-Middle attack on a communications network, without combining encryption keys of an inner authentication protocol and a tunneling protocol encapsulating the inner authentication protocol. The performance of a hash function may be split between two network devices on the communications network. For example, in response to a challenge issued by a tunnel server, a client may initiate performance of a hash function using only a first part only of the challenge and generate an intermediate result of the hash function (i.e., a preliminary hash). The client then may transmit the preliminary hash to the tunnel server as part of a response to the challenge. The tunnel server then may complete the hash function using the preliminary hash and the remaining part of the challenge to produce a final hash. The final hash then may be used to authenticate a user.

Abstract: A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.

Abstract: When a node has to restart its control component, or a (e.g., label-switched path signaling) part of its control component, if that node can preserve its forwarding information across the restart, the effects of such restarts on label switched path(s) the include the restarting node are minimized. A node's ability to preserve forwarding information across a control component (part) restart is advertised. In the event of a restart, stale forwarding information can be used for an limited time before. The restarting node can use its forwarding information, as well as received label-path advertisements, to determine which of its labels should be associated with the path, for advertisement to its peers.

Abstract: A system provides congestion control and includes multiple queues that temporarily store data and a drop engine. The system associates a value with each of the queues, where each of the values relates to an amount of memory associated with the queue. The drop engine compares the value associated with a particular one of the queues to one or more programmable thresholds and selectively performs explicit congestion notification or packet dropping on data in the particular queue based on a result of the comparison.

Abstract: A controller may include a measurement circuit configured to generate a proxy signal representing delay variations in the controller. The measurement circuit may also generate a measurement value from the proxy signal. A control circuit may be configured to convert the measurement value into a control value. A delay circuit may be adjusted by the control value to alter an amount of delay of a signal.

Abstract: Techniques are described for dynamically constructing a label switching protocol interface in a network device. For example, the techniques allow dynamic construction of a Multi-Protocol Label Switching (MPLS) interface. According to some embodiments, upon receiving a network communication from a subscriber, a network device determines whether the subscriber requires support for the label switching protocol. If the subscriber requires such support, the network device creates an interface stack for the subscriber that includes an interface for the label switching protocol. In this way, the network device may route packets from the subscriber across a network of computing devices that use the label switching protocol, and forward packets from such a network to the subscriber. The subscriber and the network device need not communicate according to the label switching protocol and, in example embodiments, instead communicate according to a layer 2 communication protocol.

Abstract: A system and method for managing connections between a server and a plurality of clients at a network connection management device is provided. The method comprises maintaining at least one connection to the server, receiving requests from the clients, transmitting the requests to the server, receiving responses to the requests from the server, and monitoring a server response time for a selected request sent to the server, the server response time for the selected request being the time elapsed between transmitting the selected request to the server and receiving a corresponding response from the server. A method according to the present invention may also include basing the number of connections to the server on the server response time.

Abstract: A method for processing high priority packets and low priority packets in a network device includes performing arbitration on high priority packets until no high priority packets remain. Arbitration then is enabled on low priority packets. A packet size associated with the selected low priority packet is compared with a programmable threshold. Low priority packets are excluded from subsequent arbitration for a programmable duration when the packet size exceeds the programmable threshold.

Abstract: A system includes a group of devices and a shared memory that is partitioned into blocks that are capable of being allocated to the group of devices using linked lists. The system also includes check logic configured to store a group of bits, where each bit corresponds to one of the blocks, and counter logic configured to count for a predetermined period of time. The system further includes logic configured to clear the group of bits stored in the check logic, cause the counter logic to count for the predetermined period of time, monitor a de-allocation of the blocks in the shared memory, set, for each of the blocks that is de-allocated during the predetermined period of time, the corresponding bit in the check logic, identify, after the predetermined period of time, one or more bits that have not been set, and mark the blocks corresponding to the one or more bits as available for allocation.

Abstract: Techniques are described that increase the reliability and quality of data transmissions of computer networks. The techniques provide for the generation of at least two duplicate data flows for carrying data in a computer network. The duplicate data flows are transmitted to a receiving device along paths within one or more intermediate networks. In addition, network devices, such as routers or switches within the network, for example, may cooperate to select paths for the data flows that have reduced or minimal common network elements. The network devices may share “fate-sharing” information that relates groups of network elements according to common characteristics, attributes or shared resources, e.g., a shared power supply, close proximity, common physical interface, for the purposes of facilitating selection of independent paths.

Abstract: A switching device in a network system for transferring data includes one or more source line cards, one or more destination line cards and a switching fabric coupled to the source line cards and the destination line cards to enable data communication between any source line card and destination line card. Each source line card includes a request generator to generate a request signal to be transmitted in order to obtain an authorization to transmit data. Each destination line card includes a grant generator to generate and send back a grant signal to the source line card in response to the request signal received at the destination line card to authorize the source line card to transmit a data cell to the destination line card.

Abstract: A hierarchical traffic policer may include a first policer configured to pass first packets when a first condition is met. The first policer also may alter selection information within the passed first packets. A second policer may be configured to pass second packets when a second condition is met. The second policer may be further configured to pass all of the passed first packets from the first policer based on the altered selection information within the passed first packets.