Abstract: A network node that includes a memory to store a multicast forwarding table that contains entries that govern how multicast traffic is to be forwarded from a multicast virtual local area network (MVLAN) associated with the network node, to receiver VLANs associated with the network node, where each entry includes a multicast group, that is associated with a group of ports on the multicast VLAN via which the multicast traffic is received, and information associated with the receiver VLANs to which the received multicast traffic is to be sent.

Abstract: A disaster response system receives location data and status data from participating devices in an area affected by a disaster. The disaster response system provides data to client devices outside the affected area. The data indicate statuses of people within the affected area. Disaster response system also instructs routers to perform actions to adjust bandwidth available for a particular use during and after the disaster.

Abstract: Techniques are described for managing failover in redundant network devices. In particular, each device in a set of redundant network devices includes redundant processing modules. Each module provides a separate operating environment for a set of network services. Each network device includes a control unit that receives configuration information that specifies individual weight values for each of the modules and a threshold value for the network device. The control unit detects failures of the modules and transfers primary responsibility for performing the network service to a second network device when the threshold value is exceeded by a weighted sum of the weight values for the failed modules.

Abstract: In some embodiments, a system includes a chassis having a group of horizontal slots in which a first group of line cards is disposed and a group of vertical slots in which a second group of line cards is disposed. Each port of a line card from the first group of line cards is operatively coupled to a different line card from the second group of line cards when the system is in a first configuration. A first set of ports and a second set of ports of a line card from the first group of line cards are operatively coupled to a first line card and a second line card from the second group of line cards, respectively, when the system is in a second configuration.

Abstract: Systems and methods for detecting and preventing network security breaches are described. The systems and methods present a gateway-based packet-forwarding network security solution to not only detect security breaches but also prevent them by directly dropping suspicious packets and connections. The systems and methods employ multiple techniques to detect and prevent network security breaches, including stateful signature detection, traffic signature detection, and protocol anomaly detection.

Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.

Abstract: A device may receive a fragment of a fragmented data unit, determine a flow identifier that identifies a data flow with which the fragment is associated, and create a flow entry, based on the flow identifier, to store information associated with the data flow. The device may also determine a fragment key associated with the fragment, store a pointer to the flow entry based on the fragment key, correlate the fragment and another fragment, associated with the data flow, based on the fragment key and the pointer to the flow entry, and accumulate statistics associated with the fragment and the other fragment after correlating the fragment and the other fragment.

Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.

Abstract: Packet sequence number checking through a VPN tunnel may be performed by assigning sequence numbers on a per-priority class basis to packets traversing the VPN tunnel. In one implementation, a network device may receive a packet that is to be transmitted over a VPN tunnel, the packet including control information that includes at least a QoS priority class of the packet. The network device may extract the priority class of the packet from the control information and generate a sequence value that describes an arrival sequence of the packet relative to other received packets of the same priority class as the packet. The network device may additionally generate an IPsec header for the packet, the IPsec header including the sequence value and the priority class of the packet; attach the IPsec header to the packet; and transmit the packet through the VPN tunnel.

Abstract: An ATM multiplexing apparatus of the present invention is the apparatus for selectively performing cell discard processing in the case of congestion on the basis of a use state of the same connection formed by cells from the side of an ATM switching unit and subscribers without installing UPC units, and the ATM multiplexing apparatus, which is connected to the ATM switching unit and each of plural subscribers through ATM communication lines and performs multiplexing processing to ATM cells sent from the plural subscribers, comprises: detection means 118 for detecting a level of a congestion state corresponding to the received ATM 157 from the subscribers; and discard means (111, 115 and 117) for selectively discarding the received ATM cells from the subscribers on the basis of a communication state determined by the received ATM cells 155 from the ATM switching unit and the received ATM cells from the subscribers and a level value of a warning signal 129 indicating the detected congestion state.

Abstract: A network access device is described that uses a modified lower layer two (L2) software interface that is enhanced to operate as a proxy for a dynamic upper L2 software interface when the upper L2 software interface has been torn down, i.e., terminated unbeknownst to a subscriber device. The lower L2 software interface may, for example, be extended to incorporate certain features of the upper L2 software interface to detect such a condition. In the absence of the upper L2 software interface, the lower L2 interface may output a simulated termination request on behalf of the upper L2 interface and in accordance with the upper L2 protocol.

Abstract: A multi-chassis router allows an administrator to install software from a single user interface. The multi-chassis router automatically forwards the software to each chassis within the multi-chassis router when given a single command to install the software from an administrator. The multi-chassis router also automatically validates the software on each chassis. After reporting the results of the validations, the multi-chassis router may wait for the administrator to issue a commit command before committing each chassis within the multi-chassis router to the software. Alternatively, in response to a failed validation or for other reason, an administrator can issue a single ROLLBACK command. This allows each chassis within the multi-chassis router to have the same software during all stages of a software installation and ensures software on each chassis is compatible with software on every other chassis.

Abstract: A network meeting application for providing network meetings, such as web conference meetings, runs on a presenter device. In response to a request for a network meeting from an attendee device, the presenter device creates a secure desktop separate from a working desktop. The presenter may use the secure desktop to share documents, presentations, or other applications with the attendee device. The attendee device is blocked from accessing the working desktop of the presenter device. A presenter using the presenter device may switch between the working desktop and the secure desktop. Security policies, downloaded to the presenter device from a server, determine the applications the attendee may run on the secure desktop. The secure desktop thereby protects the integrity of the presenter's working desktop during a web conference meeting, while allowing documents, presentations, or other applications to be shared with attendees via the secure desktop.

Abstract: A method performed by network devices that includes operating in a normal mode, where the network devices form a virtual chassis that corresponds to a single logical network device; detecting when a failure within the virtual chassis occurs; executing a splitting process to form one or more new virtual chassis in correspondence to the failure; determining whether one of the one or more new virtual chassis operates as a functioning virtual chassis based on whether at least one of a set of criteria is satisfied, where the functioning virtual chassis operates according to resources configured for the virtual chassis; and operating as a nonfunctioning virtual chassis when it is determined that the one of the one or more virtual chassis does not satisfy the at least one of the set of criteria, where the nonfunctioning virtual chassis operates in a pass-through mode.

Abstract: A method and apparatus stores media content in a variety of storage devices, with at least a portion of the storage devices having different performance characteristics. The system can deliver media to a large number of clients while maintaining a high level of viewing experience for each client by automatically adapting the bit rate of a media being delivered to a client using the client's last mile bit rate variation. The system provides clients with smooth viewing of video without buffering stops. The client does not need a custom video content player to communicate with the system.

Abstract: This disclosure relates to managing voice-based data communications within a clustered network environment using application-layer functionality, and more particularly to a primary network device within a cluster that manages transmissions related to a communication and synchronizes state information associated with the communication to other network devices within the cluster. One exemplary method includes receiving, by a network device in a cluster, information associated with a data communication between a first user device and a second user device, and analyzing, by the network device, the received information using application-layer functionality to identify a primary network device that manages the data communication. When the network device is not the primary network device, the network device forwards the received information to the primary network device.

Abstract: A multi-router system is described in which hardware and software components of one or more standalone routers can be partitioned into multiple logical routers. The multiple logical routers are isolated from each other in terms of routing and forwarding functions yet allow network interfaces to be shared between the logical routers. Moreover, different logical routers can share network interfaces without impacting the ability of any of the logical routers to be independently scaled to meet the bandwidth demands of the customers serviced by the logical router.

Abstract: A layer 1 network frame is disclosed that includes data of a layer 2 frame. A header of the layer 1 frame header includes: a packet length field to indicate a size of a payload portion of the layer 1 frame, a priority field to indicate a priority of the layer 1 frame, a protocol field to identify a protocol of the data in the layer 2 frame, a frame mode field to indicate a correspondence between the layer 1 frame and the layer 2 frame included within the payload, a stuff field to indicate whether stuff data is contained in the layer 1 frame, and a cyclic redundancy check (CRC) field to indicate a CRC result.

Abstract: A call admission control technique allowing flexible and reliable call admissions at an ATM switch in the case of an ATM network including both QoS-specified and QoS-unspecified virtual connections is disclosed. In the case where a QoS (Quality of Service) specified connection request occurs, an estimated bandwidth is calculated which is to be assigned to an existing QoS-unspecified traffic on the link associated with the QoS-specified connection request. A call control processor of the ATM switch determines whether the QoS-specified connection request is accepted, depending on whether a requested bandwidth is smaller than an available bandwidth that is obtained by subtracting an assigned bandwidth and the estimated bandwidth from a full bandwidth of the link.

Abstract: In general, a mobile virtual private network (VPN) is described in which service provider networks cooperate to dynamically extend a virtual routing area of a home service provider network to the edge of a visited service provider network and thereby enable IP address continuity for a roaming wireless device. In one example, a home service provider network allocates an IP address to a wireless device and establishes a mobile VPN. The home service provider network dynamically provisions a visited service provider network with the mobile VPN, when the wireless device attaches to an access network served by the visited service provider network, to enable the wireless device to exchange network traffic with the visited service provider network using the IP address allocated by the home service provider network.