Abstract: A network device is capable of recognizing and blocking network attacks associated with packet flows regardless of whether the packet flows are encapsulated within network tunnels. For example, the network device includes a filter module that receives packets associated with a network tunnel from an ingress device to an egress device. The filter module applies heuristics to determine whether the packets encapsulate encrypted data units. If the data units are not encrypted, the filter module extracts the data units and generates temporary packets for use within the network device. An attack detection engine within the device analyzes the temporary packets to detect any network attacks carried by the encapsulated data units. A forwarding component selectively forwards the packets to the egress device based on whether any network attacks are detected.
Abstract: In one embodiment, a method includes receiving a key associated with a portion of a data packet, comparing the key to a first range extreme, selecting a second range extreme, and comparing the key with the second range. The first range extreme is associated with a first range and the second range is associated with a second range. The second range is selected based on the comparing the key to the first range extreme. The method includes producing a policy vector associated with the first or second range.
Abstract: A server includes first logic to receive a message identifying a subscriber device and including information relating to content requested by the subscriber device; and second logic to determine whether adequate network resources exist for providing the requested content to the subscriber device, and to reserve the network resources when adequate network resources are determined to exist.
Type: Grant
Filed: September 4, 2008
Date of Patent: September 14, 2010
Assignee: Juniper Networks, Inc.
Inventors: Hugh Donal Stewart, Gregory Allan Sidebottom, Wladimir de Lara Filho Araujo, Steffen Georg Ries, Scott Joseph Stevens
Abstract: A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current state, when it is determined that the current state is insensitive.
Type: Application
Filed: May 19, 2009
Publication date: September 9, 2010
Applicant: Juniper Networks Inc.
Inventors: Qingming Ma, Bryan Burns, Sheng Li, Na Liu, Xuejun Wu, Shan Yu, Li Zheng
Abstract: A network acceleration device is described that caches resources (e.g., files or other content) to a cache space organized into logically separate views. The views represent an abstraction that defines sets of the cached resources according to the client devices that requested the resources. The network acceleration device associates each view with a specific client device or user, and caches content requested by that specific user to the user's associated view. The network acceleration device herein may achieve a higher level of caching and increased network acceleration over a conventional network acceleration device that maintains a single cache space and shares content among multiple client devices.
Abstract: A set of network devices having varying device attributes, such as varying attributes due to different operating system versions, different hardware versions, or different hardware platforms, may be efficiently managed. A syntax file may be used to describe constraints relating to attributes of multiple versions of the network devices. At least one device configuration file (DCF) stores version-based differences relating to the different versions of the network devices; the syntax file and the at least one DCF collectively describe a set of constraints for the attributes of the network devices.
Type: Grant
Filed: November 10, 2004
Date of Patent: September 7, 2010
Assignee: Juniper Networks, Inc.
Inventors: David Lei Zhang, Brian Yean-Shiang Leu, Chi-Chang Lin, Xiangang Huang, James E. Fehrle
Abstract: Virtual Private Networks (VPNs) are supported in which customers may use popular internet gateway protocols (IGPs) without the need to convert such IGPs, running on customer devices, to a single protocol, such as the border gateway protocol (BGP). Scaling problems, which might otherwise occur when multiple instances of an IGP flood link state information, are avoided by using a flooding topology which is smaller than a forwarding topology. The flooding topology may be a fully connected sub-set of the forwarding topology.
Abstract: A device includes a primary control unit and a standby control unit. The standby control unit records routing communications exchanged between the primary control unit and an external routing device in accordance with a routing protocol. A standby routing process executing on the standby control unit processes the recorded routing communications when the primary control unit fails. The standby routing process generates state information for executing the routing protocol on the standby control unit without requiring that routing sessions be reestablished with the external routing device.
Abstract: Arbitration is performed in a packet exchanger. In one implementation, a device for performing the arbitration may include input ports configured to each receive sequences that define a packet and output ports. A packet switch concurrently processes multiple ones of the received sequences to select an output port for each of the received sequences, the packet switch transferring the received sequences to the selected output ports for output from the device at different times from one another.
Abstract: The invention is directed toward techniques for Multi-Protocol Label Switching (MPLS) upstream label assignment for the Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The techniques include extensions to the RSVP-TE that enable distribution of upstream assigned labels in Path messages from an upstream router to two or more downstream routers of a tunnel established over a network. The tunnel may comprise a RSVP-TE P2MP Label Switched Path (LSP) or an Internet Protocol (IP) multicast tunnel. The techniques also include extensions to the RSVP-TE that enable a router to advertise upstream label assignment capability to neighboring routers in the network. The MPLS upstream label assignment using RSVP-TE described herein enables a branch router to avoid traffic replication on a Local Area Network (LAN) for RSVP-TE P2MP LSPs.
Abstract: In an asynchronous transfer mode switch, a plurality of queues is provided for accumulating transfer cells, and a queue assignment processing section receives a message for establishing a connection and assigns to the connection one of the queues having a forwarding rate close to a declared rate included in the message and not exceeding the declared rate.
Abstract: Techniques are described for multicast content usage data collection and accounting within a network device. For example, the network device, such as a router, comprises an interface card to receive requests from one or more consumer devices. The requests specify actions concerning multicast content. The requests may include a join request that allows a consumer to join a multicast group and consume content provided by that group, a leave request that allows a user to leave a multicast group and the like. The network device further includes a routing engine to asynchronously collect the requests and create a multicast usage report. The multicast usage report describes multicast content usage by each of the consumer devices. Content providers may access the usage report and derive accounting information from the usage report to update consumer accounts based on the derived accounting information.
Type: Grant
Filed: December 23, 2003
Date of Patent: August 31, 2010
Assignee: Juniper Networks, Inc.
Inventors: John C. Scano, David Blease, Eric L. Peterson
Abstract: A router receives destination address information for a packet and determines, among entries in a first forwarding table, a closest match for the received destination address information. The router receives a pointer to a second forwarding table in accordance with the closest match determined in the first forwarding table and determines, among entries in the second forwarding table, a closest match for the received destination address information.
Type: Grant
Filed: July 26, 2006
Date of Patent: August 31, 2010
Assignee: Juniper Networks, Inc.
Inventors: Manoj Leelanivas, Ravi Vaidyanathan, Ken Kuwabara, Steven Lin
Abstract: A hierarchical traffic policer may include a first policer configured to pass first packets when a first condition is met. The first policer also may alter selection information within the passed first packets. A second policer may be configured to pass second packets when a second condition is met. The second policer may be further configured to pass all of the passed first packets from the first policer based on the altered selection information within the passed first packets.
Type: Grant
Filed: October 31, 2007
Date of Patent: August 31, 2010
Assignee: Juniper Networks, Inc.
Inventors: James Washburn, Spencer Greene, Rami Rahim, Stefan Dyckerhoff, Dennis C. Ferguson, Philippe Lacroute
Abstract: Methods, apparatus, and products are disclosed for routing frames in a TRILL network using service VLAN identifiers by: receiving a frame from an ingress bridge node for transmission through the TRILL network to a destination node that connects to the TRILL network through an egress node, the received frame including a customer VLAN identifier, a service VLAN identifier uniquely assigned to the ingress bridge node, and a destination node address for the destination node, the received frame not having mac-in-mac encapsulation; adding, in dependence upon the service VLAN identifier and the destination node address, a TRILL header conforming to the TRILL protocol, the TRILL header including an ingress bridge nickname and an egress bridge nickname; and routing, to the egress bridge node through which the destination node connects to the network, the frame in dependence upon the ingress bridge nickname and the egress bridge nickname.
Abstract: Techniques are described for establishing an overall label switched path (LSP) for load balancing network traffic being sent across a network using a resource reservation protocol such as Resource Reservation Protocol with Traffic Engineering (RSVP-TE). The techniques include extensions to the RSVP-TE protocol that enable a router to send Path messages for establishing a tunnel that includes a plurality of sub-paths for the overall LSP. The tunnel may comprise a single RSVP-TE Label Switched Path (LSP) that is configured to load balance network traffic across different sub-paths of the RSVP-TE LSP over the network.
Abstract: To provide a method and network system, wherein the proper VPI values are allocated, after the user devices are connected with the network device. A user device transmits a first specific ATM cell, while a network device receives the first specific ATM cell and transmits toward the user device a second specific ATM cell which carries a proper VPI value in the information field of ATM cell. The proper VPI value in the second specific ATM cell is memorized and used by the user device for its own VPI value for communication.
Abstract: A packet header processing engine includes a memory having a number of distinct portions for respectively storing different types of descriptor information for a header of a packet. A packet header processing unit includes a number of pointers corresponding to the number of distinct memory portions. The packet header processing unit is configured to retrieve the different types of descriptor information from the number of distinct memory portions and to generate header information from the different types of descriptor information.
Type: Grant
Filed: April 3, 2007
Date of Patent: August 24, 2010
Assignee: Juniper Networks, Inc.
Inventors: Raymond Marcelino Manese Lim, Jeffrey G. Libby
Abstract: A method for communicating packet multimedia data between a source endpoint and a destination endpoint is disclosed, wherein at least the source endpoint is within a virtual private network, and comprises the steps of receiving, at a signaling controller, a first signaling packet from the source endpoint, wherein the source endpoint is within a virtual private network; determining whether the source endpoint and destination endpoint may communicate directly over the same virtual private network; when the source endpoint and destination endpoint cannot communicate directly over the same virtual private network, associating a unique identifier of the source endpoint with a virtual private network identification marker; when the source endpoint and destination endpoint can communicate directly over the same virtual private network, instructing the source endpoint and destination endpoint to communicate media packets directly.
Abstract: A network device includes multiple packet processing engines implemented in parallel with one another. A spraying component distributes incoming packets to the packet processing engines using a spraying technique that load balances the packet processing engines. In particular, the spraying component distributes the incoming packets based on queue lengths associated with the packet processing engines and based on a random component. In one implementation, the random component is a random selection from all the candidate processing engines. In another implementation, the random component is a weighted random selection in which the weights are inversely proportional to the queue lengths.
Type: Grant
Filed: April 24, 2008
Date of Patent: August 24, 2010
Assignee: Juniper Networks, Inc.
Inventors: Dennis C Ferguson, Chi-Chung Chen, Thomas M Skibo