Patents by Inventor Ajit Sanzgiri

Ajit Sanzgiri has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20120294316
    Abstract: In one embodiment, ports of a network device are assigned to virtual service domains (VSDs). The ports are coupled to a virtual Ethernet module (VEM) of the network device. Each VSD is associated with one or more virtual service engines (VSEs) in a particular order. Each VSE is configured to apply a particular service to traffic traversing the VSE. Traffic received at a virtual Ethernet module (VEM) of the network device that is destined for a particular VSD, and is received on a port that has not been assigned to the particular VSD, is forwarded to the particular VSD via the one or more VSEs associated with the particular VSD such that the traffic traverses the one or more VSEs in the particular order.
    Type: Application
    Filed: July 25, 2012
    Publication date: November 22, 2012
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Srinivas Sardar, Udayakumar Srinivasan, Shankar Ramachandran, Chidambareswaran Raman, Ajit Sanzgiri, Michael R. Smith
  • Patent number: 8274973
    Abstract: In one embodiment, layer-2 (L2) ports of a network device may each be assigned to a particular virtual service domain (VSD). One or more virtual service engines (VSEs) may also be assigned in a particular order to each VSD, where each VSE is configured to apply a particular service to traffic traversing the VSE between ingress and egress service ports. Interconnecting the L2 ports and the ingress and egress service ports is an illustrative virtual Ethernet module (VEM), which directs traffic it receives according to rules as follows: a) into a destination VSD via the one or more correspondingly assigned VSEs in the particular order; b) out of a current VSD via the one or more correspondingly assigned VSEs in a reverse order from the particular order; or c) within a current VSD without redirection through a VSE.
    Type: Grant
    Filed: March 24, 2010
    Date of Patent: September 25, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Srinivas Sardar, Udayakumar Srinivasan, Shankar Ramachandran, Chidambareswaran Raman, Ajit Sanzgiri, Michael R. Smith
  • Publication number: 20120233453
    Abstract: In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.
    Type: Application
    Filed: May 25, 2012
    Publication date: September 13, 2012
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Etai Lev Ran, Ajit Sanzgiri
  • Publication number: 20120210395
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame, and validates the management frame using the key.
    Type: Application
    Filed: April 25, 2012
    Publication date: August 16, 2012
    Inventors: Nancy Cam Winget, Mark Krishcer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
  • Patent number: 8191144
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame, and validates the management frame using the key.
    Type: Grant
    Filed: April 27, 2009
    Date of Patent: May 29, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam Winget, Mark Krishcer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
  • Patent number: 8190875
    Abstract: In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.
    Type: Grant
    Filed: March 22, 2007
    Date of Patent: May 29, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Etai Lev Ran, Ajit Sanzgiri
  • Publication number: 20120086363
    Abstract: A method of controlling and managing a plurality of system managers, a plurality of lights and devices, including human interfaces and building automation devices is disclosed. The method includes a system manager collecting data from the plurality of lights and devices. The system manager uses the collected data to determine an adjacency of lights and devices. The system manager dynamically places the plurality of lights and devices into zones, binds human interface devices to the zones, and dynamically configures the devices to control the zones. The devices perform self-calibration and self-commissioning. The system manager and devices perform ongoing calibration and commissioning. The system manager and devices operate resiliently in case of failure of the system manager, other devices, or software or hardware failures in the devices. The system manager and the devices operate on the collected data to determine usage patterns, and to efficiently manage the plurality of lights and devices.
    Type: Application
    Filed: September 5, 2009
    Publication date: April 12, 2012
    Inventors: Jonathan Golding, Ajit Sanzgiri
  • Publication number: 20110235645
    Abstract: In one embodiment, layer-2 (L2) ports of a network device may each be assigned to a particular virtual service domain (VSD). One or more virtual service engines (VSEs) may also be assigned in a particular order to each VSD, where each VSE is configured to apply a particular service to traffic traversing the VSE between ingress and egress service ports. Interconnecting the L2 ports and the ingress and egress service ports is an illustrative virtual Ethernet module (VEM), which directs traffic it receives according to rules as follows: a) into a destination VSD via the one or more correspondingly assigned VSEs in the particular order; b) out of a current VSD via the one or more correspondingly assigned VSEs in a reverse order from the particular order; or c) within a current VSD without redirection through a VSE.
    Type: Application
    Filed: March 24, 2010
    Publication date: September 29, 2011
    Inventors: Srinivas Sardar, Udayakumar Srinivasan, Shankar Ramachandran, Chidambareswaran Raman, Ajit Sanzgiri, Michael R. Smith
  • Patent number: 7849499
    Abstract: In one embodiment, detecting a wireless network access request, forwarding data associated with the detected wireless network access request to a first multipoint Generic Routing Encapsulation (mGRE) tunnel, receiving authentication information associated with the detected wireless network access request, receiving authentication status information for the detected wireless network access request, and forwarding data associated with the detected wireless network access request to a second multipoint Generic Routing Encapsulation (mGRE) tunnel connected to a predetermined internet protocol (IP) subnet when the received authentication status information includes a successful authentication, are provided.
    Type: Grant
    Filed: August 21, 2007
    Date of Patent: December 7, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Bhanu Gopalasetty, Ajit Sanzgiri, Chia Tsai, Jun Xie
  • Patent number: 7616613
    Abstract: Enhanced tunnel communication mode creation, management and tuning in a network that includes wireless access points (APs) and user authentication. Tunnels can be dynamically managed to adapt to the changing topology of a network with APs. User devices such as mobile phones, laptop computers, personal digital assistants, or other devices can be added or dropped from an assigned AP. APs, routers, switches or other devices can also be added, removed, or modified in their network characteristics. Special control is also provided for IP multicast, Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP) and other network features.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: November 10, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Ajit Sanzgiri, Douglas Gourlay
  • Publication number: 20090235077
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame, and validates the management frame using the key.
    Type: Application
    Filed: April 27, 2009
    Publication date: September 17, 2009
    Inventors: Nancy Cam Winget, Mark Krischer, Sheausong Yang, Ajit Sanzgiri, Timothy Olson, Pauline Shuen
  • Patent number: 7558960
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame, and validates the management frame using the key.
    Type: Grant
    Filed: January 5, 2005
    Date of Patent: July 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam Winget, Mark Krishcer, Timothy Olson, Pauline Shuen, Ajit Sanzgiri, Sheausong Yang
  • Publication number: 20090055900
    Abstract: In one embodiment, detecting a wireless network access request, forwarding data associated with the detected wireless network access request to a first multipoint Generic Routing Encapsulation (mGRE) tunnel, receiving authentication information associated with the detected wireless network access request, receiving authentication status information for the detected wireless network access request, and forwarding data associated with the detected wireless network access request to a second multipoint Generic Routing Encapsulation (mGRE) tunnel connected to a predetermined internet protocol (IP) subnet when the received authentication status information includes a successful authentication, are provided.
    Type: Application
    Filed: August 21, 2007
    Publication date: February 26, 2009
    Applicant: Cisco Technology, Inc.
    Inventors: Bhanu Gopalasetty, Ajit Sanzgiri, Chia Tsai, Jun Xie
  • Publication number: 20080235508
    Abstract: In one embodiment, a method for providing secure communications using a proxy is provided. The proxy negotiates with a client and a server to determine a session key to use with communications between the client and the proxy and between the proxy and the server. Encrypted data may then be received from the client at the proxy. The proxy can decrypt the encrypted data for processing using the session key. In one embodiment, the decrypted data is not altered. The proxy then sends the encrypted data that was received from the client to the server without re-encrypting the data that was decrypted. Because the proxy did not alter the data in its processing of the decrypted data and the same session key is used between communications for the proxy and the server, the encrypted data stream that was received from the client can be forwarded to the server.
    Type: Application
    Filed: March 22, 2007
    Publication date: September 25, 2008
    Applicant: Cisco Technology, Inc. (a California corporation)
    Inventors: Etai Lev Ran, Ajit Sanzgiri
  • Patent number: 7411925
    Abstract: Embodiments of the present invention provide for switchover from an active processor to a standby processor in a route processor system. An up-to-date copy of information used by a supervisor process at the active processor is ensured by determining necessary event states. One type of event state includes message requests, processing and replies. Three basic types of communication between three different entities (blade, wireless domain services (WDS) and supervisor) are governed by three types of communication protocols: WLCCP between a blade and WDS, LCP between a supervisor and a blade, and checkpoint-type messages between two supervisors.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: August 12, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Vijay Nain, Chia Tsai, Ajit Sanzgiri
  • Patent number: 7370362
    Abstract: Methods and apparatus are disclosed for locating and disabling the switch port of a rogue wireless access point. In one embodiment, a network management device is configured to detect the presence of a rogue access point on a managed wireless network. Once detected, the management device may then instruct a special client, such as a scanning AP, to associate with the rogue access point and send a discovery packet through the rogue access point to the network management device. The network management device upon receiving the discovery packet may thereby determine that the rogue access point is connected to a network managed by said network device. The network device may then utilize information contained in the discovery packet to locate the switch port to which the rogue access point is connected, and ultimately disable the switch port to which the rogue access point is connected.
    Type: Grant
    Filed: March 3, 2005
    Date of Patent: May 6, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Timothy Olson, Pauline Shuen, Ajit Sanzgiri, Nancy Winget, Pejman Roshan
  • Publication number: 20060200862
    Abstract: Methods and apparatus are disclosed for locating and disabling the switch port of a rogue wireless access point. In one embodiment, a network management device is configured to detect the presence of a rogue access point on a managed wireless network. Once detected, the management device may then instruct a special client, such as a scanning AP, to associate with the rogue access point and send a discovery packet through the rogue access point to the network management device. The network management device upon receiving the discovery packet may thereby determine that the rogue access point is connected to a network managed by said network device. The network device may then utilize information contained in the discovery packet to locate the switch port to which the rogue access point is connected, and ultimately disable the switch port to which the rogue access point is connected.
    Type: Application
    Filed: March 3, 2005
    Publication date: September 7, 2006
    Inventors: Timothy Olson, Pauline Shuen, Ajit Sanzgiri, Nancy Winget, Pejman Roshan
  • Publication number: 20060114863
    Abstract: A method for protecting a wireless network against spoofed MAC address attacks. A database is used for storing MAC address and user identity bindings. When a new request to access the network is received, the MAC address and user identity of the request are compared to the stored MAC address and user identity bindings. If a new request has an existing MAC address, but not the corresponding user identity, then the request will be denied. The bindings database contains the MAC address and user identity bindings for wireless nodes and/or for wired nodes. The MAC address and user identity bindings contained in the bindings database may be automatically learned or statically configured.
    Type: Application
    Filed: December 1, 2004
    Publication date: June 1, 2006
    Inventors: Ajit Sanzgiri, Robert Meier, Bhawani Sapkota, Nancy Cam Winget
  • Publication number: 20060002343
    Abstract: Embodiments of the present invention provide for switchover from an active processor to a standby processor in a route processor system. An up-to-date copy of information used by a supervisor process at the active processor is ensured by determining necessary event states. One type of event state includes message requests, processing and replies. Three basic types of communication between three different entities (blade, wireless domain services (WDS) and supervisor) are governed by three types of communication protocols: WLCCP between a blade and WDS, LCP between a supervisor and a blade, and checkpoint-type messages between two supervisors.
    Type: Application
    Filed: November 12, 2004
    Publication date: January 5, 2006
    Applicant: Cisco Technology, Inc.
    Inventors: Vijay Nain, Chia Tsai, Ajit Sanzgiri
  • Publication number: 20050270992
    Abstract: Enhanced tunnel communication mode creation, management and tuning in a network that includes wireless access points (APs) and user authentication. Tunnels can be dynamically managed to adapt to the changing topology of a network with APs. User devices such as mobile phones, laptop computers, personal digital assistants, or other devices can be added or dropped from an assigned AP. APs, routers, switches or other devices can also be added, removed, or modified in their network characteristics. Special control is also provided for IP multicast, Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP) and other network features.
    Type: Application
    Filed: November 19, 2004
    Publication date: December 8, 2005
    Applicant: Cisco Technology, Inc.
    Inventors: Ajit Sanzgiri, Douglas Gourlay