Patents by Inventor Michael E. Lipman

Michael E. Lipman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10609042
    Abstract: Various systems and methods for determining whether to allow or continue to allow access to a protected data asset are disclosed herein. For example, one method involves receiving a request to access a protected data asset, wherein the request is received from a first user device; determining whether to grant access to the protected data asset, wherein the determining comprises evaluating one or more criteria associated with the first user device, and the criteria comprises first information associated with a first policy constraint; and in response to a determination that access to the protected data asset is to be granted, granting access to the protected data asset.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: March 31, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Paul Quinn, Michael E. Lipman, Mike Milano, David D. Ward, James Guichard, Leonid Sandler, Moshe Kravchik, Alena Lifar, Darrin Miller
  • Patent number: 9992103
    Abstract: Presented herein are techniques to reduce the number of redirected subscriber packet flows while performing sticky hierarchical load balancing. An Nth head end network element may be activated such that a plurality of N head end network elements are active and capable of receiving and processing one or more packet flows. A primary load balancer may then be directed to overwrite a portion of pointers of a hash table in an evenly distributed manner with pointers to the Nth head end network element such that packet flows are forwarded to the Nth head end network element, wherein the hash table retains a static number of entries as the number of head end network elements is modified.
    Type: Grant
    Filed: January 24, 2014
    Date of Patent: June 5, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Hendrikus G. P. Bosch, Peter Weinberger, Praveen Bhagwatula, Michael E. Lipman, Alessandro Duminuco, Louis Gwyn Samuel
  • Patent number: 9952877
    Abstract: In one embodiment, a physical device (e.g., packet switching device, computer, server) is booted using custom-created frozen partially-booted virtual machines, avoiding the time required for an end-to-end boot process. In one embodiment while the system is operating under a current version, a partially-booted virtual image of a new operating version for each of multiple processing elements of the device is produced according to static configuration information specific to the device, with each of these partially-booted virtual machines frozen. The device is rebooted to a fully operational device by unfreezing these partially-booted virtual machines, thus removing this portion of a boot process from the real-time booting of the device. The generation of the frozen partially-booted virtual machines is advantageously performed by the device itself based on current static configuration information and the availability of the specific hardware configuration of the device.
    Type: Grant
    Filed: April 23, 2014
    Date of Patent: April 24, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Akash R. Deshpande, Michael E. Lipman, Peter Weinberger
  • Publication number: 20170237747
    Abstract: Various systems and methods for determining whether to allow or continue to allow access to a protected data asset are disclosed herein. For example, one method involves receiving a request to access a protected data asset, wherein the request is received from a first user device; determining whether to grant access to the protected data asset, wherein the determining comprises evaluating one or more criteria associated with the first user device, and the criteria comprises first information associated with a first policy constraint; and in response to a determination that access to the protected data asset is to be granted, granting access to the protected data asset.
    Type: Application
    Filed: December 21, 2016
    Publication date: August 17, 2017
    Inventors: Paul Quinn, Michael E. Lipman, Mike Milano, David D. Ward, James Guichard, Leonid Sandler, Moshe Kravchik, Alena Lifar, Darrin Miller
  • Patent number: 9596175
    Abstract: In one embodiment, a packet switching device creates multiple virtual packet switching devices within the same physical packet switching device using virtual machines and sharing particular physical resources of the packet switching device. One embodiment uses this functionality to change the operating version (e.g., upgrade or downgrade) of the packet switching device by originally operating according to a first operating version, operating according to both a first and second operating version, and then ceasing operating according to the first operating version. Using such a technique, a packet switching device can be upgraded or downgraded while fully operating (e.g., without having to reboot line cards and route processing engines).
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: March 14, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Akash R. Deshpande, John H. W. Bettink, Michael E. Lipman, Pradosh Mohapatra, Kannan Devarajan, Prabhakara R. Yellai, Rajagopalan M. Ammanur, Samir D. Thoria
  • Patent number: 9509614
    Abstract: An example method for load balancing in a network environment is provided and includes receiving a packet from a first stage load-balancer in a network environment, where the packet is forwarded from the first stage load-balancer to one of a plurality of second stage load-balancers in the network according to a hash based forwarding scheme, and routing the packet from the second stage load-balancer to one of a plurality of servers in the network according to a per-session routing scheme. The per-session routing scheme includes retrieving a session routing state from a distributed hash table in the network. In a specific embodiment, the hash based forwarding scheme includes equal cost multi path routing. The session routing state can include an association between a next hop for the packet and the packet's 5-tuple representing a session to which the packet belongs.
    Type: Grant
    Filed: June 20, 2013
    Date of Patent: November 29, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Hendrikus G. P. Bosch, David Richard Barach, Michael E. Lipman, Alessandro Duminuco, James N. Guichard, Humberto J. La Roche
  • Patent number: 9270397
    Abstract: In one embodiment, an apparatus cascades groups of serialized data streams through devices, and performs operations based on information communicated therein. A received group of serialized data streams is aligned, but not framed, and forwarded to a next device (e.g., a next stage in a linear or tree cascaded formation of devices). Eliminating the framing and subsequent serialization operations performed on the received group of serialized data streams reduces the latency of communications through the cascaded devices, which can be significant when considered in relation to the high-speed communication rates. The received group of serialized data streams is also framed to create a sequence of data frames for processing (e.g., associative memory lookup operations, controlling multiplexing of received downstream serialized data streams, general or other processing) within the device.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: February 23, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: John W. Marshall, Steven Philip Holmes, Jeffrey Nelson Shaw, Michael E. Lipman, Matthew Harper, Mohammed Ismael Tatar, James A. Markevitch
  • Publication number: 20160021002
    Abstract: In one embodiment, a packet switching device creates multiple virtual packet switching devices within the same physical packet switching device using virtual machines and sharing particular physical resources of the packet switching device. One embodiment uses this functionality to change the operating version (e.g., upgrade or downgrade) of the packet switching device by originally operating according to a first operating version, operating according to both a first and second operating version, and then ceasing operating according to the first operating version. Using such a technique, a packet switching device can be upgraded or downgraded while fully operating (e.g., without having to reboot line cards and route processing engines).
    Type: Application
    Filed: October 1, 2015
    Publication date: January 21, 2016
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Akash R. Deshpande, John H. W. Bettink, Michael E. Lipman, Pradosh Mohapatra, Kannan Devarajan, Prabhakara R. Yellai, Rajagopalan M. Ammanur, Samir D. Thoria
  • Patent number: 9185030
    Abstract: In one embodiment, a packet switching device creates multiple virtual packet switching devices within the same physical packet switching device using virtual machines and sharing particular physical resources of the packet switching device. One embodiment uses this functionality to change the operating version (e.g., upgrade or downgrade) of the packet switching device by originally operating according to a first operating version, operating according to both a first and second operating version, and then ceasing operating according to the first operating version. Using such a technique, a packet switching device can be upgraded or downgraded while fully operating (e.g., without having to reboot line cards and route processing engines).
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: November 10, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Akash R. Deshpande, John H. W. Bettink, Michael E. Lipman, Pradosh Mohapatra, Kannan Devarajan, Prabhakara R. Yellai, Rajagopalan M. Ammanur, Samir D. Thoria
  • Publication number: 20150309805
    Abstract: In one embodiment, a physical device (e.g., packet switching device, computer, server) is booted using custom-created frozen partially-booted virtual machines, avoiding the time required for an end-to-end boot process. In one embodiment while the system is operating under a current version, a partially-booted virtual image of a new operating version for each of multiple processing elements of the device is produced according to static configuration information specific to the device, with each of these partially-booted virtual machines frozen. The device is rebooted to a fully operational device by unfreezing these partially-booted virtual machines, thus removing this portion of a boot process from the real-time booting of the device. The generation of the frozen partially-booted virtual machines is advantageously performed by the device itself based on current static configuration information and the availability of the specific hardware configuration of the device.
    Type: Application
    Filed: April 23, 2014
    Publication date: October 29, 2015
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Akash R. Deshpande, Michael E. Lipman, Peter Weinberger
  • Publication number: 20150215819
    Abstract: Presented herein are techniques to reduce the number of redirected subscriber packet flows while performing sticky hierarchical load balancing. An Nth head end network element may be activated such that a plurality of N head end network elements are active and capable of receiving and processing one or more packet flows. A primary load balancer may then be directed to overwrite a portion of pointers of a hash table in an evenly distributed manner with pointers to the Nth head end network element such that packet flows are forwarded to the Nth head end network element, wherein the hash table retains a static number of entries as the number of head end network elements is modified.
    Type: Application
    Filed: January 24, 2014
    Publication date: July 30, 2015
    Applicant: Cisco Technology, Inc.
    Inventors: Hendrikus G. P. Bosch, Peter Weinberger, Praveen Bhagwatula, Michael E. Lipman, Alessandro Duminuco, Louis Gwyn Samuel
  • Publication number: 20140379938
    Abstract: An example method for load balancing in a network environment is provided and includes receiving a packet from a first stage load-balancer in a network environment, where the packet is forwarded from the first stage load-balancer to one of a plurality of second stage load-balancers in the network according to a hash based forwarding scheme, and routing the packet from the second stage load-balancer to one of a plurality of servers in the network according to a per-session routing scheme. The per-session routing scheme includes retrieving a session routing state from a distributed hash table in the network. In a specific embodiment, the hash based forwarding scheme includes equal cost multi path routing. The session routing state can include an association between a next hop for the packet and the packet's 5-tuple representing a session to which the packet belongs.
    Type: Application
    Filed: June 20, 2013
    Publication date: December 25, 2014
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Hendrikus G. P. Bosch, David Richard Barach, Michael E. Lipman, Alessandro Duminuco, James N. Guichard, Humberto J. La Roche
  • Patent number: 8774185
    Abstract: A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to Layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g., firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
    Type: Grant
    Filed: July 27, 2010
    Date of Patent: July 8, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: John C. Carney, Timothy P. Donahue, Michael E. Lipman, David Delano Ward, Doron Oz
  • Patent number: 8713575
    Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: April 29, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: John C Carney, Michael E Lipman
  • Publication number: 20140112342
    Abstract: In one embodiment, an apparatus cascades groups of serialized data streams through devices, and performs operations based on information communicated therein. A received group of serialized data streams is aligned, but not framed, and forwarded to a next device (e.g., a next stage in a linear or tree cascaded formation of devices). Eliminating the framing and subsequent serialization operations performed on the received group of serialized data streams reduces the latency of communications through the cascaded devices, which can be significant when considered in relation to the high-speed communication rates. The received group of serialized data streams is also framed to create a sequence of data frames for processing (e.g., associative memory lookup operations, controlling multiplexing of received downstream serialized data streams, general or other processing) within the device.
    Type: Application
    Filed: October 24, 2012
    Publication date: April 24, 2014
    Inventors: John W. Marshall, Steven Philip Holmes, Jeffrey Nelson Shaw, Michael E. Lipman, Matthew Harper, Mohammed Ismael Tatar, James A. Markevitch
  • Publication number: 20130114613
    Abstract: In one embodiment, a packet switching device creates multiple virtual packet switching devices within the same physical packet switching device using virtual machines and sharing particular physical resources of the packet switching device. One embodiment uses this functionality to change the operating version (e.g., upgrade or downgrade) of the packet switching device by originally operating according to a first operating version, operating according to both a first and second operating version, and then ceasing operating according to the first operating version. Using such a technique, a packet switching device can be upgraded or downgraded while fully operating (e.g., without having to reboot line cards and route processing engines).
    Type: Application
    Filed: December 19, 2011
    Publication date: May 9, 2013
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Akash R. Deshpande, John H. W. Bettink, Michael E. Lipman, Pradosh Mohapatra, Kannan Devarajan, Prabhakara R. Yellai, Rajagopalan M. Ammanur, Samir D. Thoria
  • Publication number: 20120266181
    Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.
    Type: Application
    Filed: June 29, 2012
    Publication date: October 18, 2012
    Applicant: Juniper Networks, Inc.
    Inventors: John C. Carney, Michael E. Lipman
  • Patent number: 8234653
    Abstract: A data processing architecture includes multiple processors connected in series between a load balancer and reorder logic. The load balancer is configured to receive data and distribute the data across the processors. Appropriate ones of the processors are configured to process the data. The reorder logic is configured to receive the data processed by the processors, reorder the data, and output the reordered data.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: July 31, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: John C Carney, Michael E Lipman
  • Publication number: 20120027015
    Abstract: A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to Layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g., firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
    Type: Application
    Filed: July 27, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: John C. Carney, Timothy P. Donahue, Michael E. Lipman, David Delano Ward, Doron Oz
  • Patent number: 7990868
    Abstract: A buffer memory may be configured to temporarily store data in a number of queues. A processor may be configured to measure a fullness of the buffer memory. The processor may also be configured to assign sizes to the number of queues based on the fullness of the buffer memory. The processor may also adjust thresholds of drop profiles associated with the number of queues based on the sizes assigned to the number of queues.
    Type: Grant
    Filed: March 24, 2008
    Date of Patent: August 2, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Shawn Gallagher, Stephen Branam, Thomas A LeMaire, Michael E Lipman, Ryan Ross