Abstract: The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.

Abstract: The systems and methods described herein allow for the scaling of output-buffered switches by decoupling the data path from the control path. Some embodiment of the invention include a switch with a memory management unit (MMU), in which the MMU enqueues data packets to an egress queue at a rate that is less than the maximum ingress rate of the switch. Other embodiments include switches that employ pre-enqueue work queues, with an arbiter that selects a data packet for forwarding from one of the pre-enqueue work queues to an egress queue.

Abstract: Processing techniques in a network switch help reduce latency in the delivery of data packets to a recipient. The processing techniques include speculative flow status messaging, for example. The speculative flow status messaging may alert an egress tile or output port of an incoming packet before the incoming packet is fully received. The processing techniques may also include implementing a separate accelerated credit pool which provides controlled push capability for the ingress tile or input port to send packets to the egress tile or output port without waiting for a bandwidth credit from the egress tile or output port.

Abstract: Disclosed are various embodiments for improving hash table utilization. A key corresponding to a data item to be inserted into a hash table can be transformed to improve the entropy of the key space and the resultant hash codes that can generated. Transformation data can be inserted into the key in various ways, which can result in a greater degree of variance in the resultant hash code calculated based upon the transformed key.

Abstract: A system forwards congestion management messages to a source host updating the source address in the management message. The system may determine that the congestion management message was triggered responsive to an initial communication that was previously forwarded by the system. The system may use header translation within a single addressing scheme and/or may translate the congestion management message into a different type to support forwarding to the source of the initial communication. The system may use portions of the payload of the congestion management message to determine the source of the initial communication and to derive a different header for the translated congestion management message.

Abstract: The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receiving a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.

Abstract: Disclosed are various embodiments for providing a data packet with timestamp information. A data packet is generated such that it comprises a payload and a header. The payload comprises a first timestamp field that comprises data indicating when a network device processed the data packet. The payload also comprises a body data field and a body data protocol field. The body data protocol field comprises data identifying a protocol used by body data in the body data field. The header comprises a payload protocol field that comprises data identifying that the payload comprises timestamp data.

Abstract: Network devices perform multiple stage path resolution. The path resolution may be ECMP resolution. Any particular stage of the multiple stage path resolution may be skipped under certain conditions. Further, the network device facilitate redistribution of traffic when a next hop goes down in a fast, efficient manner, and without reassigning traffic that was going to other unaffected next hops, using multiple stage ECMP resolution.

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract: In various embodiments, a system includes a switch comprising a resource that is shared between multiple objects. The switch comprises circuitry that determines a congestion metric for the switch in response to an amount of used of the resource by the objects. The circuitry determines a feedback parameter that is responsive to the congestion metric. The circuitry generates a congestion notification message that comprises a congestion feedback value responsive to the feedback parameter. In further embodiments, a system includes a switch that processes data for a first data link layer access network. The switch includes circuitry that identifies whether a received packet originated from a source device that shares the same network layer access layer as the switch. If the source device shares the same network layer access network as the switch, the circuitry generates a congestion notification message comprising a congestion feedback value for the switch.

Abstract: Disclosed are various embodiments for facilitating network flows in a networked environment. In various embodiments, a switch transmits data using an egress port that comprises an egress queue. The switch sets a congestion notification threshold for the egress queue. The switch generates a drain rate metric based at least in part on a drain rate for the egress queue, and the congestion notification threshold is adjusted based at least in part on the drain rate metric.

Abstract: Methods and apparatus for dynamic load balancing using virtual link credit accounting are disclosed. An example method includes receiving, at a network device, a data packet to be communicated using an aggregation group, the aggregation group including a plurality of virtual links having a common destination. The example method further includes determining a hash value based on the packet and determining an assigned virtual link of the plurality of virtual links based on the hash value. The example method also includes reducing a number of available transmission credits for the aggregation group and reducing a number of available transmission credits for the assigned virtual link. The example method still further includes communicating the packet to another network device using the assigned virtual link.

Abstract: A switch architecture includes an ingress module, ingress fabric interface module, and a switch fabric. The switch fabric communicates with egress fabric interface modules and egress modules. The architecture implements multiple layers of congestion management. The congestion management may include fast acting link level flow control and more slowly acting end-to-end flow control. The switch architecture simultaneously provides high scalability, with low latency and low frame loss.

Abstract: Aspects of oversubscription monitoring are described. In one embodiment, oversubscription monitoring includes accumulating an amount of data that arrives at a network component over at least one epoch of time. Further, a core processing rate at which data can be processed by the network component is calculated. Based on the amount of data and the core processing rate, it is determined whether the network component is operating in an oversubscribed region of operation. In one embodiment, when the network component is operating in the oversubscribed region of operation, certain quality of service metrics are monitored. Using the monitored metrics, a network operation display object may be generated for identifying or troubleshooting network errors during an oversubscribed region of operation of the network component.

Abstract: Network devices facilitate flow management through packet marking. The network devices may be switches, routers, bridges, hubs, or any other network device. The packet marking may include analyzing received packets to determine when the received packets meet a marking criterion, and then applying a configurable marking function to mark the packets in a particular way. The marking capability may facilitate deadline aware end-to-end flow management, as one specific example. More generally, the marking capability may facilitate traffic management actions such as visibility actions and flow management actions.

Abstract: Embodiments relate to forwarding of packets in link aggregation environments. A method for forwarding a packet through an extended switch including a first port extender and a second port extender directly or indirectly communicatively coupled to respectively a first interface and a second interface of a controlling bridge includes, associating a first port extender interface of the first port extender with a global namespace or an interface-specific namespace. The method further includes receiving a packet through the first port extender interface, marking the received packet with an indication of the namespace configuration of the first port extender interface, processing the marked packet in the controlling bridge based at least in part upon the indication, and transmitting the processed packet out of the controlling bridge.

Abstract: Network devices facilitate network tracing using tracing packets that travel through the network devices. The network devices may be switches, routers, bridges, hubs, or any other network device. The network tracing may include sending tracing packets down each of multiple routed paths between a source and a destination, at each hop through the network, or through a selected subset of the paths between a source and a destination. The network devices may add tracing information to the tracing packets, which an analysis system may review to determine characteristics of the network and the characteristics of the potentially many paths between a source and a destination.

Abstract: Disclosed are various embodiments that relate to a network switch. The switch determines whether a network packet is associated with a packet processing context, the packet processing context specifying a condition of handling network packets processed in the switch. The switch determines debug metadata for the network packet in response to the network packet being associated with the packet processing context; and the debug metadata is stored in a capture buffer.

Abstract: The present invention provides a system and method for dynamically selecting an authentication virtual server from a plurality of authentication virtual servers. A traffic management virtual server may determine from a request received from a client to access content of a server that the client has not been authenticated. The traffic management virtual server can identify a policy for selecting an authentication virtual server to provide authentication of the client. Responsive to the identification, the traffic management virtual server can select, via the policy, an authentication virtual server of the plurality of authentication virtual servers to authenticate the client. Responsive to the request, the traffic management virtual server may transmit a response to the client The response includes an instruction to redirect to the selected authentication virtual server.

Abstract: A method for managing data traffic operating on a deadline is provided. The method includes receiving, on an intermediate node, a packet having one or more traffic characteristics. The method also includes evaluating, on the intermediate node, the one or more traffic characteristics to determine a priority of the packet. The method also includes selecting one of multiple queues on the intermediate node based on the determined priority. The method also includes processing, on the intermediate node, the packet based on the determined priority. The method also includes enqueuing the processed packet into the selected queue. The method further includes outputting the queued packet from the selected queue.