Abstract: A forwarding system including a plurality of forwarding elements to receive and transmit data and a control element to receive and process route updates, the control element being connected to the forwarding elements and including at least one route management component to transmit one or more route updates to the forwarding elements and synchronize the commitment of the route updates by the forwarding elements.

Abstract: An access control system including a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets, and a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.

Abstract: A method of access control management includes determining a private network address for a user in connection with the user accessing a network resource, determining an access control list entry for the user based on an access control policy, translating a public network address to the private network address for the user accessing the network resource, and allowing or blocking the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.

Abstract: A traffic pattern of data packets that originate at a traffic source and are transmitted through one of multiple ports is monitored. A parameter value characterizing fluctuations a in a transmission rate of data through the port relative to a transmission rate for the monitored traffic pattern is generated, and data packets from the traffic source are allocated to at least one other port for transmission based on the first parameter value.

Abstract: A method and system for label-based packet forwarding among multiple forwarding elements is described. The system includes a plurality of forwarding elements to forward a data packet from an ingress port at which the data packet is received from a network to an egress port from which the data packet will be transmitted to a next hop in the network and a control element coupled to the plurality of forwarding elements to control the forwarding elements. Each forwarding element has one or more label switch tables with one or entries to label data packets for forwarding along a path from the ingress port of one of the plurality of forwarding elements to the egress port of another of the plurality of forwarding elements.

Abstract: A method and apparatus to provide service to an active network node may be described.

Abstract: A flow control system may include a network device having a plurality of network interfaces for receiving and transmitting packets of data, a control element associated with the network device to receive from a security endpoint a security information event which includes rules for decrypting or routing an encrypted packet, and a routing element associated with the network device to route packets based on the rules provided in the security information event.

Abstract: A system for updating classification chains, including but not limited to firewall ACLS, can include a network device having a plurality of interfaces to receive and transmit packets of data, a forwarding element to apply classification rules to the packets, and a packet classification chain that resides at least temporarily on the network device, wherein the chain includes classification rules, an associated action, and an update field to trigger insertion or deletion of the rule.

Abstract: An access control system including a network device having a plurality of network interfaces for receiving and transmitting packets of data, the network device including a forwarding element to apply filter rules to the packets, and a filter rule constructor engine associated with said forwarding element to receive access control rules and decryption information for a security protocol, derive from the access control rules and security information a set of filter rules to be applied to packet headers encrypted with the security protocol, and transmit the set of filter rules to the at least one forwarding element.

Abstract: A forwarding system including a plurality of forwarding elements to receive and transmit data and a control element to receive and process route updates, the control element being connected to the forwarding elements and including at least one route management component to transmit one or more route updates to the forwarding elements and synchronize the commitment of the route updates by the forwarding elements.

Abstract: Method and apparatus for assigning policies which are rules that govern the use of or access to network services. Each rule defines conditions that when evaluated true trigger actions to allow or deny the service. Techniques are disclosed which provide for explicit, flexible, and centralized assignment of policy to targets which are specified network services. These techniques include explicitly associating a policy with a network resource or process, grouping policy related processes, grouping related targets, associating groups of targets with groups of policies, mapping a user name contained in a policy to an associated network address such as an Internet Protocol (IP) address, and providing dynamically mapped policy identified user and host names with associated network addresses, such as IP addresses, to client processes.

Abstract: A method of access control management includes determining a private network address for a user in connection with the user accessing a network resource, determining an access control list entry for the user based on an access control policy, translating a public network address to the private network address for the user accessing the network resource, and allowing or blocking the user access based on the access control list entry, wherein determining the access control list entry is performed before translating the public network address to the private network address.

Abstract: A method and system are disclosed for measuring data traffic with parameters of the token bucket (with queue) traffic shaping model. Based upon measurements of data traffic, token bucket capacity is calculated as a function of token generation. The complexity of the calculations is linearly related to the number of data packets in the traffic pattern.