Abstract: The aggregation of packets in a network controller is described. A packet, destined to a station, is received at a network device having a plurality of processors. The packet is queued into a selected queue of a plurality of queues based at least on an identifier of the station and a category associated with the packet. The packet is aggregated with other packets in a selected queue to create an aggregated packet if the selected queue has reached a predetermined size, and the aggregated packet is transmitted to the destination station.

Abstract: The present disclosure discloses a method and network device for control plane protection for various tables using storm prevention entries. Specifically, the disclosed system receives a first packet, and creates an inactive entry in a table. The system then forwards the first packet from a first processor to a second processor for processing. Also, the system associates the inactive entry with a timestamp indicating when the first packet is forwarded to the second processor, and determines a configured interval (CI) associated with the table. Further, the system compares a difference between a current timestamp and the timestamp associated with the inactive entry against the CI upon receiving a second packet. If the difference is longer than the CI, the system associates the inactive entry with the current timestamp, and forwards the second packet to the second processor for processing. Otherwise, the system discards the second packet.

Abstract: A first data set is derived from a second data set. The first data set is stored in a database of derived data sets. The second data set is updated without updating the first data set, such that the first data set and the second data are inconsistent. The first data set is deleted or updated during batch processing of the database of the derived data sets.

Abstract: The present disclosure discloses a method and network device for a rate limiting mechanism based on device load/capacity or traffic content. Specifically, the system receives a request from a network node, and determines whether a ratio between a current load and a capacity exceeds a threshold. If so, the system determines a wait time period based on current load/capacity ratio, and responds to the network node with a message including the wait time period. Moreover, the system can inspect content of the request to determine a message type, and whether the message type indicates that the request is associated with dependent messages. If so, the system responds to the request with a busy message including the wait time period. Further, the system rejects new session requests if the number of concurrent sessions currently connected to the network device approaches the number of sessions associated with a regression point.

Abstract: The present disclosure discloses a method and network device for an enhanced serialization mechanism. Specifically, the disclosed system receives a plurality of packets from a plurality of transport layer flows corresponding to a security association. Also, the system designates one processor of a plurality of processors to be associated with the security association. Moreover, the system assigns a sequence number to each packet, and transmits the plurality of packets from the plurality of transport layer flows such that packets within the same transport layer flow are transmitted in order of their sequence numbers. However, at least two packets from two different transport layer flows may be transmitted out of incremental order of their sequence number.

Abstract: The present disclosure discloses a method and network device for achieving enhanced performance with multiple CPU cores in a network device having a symmetric multiprocessing architecture. The disclosed method allows for storing, by each central processing unit (CPU) core, a non-atomic data structure, which is specific to each networking CPU core, in a memory shared by the plurality of CPU cores. Also, the memory is not associated with any locking mechanism. In response to a data packet is received by a particular CPU core, the disclosed system will update a value of the non-atomic data structure corresponding to the particular CPU core. The data structure may be a counter or a fragment table. Further, a dedicated CPU core is allocated to process only data packets received from other CPU cores, and is responsible for dynamically responding to queries receives from a control plane process.

Abstract: The present disclosure discloses a method and system for achieving enhanced performance for application message handling. The disclosed system includes a device and is configured to receive, at a first processing layer implemented by the device, a message addressed to a first port. The system is further configured to modify the message to be addressed to a second port indicated in a body of the message prior to forwarding the message to a second processing layer implemented by the device. Furthermore, the system is configured to forward, by the first processing layer to the second processing layer, the modified message addressed to the second port.

Abstract: The present disclosure discloses a method and network device for session based forwarding. Specifically, the disclosed system receives a first packet in a session, and performs a route lookup to determine a route for the first packet. Then, the system caches a reference to the route and a neighbor in the session, and also caches a reference to the session in a tunnel within which packets in the session are to be forwarded. Based on a comparison between the route version number cached in the session and the route version number in a route table corresponding to the route referenced by a route index in the session, the system determines whether the route is stale. If so, the system performs another route lookup to update the route. Moreover, the system uses cached reference to the session in the tunnel for forwarding subsequent packets in the session.

Abstract: According to one embodiment, a method comprises an operation of determining whether an ingress control message is locally terminated control traffic on a digital device prior to the ingress control message being forwarded to a hardware processor of the digital device for processing. A priority is assigned to the ingress control message based on information within the ingress control message, if the ingress control message is determined to be locally terminated control logic.

Abstract: The present disclosure discloses a method and network device for home VLAN identification for roaming mobile clients. Specifically, the disclosed method and system detects that the mobile client has roamed away from a first network to a second network, maintains a mapping between a virtual local area network (VLAN) corresponding to the mobile client and a tunnel corresponding to a foreign agent in the second network, and forwards packets to or from the mobile client on the VLAN based on the mapping between the VLAN and the tunnel via which the packets are received. Therefore, the disclosed method and system allows for identification of home VLANs for roaming mobile clients without merging VLAN policy configurations at the home agent and the foreign agent.

Abstract: The present disclosure discloses a method and network device for home VLAN identification for roaming mobile clients. Specifically, the disclosed method and system detects that the mobile client has roamed away from a first network to a second network, maintains a mapping between a virtual local area network (VLAN) corresponding to the mobile client and a tunnel corresponding to a foreign agent in the second network, and forwards packets to or from the mobile client on the VLAN based on the mapping between the VLAN and the tunnel via which the packets are received. Therefore, the disclosed method and system allows for identification of home VLANs for roaming mobile clients without merging VLAN policy configurations at the home agent and the foreign agent.

Abstract: Assigning clients to VLANs on a digital network. A client attaching to a digital network through a network device is initially assigned to a first VLAN. This VLAN may have restricted access and is used for authentication. The device snoops DHCP traffic on this first VLAN rewriting DHCP traffic from the client to request a short lease time for the client. A short lease time may be on the order of 30 seconds. The device optionally rewrites DHCP traffic to the client on the first VLAN to assure a short lease time is returned; this rewriting supports DHCP servers which do not issue short leases. Traffic on this first VLAN may be limited to authentication such as captive portals, 802.1x, Kerberos, and the like. If client authentication on the first VLAN does not succeed, when the short lease expires, the client will receive another short lease on the first VLAN. The network device snoops authentication traffic.

Abstract: Improved handling of RTP streams in digital networks. A switching device in a digital network such as a controller, bridge, or access point examines streams flowing through the device. The device monitors the initial UDP packets of a stream until a predetermined number of packets have been monitored. The device monitors and fingerprints the header portion of UDP packets, looking for RTP header bit patterns, ignoring certain RTP packet types, and caching others. This fingerprinting process attempts to match cached packet header information against subsequent packets in the stream to detect RTP streams. If the stream is determined to be an RTP stream, then the RTP type from the packet header is used to tag the stream. In one embodiment, such tags are QoS tags. Tagging may also be based on the control session port used.

Abstract: Processing of IGMP control packets in an access point (AP) connected to a digital network. According to the present invention, an AP in a network converts IGMP queries from multicast to unicast and sends these unicast packets to each client of the AP. These IGMP query packets may be filtered or restricted by per-user client rules These IGMP query packets may also be tagged as high priority packets to speed their delivery. The AP also suppresses the retransmission of IGMP Join packets to clients of the AP.

Abstract: Processing of MLD control packets in an access point (AP) connected to a digital network. According to the present invention, an AP in a network converts MLD queries from multicast to unicast and sends these unicast packets to each client of the AP. These MLD query packets may be filtered or restricted by per-user client rules These MLD query packets may also be tagged as high priority packets to speed their delivery. The AP also suppresses the retransmission of MLD Join packets to clients of the AP.

Abstract: Improved handling of multicast streams in digital networks. A switching device in a digital network such as a controller, bridge, or access point examines streams flowing through the device. The device identifies a multicast stream and assigns a stateful session to this stream. QoS marking may be applied to the stream. The device assigns a shaping policy to the stream, assigning it a default value in terms of bandwidth credits. This default value may be dependent on the stream type. The credits used by the stream are evaluated periodically. If the stream has exceeded the allocated bandwidth for the shaping policy, the number of credits are increased by a predetermined factor. If the stream has unused credits, the allocated number of credits are reduced by a predetermined factor. The increase and decrease factors may be tuned, for example, to provide a fast attack and a slow decay. The period used for stream evaluation may be adjusted.

Abstract: A port shutdown protocol coordinates among various components involved in the process of administratively bringing down a link at both ends of a link connecting two switches. Execution of the protocol avoids or reduces frame drops and/or reordering. In this protocol, peer switches perform various actions when bringing down an ISL in a synchronized manner. In one implementation, this protocol uses the Exchange Peer Protocol (EPP) as the underlying transport to carry the port shutdown protocol frames.

Abstract: A technique is provided for facilitating fabric membership login for an N_Port of a storage area network. A communication from a network node is received. The communication may include a portion of criteria associated with the N_Port. Using at least a portion of the portion of criteria, a virtual fabric identifier corresponding to a virtual fabric which is associated with the N_Port may be automatically identified. Fabric configuration information, which includes the virtual fabric identifier, may be automatically provided to the network node. A fabric login request from the N_Port to login to the virtual fabric may then be received. According to a specific embodiment, the communication may be transmitted from a network node to an F_Port on a Fibre Channel switch.

Abstract: A technique is provided for facilitating fabric membership login for an N_Port of a storage area network. A communication from a network node is received. The communication may include a portion of criteria associated with the N_Port. Using at least a portion of the portion of criteria, a virtual fabric identifier corresponding to a virtual fabric which is associated with the N_Port may be automatically identified. Fabric configuration information, which includes the virtual fabric identifier, may be automatically provided to the network node. A fabric login request from the N_Port to login to the virtual fabric may then be received. According to a specific embodiment, the communication may be transmitted from a network node to an F_Port on a Fiber Channel switch.

Abstract: A technique is provided for facilitating fabric membership login for an N13 Port of a storage area network. A communication from a network node is received. The communication may include a portion of criteria associated with the N13 Port. Using at least a portion of the portion of criteria, a virtual fabric identifier corresponding to a virtual fabric which is associated with the N13 Port may be automatically identified. Fabric configuration information, which includes the virtual fabric identifier, may be automatically provided to the network node. A fabric login request from the N13 Port to login to the virtual fabric may then be received. According to a specific embodiment, the communication may be transmitted from a network node to an F13 Port on a Fibre Channel switch.