Foundry Networks, Inc. Patent applications
Patent application number | Title | Published |
20130259037 | DUPLICATING NETWORK TRAFFIC THROUGH TRANSPARENT VLAN FLOODING - An approach to duplicating network traffic is described. In one approach, a method of creating multiple copies of network traffic is detailed. The method involves receiving network traffic, producing a duplicate copy of the network traffic, and forwarding the duplicate copy to a monitoring port. The monitoring port forwards copies to a number of indicated ports. | 10-03-2013 |
20120166760 | HIGH SPEED COUNTER DESIGN - Techniques for incrementing counters in an efficient manner. In one set of embodiments, counter logic circuits are provided that can operate at higher frequencies than existing counter logic circuits, while being capable of being implemented in currently available field programmable gate arrays (FPGAs) or fabricated using currently available process technologies. The counter logic circuits of the present invention may be used to increment statistics counters in network devices that support line speeds of 40 Gbps, 100 Gbps, and greater. | 06-28-2012 |
20120166512 | High speed design for division & modulo operations - Techniques for efficiently performing division and modulo operations in a programmable logic device. In one set of embodiments, the division and modulo operations are synthesized as one or more alternative arithmetic operations, such as multiplication and/or subtraction operations. The alternative arithmetic operations are then implemented using dedicated digital signal processing (DSP) resources, rather than non-dedicated logic resources, resident on a programmable logic device. In one embodiment, the programmable logic device is a field-programmable gate array (FPGA), and the dedicated DSP resources are pre-fabricated on the FPGA. Embodiments of the present invention may be used in Ethernet-based network devices to support the high-speed packet processing necessary for 100G Ethernet, 32-port (or greater) trunking, 32-port/path (or greater) load balancing (such as 32-path ECMP), and the like. | 06-28-2012 |
20120163389 | TECHNIQUES FOR SELECTING PATHS AND/OR TRUNK PORTS FOR FORWARDING TRAFFIC FLOWS - Techniques that offer enhanced diversity in the selection of paths (e.g., ECMP paths) and/or ports from ports associated with trunks for forwarding data traffic. In one embodiment, one or more functions are used to generate a result. A first portion of the generated result may be used as an index (e.g., ECMP index) for selecting a path (e.g., an ECMP path) from multiple possible paths for forwarding a packet. A second portion of the generated result, different from the first portion, may be used as an index (trunk index) for selecting an output port from multiple output ports associated with a trunk for forwarding a packet. In this manner, selected portions of the generated result may be used as indices, one for selecting a path and another for selecting a trunk port for forwarding packets such that the two indices are not the same and are not dependent upon one another. | 06-28-2012 |
20120131671 | Securing An Access Provider - To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider. | 05-24-2012 |
20110002340 | PIPELINE METHOD AND SYSTEM FOR SWITCHING PACKETS - A switching device comprising one or more processors coupled to a media access control (MAC) interface and a memory structure for switching packets rapidly between one or more source devices and one or more destination devices. Packets are pipelined through a series of first processing segments to perform a plurality of first sub-operations involving the initial processing of packets received from source devices to be buffered in the memory structure. Packets are pipelined through a series of second processing segments to perform a plurality of second sub-operations involved in retrieving packets from the memory structure and preparing packets for transmission. Packets are pipelined through a series of third processing segments to perform a plurality of third sub-operations involved in scheduling transmission of packets to the MAC interface for transmission to one or more destination devices. | 01-06-2011 |
20100333191 | SYSTEM AND METHOD FOR PROTECTING CPU AGAINST REMOTE ACCESS ATTACKS - A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit (ASIC), in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router. | 12-30-2010 |
20100299544 | Enabling/Disabling Power-Over-Ethernet Software Subsystem In Response To Power Supply Status - An Ethernet switch includes 12-Volt and 48-Volt power sourcing modules, system software, Ethernet interface modules and optional power over Ethernet (PoE) modules. The Ethernet interface modules are motherboards that include the circuitry required to implement a non-PoE system. The PoE modules are daughter boards that include the circuitry required to supply powered devices in a PoE subsystem. A PoE module may be connected to a corresponding Ethernet interface module. During start up, all of the Ethernet interface modules are first powered up in response to the 12-Volt power sourcing module. If the system software subsequently determines that the 48-Volt power sourcing module is operational, then (and only then) the system software attempts to detect the presence of any PoE modules. Upon detecting one or more PoE modules, the PoE modules are initialized and configured, thereby enabling PoE operation. | 11-25-2010 |
20100299427 | CONFIGURABLE GEOGRAPHIC PREFIXES FOR GLOBAL SERVER LOAD BALANCING - In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client. | 11-25-2010 |
20100293296 | GLOBAL SERVER LOAD BALANCING - A global server load balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches which are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list. | 11-18-2010 |
20100254255 | REDUNDANCY SUPPORT FOR NETWORK ADDRESS TRANSLATION (NAT) - Stateful failover redundancy support is provided for network address translation (NAT). A master NAT device is backed-up with at least one back-up NAT device. Existing sessions are synchronized between the two NAT devices, such as via a dedicated link between them. In the event of a failover where the master NAT device is unable to perform its NAT functions, ownership of Internet protocol (IP) addresses is transferred from the master NAT device to the back-up NAT device. The back-up NAT device, which is now owner of the IP addresses, assumes the NAT functionality associated with these IP addresses and continues the existing sessions, as well as processing new sessions. | 10-07-2010 |
20100246588 | SYSTEM ARCHITECTURE FOR VERY FAST ETHERNET BLADE - The system of the present invention provides data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. The system comprises a media access control (MAC) interface to facilitate receipt and transmission of packets over a physical interface. A first field programmable gate array is coupled to the MAC interface and operative to receive packets from the MAC interface and configured to perform initial processing of packets, which are dispatched to a first memory. A second field programmable gate array is operative to retrieve packets from the first memory and configured to compute an appropriate destination, which is used to dispatch packets to a backplane. A third field programmable gate array is provided that is operative to receive packets from the backplane and configured to organize the packets for transmission, which are dispatched to a second memory. A fourth field programmable gate array is coupled to the MAC interface and operative to retrieve packets from the second memory and configured to schedule the transmission of packets to the MAC interface for transmission to one or more destination devices. | 09-30-2010 |
20100235506 | SECURING AN ACCESSIBLE COMPUTER SYSTEM - To secure an accessible computer system, the computer system is monitored for connection transactions. An access requestor is denied access to the computer system when the access requestor initiates a number of connection transactions that exceed a configurable threshold number during a first configurable period of time. The monitoring may include detecting connection transactions initiated by the access requestor, counting the number of connection transactions initiated by the access requestor during the first configurable period of time, and comparing the number of connection transactions initiated by the access requestor during the first configurable period of time to the configurable threshold number. | 09-16-2010 |
20100223621 | Statistical tracking for global server load balancing - Server load-balancing operation-related data, such as data associated with a system configured for global server load balancing (GSLB) that orders IP addresses into a list based on a set of performance metrics, is tracked. Such operation-related data includes inbound source IP addresses (e.g., the address of the originator of a DNS request), the requested host and zone, identification of the selected “best” IP addresses resulting from application of a GSLB algorithm and the selection metric used to decide on an IP address as the “best” one. Furthermore, the data includes a count of the selected “best” IP addresses selected via application of the GSLB algorithm, and for each of these IP addresses, the list of deciding performance metrics, along with a count of the number of times each of these metrics in the list was used as a deciding factor in selection of this IP address as the best one. This tracking feature allows better understanding of GSLB policy decisions (such as those associated with performance, maintenance, and troubleshooting) and intelligent deployment of large-scale resilient GSLB networks. | 09-02-2010 |
20100220742 | SYSTEM AND METHOD FOR ROUTER QUEUE AND CONGESTION MANAGEMENT - In a multi-QOS level queuing structure, packet payload pointers are stored in multiple queues and packet payloads in a common memory pool. Algorithms control the drop probability of packets entering the queuing structure. Instantaneous drop probabilities are obtained by comparing measured instantaneous queue size with calculated minimum and maximum queue sizes. Non-utilized common memory space is allocated simultaneously to all queues. Time averaged drop probabilities follow a traditional Weighted Random Early Discard mechanism. Algorithms are adapted to a multi-level QOS structure, floating point format, and hardware implementation. Packet flow from a router egress queuing structure into a single egress port tributary is controlled by an arbitration algorithm using a rate metering mechanism. The queuing structure is replicated for each egress tributary in the router system. | 09-02-2010 |
20100220723 | METHOD FOR PROVIDING SCALABLE MULTICAST SERVICE IN A VIRTUAL PRIVATE LAN SERVICE - Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS-type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group addresses can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packets for the VPLS. | 09-02-2010 |
20100217863 | Securing An Access Provider - To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider. | 08-26-2010 |
20100211626 | Method and apparatus for maintaining longer persistent connections - A hypertext transfer protocol (HTTP) connection between a client terminal and a server includes a client-side connection and a server-side connection. Different techniques are used to extend the persistence of the HTTP connection. These techniques include keeping the server-side connection persistent if the client terminal sends a RESET to the server, keeping the server-side connection persistent but closing the client-side connection if the client terminal sends a RESET or a FIN packet to the server, rewriting a “Connection: Close” header in a request to a “Connection: Keep-Alive,” inserting a “Connection: Keep-Alive” in a header of a request, modifying a “Connection: Close” header in a request, and changing the HTTP version value in a request. | 08-19-2010 |
20100208738 | SYSTEM AND METHOD FOR ROUTER VIRTUAL NETWORKING - A host router is logically partitioned into virtual router domains (v-nets) that manage independent processes and routing application copies but share a common operating system. Each v-net manages an independent set of sockets and host router interfaces, each associated with only one v-net at one time, but interchangeably repartitionable. Traffic is removed from an interface during repartitioning. Duplicate arrays of global variables copied to each v-net are accessed by macro references. A v-net facility can separate route tables used internally from the externally visible route tables and can avoid conflicts between internal and external IP addresses that share the same identifier. For example, a common FreeBSD operating system supports a dynamic routing protocol (DRP) application. Each v-net runs an independent copy of the DRP software and is logically independent. A failure in one DRP copy does not adversely affect other copies. | 08-19-2010 |
20100195661 | Optimizations and Enhancements to the IEEE RSTP 802.1w Implementation - A method for supporting dynamic configuration changes comprises receiving a message from a current root bridge, comparing a bridge media access control (MAC) address of a receiving port to a bridge MAC address of the received message, if the bridge MAC addresses are the same, then comparing a current priority value with a previous priority value of the current root bridge, determining if the receiving port is a qualified root port, and if the port is a qualified root port, then returning a superior designated message to execute an RSTP calculation. | 08-05-2010 |
20100161894 | DOUBLE DENSITY CONTENT ADDRESSABLE MEMORY (CAM) LOOKUP SCHEME - The number of content addressable memory (CAM) lookups is reduced from two to one. Each side (left and right sides) of a CAM is programmed with network addresses, such as IP addresses, based on certain bits of the network addresses. These bits of the network addresses (which represent packet routes) are examined and used to determine whether the particular network address is to be placed on the left or right sides of the CAM. The grouping of certain network addresses either on the left or right sides of the CAM can be performed by examining an individual bit of each network address, by performing an exclusive OR (XOR) operation on a plurality of bits of each network address, and/or by searching for bit patterns of the network address in a decision table. Network addresses that cannot be readily assigned to a particular side of the CAM using these grouping techniques are programmed into both sides of the CAM. During packet routing, techniques similar to the grouping techniques that populated the CAM are used to determine which of the two sides of the CAM is to be searched. | 06-24-2010 |
20100153558 | GLOBAL SERVER LOAD BALANCING - A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches or based on other metric information. Examples of metrics include weighted site, weighted IP, and active bindings metrics. The GSLB switch places the address that is deemed “best” at the top of the list. | 06-17-2010 |
20100150148 | Method and system for IP fragmentation handling - In a network, packets are fragmented into head and non-head fragments. Non-head fragments are saved up front at an entry point, while a network switch forwards only the head fragment to Layer 4-Layer 7 (L4-L7) features for processing. The switch records changes that are performed on the head fragment's fields by the L4-L7 features while they process the head fragment. At an exit point, fields of the saved non-head fragments are overwritten with information that was recorded for the head fragment. This can include updating or modifying the source and destination parameters of the non-head fragments in an intelligent manner by reusing the results of the packet processing that was performed on the head fragment. This fragmentation handling technique avoids having to redundantly process the non-head fragments in the same manner as the head fragments. | 06-17-2010 |
20100135313 | NETWORK ROUTING SYSTEM FOR ENHANCED EFFICIENCY AND MONITORING CAPABILITY - According to an embodiment of the invention, a network device such as a router or switch provides efficient data packet handling capability. The network device includes one or more input ports for receiving data packets to be routed, as well as one or more output ports for transmitting data packets. The network device includes an integrated port controller integrated circuit for routing packets. The integrated circuit includes an interface circuit, a received packets circuit, a buffer manager circuit for receiving data packets from the received packets circuit and transmitting data packets in one or more buffers and reading data packets from the one or more buffers. The integrated circuit also includes a rate shaper counter for storing credit for a traffic class, so that the integrated circuit can support input and/or output rate shaping. The integrated circuit may be associated with an IRAM, a CAM, a parameter memory configured to hold routing and/or switching parameters, which may be implemented as a PRAM, and an aging RAM, which stores aging information. The aging information may be used by a CPU coupled to the integrated circuit via a system interface circuit to remove entries from the CAM and/or the PRAM when an age count exceeds an age limit threshold for the entries. | 06-03-2010 |
20100121932 | Distributed health check for global server load balancing - A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. This operational information includes health check information that is remotely obtained in a distributed manner from remote metric agents at the site switches. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics, including the health check metric that evaluates these IP addresses based on the health check information communicated to the GSLB switch in a distributed manner by the distributed health check site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list. | 05-13-2010 |
20100115133 | CONFIGURABLE GEOGRAPHIC PREFIXES FOR GLOBAL SERVER LOAD BALANCING - In a load balancing system, user-configurable geographic prefixes are provided. IP address prefix allocations provided by the Internet Assigned Numbers Authority (IANA) and associated geographic locations are stored in a first, static database in a load balancing switch, along with other possible default geographic location settings. A second, non-static database stores user-configured geographic settings. In particular, the second database stores Internet Protocol (IP) address prefixes and user-specified geographic regions for those prefixes. The specified geographic region can be continent, country, state, city, or other user-defined region. The geographic settings in the second database can override the information in the first database. These geographic entries help determine the geographic location of a client and host IP addresses, and aid in directing the client to a host server that is geographically the closest to that client. | 05-06-2010 |
20100106999 | TECHNIQUES FOR DETERMINING LOCAL REPAIR PATHS USING CSPF - Techniques for computing a path for a local repair connection to be used to protect a connection traversing an original path from an ingress node to an egress node. The computed path originates at a node (start node) in the original path and terminates at another node (end node) in the original path that is downstream from the start node. A Constraint Shortest Path First (CSPF) algorithm may be used to compute the path. The computed path is such that it satisfies one or more constraints and does not traverse a path from a first node in the original path to a second node in the original path, wherein the first and second nodes are upstream from the start node in the original path and the second node is downstream from the first node in the original path. A local repair connection may then be signaled using the computed path. | 04-29-2010 |
20100100671 | DOUBLE DENSITY CONTENT ADDRESSABLE MEMORY (CAM) LOOKUP SCHEME - The number of content addressable memory (CAM) lookups is reduced from two to one. Each side (left and right sides) of a CAM is programmed with network addresses, such as IP addresses, based on certain bits of the network addresses. These bits of the network addresses (which represent packet routes) are examined and used to determine whether the particular network address is to be placed on the left or right sides of the CAM. The grouping of certain network addresses either on the left or right sides of the CAM can be performed by examining an individual bit of each network address, by performing an exclusive OR (XOR) operation on a plurality of bits of each network address, and/or by searching for bit patterns of the network address in a decision table. Network addresses that cannot be readily assigned to a particular side of the CAM using these grouping techniques are programmed into both sides of the CAM. During packet routing, techniques similar to the grouping techniques that populated the CAM are used to determine which of the two sides of the CAM is to be searched. | 04-22-2010 |
20100095008 | Global server load balancing support for private VIP addresses - A site switch determines the mapping between public and private IP addresses of VIPs configured on the site switch. The site switch then transmits the public IP address, rather than the private IP address, to a load balancing switch that performs the load balancing for network resources accessible via the site switch. This public IP address has also been configured on an authoritative DNS server for which the load balancing switch serves as a proxy. The load balancing switch updates its address records, containing the VIPs configured on the site switch, with the public address of the VIP. When the load balancing switch reorders a DNS reply from the authoritative DNS server for a domain containing the public address, the load balancing switch correctly identifies the IP address as a VIP on the site switch and applies appropriate load balancing metrics to the received IP address. | 04-15-2010 |
20100082787 | Global server load balancing - A global server load-balancing (GSLB) switch serves as a proxy to an authoritative DNS and communicates with numerous site switches that are coupled to host servers serving specific applications. The GSLB switch receives from site switches operational information regarding host servers within the site switches' neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list. | 04-01-2010 |
20100077447 | Authentication techniques - Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner. | 03-25-2010 |
20100061393 | System and Method for High Speed Packet Transmission - The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates first and second field programmable gate arrays (FPGAs) coupled to the MAC interfaces and associated first and second memory structures; the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interfaces for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures. A third FPGA, coupled to the first and second memory structures and a backplane, is operative to retrieve and dispatch packets to and from the first and second memory structures, compute appropriate destinations for packets and organize packets for transmission. The third FPGA is further operative to receive and dispatch packets to and from the backplane. | 03-11-2010 |
20100061236 | SMOOTHING ALGORITHM FOR ROUND TRIP TIME (RTT) MEASUREMENTS - A smoothing algorithm for round trip time (RTT) measurements is provided to a network device to effectively deal with variations or other potential anomalies that may occur in RTT measurements. The algorithm involves first determining what should be considered a very high or a very small value for an RTT sample. If a new RTT sample is in an acceptable range, then the network device performs a relatively basic smoothing. If the new RTT sample is much higher than the current RTT value, then the network device ignores the value of this RTT sample a few times. If the network device still detects this large value after ignoring that value for some time, then the network device factors this value into the current RTT value using an additive increase. Similarly, if the value of the new RTT sample is much lower than the current RTT value, the network device ignores the value of the new RTT sample a few times. If the network device still sees this small/low value after ignoring that value for some time, then the network device factors this value into the current RTT value using a multiplicative decrease. An effective RTT value results, which can be used singly or in combination with other metrics to load balance network traffic. | 03-11-2010 |
20100049999 | System Software For Managing Power Allocation To Ethernet Ports In The Absence of Mutually Exclusive Detection And Powering Cycles In Hardware - A method of allocating power to ports in an Ethernet switch, including: ( | 02-25-2010 |
20100046521 | System and Method for High Speed Packet Transmission - The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates first and second field programmable gate arrays (FPGAs) coupled to the MAC interfaces and associated first and second memory structures; the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interfaces for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures. A third FPGA, coupled to the first and second memory structures and a backplane, is operative to retrieve and dispatch packets to and from the first and second memory structures, compute appropriate destinations for packets and organize packets for transmission. The third FPGA is further operative to receive and dispatch packets to and from the backplane. | 02-25-2010 |
20100034215 | Backplane Interface Adapter with Error Control - A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric. | 02-11-2010 |
20100023618 | SYSTEM AND METHOD FOR SUPPLICANT BASED ACCOUNTING AND ACCESS - The method of the present invention comprises initiating a connection to a port on an access device by a supplicant and associating supplicant identification information with the port. The access device may comprise any network connectivity device, including a wireless access point. Data packets transmitted over the port by the supplicant are statistically sampled as they are transmitted, with each of the sample data packets also associated with the supplicant identification information. The sample data packets are stored according to their associated supplicant identification information in order to perform accounting. The sample data packets, with the supplicant identification information, are sent to a network management system where the data is archived and presented in a human readable form, e.g., charts, etc. | 01-28-2010 |
20100011126 | GLOBAL SERVER LOAD BALANCING - A global server load balancing (GSLB) switch serves as a proxy for an authoritative DNS and communicates with numerous site switches, which are coupled to host servers serving specific applications. The GSLB switch receives from the site switches operational information regarding the host servers in each site switch's neighborhood. When a client program requests a resolution of a host name, the GSLB switch, acting as a proxy of an authoritative DNS, returns one or more ordered IP addresses for the host name. The IP addresses are ordered using metrics that include the information collected from the site switches. In one instance, the GSLB switch places the address that is deemed “best” at the top of the list. | 01-14-2010 |
20100011120 | CANONICAL NAME (CNAME) HANDLING FOR GLOBAL SERVER LOAD BALANCING - Canonical name (CNAME) handling is performed in a system configured for global server load balancing (GSLB), which orders IP addresses into a list based on a set of performance metrics. When the GSLB switch receives a reply from an authoritative DNS server, the GSLB switch scans the reply for CNAME records. If a CNAME record is detected and it points to a host name configured for GSLB, then a GSLB algorithm is applied to the reply. This involves identifying the host name (pointed to by the CNAME record) in the reply and applying the metrics to the list of returned IP addresses corresponding to that host name, to reorder the list to place the “best” IP address at the top. If the CNAME record in the reply points to a host name that is not configured for GSLB, then the GSLB switch sends the reply unaltered to the inquiring client. | 01-14-2010 |
20100010991 | HOST-LEVEL POLICIES FOR GLOBAL SERVER LOAD BALANCING - In a network, a user can configure host-level policies usable for load balancing traffic to servers of a domain. A global server load balancing (GSLB) switch provides load balancing to the servers, and is configured with the GSLB host-level policies. Users can define a host-level policy (alternatively or additionally to a globally applied GSLB policy) and apply the host-level policy to hosts in domains configured on the GSLB switch. Thus, the user can enable different policies for different hosts. This allows the user to have the flexibility to control metrics used for selection of a best address for querying clients, as well as the metric order and additional parameters used in the GSLB process, at the host level. | 01-14-2010 |
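The three GSLB abstracts above (metric-ordered replies, CNAME following, and host-level policies overriding a global policy) fit together as one reply-rewriting step. The following is an added example that is not the applications' code: the DNS reply is a constructed dict rather than wire-format DNS, the site metrics, the metric names and the policy structure are assumptions, and the "best" ordering is a plain lexicographic sort over the configured metric order.

```python
# Added example (not from the applications): GSLB reply reordering with CNAME
# handling and per-host metric policies. Data structures and metrics are assumed.

# Constructed operational data as if reported by site switches: health is 1 for
# up, 0 for down; load is a utilisation percentage; rtt_ms a measured round trip.
SITE_METRICS = {
    "192.0.2.10": {"health": 1, "load": 70, "rtt_ms": 40},
    "192.0.2.20": {"health": 1, "load": 20, "rtt_ms": 90},
    "192.0.2.30": {"health": 0, "load": 5,  "rtt_ms": 10},
}

# Direction of each metric: True means a lower value is better.
BETTER_LOWER = {"health": False, "load": True, "rtt_ms": True}

GLOBAL_POLICY = ["health", "rtt_ms", "load"]                        # default metric order
HOST_POLICIES = {"www.example.com": ["health", "load", "rtt_ms"]}   # host-level override


def metric_key(addr, order):
    """Sort key for one address under a metric order; smaller sorts first."""
    m = SITE_METRICS.get(addr)
    if m is None:
        return (1,)                      # address with no site data sorts after all known ones
    key = [0]
    for name in order:
        v = m[name]
        key.append(v if BETTER_LOWER[name] else -v)
    return tuple(key)


def resolve_cname(reply, qname):
    """Follow CNAME records contained in the reply; return the final host name."""
    name = qname
    seen = set()
    while name in reply["cname"] and name not in seen:
        seen.add(name)                   # guard against a CNAME loop in a hostile reply
        name = reply["cname"][name]
    return name


def gslb_order(reply, gslb_hosts, host_policies=HOST_POLICIES):
    """Return the reply with the A records of a GSLB-configured host reordered.

    reply = {"qname": str, "cname": {alias: target}, "a": {host: [addr, ...]}}
    A reply whose final host is not configured for GSLB is returned unaltered.
    """
    host = resolve_cname(reply, reply["qname"])
    if host not in gslb_hosts:
        return reply
    policy = host_policies.get(host, GLOBAL_POLICY)
    ordered = sorted(reply["a"].get(host, []), key=lambda a: metric_key(a, policy))
    new_reply = dict(reply)
    new_reply["a"] = dict(reply["a"])
    new_reply["a"][host] = ordered
    return new_reply


# Constructed reply: the query name is a CNAME for a host that is under GSLB.
REPLY = {
    "qname": "web.example.com",
    "cname": {"web.example.com": "www.example.com"},
    "a": {"www.example.com": ["192.0.2.30", "192.0.2.10", "192.0.2.20"]},
}

if __name__ == "__main__":
    print(gslb_order(REPLY, {"www.example.com"})["a"]["www.example.com"])
    print(gslb_order(REPLY, {"www.example.com"}, host_policies={})["a"]["www.example.com"])
```

With the host-level policy (health, then load) the least loaded healthy server comes first; under the global policy (health, then RTT) the lowest-RTT healthy server does. The down server sorts last in both cases, and a reply whose CNAME target is not configured for GSLB passes through untouched.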
20090307773 | SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected. | 12-10-2009 |
20090300759 | ATTACK PREVENTION TECHNIQUES - Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions. | 12-03-2009 |
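An added example of the two responses named in that abstract, drop-for-a-period and rate-limit-the-port-for-a-period, driven by an ACL match. This is illustrative code, not the application's implementation: the ACL field set and syntax, the token-bucket limiter, the re-arming behaviour of the drop timer and the constructed packets are assumptions. The clock is injectable so the timers can be exercised deterministically.

```python
# Added example (not from the application): ACL-triggered attack responses.
import time

# Constructed ACL: every non-None field must match. Matching packets are treated
# as potential attack packets and the rule's action is armed for `seconds`.
ACL = [
    {"proto": "udp", "dst_port": 53, "flags": None,
     "action": "rate_limit", "pps": 2, "seconds": 60},
    {"proto": "tcp", "dst_port": 23, "flags": "SYN",
     "action": "drop", "seconds": 30},
]


class AttackGuard:
    def __init__(self, acl, clock=time.monotonic):
        self.acl = acl
        self.clock = clock
        self.drop_until = {}   # rule index -> deadline while matching packets are dropped
        self.limits = {}       # in_port -> {"until", "pps", "tokens", "last"}

    def _match(self, pkt):
        for i, rule in enumerate(self.acl):
            if all(rule[k] is None or rule[k] == pkt.get(k)
                   for k in ("proto", "dst_port", "flags")):
                return i
        return None

    def _port_allows(self, port, now):
        """Token bucket for a rate-limited port; True when the packet may pass."""
        st = self.limits.get(port)
        if st is None or st["until"] <= now:
            return True                                   # no active limit on this port
        st["tokens"] = min(st["pps"], st["tokens"] + (now - st["last"]) * st["pps"])
        st["last"] = now
        if st["tokens"] >= 1.0:
            st["tokens"] -= 1.0
            return True
        return False

    def handle(self, pkt):
        """Classify one packet and return 'forward' or 'drop'."""
        now = self.clock()
        port = pkt["in_port"]
        i = self._match(pkt)
        if i is not None:
            rule = self.acl[i]
            if rule["action"] == "drop":
                self.drop_until[i] = now + rule["seconds"]          # (re)arm the drop window
            else:                                                    # rate_limit
                st = self.limits.get(port)
                if st is None or st["until"] <= now:
                    st = {"pps": float(rule["pps"]), "tokens": float(rule["pps"]), "last": now}
                    self.limits[port] = st
                st["until"] = now + rule["seconds"]                 # extend the limit window
        if i is not None and self.drop_until.get(i, 0) > now:
            return "drop"
        if not self._port_allows(port, now):
            return "drop"          # port limit applies to all traffic on that port, matched or not
        return "forward"


if __name__ == "__main__":
    g = AttackGuard(ACL)
    burst = {"proto": "udp", "dst_port": 53, "flags": None, "in_port": 1}
    print([g.handle(burst) for _ in range(4)])   # constructed DNS burst on port 1
```

Note the side effect a practitioner should expect: once a port is rate limited, unrelated traffic arriving on that port shares the bucket, so a spoofed burst can degrade a legitimate host behind the same port. That is the trade-off between the two actions the abstract lists.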
20090299791 | Method and system for management of licenses - Licensed connections to network resources or services, such as servers or applications, are managed, including setting, limiting, monitoring, enforcing, recording, reporting, or otherwise managing licenses across multiple network resources. Real-time information that tracks license usage is logged. Reporting features are provided to allow a system administrator, vendor, network operator, or other entity to access the log information to determine license usage and compliance. Layer | 12-03-2009 |
20090296565 | SYSTEM AND METHOD FOR PROVIDING NETWORK ROUTE REDUNDANCY ACROSS LAYER 2 DEVICES - Systems and methods are described for providing network route redundancy through Layer 2 devices, such as a loop free Layer 2 network having a plurality of switching devices. A virtual switch is coupled to the loop free Layer 2 network, the virtual switch having two or more switches configured to transition between master and backup modes to provide redundant support for the loop free Layer 2 network, the switches communicating their status through use of a plurality of redundancy control packets. The system also includes means for allowing the redundancy control packets to be flooded through the Layer 2 network. The means may include time-to-live data attached to the redundancy control packet which is decremented only when the packets are transferred through devices which are configured to recognize the protocol used in redundancy control packets. | 12-03-2009 |
20090292943 | TECHNIQUES FOR DETERMINING LOCAL REPAIR CONNECTIONS - Techniques for configuring a local repair connection for a protected connection including determining a path for the local repair connection. The path traversed by a local repair connection starts at a node in the path associated with the protected connection and ends at a merge point node in the path associated with the protected connection that is downstream from the start node. In one embodiment, the merge point node may even be more than two hops downstream from the start node in the path associated with the protected connection. The local repair path may include zero or more nodes that are not included in the path associated with the protected connection. Techniques are also described for optimizing the path associated with a local repair connection. | 11-26-2009 |
20090292942 | TECHNIQUES FOR DETERMINING OPTIMIZED LOCAL REPAIR PATHS - Techniques for finding an optimized local repair path that may be used to signal a local repair connection for a protected connection. The optimized local repair path starts at a node in the path associated with the protected connection and ends at a merge point node in the path associated with the protected connection that is downstream from the start node. Various techniques may be used for finding an optimized local repair path. | 11-26-2009 |
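The two local-repair abstracts above describe a detour that starts at a node on the protected path, avoids the failed next hop, and rejoins at a merge point that may be more than two hops downstream, with some rule for choosing the best such detour. The following is an added example of that search, not code from the applications: the topology and link costs are constructed, the detour must avoid the protected next hop and all upstream nodes (node protection, loop avoidance), candidate detours that pass through another protected-path node before their merge point are rejected, and the "optimized" choice is taken as the lowest total cost from the start node to the end of the protected path, earliest merge point on a tie. That selection rule is an assumption.

```python
# Added example (not from the applications): local repair path selection.
import heapq

# Constructed topology: protected path A-B-C-D-E plus detour links.
GRAPH = {
    "A": {"B": 1, "X": 1, "Z": 5},
    "B": {"A": 1, "C": 1, "Y": 2},
    "C": {"B": 1, "D": 1, "Z": 5},
    "D": {"C": 1, "E": 1, "Y": 1},
    "E": {"D": 1},
    "X": {"A": 1, "Y": 1},
    "Y": {"X": 1, "D": 1, "B": 2},
    "Z": {"A": 5, "C": 5},
}
PROTECTED = ["A", "B", "C", "D", "E"]


def dijkstra(graph, src, banned):
    """Shortest paths from src that never enter a banned node."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, w in graph[u].items():
            if v in banned:
                continue
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def rebuild(prev, src, dst):
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_cost(graph, path):
    return sum(graph[a][b] for a, b in zip(path, path[1:]))


def local_repair(graph, protected, start):
    """Return (repair_path, merge_point) for `start`, or None if no detour exists."""
    i = protected.index(start)
    if i >= len(protected) - 1:
        return None                                   # nothing downstream to protect
    next_hop = protected[i + 1]
    banned = set(protected[:i]) | {next_hop}          # node protection; no upstream loops
    dist, prev = dijkstra(graph, start, banned)
    best = None
    for mp in protected[i + 2:]:                      # merge point is at least 2 hops down
        if mp not in dist:
            continue
        detour = rebuild(prev, start, mp)
        # Reject detours that already touch the protected path before the merge point.
        if any(n in protected for n in detour[1:-1]):
            continue
        remaining = protected[protected.index(mp):]
        total = dist[mp] + path_cost(graph, remaining)
        key = (total, protected.index(mp))
        if best is None or key < best[0]:
            best = (key, detour, mp)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for node in PROTECTED:
        print(node, local_repair(GRAPH, PROTECTED, node))
```

From A the chosen detour A-X-Y-D merges three hops downstream, which is the case the first abstract calls out; merging at E is rejected because it would re-enter the protected path at D first. From C there is no detour at all (its only non-path neighbour leads back upstream), so the function reports None rather than inventing a path.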
20090290499 | Backplane Interface Adapter with Error Control and Redundant Fabric - A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric. | 11-26-2009 |
20090287952 | Backplane Interface Adapter with Error Control and Redundant Fabric - A backplane interface adapter with error control and redundant fabric for a high-performance network switch. The error control may be provided by an administrative module that includes a level monitor, a stripe synchronization error detector, a flow controller, and a control character presence tracker. The redundant fabric transceiver of the backplane interface adapter improves the adapter's ability to properly and consistently receive narrow input cells carrying packets of data and output wide striped cells to a switching fabric. | 11-19-2009 |
20090282322 | TECHNIQUES FOR SEGMENTED CRC DESIGN IN HIGH SPEED NETWORKS - Embodiments of the present invention provide techniques for efficient generation of CRC values in a network environment. Specific embodiments of the present invention enable CRC processing circuits that can generate CRC values at high data throughput rates (e.g., 100 Gbps or greater), while being capable of being implemented on currently available FPGAs. Accordingly, embodiments of the present invention may be used in network devices such as routers, switches, hubs, host network interfaces and the like to support high speed data transmission standards such as 100G Ethernet and beyond. | 11-12-2009 |
20090282148 | SEGMENTED CRC DESIGN IN HIGH SPEED NETWORKS - Embodiments of the present invention provide techniques for efficient generation of CRC values in a network environment. Specific embodiments of the present invention enable CRC processing circuits that can generate CRC values at high data throughput rates (e.g., 100 Gbps or greater), while being capable of being implemented on currently available FPGAs. Accordingly, embodiments of the present invention may be used in network devices such as routers, switches, hubs, host network interfaces and the like to support high speed data transmission standards such as 100G Ethernet and beyond. | 11-12-2009 |
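The two segmented-CRC abstracts above concern computing a CRC over a wide data word in independent pieces so that the circuit keeps up with the line rate. The arithmetic that makes that possible is the linearity of CRC over GF(2): the CRC of each segment can be computed separately and the partial results folded together with a "combine" operation that only needs the second segment's length. The following is an added example of that combine step in software, not the applications' circuit: it re-implements the GF(2) matrix method used by zlib's crc32_combine in plain Python and checks it against zlib.crc32 over the whole buffer. The segment split is a constructed illustration of the idea, not the application's register layout.

```python
# Added example (not from the applications): segment-parallel CRC-32 via combine.
import zlib

CRC32_POLY = 0xEDB88320   # reflected CRC-32 polynomial (IEEE 802.3)


def gf2_matrix_times(mat, vec):
    """Multiply a 32x32 GF(2) matrix (list of 32 column words) by a 32-bit vector."""
    result, i = 0, 0
    while vec:
        if vec & 1:
            result ^= mat[i]
        vec >>= 1
        i += 1
    return result


def gf2_matrix_square(mat):
    return [gf2_matrix_times(mat, mat[n]) for n in range(32)]


def crc32_combine(crc1, crc2, len2):
    """CRC-32 of seg1+seg2 given crc32(seg1), crc32(seg2) and len(seg2) in bytes.

    Shifting one zero bit into the CRC register is a linear map over GF(2);
    squaring that matrix gives the maps for 2, 4, 8, ... zero bits, so feeding
    len2 bytes of zeros through crc1 costs O(log len2) matrix products. XORing
    the result with crc2 yields the CRC of the concatenation.
    """
    if len2 <= 0:
        return crc1
    odd = [0] * 32
    odd[0] = CRC32_POLY                 # bit 0 shifts out and folds in the polynomial
    row = 1
    for n in range(1, 32):
        odd[n] = row                    # every other bit moves one position right
        row <<= 1
    even = gf2_matrix_square(odd)       # operator for two zero bits
    odd = gf2_matrix_square(even)       # operator for four zero bits
    while True:
        even = gf2_matrix_square(odd)   # first pass: eight zero bits, one byte
        if len2 & 1:
            crc1 = gf2_matrix_times(even, crc1)
        len2 >>= 1
        if len2 == 0:
            break
        odd = gf2_matrix_square(even)
        if len2 & 1:
            crc1 = gf2_matrix_times(odd, crc1)
        len2 >>= 1
        if len2 == 0:
            break
    return crc1 ^ crc2


def whole_crc(data):
    """Reference: CRC-32 over the whole buffer in one pass."""
    return zlib.crc32(data) & 0xFFFFFFFF


def segmented_crc(data, n_segments):
    """CRC each segment independently (parallelisable), then fold the partials."""
    if n_segments < 1:
        raise ValueError("need at least one segment")
    if not data:
        return whole_crc(data)
    seg_len = -(-len(data) // n_segments)                       # ceiling division
    segments = [data[i:i + seg_len] for i in range(0, len(data), seg_len)]
    partials = [(whole_crc(s), len(s)) for s in segments]        # independent work units
    crc, _ = partials[0]
    for crc2, len2 in partials[1:]:
        crc = crc32_combine(crc, crc2, len2)
    return crc


if __name__ == "__main__":
    sample = bytes(range(256)) * 3                               # constructed 768-byte frame
    print(hex(segmented_crc(sample, 4)), hex(whole_crc(sample)))
```

In hardware the partial CRCs run in the same clock and the combine collapses to fixed XOR networks because the segment widths are constant; in software the same identity lets a receiver verify a frame whose pieces arrived in separate buffers without copying them together first.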
20090279561 | Backplane Interface Adapter - A backplane interface adapter for a network switch. The backplane interface adapter includes at least one receiver that receives input cells carrying packets of data; at least one cell generator that generates encoded cells which include the packets of data from the input cells; and at least one transmitter that transmits the generated cells to a switching fabric. The cell includes a destination slot identifier that identifies a slot of the switching fabric towards which the respective input cell is being sent. The generated cells include in-band control information. | 11-12-2009 |
20090279549 | Hitless software upgrades - Disclosed is a technique for facilitating software upgrade for a switching system comprising a first management processor and a second management processor and a set of one or more line processors, the techniques comprising receiving a signal to perform a software upgrade for a line processor from the set of line processors, and performing a software upgrade for the line processor without substantially affecting packet switching performed by the switching system. | 11-12-2009 |
20090279548 | PIPELINE METHOD AND SYSTEM FOR SWITCHING PACKETS - A switching device comprising one or more processors coupled to a media access control (MAC) interface and a memory structure for switching packets rapidly between one or more source devices and one or more destination devices. Packets are pipelined through a series of first processing segments to perform a plurality of first sub-operations involving the initial processing of packets received from source devices to be buffered in the memory structure. Packets are pipelined through a series of second processing segments to perform a plurality of second sub-operations involved in retrieving packets from the memory structure and preparing packets for transmission. Packets are pipelined through a series of third processing segments to perform a plurality of third sub-operations involved in scheduling transmission of packets to the MAC interface for transmission to one or more destination devices. | 11-12-2009 |
20090279542 | Techniques for using dual memory structures for processing failure detection protocol packets - Techniques are provided for assisting in the processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing, the other FDP packets are dropped and not forwarded to the CPU. The processing is performed using dual memory structures that enable receipt of FDP packets by the network device to be decoupled from the processing of FDP packets by the CPU of the network device. | 11-12-2009 |
20090279541 | Techniques for detecting non-receipt of fault detection protocol packets - Techniques that assist in processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, a module is provided in a network device for detecting and flagging the non-receipt of FDP packets by the network device for one or more FDP sessions. In this manner, the task of detecting non-receipt of FDP packets is offloaded from the CPU of the network device. This enables the network device to support newer FDPs with shorter periodic interval requirements. | 11-12-2009 |
20090279441 | Techniques for transmitting failure detection protocol packets - Techniques are provided for processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. The task of transmitting FDP packets from a network device is offloaded from the CPU of the network device and instead handled by another module of the network device. In this manner, the processing that the CPU of the network device has to perform for transmitting FDP packets for the various FDP sessions of the network device is reduced. This enables the network device to support newer FDPs with shorter periodic interval requirements. | 11-12-2009 |
20090279440 | Techniques for processing incoming failure detection protocol packets - Techniques that assist in processing of failure detection protocol (FDP) packets. Techniques are provided that assist a CPU of a network device in processing incoming FDP packets. In one embodiment, only a subset of FDP packets received by the network device is forwarded to the CPU for processing, the other FDP packets are dropped and not forwarded to the CPU. In this manner, the amount of processing that a CPU of the network device has to perform for incoming FDP packets is reduced. This enables the network device to support newer FDPs with shorter periodic interval requirements. | 11-12-2009 |
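The four failure-detection-protocol abstracts above share one idea: keep the CPU out of the steady-state path by having a dedicated module time the sessions, flag non-receipt, and forward only the packets the CPU actually needs. The following added example models that division of labour in software; it is not the applications' hardware. The session fields, the detection rule (receive interval times a multiplier, as in BFD) and the constructed packet stream are assumptions, and the forwarding criterion used here, "hand the CPU only packets whose reported state changed", is one possible subset rule.

```python
# Added example (not from the applications): FDP session offload model.
# Times are integer milliseconds to keep the timer arithmetic exact.

class FdpSession:
    def __init__(self, sid, interval_ms, multiplier):
        self.sid = sid
        self.detect_time_ms = interval_ms * multiplier   # BFD-style detection time
        self.last_rx_ms = None
        self.last_state = None
        self.flagged_down = False


class FdpOffload:
    def __init__(self):
        self.sessions = {}
        self.to_cpu = []        # packets actually handed to the CPU
        self.filtered = 0       # packets handled entirely by the offload module

    def add_session(self, sid, interval_ms, multiplier):
        self.sessions[sid] = FdpSession(sid, interval_ms, multiplier)

    def rx(self, pkt, now_ms):
        """Process one received FDP packet; return True if it went to the CPU.

        pkt = {"sid": session id, "state": peer-reported state} (constructed form)
        """
        s = self.sessions.get(pkt["sid"])
        if s is None:
            self.to_cpu.append(pkt)             # unknown session: let the CPU decide
            return True
        s.last_rx_ms = now_ms                   # timer refreshed without CPU involvement
        s.flagged_down = False
        if pkt["state"] == s.last_state:
            self.filtered += 1                  # repeat keepalive: nothing new for the CPU
            return False
        s.last_state = pkt["state"]
        self.to_cpu.append(pkt)                 # state change: CPU must see it
        return True

    def poll(self, now_ms):
        """Timer sweep: return ids of sessions whose detection time just expired."""
        expired = []
        for s in self.sessions.values():
            if s.last_rx_ms is None or s.flagged_down:
                continue
            if now_ms - s.last_rx_ms > s.detect_time_ms:
                s.flagged_down = True           # flag once; the CPU is told via this list
                expired.append(s.sid)
        return expired


if __name__ == "__main__":
    off = FdpOffload()
    off.add_session(1, interval_ms=50, multiplier=3)
    for t in (0, 50, 100):                      # constructed stream: three identical packets
        off.rx({"sid": 1, "state": "up"}, t)
    print(off.poll(150), off.poll(300), off.filtered, len(off.to_cpu))
```

The point of the split is visible in the counters: three packets arrive, one reaches the CPU, and the session timeout is detected by the sweep rather than by the CPU looking at every packet. With shorter intervals the ratio only grows.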
20090279423 | Recovering from Failures Without Impact on Data Traffic in a Shared Bus Architecture - Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU. | 11-12-2009 |
20090276601 | VIRTUAL MEMORY MAPPING FOR EFFICIENT MEMORY USAGE - A processor (e.g. utilizing an operating system and/or circuitry) may access physical memory by paging, where a page is the smallest partition of memory mapped by the processor from a virtual address to a physical address. An application program executing on the processor addresses a virtual address space so that the application program may be unaware of physical memory paging mechanisms. A memory control layer manages physical memory space in units of sub-blocks, wherein a sub-block is smaller than the size of a page. Multiple virtual address blocks may be mapped to the same physical page in memory. A sub-block can be moved from a page (e.g. from one physical memory to a second physical memory) without moving other sub-blocks within the page, in a manner that is transparent to the application program. | 11-05-2009 |
20090275328 | METHODS AND APPARATUS FOR HANDLING WIRELESS ROAMING AMONG AND ACROSS WIRELESS AREA NETWORKS - Wireless roaming in a computer network may be handled through a solution provided on one or more switches in the network. A roam request sent by a switch corresponding to the user's new location may be received by the other switches in the network. If the user is known to any of these switches, then they may execute steps to accommodate the roaming. The tasks performed may vary based on whether the roaming is on layer | 11-05-2009 |
20090265785 | SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected. | 10-22-2009 |
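Both ARP anti-spoofing entries above (20090307773 and 20090265785) describe the same collector: switches copy ARP replies, tag them with the ingress port, and a collector keeps the (IP, MAC, port) binding and compares later replies against it. An added example of that collector logic follows; it is illustrative code, not the applications' implementation. The copied-reply record format, the constructed replies and the response taken (blocking the offending port) are assumptions.

```python
# Added example (not from the applications): ARP reply collector.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One copied ARP reply as the switch would forward it to the collector."""
    sender_ip: str
    sender_mac: str
    port: str            # ingress port, added by the switch that copied the reply


class ArpCollector:
    def __init__(self):
        self.bindings = {}       # sender_ip -> (mac, port) learned from the first reply
        self.alerts = []
        self.blocked_ports = set()

    def observe(self, reply):
        """Record or check one copied reply; return an alert dict when it conflicts."""
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = (reply.sender_mac, reply.port)
            return None
        mac, port = known
        if mac == reply.sender_mac and port == reply.port:
            return None                      # consistent with what was learned
        # Same IP now claimed by a different MAC or from a different port:
        # the classic signature of a gratuitous/forged ARP reply.
        alert = {
            "ip": reply.sender_ip,
            "expected": {"mac": mac, "port": port},
            "observed": {"mac": reply.sender_mac, "port": reply.port},
            "port": reply.port,
        }
        self.alerts.append(alert)
        self.blocked_ports.add(reply.port)   # security action: isolate the source port
        return alert

    def forget(self, ip):
        """Operator-driven release of a binding (e.g. after a planned host move)."""
        self.bindings.pop(ip, None)


if __name__ == "__main__":
    c = ArpCollector()
    # Constructed replies: a legitimate host, then a forged reply for the same IP.
    print(c.observe(ArpReply("10.0.0.1", "00:11:22:33:44:55", "gi1/1")))
    print(c.observe(ArpReply("10.0.0.1", "de:ad:be:ef:00:01", "gi1/7")))
```

The binding is learned from the first reply seen, so the collector is only as trustworthy as the network was at learning time; the explicit forget() is there because a real deployment needs an authorised way to rebind an address without treating every host move as an attack.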
20090260083 | SYSTEM AND METHOD FOR SOURCE IP ANTI-SPOOFING SECURITY - A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode. | 10-15-2009 |
20090254973 | SYSTEM AND METHOD FOR SOURCE IP ANTI-SPOOFING SECURITY - A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. | 10-08-2009 |
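The two source-IP anti-spoofing entries above (20090260083 and 20090254973) describe a per-port check at layer 2: a host's source IP is bound to its MAC and port, a packet from that MAC with a different source IP is blocked, newly learned addresses are validated first, and a port whose failed validations exceed a threshold is put into a possible-attack mode. An added example of that logic follows; it is not the applications' code. The validation oracle (a constructed DHCP-style lease table), the one-IP-per-(port, MAC) binding, the threshold value and what attack mode does (suspend learning on that port) are assumptions.

```python
# Added example (not from the applications): source IP anti-spoofing per port.

# Constructed lease table standing in for whatever the switch validates against.
LEASES = {("10.0.0.5", "00:11:22:33:44:55"): "gi1/1"}


def lease_validator(ip, mac, port):
    """Assumed validation rule: the (ip, mac) pair must be leased on this port."""
    return LEASES.get((ip, mac)) == port


class PortGuard:
    def __init__(self, validator, fail_threshold=3):
        self.validator = validator
        self.fail_threshold = fail_threshold
        self.bindings = {}        # (port, mac) -> validated source IP
        self.failed = {}          # port -> consecutive failed validations
        self.attack_mode = set()  # ports where learning is suspended

    def check(self, port, mac, src_ip):
        """Return 'forward' or 'drop' for one packet seen at layer 2."""
        bound = self.bindings.get((port, mac))
        if bound is not None:
            return "forward" if bound == src_ip else "drop"   # known host, spoofed source
        if port in self.attack_mode:
            return "drop"                                      # no learning while suspect
        if self.validator(src_ip, mac, port):
            self.bindings[(port, mac)] = src_ip
            self.failed[port] = 0
            return "forward"
        n = self.failed.get(port, 0) + 1
        self.failed[port] = n
        if n > self.fail_threshold:
            self.attack_mode.add(port)                         # too many bad new addresses
        return "drop"

    def clear_port(self, port):
        """Operator action: leave attack mode and forget the port's bindings."""
        self.attack_mode.discard(port)
        self.failed.pop(port, None)
        for key in [k for k in self.bindings if k[0] == port]:
            del self.bindings[key]


if __name__ == "__main__":
    g = PortGuard(lease_validator, fail_threshold=3)
    print(g.check("gi1/1", "00:11:22:33:44:55", "10.0.0.5"))   # legitimate
    print(g.check("gi1/1", "00:11:22:33:44:55", "10.0.0.9"))   # spoofed source IP
    # Constructed scan: a host on gi1/2 tries a series of addresses it is not leased.
    print([g.check("gi1/2", "aa:aa:aa:aa:aa:aa", "203.0.113.%d" % i) for i in range(1, 6)])
```

Attack mode here only stops new bindings from being learned on the port; hosts already validated there keep forwarding. Dropping everything on the port would turn a single misbehaving host into a denial of service against its neighbours on a shared segment.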
20090129261 | HIGH AVAILABLE METHOD FOR BORDER GATEWAY PROTOCOL VERSION 4 - High availability BGP4 is based on redundant hardware as well as redundant software that replicates the RUN state of BGP4. There are two copies, respectively active and backup, of BGP4 running on two separate redundant hardware platforms. All BGP4 internal implementations apply various methods to replicate the running state of BGP4 independently of peer network routers. When this hardware or software fails on one redundant hardware platform, peer routers are unaware of the failure. Internally, based on duplicative states, the local router recovers from the failure and keeps the protocol running. During the recovery period, the local router can bring up a backup again. In the HA architecture, these activities are not detected by peer routers, such that there is no instability to the Internet backbone caused by BGP4 failure. | 05-21-2009 |
20090100500 | Scalable distributed web-based authentication - Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol. | 04-16-2009 |
20090092135 | SYSTEM AND METHOD FOR ROUTER DATA DISTRIBUTION - Employing an asymmetric protocol, multiple sources reliably broadcast dynamically changing routing tables incrementally to multiple consumers through a single distributor. Each of the multiple sources sends its current tables to the distributor using a snapshot mechanism. Messages are buffered, segmented, paced by timers, and broadcast to the consumers repetitively at the distributor. Negative acknowledgments from a consumer request missing messages from the distributor after receipt of a keepalive message from the distributor. The distributor marks the missing messages and retransmits replacements from a history buffer only after a resend timer fires. A unique Session ID included in all messages originating from each particular source facilitates reliable table distribution from multiple sources to multiple consumers via a single distributor. | 04-09-2009 |
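The exchange that abstract describes (per-source session IDs, a distributor history buffer, consumer NACKs triggered by a keepalive, and retransmission only once a resend timer fires) is modelled below as an added example; it is not the application's protocol implementation. Message layout, per-session sequence numbering, the tick-based timers, the history size and the constructed single-loss model are assumptions; segmentation and pacing of large snapshots are left out.

```python
# Added example (not from the application): distributor/consumer table distribution.

class Consumer:
    def __init__(self, name, lose=()):
        self.name = name
        self.lose = set(lose)        # constructed loss: (session, seq) dropped in transit once
        self.tables = {}             # session -> {seq: payload}

    def receive(self, msg):
        """Handle one message from the distributor; return a NACK or None."""
        if msg.get("type") == "keepalive":
            have = self.tables.get(msg["session"], {})
            missing = [s for s in range(1, msg["last_seq"] + 1) if s not in have]
            if missing:
                return {"type": "nack", "session": msg["session"], "missing": missing}
            return None
        key = (msg["session"], msg["seq"])
        if key in self.lose:
            self.lose.discard(key)   # the message never arrived this time
            return None
        self.tables.setdefault(msg["session"], {})[msg["seq"]] = msg["payload"]
        return None


class Distributor:
    def __init__(self, resend_after=2, history_size=64):
        self.consumers = []
        self.seq = {}                # session -> last sequence number published
        self.history = {}            # session -> {seq: payload}  (history buffer)
        self.marked = {}             # (session, seq) -> tick when a NACK marked it
        self.tick = 0
        self.resend_after = resend_after
        self.history_size = history_size
        self.retransmits = 0

    def publish(self, session, payload):
        """A source's snapshot update, tagged with that source's session ID."""
        n = self.seq.get(session, 0) + 1
        self.seq[session] = n
        hist = self.history.setdefault(session, {})
        hist[n] = payload
        while len(hist) > self.history_size:
            del hist[min(hist)]                         # oldest entries age out
        self._send({"session": session, "seq": n, "payload": payload})

    def keepalive(self):
        """Periodic keepalive; consumers answer with NACKs for anything missing."""
        for session, last in self.seq.items():
            self._send({"type": "keepalive", "session": session, "last_seq": last})

    def advance(self):
        """One timer tick: retransmit marked messages whose resend timer has fired."""
        self.tick += 1
        due = [k for k, t in self.marked.items() if self.tick - t >= self.resend_after]
        for session, s in due:
            del self.marked[(session, s)]
            payload = self.history.get(session, {}).get(s)
            if payload is None:
                continue     # aged out of history: the consumer needs a fresh snapshot
            self.retransmits += 1
            self._send({"session": session, "seq": s, "payload": payload})

    def _send(self, msg):
        for c in self.consumers:
            resp = c.receive(msg)
            if resp and resp["type"] == "nack":
                for s in resp["missing"]:
                    self.marked.setdefault((resp["session"], s), self.tick)


if __name__ == "__main__":
    d = Distributor(resend_after=2)
    c = Consumer("c1", lose={("src-A", 2)})          # constructed: second update is lost
    d.consumers.append(c)
    for route in ("10.0.0.0/8", "10.1.0.0/16", "10.2.0.0/16"):
        d.publish("src-A", route)
    d.keepalive()
    d.advance(); d.advance()
    print(sorted(c.tables["src-A"]), d.retransmits)
```

Two properties of the abstract show up directly: the consumer only learns it has a gap when the keepalive carries the distributor's last sequence number, and the distributor does not retransmit on the NACK itself but waits for the resend timer, so a burst of NACKs from many consumers for the same message collapses into one retransmission.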
20080244282 | Managing Power Allocation To Ethernet Ports In The Absence Of Mutually Exclusive Detection And Powering Cycles In Hardware - A method of allocating power to ports in an Ethernet switch, including: (1) assigning a configuration power to a selected port, wherein the assigned configuration power is less than a power supplied by the selected port to a powered device, (2) enabling and powering the selected port in a single indivisible step, (3) determining the power limit of a device coupled to the selected port, (4) comparing the power supplied by the selected port to the device with the configuration power assigned to the selected port, and (5) if the power supplied by the selected port to the device is greater than the configuration power assigned to the selected port, then increasing the configuration power of the selected port to correspond with the power limit of the device. | 10-02-2008 |