Integrated methods of performing network switch functions
Granted: December 28, 2010
Patent Number: 7860006
On-switch methods for enforcing a policy relating to one or more network switch resources, for detecting and mitigating a network anomaly, and for selectively filtering packets to an externally-accessible port, are provided. The methods may each be embodied as one or more rules held by one or more processor readable media, with one or more of the rules defining one or more conditions to be met by one or more usage-derived packet statistics, and one or more actions to be performed if the…
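The abstract above describes rules whose conditions are evaluated against usage-derived packet statistics and whose actions fire when those conditions hold. The following is an added example (not code from the patent or its assignee) that models that rule set in Python: per-port counters are derived from a constructed frame stream, and each rule pairs a condition over those counters with an action such as disabling MAC learning or rate-limiting broadcast. The rule names, thresholds and action strings are hypothetical, chosen so the constructed sample trips them.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A frame as the switch's counters would see it: (ingress port, src MAC, dst MAC, TCP flags).
# Constructed input; no real traffic.
Frame = Tuple[int, str, str, str]
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortStats:
    """Usage-derived statistics kept per ingress port (totals over one window)."""
    frames: int = 0
    broadcast: int = 0
    syn: int = 0
    src_macs: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    """One policy rule: a condition over PortStats and the action taken when it holds."""
    name: str
    condition: Callable[[PortStats], bool]
    action: str


# Hypothetical thresholds, deliberately small so the constructed sample trips them.
RULES: List[Rule] = [
    Rule("mac-table-flood", lambda s: len(s.src_macs) > 8, "disable-learning"),
    Rule("broadcast-storm", lambda s: s.frames >= 4 and s.broadcast / s.frames > 0.5,
         "rate-limit-broadcast"),
    Rule("syn-burst", lambda s: s.syn > 5, "mirror-to-ips"),
]


def derive_stats(frames: List[Frame]) -> Dict[int, PortStats]:
    """Turn raw frames into the per-port statistics the rules are written against."""
    stats: Dict[int, PortStats] = defaultdict(PortStats)
    for port, src, dst, flags in frames:
        s = stats[port]
        s.frames += 1
        s.src_macs.add(src)
        if dst == BROADCAST:
            s.broadcast += 1
        if flags == "S":
            s.syn += 1
    return dict(stats)


def evaluate(stats: Dict[int, PortStats], rules: List[Rule] = RULES) -> Dict[int, List[str]]:
    """Return, per port, the actions whose rule conditions are met, in rule order."""
    return {port: [r.action for r in rules if r.condition(s)]
            for port, s in sorted(stats.items())}


def constructed_frames() -> List[Frame]:
    frames: List[Frame] = []
    for i in range(12):   # port 1: every frame from a fresh source MAC
        frames.append((1, f"02:00:00:00:00:{i:02x}", "02:aa:aa:aa:aa:aa", ""))
    for _ in range(6):    # port 2: ordinary unicast from one host
        frames.append((2, "02:bb:bb:bb:bb:01", "02:aa:aa:aa:aa:aa", "A"))
    for i in range(10):   # port 3: 8 of 10 frames are broadcast
        frames.append((3, "02:cc:cc:cc:cc:01",
                       BROADCAST if i < 8 else "02:aa:aa:aa:aa:aa", ""))
    return frames


if __name__ == "__main__":
    for port, actions in evaluate(derive_stats(constructed_frames())).items():
        print(port, actions or ["no action"])
```

Port 1 trips the MAC-flood rule, port 3 the broadcast-storm rule, and port 2 nothing; a real implementation would reset the window counters periodically and would order actions so that the most severe one (port shutdown) wins when several rules match at once.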
Convergence of multicast traffic
Granted: December 21, 2010
Patent Number: 7856019
A multicast data packet sent from a source node is received by a transit node. The multicast data packet includes a source address and a multicast group address. A hardware cache miss is detected at the transit node for the multicast data packet. The multicast data packet is hardware-flooded onto ports of the network. The flooding consists of forwarding a copy of the multicast data packet to neighbor nodes of the transit node based on virtual local area network (VLAN) membership. A…
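The flood-on-miss behaviour described above, as an added example rather than the patent's own code: a transit node keeps a hardware cache keyed by (source, group); on a miss it floods one copy to every other port that carries the packet's VLAN, and once the control plane has resolved the receivers it installs a cache entry so later packets are pruned. The topology, addresses and the `install` step are assumptions for the example; the check that the ingress port actually carries the packet's VLAN is a practitioner's addition, not something the abstract states.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

MulticastKey = Tuple[str, str]   # (source address, multicast group address)


@dataclass
class Packet:
    src: str
    group: str
    vlan: int
    in_port: int


@dataclass
class TransitNode:
    # port -> VLANs that port is a member of (constructed topology)
    ports: Dict[int, FrozenSet[int]]
    # hardware cache: (src, group) -> egress ports, programmed by the control plane
    cache: Dict[MulticastKey, Set[int]] = field(default_factory=dict)

    def forward(self, pkt: Packet) -> Tuple[List[int], str]:
        # Reject a tag the ingress port is not configured for before anything is flooded.
        if pkt.vlan not in self.ports.get(pkt.in_port, frozenset()):
            return [], "dropped-vlan-not-on-port"
        key = (pkt.src, pkt.group)
        if key in self.cache:
            return sorted(self.cache[key] - {pkt.in_port}), "cache-hit"
        # Cache miss: hardware-flood one copy to every other port carrying the packet's VLAN.
        out = [p for p, vlans in self.ports.items() if pkt.vlan in vlans and p != pkt.in_port]
        return sorted(out), "flooded"

    def install(self, key: MulticastKey, egress: Iterable[int]) -> None:
        """Control plane has resolved group membership; program the hardware cache."""
        self.cache[key] = set(egress)


def demo() -> List[Tuple[List[int], str]]:
    node = TransitNode(ports={1: frozenset({100}), 2: frozenset({100}),
                              3: frozenset({100, 200}), 4: frozenset({200})})
    pkt = Packet(src="10.0.0.5", group="239.1.1.1", vlan=100, in_port=1)
    results = [node.forward(pkt)]                        # miss: flooded within VLAN 100
    node.install(("10.0.0.5", "239.1.1.1"), [3])         # only port 3 has a receiver
    results.append(node.forward(pkt))                    # hit: pruned to port 3
    results.append(node.forward(Packet("10.0.1.9", "239.1.1.1", 200, 4)))  # VLAN 200 flood
    results.append(node.forward(Packet("10.0.1.9", "239.1.1.1", 200, 1)))  # tag not on port 1
    return results


if __name__ == "__main__":
    for ports, verdict in demo():
        print(verdict, ports)
```

The VLAN 200 packet never reaches ports 1 or 2, which is the property to check: a flood triggered by a cache miss must stay inside the VLAN, otherwise a burst of packets to unknown groups becomes a way to leak traffic across VLAN boundaries.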
Methods, systems, and computer program products for routing packets at a multi-mode layer 3 packet forwarding device
Granted: November 30, 2010
Patent Number: 7843927
The subject matter described herein includes methods, systems, and computer program products for routing packets at a multi-mode layer 3 packet forwarding device. According to one aspect, the subject matter described herein includes operating a first of at least two modules in a host mode, and operating a second of at least two modules in a longest prefix matching (LPM) mode. Operating a module in a host mode includes populating a host table and an LPM table with entries corresponding to…
Method and apparatus for dynamic anomaly-based updates to traffic selection policies in a switch
Granted: November 16, 2010
Patent Number: 7835348
Techniques and architectures to dynamically modify policies used to determine how data in switched network traffic is selected for security inspection. One embodiment of the invention modifies policies used to determine how data in network traffic is redirected from a switch to an intrusion prevention system, without the policy modifications interrupting the handling of network traffic by the switch.
System and method for assembling a data packet
Granted: October 26, 2010
Patent Number: 7821931
Disclosed is a system and method for assembling a data packet. The system can be implemented as four memory elements associated with one or more processors. The first memory element stores a sequence number and a sub-channel identifier for an incoming data packet. The second memory element stores a revised packet fragment. The third memory element stores an unrevised packet fragment. The fourth memory element stores a starting address. In the system, the starting address may be the…
Data structures for supporting packet data modification operations
Granted: October 26, 2010
Patent Number: 7822032
A processor readable medium storing a data structure for supporting one or more packet modification operations is provided. The data structure has a pointer to a sequence of one or more commands stored in a first memory area and implementing one or more packet modification operations. The data structure also has a pointer to a burst of one or more data or mask items stored in a second memory area for use by the one or more commands. A method of performing one or more packet modification…
MAC address detection device for virtual routers
Granted: October 26, 2010
Patent Number: 7822033
A MAC address detector for a networking device is provided, the device configured to present different virtual routers to different end users, classes of service or packets. First addressing logic provides a pool of N potential MAC addresses of the device, wherein N is an integer of one or more. Second addressing logic generates a (N+1)th potential MAC address of the device by combining a permanent or semi-permanent identifier of the device, for example, a chassis identifier, with a…
Packet processing system architecture and method
Granted: October 26, 2010
Patent Number: 7822038
A packet processing system architecture and method are provided. According to a first aspect of the invention, a plurality of quality of service indicators are provided for a packet, each with an assigned priority, and a configurable priority resolution scheme is utilized to select one of the quality of service indicators for assigning to the packet. According to a second aspect of the invention, wide data paths are utilized in selected areas of the system, while avoiding universal…
Method and system for detecting and preventing access intrusion in a network
Granted: October 26, 2010
Patent Number: 7823199
A wireless computer network includes components cooperating together to prevent access intrusions by detecting unauthorized devices connected to the network, disabling the network connections to the devices, and then physically locating the devices. The network can detect both unauthorized client stations and unauthorized edge devices such as wireless access points (APs). The network can detect intruders by monitoring information transferred over wireless channels, identifying protocol…
Method of providing virtual router functionality through abstracted virtual identifiers
Granted: October 19, 2010
Patent Number: 7817633
A method of providing virtual router functionality to a packet responsive to one or more abstracted virtual packet identifiers is provided. The method occurs in a networking device having a router core. The one or more abstracted virtual identifiers are abstracted from one or more virtual identifiers derived from the packet, thus insulating the router core from changes in the one or more virtual identifiers. A packet is received having a VLAN field, and a key is formed from the VLAN…
Flexible flow-aging mechanism
Granted: October 19, 2010
Patent Number: 7817549
A flow identifier is stored in a memory to identify a network flow. The memory is capable of storing multiple flow identifiers for multiple flows. Packet statistics are collected for each of the flows. The packet statistics are compared and a flow identifier is subsequently selected and removed from the memory.
Methods, systems, and computer program products for killing prioritized packets using time-to-live values to prevent head-of-line blocking
Granted: October 12, 2010
Patent Number: 7813348
Methods, systems, and computer program products for killing prioritized packets in multiple queues using time-to-live values to prevent head-of-line blocking. In one example, a method for scheduling prioritized packets in a queuing system includes receiving a plurality of packets having a plurality of different priorities. The method can also include assigning the packets to the queues, wherein at least some of the queues include packets of a plurality of different priorities. In addition,…
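To show why a time-to-live on queued packets prevents head-of-line blocking, here is an added simulation (not the patent's code) of two mixed-priority queues served by a strict-priority scheduler that only sees the packet at the head of each queue. The queue contents, the tick-based TTL and the strict-priority choice among heads are assumptions for the example; run it with and without expiry to compare when the urgent packet H gets out.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass
class Packet:
    pid: str
    priority: int   # larger = more urgent
    ttl: int        # scheduler ticks the packet may wait before it is killed


def build_queues() -> List[Deque[Packet]]:
    """Constructed scenario: queue 0 has urgent packet H stuck behind low-priority L."""
    q0 = deque([Packet("L", 0, ttl=2), Packet("H", 7, ttl=10)])
    q1 = deque([Packet("M1", 3, ttl=10), Packet("M2", 3, ttl=10)])
    return [q0, q1]


def schedule(queues: List[Deque[Packet]], ticks: int,
             kill_expired: bool = True) -> Tuple[List[str], List[str]]:
    """Return (ids sent in order, ids killed). One packet is transmitted per tick."""
    sent: List[str] = []
    killed: List[str] = []
    for _ in range(ticks):
        # Age every queued packet; with kill_expired, drop any whose TTL ran out,
        # wherever it sits in the queue.
        for q in queues:
            survivors: Deque[Packet] = deque()
            for p in q:
                p.ttl -= 1
                if kill_expired and p.ttl <= 0:
                    killed.append(p.pid)
                else:
                    survivors.append(p)
            q.clear()
            q.extend(survivors)
        heads = [q for q in queues if q]
        if not heads:
            break
        # Strict priority among queue heads only; packets behind a head are invisible.
        best = max(heads, key=lambda q: q[0].priority)
        sent.append(best.popleft().pid)
    return sent, killed


if __name__ == "__main__":
    print("with kill:   ", schedule(build_queues(), 10))
    print("without kill:", schedule(build_queues(), 10, kill_expired=False))
```

Without expiry H is transmitted last, after both medium packets and L; with it, L is killed on the second tick and H goes out immediately behind M1. The trade-off a practitioner should note is that the kill is a drop, so the TTL has to be set from the latency the low-priority class can tolerate rather than picked to free the queue quickly.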
Method of and system for analyzing the content of resource requests
Granted: October 12, 2010
Patent Number: 7814204
Systems and methods are described for analyzing the content of resource requests. A tokenizer parses the resource request and derives a key therefrom. A database associates values of the key with categories of service. An association engine uses the key to obtain one or more matching entries from the database, and derive therefrom the desired category of service for the resource request. A cookie engine derives cookie information from a cookie located in the resource request. A session…
Method and system for VLAN aggregation
Granted: September 7, 2010
Patent Number: 7792058
A method and system for an aggregated virtual local area network (VLAN) architecture in which several VLANs in a network share the same default router address and subnet mask, but remain isolated from one another's network traffic. Instead of the traditional method of assigning one subnet to a VLAN, each VLAN is assigned only a portion of a subnet's IP address space, and is further grouped into a super-VLAN uniquely associated with that subnet. Intra-VLAN traffic is forwarded only to…
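An added example (not the patent's code) of the forwarding decision a switch has to make under the super-VLAN scheme above: every host is configured with the same gateway and /24 mask, but each sub-VLAN owns only a slice of that /24, so a frame is bridged only when source and destination are in the same sub-VLAN, and traffic between sub-VLANs of the same subnet goes through the router. The subnet, slices and VLAN ids are constructed; the source-address check, which drops a frame whose source is outside its ingress sub-VLAN's slice, is a hardening step I added, not something the abstract describes.

```python
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed super-VLAN: one /24 whose address space is carved up among sub-VLANs.
# Every host is configured as <its address>/24 with gateway 10.0.0.1.
SUPER_VLAN_SUBNET = ipaddress.ip_network("10.0.0.0/24")
GATEWAY = ipaddress.ip_address("10.0.0.1")
SUB_VLANS: Dict[int, List[IPv4Net]] = {
    10: [ipaddress.ip_network("10.0.0.16/28")],                                   # .16-.31
    20: [ipaddress.ip_network("10.0.0.32/28")],                                   # .32-.47
    30: [ipaddress.ip_network("10.0.0.48/28"), ipaddress.ip_network("10.0.0.64/28")],
}


def sub_vlan_of(ip: ipaddress.IPv4Address) -> Optional[int]:
    """Which sub-VLAN owns this address, or None (gateway, unassigned, or off-subnet)."""
    for vlan, ranges in SUB_VLANS.items():
        if any(ip in r for r in ranges):
            return vlan
    return None


def classify(src: str, dst: str, ingress_vlan: int) -> str:
    """Decide how a frame arriving on sub-VLAN `ingress_vlan` is handled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # A host may only use addresses from the slice assigned to the sub-VLAN it sits on.
    if sub_vlan_of(s) != ingress_vlan:
        return "drop-source-outside-sub-vlan"
    if d == GATEWAY:
        return "to-router"
    if sub_vlan_of(d) == ingress_vlan:
        return "l2-forward"                 # stays inside the sub-VLAN
    if d in SUPER_VLAN_SUBNET:
        return "route-inter-sub-vlan"       # same subnet, but only via the super-VLAN router
    return "route-external"


if __name__ == "__main__":
    for src, dst, vlan in [("10.0.0.20", "10.0.0.25", 10), ("10.0.0.20", "10.0.0.40", 10),
                           ("10.0.0.40", "10.0.0.25", 10), ("10.0.0.20", "192.0.2.7", 10)]:
        print(src, "->", dst, "on", vlan, ":", classify(src, dst, vlan))
```

The security value of the scheme is the third case: two hosts that believe they share a subnet still cannot exchange frames directly, so any policy applied at the router (ACLs, inspection) also covers traffic between sub-VLANs. Note that a host in sub-VLAN 10 will ARP for 10.0.0.40 as if it were local; the switch or router has to answer that ARP on the destination's behalf for the routed path to work, which the abstract's truncated text does not cover.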
Method and apparatus for dynamic configuration management
Granted: August 24, 2010
Patent Number: 7783733
A method is provided to dynamically manage the configuration of a network device. An application supporting a protocol, network interface or other component of the configuration operates in conjunction with a master agent and subagent to send and receive configuration management information. The application further operates in conjunction with a configuration manager interface and configuration manager to access and update the configuration in accordance with a priority of the…
Automatic tiered services based on network conditions
Granted: August 10, 2010
Patent Number: 7773507
A traffic selector table for a network switch is populated with one or more entries that each identifies a tiered service. A traffic flow that matches an entry in the table is identified by the switch. The matched traffic flow is redirected to an intrusion prevention device to determine whether the traffic presents a threat to the network. The switch detects a condition in network traffic flowing through the switch. The traffic selector table is dynamically modified in response to the…
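The traffic selector table above, and the anomaly-driven policy update in "Method and apparatus for dynamic anomaly-based updates to traffic selection policies in a switch" earlier in this list, both come down to the same mechanism: a first-match table of selectors, each naming a service tier, that the switch modifies while it keeps forwarding. The following is an added example in Python (not code from the patents) with two constructed tiers, full redirection to the IPS and 1-in-N sampling, and one constructed condition: a source that sends three TCP SYNs is escalated to full inspection on all TCP. The tier names, threshold, flow stream and the copy-on-write table swap are all assumptions for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One packet of a flow: (src IP, dst IP, proto, dst port, TCP flags). Constructed input.
Flow = Tuple[str, str, str, int, str]
SAMPLE_N = 4          # "sample" tier sends 1 packet in SAMPLE_N to the IPS (hypothetical)
SYN_THRESHOLD = 3     # SYNs from one source that the switch treats as an anomaly (hypothetical)


@dataclass(frozen=True)
class Selector:
    """Traffic selector entry: None fields are wildcards; tier names the service level."""
    proto: Optional[str]
    dst_port: Optional[int]
    src_net: Optional[ipaddress.IPv4Network]
    tier: str   # "full" or "sample"

    def matches(self, flow: Flow) -> bool:
        src, _, proto, dport, _ = flow
        return ((self.proto is None or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dport)
                and (self.src_net is None or ipaddress.ip_address(src) in self.src_net))


class SelectorTable:
    def __init__(self, entries: List[Selector]):
        self._entries = tuple(entries)      # first match wins
        self._seen: Counter = Counter()     # per-entry packet count for sampling

    def lookup(self, flow: Flow) -> Optional[Selector]:
        for e in self._entries:
            if e.matches(flow):
                return e
        return None

    def insert_front(self, e: Selector) -> None:
        # Copy-on-write: a lookup sees either the old tuple or the new one, never a
        # half-edited table, so forwarding is not interrupted by the policy change.
        self._entries = (e,) + self._entries

    def decide(self, flow: Flow) -> str:
        e = self.lookup(flow)
        if e is None:
            return "forward"
        if e.tier == "full":
            return "ips"
        self._seen[e] += 1
        return "ips" if self._seen[e] % SAMPLE_N == 1 else "forward"


def base_table() -> SelectorTable:
    return SelectorTable([
        Selector("tcp", 22, None, "full"),      # SSH: every packet inspected
        Selector("tcp", 80, None, "sample"),    # HTTP: sampled
    ])


def run(table: SelectorTable, flows: List[Flow]) -> Tuple[List[str], List[str]]:
    """Return the per-packet decision and the sources that triggered a table update."""
    syns: Counter = Counter()
    decisions: List[str] = []
    updates: List[str] = []
    for flow in flows:
        src, _, proto, _, flags = flow
        if proto == "tcp" and flags == "S":
            syns[src] += 1
            if syns[src] == SYN_THRESHOLD:
                # Condition detected: escalate this source to full inspection on all TCP.
                table.insert_front(Selector("tcp", None, ipaddress.ip_network(src + "/32"), "full"))
                updates.append(src)
        decisions.append(table.decide(flow))
    return decisions, updates


def constructed_flows() -> List[Flow]:
    return [
        ("192.0.2.10", "203.0.113.5", "tcp", 80, "S"),
        ("192.0.2.10", "203.0.113.5", "tcp", 80, "A"),
        ("198.51.100.7", "203.0.113.1", "tcp", 80, "S"),
        ("198.51.100.7", "203.0.113.2", "tcp", 80, "S"),
        ("198.51.100.7", "203.0.113.3", "tcp", 80, "S"),   # third SYN: escalation
        ("198.51.100.7", "203.0.113.4", "tcp", 443, "S"),  # now inspected despite no 443 entry
        ("192.0.2.10", "203.0.113.5", "tcp", 80, "A"),
        ("192.0.2.10", "203.0.113.9", "udp", 53, ""),      # no selector: plain forwarding
    ]


if __name__ == "__main__":
    print(run(base_table(), constructed_flows()))
```

The escalated entry is inserted at the front so it wins over the broader sampled HTTP entry; in a real switch the inserted entry should also carry an expiry, otherwise a forged-source SYN burst can be used to push arbitrary addresses into full inspection and load the IPS.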
Ring topology discovery
Granted: July 6, 2010
Patent Number: 7752338
A method is provided for determining the integrity of a domain defined in a network. The method includes processes and systems to facilitate the discovery of a conceptual ring topology of the domain in the network, and the determination of the integrity of the domain based on the conceptual ring topology that was discovered.
Methods, systems, and computer program products for rate-based distribution of layer 2 packets for in-line processing at a layer 2 packet forwarding device at a transmission rate less than a received transmission rate
Granted: June 8, 2010
Patent Number: 7733899
The subject matter described herein includes methods, systems, and computer program products for rate-based distribution of layer 2 packets for in-line processing at a layer 2 packet forwarding device. According to one aspect, the subject matter described herein includes a method for distributing layer 2 packets for in-line processing at a transmission rate less than a received transmission rate. The method includes receiving an input stream of layer 2 packets at an input port of a layer…
High speed bus with flow control and extended burst enhancements
Granted: May 25, 2010
Patent Number: 7724669
In a networked system, in which high speed busses interconnect sources and destinations of data, systems for and methods of flow control and extended burst transfers are described. The present invention is directed to a system for selectively varying the number of burst transfers used to transmit a block of data. The present invention is also directed to a method of selectively varying the number of burst transfers needed to transmit a block of data.
Methods, systems, and computer program products for controlling updating of a layer 3 host table based on packet forwarding lookup miss counts
Granted: May 25, 2010
Patent Number: 7724734
Methods, systems, and computer program products for controlling updating of a layer 3 host table based on packet forwarding miss counts are disclosed. According to one method, layer 3 packets are routed using at least one of a layer 3 host table containing entries corresponding to remote hosts and a longest prefix matching table containing prefixes corresponding to remote hosts. For each layer 3 destination address for which a lookup in at least one table fails, a number of packets…
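The two forwarding tables named above, a layer 3 host table of exact-match entries and a longest-prefix-matching table, also appear in "Methods, systems, and computer program products for routing packets at a multi-mode layer 3 packet forwarding device" earlier in this list. The following added example (not the patents' code) models both tables in Python and gates host-table updates on a per-destination miss count, as the abstract's truncated sentence starts to describe. The routes, capacity, threshold and traffic are constructed, and the exact install policy (install on the Nth miss, only while capacity remains) is my assumption.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class L3Forwarder:
    """Exact-match host table consulted before an LPM table. A destination earns a
    host entry only after it has missed the host table `install_threshold` times."""

    def __init__(self, lpm_routes: List[Tuple[str, str]], host_capacity: int,
                 install_threshold: int):
        # Longest prefix first, so the first hit in a linear scan is the longest match.
        self.lpm = sorted(((ipaddress.ip_network(n), nh) for n, nh in lpm_routes),
                          key=lambda e: e[0].prefixlen, reverse=True)
        self.host: Dict[IPv4, str] = {}
        self.host_capacity = host_capacity
        self.install_threshold = install_threshold
        self.misses: Counter = Counter()   # per-destination host-table miss count
        self.stats: Counter = Counter()    # host-hit / lpm-hit / installed / punt

    def lpm_lookup(self, dst: IPv4) -> Optional[str]:
        for net, nh in self.lpm:
            if dst in net:
                return nh
        return None

    def route(self, dst_str: str) -> Optional[str]:
        """Return the next hop for one packet, updating tables and counters."""
        dst = ipaddress.ip_address(dst_str)
        if dst in self.host:
            self.stats["host-hit"] += 1
            return self.host[dst]
        nh = self.lpm_lookup(dst)
        if nh is None:
            self.stats["punt"] += 1       # no route: hand to the CPU (or drop)
            return None
        self.stats["lpm-hit"] += 1
        self.misses[dst] += 1
        if self.misses[dst] >= self.install_threshold and len(self.host) < self.host_capacity:
            self.host[dst] = nh           # a repeat talker earns a fast-path entry
            self.stats["installed"] += 1
            del self.misses[dst]
        return nh


def demo() -> L3Forwarder:
    fwd = L3Forwarder([("10.1.0.0/16", "eth1"), ("10.1.2.0/24", "eth2"), ("192.0.2.0/24", "eth3")],
                      host_capacity=4, install_threshold=3)
    # A sweep touching 50 distinct destinations once each never earns host entries.
    for i in range(1, 51):
        fwd.route(f"10.1.2.{i}")
    # A real conversation: installed on the third packet, host-hits after that.
    for _ in range(5):
        fwd.route("10.1.2.77")
    fwd.route("10.1.9.9")        # only the /16 matches
    fwd.route("203.0.113.1")     # no route at all
    return fwd


if __name__ == "__main__":
    f = demo()
    print(dict(f.stats), {str(k): v for k, v in f.host.items()})
```

With the threshold at 1 (install on first miss) the 50-address sweep would fill the four-entry host table before the real conversation started, which is the failure mode the miss count prevents: host tables are small, and an address sweep is a cheap way to exhaust one. The miss counter itself should be bounded or aged in a real device, since it grows with the number of distinct destinations seen.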