公开(公告)号：US07921686B2

公开(公告)日：2011-04-12

申请号：US12101850

申请日：2008-04-11

申请人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

发明人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC分类号： G06F15/173

CPC分类号： H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

摘要： A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.

摘要翻译： 这里描述了高度可扩展的应用网络设备。 根据一个实施例，网络元件包括交换结构，耦合到交换结构的第一服务模块以及通过交换结构耦合到第一服务模块的第二服务模块。 响应于通过第一网络从客户端接收的网络事务的分组来访问具有多个服务器的数据中心的服务器，所述第一服务模块被配置为执行OSI的第一部分（开放系统互连） 在第二服务模块被配置为执行分组上的OSI兼容的网络进程层的第二部分时，分组上的网络进程的兼容层。 第一部分包括不包括在第二部分中的至少一个OSI兼容层。 还描述了其它方法和装置。

公开(公告)号：US07895463B2

公开(公告)日：2011-02-22

申请号：US12101865

申请日：2008-04-11

申请人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

发明人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC分类号： G06F11/00

CPC分类号： H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

摘要： Redundant application network appliances using a low latency lossless interconnect link are described herein. According to one embodiment, in response to receiving at a first network element a packet of a network transaction from a client over a first network for accessing a server of a datacenter, a layer 2 network process is performed on the packet and a data stream is generated. The data stream is then replicated to a second network element via a layer 2 interconnect link to enable the second network element to perform higher layer processes on the data stream to obtain connection states of the network transaction. In response to a failure of the first network element, the second network element is configured to take over processes of the network transaction from the first network element using the obtained connection states without user interaction of the client. Other methods and apparatuses are also described.

摘要翻译： 本文描述了使用低延迟无损互连链路的冗余应用网络设备。 根据一个实施例，响应于在第一网络元件处接收来自客户端的用于访问数据中心的服务器的来自客户端的网络事务的分组，对分组进行第2层网络处理，并且数据流是 生成。 然后，经由层2互连链路将数据流复制到第二网络元件，以使得第二网络元件能够在数据流上执行更高层次的过程以获得网络事务的连接状态。 响应于第一网络元件的故障，第二网络元件被配置为在没有客户端的用户交互的情况下使用所获得的连接状态从第一网络元件接管网络事务的过程。 还描述了其它方法和装置。

公开(公告)号：US20090063893A1

公开(公告)日：2009-03-05

申请号：US12101865

申请日：2008-04-11

申请人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

发明人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC分类号： G06F11/20

CPC分类号： H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

摘要： Redundant application network appliances using a low latency lossless interconnect link are described herein. According to one embodiment, in response to receiving at a first network element a packet of a network transaction from a client over a first network for accessing a server of a datacenter, a layer 2 network process is performed on the packet and a data stream is generated. The data stream is then replicated to a second network element via a layer 2 interconnect link to enable the second network element to perform higher layer processes on the data stream to obtain connection states of the network transaction. In response to a failure of the first network element, the second network element is configured to take over processes of the network transaction from the first network element using the obtained connection states without user interaction of the client. Other methods and apparatuses are also described.

摘要翻译： 本文描述了使用低延迟无损互连链路的冗余应用网络设备。 根据一个实施例，响应于在第一网络元件处接收来自客户端的用于访问数据中心的服务器的来自客户端的网络事务的分组，对分组进行第2层网络处理，并且数据流是 生成。 然后，经由层2互连链路将数据流复制到第二网络元件，以使得第二网络元件能够在数据流上执行更高层次的过程以获得网络事务的连接状态。 响应于第一网络元件的故障，第二网络元件被配置为在没有客户端的用户交互的情况下使用所获得的连接状态从第一网络元件接管网络事务的过程。 还描述了其它方法和装置。

公开(公告)号：US20090063747A1

公开(公告)日：2009-03-05

申请号：US12101874

申请日：2008-04-11

申请人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

发明人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC分类号： G06F13/00

CPC分类号： H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

摘要： An application network appliance having inter-module communication using a universal serial bus (USB) is described herein. According to one embodiment, a network element includes a lossless data transport fabric (LDTF), multiple service modules coupled to each other over the LDTF, and a service control module (SCM) coupled to each of the service modules over the LDTF for routing network data between the SCM and the service modules. The SCM is also coupled to each of the service modules via a universal serial bus (USB) for managing the service modules, where the network element operates as a security gateway to a datacenter having multiple servers. Other methods and apparatuses are also described.

摘要翻译： 本文描述了具有使用通用串行总线（USB）的模块间通信的应用网络设备。 根据一个实施例，网络元件包括无损数据传输结构（LDTF），通过LDTF彼此耦合的多个服务模块以及通过LDTF耦合到每个服务模块的服务控制模块（SCM），用于路由网络 SCM和服务模块之间的数据。 SCM还通过用于管理服务模块的通用串行总线（USB）耦合到每个服务模块，其中网络元件作为具有多个服务器的数据中心的安全网关操作。 还描述了其它方法和装置。

公开(公告)号：US20090063688A1

公开(公告)日：2009-03-05

申请号：US12101860

申请日：2008-04-11

申请人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

发明人： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC分类号： G06F15/16

CPC分类号： H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

摘要： A network element having centralized TCP termination with multi-service chaining is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second and a third service modules coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network for access a server of a data center having multiple servers over a second network, the first service module is configured to terminate a TCP connection of the packets. The TCP terminated packets are transmitted to the second and third service modules over the switch fabric. The second and third service modules are configured to perform different application network services on the TCP terminated packets without having to perform a TCP process again. Other methods and apparatuses are also described.

摘要翻译： 这里描述了具有多服务链接的集中式TCP终止的网络元件。 根据一个实施例，网络元件包括交换结构，耦合到交换结构的第一服务模块，以及通过交换结构耦合到第一服务模块的第二和第三服务模块。 响应于通过第一网络从客户端接收的网络交易的分组，用于通过第二网络访问具有多个服务器的数据中心的服务器，所述第一服务模块被配置为终止分组的TCP连接。 TCP端接的数据包通过交换结构传输到第二和第三服务模块。 第二和第三服务模块被配置为在TCP终止的分组上执行不同的应用网络服务，而不必再次执行TCP进程。 还描述了其它方法和装置。

公开(公告)号：US20130268588A1

公开(公告)日：2013-10-10

申请号：US13438861

申请日：2012-04-04

申请人： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Murali Anantha

发明人： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Murali Anantha

IPC分类号： G06F15/16

CPC分类号： G06F9/45558 ,  G06F2009/45595 ,  H04L12/6418 ,  H04L41/12 ,  H04L49/70 ,  H04L67/10

摘要： A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

摘要翻译： 将分布式虚拟交换机组件的位置感提供到服务提供方案中，以减少在混合云环境中跨网络进行策略评估时观察到的延迟。 第一虚拟网络中的管理应用订阅由第二虚拟网络提供的虚拟网络服务。 将第一消息发送到第二虚拟网络，第一消息包括被配置为启动第二虚拟网络中的虚拟交换机的信息，该第二虚拟网络切换第二虚拟网络中的一个或多个虚拟机的网络流量，所述虚拟机被配置为扩展由 第一个虚拟网络进入第二个虚拟网络。 第二消息被发送到第二虚拟网络，第二消息包括被配置为启动在第二虚拟网络中为一个或多个虚拟机提供网络业务服务的虚拟服务节点的信息。

公开(公告)号：US08516241B2

公开(公告)日：2013-08-20

申请号：US13180678

申请日：2011-07-12

申请人： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Rajesh Kumar Sethuraghavan

发明人： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Rajesh Kumar Sethuraghavan

IPC分类号： H04L1/14 ,  H04L29/08 ,  H04L29/02

CPC分类号： H04L63/0263 ,  G06F9/45558 ,  G06F2009/45587 ,  G06F2009/45595 ,  H04L29/08927 ,  H04L29/08972 ,  H04L49/356 ,  H04L49/70 ,  H04L63/0218 ,  H04L63/0227

摘要： Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

公开(公告)号：US08094560B2

公开(公告)日：2012-01-10

申请号：US12123223

申请日：2008-05-19

申请人： Nagaraj Bagepalli ,  Abhijit Patra

发明人： Nagaraj Bagepalli ,  Abhijit Patra

IPC分类号： H04L12/28 ,  H04L12/56

CPC分类号： H04L45/42 ,  H04L45/38 ,  H04L49/1546 ,  H04L49/254 ,  H04L49/3063 ,  H04L49/351

摘要： Techniques for multi-stage multi-core processing of network packets are described herein. In one embodiment, work units are received within a network element, each work unit representing a packet of different flows to be processed in multiple processing stages. Each work unit is identified by a work unit identifier that uniquely identifies a flow in which the associated packet belongs and a processing stage that the associated packet is to be processed. The work units are then dispatched to multiple core logic, such that packets of different flows can be processed concurrently by multiple core logic and packets of an identical flow in different processing stages can be processed concurrently by multiple core logic, in order to determine whether the packets should be transmitted to one or more application servers of a datacenter. Other methods and apparatuses are also described.

摘要翻译： 本文描述了用于网络分组的多阶段多核处理的技术。 在一个实施例中，工作单元被接收在网络元件内，每个工作单元表示将在多个处理阶段中处理的不同流的分组。 每个工作单元由唯一地标识相关联的分组所属的流程的工作单元标识符和相关联的分组被处理的处理阶段来标识。 然后将工作单元分配到多个核心逻辑，使得可以通过多个核心逻辑并行地处理不同流的分组，并且可以通过多个核心逻辑并行处理不同处理阶段中的相同流的分组，以便确定是否 应将数据包传输到数据中心的一个或多个应用程序服务器。 还描述了其它方法和装置。

公开(公告)号：US20090288135A1

公开(公告)日：2009-11-19

申请号：US12123219

申请日：2008-05-19

申请人： David Chang ,  Prashant Gandhi ,  Abhijit Patra ,  Vijay Sagar

发明人： David Chang ,  Prashant Gandhi ,  Abhijit Patra ,  Vijay Sagar

IPC分类号： G06F17/00

CPC分类号： H04L63/0263 ,  H04L63/20

摘要： Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.

摘要翻译： 本文描述了用于构建和管理用于访问数据中心的资源的网络策略的技术。 在一个实施例中，事件被捕获在与访问数据中心的某些资源的某些活动有关的网络元件内，其中网络元件作为到数据中心的应用服务网关操作。 基于从捕获的事件提取的属性来设置新的规则/策略，其中属性包括用户属性，环境属性和资源属性中的至少一个。 在实时网络流量条件下对新规则/策略进行仿真，生成仿真结果。 如果模拟结果满足预定条件，则新规则/策略被提交，其中新的规则/策略在网络元素内被强制以确定特定客户端是否有资格访问数据中心的特定资源。 还描述了其它方法和装置。

公开(公告)号：US07430208B1

公开(公告)日：2008-09-30

申请号：US10940098

申请日：2004-09-14

申请人： Abhijit Patra ,  Samar Sharma

发明人： Abhijit Patra ,  Samar Sharma

IPC分类号： H04L12/28

CPC分类号： H04L49/253 ,  H04L49/203 ,  H04L49/309 ,  H04L49/606

摘要： An apparatus and method of using same for associating a tag with each packet in an ATM switch to eliminate the need for an OVC table, thus saving both egress processing time and memory resources. The tag includes both a type of switching identifier and a per-logical-interface or per-external-VC information field. A packet received by the egress packet processing engine has associated with it (by the control plane) a frame control word containing a new cell header (NCH) corresponding to the OVC on which the packet was received from the fabric. This NCH contains the tag used to expedite egress processing. In one embodiment of the present invention, the tag value is provided in two fields, a tag type and a tag parameter. The tag type represents a code for different data path applications. The tag parameter takes on multiple values based on the tag type. The present invention efficiently uses the OVC to NCH mapping to map many OVCs to a small set of tags coded within the switch's NCH so that, rather than having to do an extra look-up in the egress engine in a large and non-scaleable OVC table, the egress engine has only to look in a small, fully-scaleable tag table. In fact, in one embodiment, no egress look-up is required at all.

摘要翻译： 一种用于将标签与ATM交换机中的每个分组关联以消除对OVC表的需要的装置和方法，从而节省了出口处理时间和存储资源。 该标签包括一种类型的交换标识符和每个逻辑接口或每个外部VC信息字段。 由出口分组处理引擎接收到的分组已经通过控制平面与控制平面相关联，该帧控制字包含与从组织接收分组的OVC对应的新信元报头（NCH）。 该NCH包含用于加速出口处理的标签。 在本发明的一个实施例中，标签值被提供在两个字段中，标签类型和标签参数。 标签类型代表不同数据路径应用程序的代码。 标签参数根据标签类型占用多个值。 本发明有效地使用OVC到NCH映射以将许多OVC映射到在交换机的NCH内编码的一小组标签，使得不必在大型和不可扩展的OVC中对出口引擎进行额外的查找 表格中，出口引擎只能查看一个小型，完全可扩展的标签表。 实际上，在一个实施例中，根本不需要出口查找。