Abstract:
A method and system for graphically representing relationships between a plurality of filter rules in a computer system is disclosed. The computer system includes a display. Each of the plurality of filter rules has a priority. The method and system include allowing entry of at least one filter rule of the plurality of filter rules and providing a graphical display of a first portion of the plurality of filter rules on the display. Each of the first portion of the plurality of filter rules is displayed hierarchically based on the priority of each of the first portion of the plurality of filter rules. If the first portion of the plurality of filter rules includes a plurality of intersecting filter rules, then the plurality of intersecting filter rules is displayed in the graphical display to indicate at least one intersection of at least one higher priority filter rule and at least one lower priority filter rule and to indicate that the at least one higher priority filter rule dominates the at least one lower priority filter rule.
Abstract:
A network switch as well as methods, systems and computer program products for controlling congestion at a granularity of less than a link are provided. Such finer granularity may be provided by pausing traffic at a source port level of a network switch. The network switch which transmitted a message which resulted in congestion being detected is notified of the congestion and pauses the communications from the source port of the message while maintaining communications over the link from other source ports. Such source port level congestion control may be provided by a network switch having a sub-queue of its output queues where each sub-queue corresponds to an input port. Source port level pausing of transmissions may then be provided by pausing the sub-queue associated with a source port.
Abstract:
A system and method for retrieving information in a distributed table by partitioning a search key. A packet processor may generate a search key for a received packet of data. The packet processor may partition the search key into a plurality of segments where the length of each segment corresponds to a size of a particular layer of a table. The packet processor may read a particular entry in a particular layer, e.g., the first layer, of the table using a value of the segment, e.g., the first segment, associated with that layer. A determination may be made to determine if the particular entry read stores a pointer that points to the next level of the table. If so, then the packet processor may read a particular entry in the next level of the table using the value of the next segment of the plurality of segments.
Abstract:
A method for dynamically adjusting the flow rate of a plurality of logical pipes that share a common output queue. In accordance with the method of the present invention, a minimum flow rate and a maximum flow rate are set for each of the pipes. Next a determination is made of whether or not excess queue bandwidth exists in accordance with the output flow rate of the shared queue. The determination of whether or not excess bandwidth exists comprises comparing the output flow rate of the shared queue with a pre-determined threshold queue output value. An instantaneous excess bandwidth signal has a value of 1 if there is excess bandwidth and is otherwise 0 if there is no excess bandwidth. In an alternate embodiment, the instantaneous excess bandwidth signal for a particular pipe is logically ANDed with one or more additional excess bandwidth signals to form a composite instantaneous excess bandwidth signal. In response to the existence of excess queue bandwidth, a flow rate of a pipe is linearly increased while in response to a lack of excess queue bandwidth, the flow rate of the pipe is exponentially decreased.
Abstract:
A system for minimizing congestion in a communication system is disclosed. The system comprises at least one ingress system for providing data. The ingress system includes a first free queue and a first flow queue. The system also includes a first congestion adjustment module for receiving congestion indications from the free queue and the flow queue. The first congestion adjustment module generates and stores transmit probabilities and performs per packet flow control actions. The system further includes a switch fabric for receiving data from the ingress system and for providing a congestion indication to the ingress system. The system further includes at least one egress system for receiving the data from the switch fabric. The egress system includes a second free queue and a second flow queue. The system also includes a second congestion adjustment module for receiving congestion indications from the second free queue and the second flow queue. The second congestion adjustment module generates and stores transmit probabilities and performs per packet flow control actions. Finally, the system includes a scheduler for determining the order and timing of transmission of packets out the egress system and to another node or destination. A method and system in accordance with the present invention provides for a unified method and system for logical connection of congestion with the appropriate flow control responses. The method and system utilizes congestion indicators within the ingress system, egress system, and the switch fabric in conjunction with a coarse adjustment system and fine adjustment system within the ingress device and the egress device to intelligently manage the system.
Abstract:
A method and system for testing a plurality of filter rules in a computer system is disclosed. The plurality of filter rules is used with a key. Each of the plurality of filter rules is capable of being described using a plurality of bits corresponding to a portion of the key. The plurality of bits can include at least one binary value, at least one wildcard, and at least one boundary symbol. The at least one binary value can be a zero or a one. The method and system include selecting a portion of the plurality of filter rules that the key can match by testing part of the key against a portion of the plurality of bits and explicitly testing the key against the portion of the plurality of filter rules. A first bit of the portion of the plurality of bits has a first maximum number of the at least one binary symbol for the plurality of filter rules. Each subsequent bit of the portion of the plurality of bits has a second maximum number of the at least one binary symbol for a plurality of remaining bits and is selected based on testing of a prior bit. Preferably, the portion of the plurality of bits is tested using a decision tree which includes nodes corresponding to a second portion of the plurality of bits.
Abstract:
A method of flow control for Available Bit Rate (ABR) sources in an Asynchronous Transfer Mode (ATM) network is implemented. An effective rate for the source is determined by an ATM switch based on a critically damped second order system. The effective rate is damped toward a share value that is based on the source queue length, a target queue length, and the actual cell rates of the connected ABR sources sending traffic through the ATM switch. The resulting feedback loop ensures that the source queue length will not exceed the target queue length.
Abstract:
A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limited at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router. The rate limit can be a limit on a number of e-mails per unit of time from the source that will be forwarded from the firewall or router to the mail server.
Abstract:
A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.
Abstract:
A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.