Abstract:
The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria.
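The second scheme in the abstract (a rule as an ordered string of match states, checked against a list of states produced beforehand by a header matcher and a content matcher, with offset and depth criteria on the content states) can be modelled in a few dozen lines. The Python below is an added example, not code from the patent; the header criteria, content patterns, rule definitions and sample packets are all constructed.

```python
"""Added example (not the patent's own design): rules defined as ordered strings of
match states, evaluated over the list of states that header matching and content
matching have already produced, including offset/depth checks on content states."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MatchState:
    name: str
    offset: Optional[int] = None   # start of the content match (None for header states)
    depth: Optional[int] = None    # end of the content match


@dataclass(frozen=True)
class Step:
    """One node of the rule: the required state plus optional offset/depth criteria."""
    state: str
    min_offset: Optional[int] = None
    max_depth: Optional[int] = None


# Constructed header criteria, content patterns and rules.
HEADER_CRITERIA: Dict[str, dict] = {"HDR_TCP_80": {"proto": "tcp", "dst_port": 80}}
CONTENT_PATTERNS: Dict[str, bytes] = {"CONTENT_GET": b"GET "}
RULES: Dict[str, List[Step]] = {
    # "GET " must open an HTTP-port payload: match at offset 0, ending no deeper than byte 4
    "http-request": [Step("HDR_TCP_80"), Step("CONTENT_GET", min_offset=0, max_depth=4)],
}


def header_match_states(header: dict) -> List[MatchState]:
    """Location-based matching: one state per header criterion the packet satisfies."""
    return [MatchState(name) for name, crit in HEADER_CRITERIA.items()
            if all(header.get(k) == v for k, v in crit.items())]


def content_match_states(payload: bytes) -> List[MatchState]:
    """Content-based matching: every occurrence of every pattern, with its start
    (offset) and end (depth) recorded on the state."""
    states = []
    for name, pat in CONTENT_PATTERNS.items():
        pos = payload.find(pat)
        while pos != -1:
            states.append(MatchState(name, pos, pos + len(pat)))
            pos = payload.find(pat, pos + 1)
    return sorted(states, key=lambda s: s.offset)


def rule_matches(rule: List[Step], states: List[MatchState]) -> bool:
    """Walk the rule's states in order through the state list: each step must be
    satisfied by a state later than the one that satisfied the previous step, and
    a content state must also meet the step's offset/depth criteria."""
    pos = 0
    for step in rule:
        for i in range(pos, len(states)):
            s = states[i]
            if s.name != step.state:
                continue
            if step.min_offset is not None and (s.offset is None or s.offset < step.min_offset):
                continue
            if step.max_depth is not None and (s.depth is None or s.depth > step.max_depth):
                continue
            pos = i + 1
            break
        else:
            return False
    return True


def inspect(header: dict, payload: bytes) -> List[str]:
    """Names of the rules satisfied by a packet's header and payload."""
    states = header_match_states(header) + content_match_states(payload)
    return [name for name, rule in RULES.items() if rule_matches(rule, states)]
```

The false-positive reduction the abstract describes shows up in the third case of the usage: a "GET " that occurs deep inside a payload on the HTTP port produces a content state, but its depth exceeds the rule's criterion, so the rule does not fire, just as it does not fire for the same payload on a non-HTTP port, where no header state is generated.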
Abstract:
A content addressable memory stores entries each comprising a rule and as part of the entry a mask identifying all the entities to which the rule is applicable. A search pattern of data and a bit mask identifying the actual entity (or entities) associated with the data is applied as a search word along with a comparison mask that excludes all the other entities from the comparison of the search word with the entry. The CAM can thereby store efficiently in a single entry a rule that may be applicable to some but not all of a multiplicity of entities such as possible ingress ports of a network unit.
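The masking trick the abstract describes (a stored per-entry applicability mask, a one-hot search bit for the actual ingress port, and a comparison mask that drops every other port bit) can be modelled in software to see why a single entry suffices for a rule that applies to several ports. The Python below is an added example, not the patent's design; the 8-port unit, the 16-bit data field and the sample entries are constructed.

```python
"""Added example (not the patent's own design): a software model of a CAM whose
entries carry a port-applicability mask, so one entry serves several ingress ports."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NUM_PORTS = 8          # constructed: one applicability bit per ingress port
DATA_BITS = 16         # constructed: width of the rule's data field


@dataclass(frozen=True)
class CamEntry:
    data: int          # value the data field must equal (e.g. a TCP destination port)
    port_mask: int     # bit i set => this rule applies to packets arriving on port i
    action: str

    def stored_word(self) -> int:
        """Entry as laid out in the CAM: data field followed by the port-mask field."""
        return (self.data << NUM_PORTS) | self.port_mask


def search_word(data: int, ingress_port: int) -> Tuple[int, int]:
    """Build the search word (data plus a one-hot bit for the actual ingress port)
    and the comparison mask, which keeps every data bit but only the ingress
    port's bit, so the other ports' applicability bits are excluded from the compare."""
    port_bit = 1 << ingress_port
    word = (data << NUM_PORTS) | port_bit
    cmp_mask = (((1 << DATA_BITS) - 1) << NUM_PORTS) | port_bit
    return word, cmp_mask


def cam_lookup(entries: List[CamEntry], data: int,
               ingress_port: int) -> Optional[Tuple[int, str]]:
    """Return (index, action) of the first matching entry, mimicking a CAM's
    lowest-address-wins priority, or None when nothing matches."""
    word, cmp_mask = search_word(data, ingress_port)
    for idx, entry in enumerate(entries):
        if (entry.stored_word() & cmp_mask) == (word & cmp_mask):
            return idx, entry.action
    return None


# Constructed table: telnet (23) is dropped on ingress ports 1 and 2 only and
# permitted on every other port. Without the mask the first rule would need
# one entry per port it applies to.
ENTRIES = [
    CamEntry(data=23, port_mask=0b00000110, action="drop"),
    CamEntry(data=23, port_mask=0b11111111, action="permit"),
]

if __name__ == "__main__":
    for port in (1, 2, 5):
        print(port, cam_lookup(ENTRIES, 23, port))
```

The comparison succeeds exactly when the data fields are equal and the ingress port's bit is set in the entry's mask; bits for ports the packet did not arrive on never take part in the compare, which is what lets the stored mask hold several ports at once.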
Abstract:
A cascade system of network units includes forwarding units which have external ports, a communication fabric connecting the units and at least one processing unit which needs no forwarding database. The processing unit may perform a security operation such as intrusion prevention or encryption. Each forwarding unit on receipt of a packet performs a look-up to determine an egress port, to determine whether the packet must be diverted to a processing unit, to provide the packet with a first forwarding instruction identifying the egress port uniquely within the system and a second forwarding instruction identifying a diversion port by which the packet can reach the processing unit and to set an order field which determines which of the forwarding instructions shall be performed first. The processing unit is operative on receipt of the packet by way of the diversion port to change the order field to specify that the packet should now be sent to the egress port.
Abstract:
A rules engine for the examination of selected fields in an addressed data packet has an access control list table of which the entries each define an access control list rule, an action and a chain identifier. The access control list rule may be a basic rule which refers to network addresses and transport layer port numbers. The rules engine also has an extension rule table of which the entries each define an extension rule, a respective action and a respective rule identifier. The extension rule may refer to a particular TCP flag. When a packet arrives, the engine searches both tables. This search is made independently of the ordinary network layer or link layer address lookup. If there is a match in both tables, and the chain identifier matches the extension rule identifier, the rules engine prescribes the action associated with the extension rule. If the chain identifier of a matched access control list rule does not match a rule identifier of a matched extension rule the rules engine prescribes the action associated with the basic rule. In the absence of a match with any access control list rule the action on a packet is based on the result from the ordinary address lookup.
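The decision procedure in the abstract (search both tables independently; prefer the extension action only when the matched ACL rule's chain identifier equals the matched extension rule's identifier; otherwise the basic action; and the address-lookup result when no ACL rule matches) is short enough to write out completely. The Python below is an added example, not the patent's implementation; the packet fields, the two tables and the action names are constructed.

```python
"""Added example (not the patent's own implementation): a rules engine that searches
an ACL table and an extension-rule table independently and chains them by identifier."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    tcp_flags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AclRule:
    """Basic rule on network addresses and transport ports; None means wildcard."""
    action: str
    chain_id: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        for name in ("src_ip", "dst_ip", "proto", "src_port", "dst_port"):
            want = getattr(self, name)
            if want is not None and want != getattr(pkt, name):
                return False
        return True


@dataclass(frozen=True)
class ExtRule:
    """Extension rule on a single TCP flag, carrying the identifier ACL rules chain to."""
    flag: str
    action: str
    rule_id: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == "tcp" and self.flag in pkt.tcp_flags


def classify(pkt: Packet, acl_table: List[AclRule], ext_table: List[ExtRule],
             lookup_action: str) -> str:
    """Both tables are searched independently of the address lookup; the lookup's
    result (lookup_action) is used only when no ACL rule matches at all."""
    acl_hit = next((r for r in acl_table if r.matches(pkt)), None)
    ext_hit = next((r for r in ext_table if r.matches(pkt)), None)
    if acl_hit is None:
        return lookup_action
    if ext_hit is not None and acl_hit.chain_id == ext_hit.rule_id:
        return ext_hit.action          # chain identifier matches: extension action wins
    return acl_hit.action              # no chained extension matched: basic action


# Constructed tables: telnet is permitted except for new connections (SYN set);
# SMTP is chained to identifier 9, which no extension rule carries, so the SYN
# extension rule cannot override its basic action.
ACL_TABLE = [
    AclRule(action="permit", chain_id=7, proto="tcp", dst_port=23),
    AclRule(action="permit", chain_id=9, proto="tcp", dst_port=25),
]
EXT_TABLE = [ExtRule(flag="SYN", action="drop", rule_id=7)]


def decide(dst_port: int, flags: FrozenSet[str]) -> str:
    """Classify a constructed TCP packet to dst_port with the given flags."""
    pkt = Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, dst_port, flags)
    return classify(pkt, ACL_TABLE, EXT_TABLE, lookup_action="forward")
```

The three branches of the abstract correspond to the three outcomes of `decide`: a SYN to port 23 takes the extension action, a SYN to port 25 keeps the basic action because the chain identifier does not match, and a packet matching no ACL rule falls through to the address-lookup result.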
Abstract:
A network stack includes a plurality of network units each of which includes a multiplicity of ports for receiving and forwarding addressed data packets, at least two cascade ports and a switching engine for forwarding received packets to at least one port in accordance with address data in the packets and a cascade connection including, for each of two opposite directions around the stack, at least one unidirectional path for data packets composed of links each between a respective cascade port on a network unit and a corresponding cascade port on the next network unit.
Abstract:
In one embodiment, a method is described for detecting an operational failure between the network unit and an adjacent network unit in the stack; controlling the switching engine to redirect packets which would otherwise be sent from a particular port to the adjacent network unit to be forwarded from another port to be sent to a different network unit in the stack; and entering the switching engine into a bypass mode in response to control data indicating an operational failure between at least two other network units in the stack to cause packets to be forwarded without being re-directed by the switching engine.
Abstract:
A multi-port network unit for use in a cascade system of network units sends from a cascade port a packet including a special header having a source port ID, a destination port ID and a ‘destination port known’ field. The port IDs identify both a unit and a port within a unit. A routing database is set up, optionally by a discovery protocol, in terms of ports and either destination units (within the cascade) or source units (within the cascade). The database includes a mesh table, indicating from which cascade port a packet with a known destination port ID should be forwarded, without needing a fresh look-up. The database also includes a multicast exclusion table which allows ingress of packets with source unit IDs matched to an ingress port. The scheme allows a general mesh type of cascade while dynamically preventing closed loops.
Abstract:
Cascade control logic for use in a switch or other network unit that can be used in a cascaded stack can normally maintain a point-to-point half-duplex connection for control data with each of the next preceding and next succeeding units in the cascade. Each cascade logic device is organised so that for one direction, conveniently called the up direction, a device is a master and in the other direction the device is a slave in respect of the control path. A control device will generate master control frames in the up direction and deliver slave control frames in the down direction. The control device is organised so that, in the absence of reception of valid control frames on a control link, control data which would otherwise be sent out on that link is looped back within the control device. In this manner the control device can maintain under normal circumstances two virtual control channels which can ‘self-heal’ notwithstanding the failure or powering-down of a unit in the cascade. Status information represented by the control frames can be used to control a switching engine to provide self-healing of the data path in the cascade.