1. Layer two firewall with active-active high availability support
    Granted patent (in force)

    Publication No.: US07941837B1

    Publication date: 2011-05-10

    Application No.: US11751731

    Filing date: 2007-05-22

    IPC class: G06F9/00

    CPC class: H04L63/0209 H04L63/0236

    Abstract: Techniques are described to enable two or more layer two (L2) firewall devices to be configured as a high availability (HA) cluster in an active-active configuration. A first L2 firewall and a second L2 firewall are positioned within the same L2 network. The first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the L2 network, and concurrently apply L2 firewall services to packets within the L2 network. A VSD of one of the L2 firewalls automatically switches to an active VSD status for a VSD group in place of a VSD of the other L2 firewall when that other L2 firewall fails.
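The VSD-group mechanism in the abstract above, as an added example that is not the patent's or any vendor's code: each VSD group has a primary and a backup member, both firewalls are active for different groups at the same time, and a member that stops answering heartbeats has its active VSDs moved to the surviving member. The heartbeat threshold, the VLAN-to-group assignment and the no-preemption policy are assumptions made here.

```python
"""Active-active HA between two L2 firewalls, modelled as VSD groups (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class VsdGroup:
    group_id: int
    primary: str                  # firewall active for this group while healthy
    backup: str                   # firewall that takes over when the primary fails
    active: Optional[str] = None

    def __post_init__(self) -> None:
        if self.active is None:
            self.active = self.primary


class L2Cluster:
    """Two firewalls in one L2 network. Each VSD group is active on exactly one
    member, so both members service traffic at the same time."""

    def __init__(self, members: List[str], groups: List[VsdGroup], miss_threshold: int = 3) -> None:
        self.groups = {g.group_id: g for g in groups}
        self.alive: Dict[str, bool] = {m: True for m in members}
        self.missed: Dict[str, int] = {m: 0 for m in members}
        self.miss_threshold = miss_threshold

    def group_for(self, vlan: int) -> VsdGroup:
        # Assumption: the VLAN id selects the VSD group (a simple split of the L2 network).
        return self.groups[vlan % len(self.groups)]

    def services_packet(self, firewall: str, vlan: int) -> bool:
        """True if `firewall` must apply L2 firewall services to a frame on `vlan`.
        The other member sees the same frame but leaves it to the active VSD."""
        return self.alive[firewall] and self.group_for(vlan).active == firewall

    def heartbeat_round(self, heard_from: Set[str]) -> List[int]:
        """One heartbeat interval. Members not heard from accumulate misses; at the
        threshold they are declared failed and their active VSDs are moved.
        Returns the ids of the groups that failed over in this round."""
        failed_over: List[int] = []
        for member in list(self.alive):
            if member in heard_from:
                self.missed[member] = 0
                self.alive[member] = True   # assumption: a returning member does not preempt
                continue
            self.missed[member] += 1
            if self.alive[member] and self.missed[member] >= self.miss_threshold:
                self.alive[member] = False
                failed_over.extend(self._fail_over(member))
        return failed_over

    def _fail_over(self, dead: str) -> List[int]:
        moved: List[int] = []
        for g in self.groups.values():
            if g.active != dead:
                continue
            other = g.backup if g.primary == dead else g.primary
            if self.alive.get(other):
                g.active = other
                moved.append(g.group_id)
            # If neither member is alive the group keeps a dead active member: its
            # traffic is not serviced, which is the fail-closed outcome for a firewall.
        return moved

    def active_map(self) -> Dict[int, Optional[str]]:
        return {gid: g.active for gid, g in self.groups.items()}


def demo() -> Dict[str, object]:
    cluster = L2Cluster(
        members=["fw-a", "fw-b"],
        groups=[VsdGroup(0, primary="fw-a", backup="fw-b"),
                VsdGroup(1, primary="fw-b", backup="fw-a")],
    )
    before = cluster.active_map()
    both_active = cluster.services_packet("fw-a", vlan=10) and cluster.services_packet("fw-b", vlan=11)
    moved: List[int] = []
    for _ in range(3):                        # fw-b stops answering heartbeats
        moved += cluster.heartbeat_round({"fw-a"})
    return {"before": before, "both_active": both_active, "moved": moved,
            "after": cluster.active_map(),
            "fw_a_now_services_vlan11": cluster.services_packet("fw-a", vlan=11)}


if __name__ == "__main__":
    print(demo())
```

The usual operational caveat applies to any design of this shape: if only the heartbeat path fails, each member declares the other dead and both promote, so heartbeats are normally carried over more than one link and the promotion is tied to the data-path liveness the abstract describes rather than to a single lost signal.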

2. Packet forwarding using feedback controlled weighted queues dynamically adjusted based on processor utilization
    Granted patent (in force)

    Publication No.: US08208406B1

    Publication date: 2012-06-26

    Application No.: US12111996

    Filing date: 2008-04-30

    IPC class: H04L12/28

    CPC class: H04L47/623

    Abstract: In general, techniques are described for dynamically managing weighted queues. In accordance with the techniques, a network security device comprises a queue management module that assigns each queue of a plurality of queues a quota, desired by a user, of the processing time that a processor of the network security device consumes to service that queue. The queue management module determines, based on the desired quotas, a queue weight for each queue and computes the amount of processing time actually required to process the number of packets defined by each of the queue weights. Based on the computation, the queue management module dynamically adjusts one or more of the weights such that the subsequent amounts of processing time actually required to process the number of packets defined by each of the queue weights more accurately reflect the desired quotas assigned to each of the queues. The network device outputs the number of packets in accordance with the adjusted weights.
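The feedback loop in the abstract above, as an added example (not the patent's or any vendor's code): a queue's weight is the number of packets it may send per scheduling round, the controller compares the processor time each queue actually consumed with the share the operator asked for, and corrects the weights multiplicatively. The gain, the clamps and the per-packet costs in the demo are assumptions; the scenario is the one a firewall cares about, where a queue of expensive packets (deep inspection) would otherwise starve a cheaper queue (management or control traffic) that was given a larger quota.

```python
"""Feedback-controlled weighted queues (added example)."""
from typing import List, Tuple


def adjust_weights(weights: List[int], measured_us: List[float], quotas: List[float],
                   gain: float = 0.5, w_min: int = 1, w_max: int = 4096) -> List[int]:
    """One control step.

    weights     : packets per round currently granted to each queue
    measured_us : processor time actually spent servicing each queue last round
    quotas      : desired fraction of processor time per queue (sums to 1)
    """
    total = sum(measured_us)
    new_weights: List[int] = []
    for w, spent, quota in zip(weights, measured_us, quotas):
        share = spent / total if total > 0 else 0.0
        # Grow the weight of a queue that got less than its quota, shrink one that got
        # more. gain < 1 damps the step so the loop does not oscillate.
        factor = 2.0 if share <= 0.0 else (quota / share) ** gain
        new_weights.append(max(w_min, min(w_max, int(round(w * factor)))))
    return new_weights


def simulate(quotas: List[float], cost_us: List[float], rounds: int = 30,
             initial_weight: int = 8) -> Tuple[List[int], List[float]]:
    """Run the controller against queues whose per-packet cost differs. The cost model
    (time = weight * cost) is a constructed stand-in for the measured processing time.
    Returns the final weights and the processor-time share each queue then receives."""
    weights = [initial_weight] * len(quotas)
    for _ in range(rounds):
        measured = [w * c for w, c in zip(weights, cost_us)]
        weights = adjust_weights(weights, measured, quotas)
    measured = [w * c for w, c in zip(weights, cost_us)]
    total = sum(measured)
    return weights, [m / total for m in measured]


def max_share_error(quotas: List[float], shares: List[float]) -> float:
    return max(abs(q - s) for q, s in zip(quotas, shares))


if __name__ == "__main__":
    # Constructed: control-plane queue, inspection queue, bulk forwarding queue.
    quotas = [0.5, 0.3, 0.2]
    cost = [1.0, 4.0, 2.0]          # assumed microseconds of processor time per packet
    _, naive = simulate(quotas, cost, rounds=0)
    weights, shares = simulate(quotas, cost)
    print("equal weights give shares", [round(s, 3) for s in naive])
    print("after feedback: weights", weights, "shares", [round(s, 3) for s in shares])
```

With equal weights the inspection queue takes well over half the processor although it was given 30%; after the loop settles the shares are within a few percent of the quotas. Integer weights quantise the result, so a real implementation uses a larger weight range (or byte credits) when finer control is needed.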

3. Providing non-interrupt failover using a link aggregation mechanism
    Granted patent (in force)

    Publication No.: US09100329B1

    Publication date: 2015-08-04

    Application No.: US13536419

    Filing date: 2012-06-28

    Abstract: A device receives traffic, identifies an address associated with the traffic, and determines whether the address is associated with an aggregate interface, the aggregate interface being associated with a first port and a second port. The first port corresponds to a first node in a first state, which indicates that the first node is available to forward the traffic, and the second port corresponds to a second node in a second state, which indicates that the second node is not available to forward the traffic. When the address is associated with the aggregate interface, the device transmits the traffic to the first node via the first port and to the second node via the second port. Transmitting the traffic to both nodes enables the second node to forward the traffic when the first node changes from the first state to the second state.

4. Fully integrated switching and routing in a security device
    Granted patent (in force)

    Publication No.: US09021547B1

    Publication date: 2015-04-28

    Application No.: US13333439

    Filing date: 2011-12-21

    IPC class: G06F17/00 G06F7/04 H04L29/06

    Abstract: This disclosure is directed toward an integrated switching and routing security device that provides zone-based security directly between layer two (L2) interfaces of L2 bridge domains and/or layer three (L3) interfaces of L3 routing instances within the security device. The integrated switching and routing security device supports both switching and routing functionality for packets on L2 and L3 interfaces, and supports security within and between L2 bridge domains and L3 routing instances. The integrated switching and routing security device configures L2 security zones for one or more L2 interfaces and configures L3 security zones for one or more L3 interfaces. The integrated switching and routing security device then applies security policies to incoming packets according to the L2 security zones and/or the L3 security zones associated with the incoming interface and the outgoing interface of the packets, to provide end-to-end security within the security device.
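The zone lookup described in the abstract above, as an added example that is not the patent's or any vendor's implementation. Interface names, zones, the MAC table, the routes and the policies are constructed. The point it shows: the zone pair is derived from the ingress interface and from whichever egress interface the L2 (MAC table) or L3 (longest-prefix) lookup selects, so a frame bridged between two ports of the same bridge domain is still policy-checked, which a plain switch would never do, and a routed packet from a WAN interface into the bridge domain's IRB leg is checked the same way.

```python
"""Zone-based policy on a device that both bridges (L2) and routes (L3). Added example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str      # "l2": bridge-domain member, "l3": routing-instance member
    domain: str    # bridge-domain name or routing-instance name
    zone: str


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    proto: str                 # "any" matches every protocol
    dst_port: Optional[int]    # None matches every port
    action: str                # "permit" or "deny"


class SecurityDevice:
    def __init__(self, interfaces: List[Interface]) -> None:
        self.ifaces = {i.name: i for i in interfaces}
        self.mac_table: Dict[Tuple[str, str], str] = {}   # (bridge domain, MAC) -> interface
        self.routes: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}
        self.policies: List[Policy] = []

    def learn_mac(self, bridge_domain: str, mac: str, iface: str) -> None:
        self.mac_table[(bridge_domain, mac)] = iface

    def add_route(self, instance: str, prefix: str, iface: str) -> None:
        self.routes.setdefault(instance, []).append((ipaddress.ip_network(prefix), iface))

    def egress_interface(self, ingress: Interface, pkt: Packet) -> Optional[str]:
        """L2: MAC table of the ingress bridge domain. L3: longest-prefix match in the
        ingress routing instance."""
        if ingress.kind == "l2":
            return self.mac_table.get((ingress.domain, pkt.dst_mac))
        dst = ipaddress.ip_address(pkt.dst_ip)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for prefix, iface in self.routes.get(ingress.domain, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def lookup_policy(self, from_zone: str, to_zone: str, pkt: Packet) -> str:
        """First match wins; no match means deny (fail closed, an assumption here)."""
        for p in self.policies:
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if p.proto not in ("any", pkt.proto):
                continue
            if p.dst_port is not None and p.dst_port != pkt.dst_port:
                continue
            return p.action
        return "deny"

    def process(self, ingress_name: str, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Returns (action, egress interface). An unknown destination is dropped rather
        than flooded: flooding to every port would bypass the zone check."""
        ingress = self.ifaces[ingress_name]
        egress_name = self.egress_interface(ingress, pkt)
        if egress_name is None:
            return "deny", None
        return self.lookup_policy(ingress.zone, self.ifaces[egress_name].zone, pkt), egress_name


def build_demo_device() -> SecurityDevice:
    dev = SecurityDevice([
        Interface("ge-0/0/1", "l2", "bd-vlan10", "users"),
        Interface("ge-0/0/2", "l2", "bd-vlan10", "servers"),
        Interface("ge-0/0/3", "l3", "vr-default", "wan"),
        Interface("irb.10", "l3", "vr-default", "servers"),   # routed leg into the bridge domain
    ])
    dev.learn_mac("bd-vlan10", "00:11:22:33:44:02", "ge-0/0/2")
    dev.add_route("vr-default", "10.10.0.0/24", "irb.10")
    dev.add_route("vr-default", "0.0.0.0/0", "ge-0/0/3")
    dev.policies = [
        Policy("users", "servers", "tcp", 443, "permit"),
        Policy("wan", "servers", "tcp", 443, "permit"),
    ]
    return dev
```

Two things a practitioner checks in such a design are visible here: intra-bridge-domain traffic between different zones is not exempt from policy, and unknown-unicast flooding has to be treated as its own policy decision rather than as a free pass.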

5. Sequencing packets from multiple threads
    Granted patent (in force)

    Publication No.: US08379647B1

    Publication date: 2013-02-19

    Application No.: US11877146

    Filing date: 2007-10-23

    IPC class: H04L12/28 H04L12/56

    CPC class: H04L47/34 H04L45/74

    Abstract: A device may reserve a slot for a received packet in a packet ordering queue (POQ), convey the packet to one of a plurality of threads for processing, obtain the packet from that thread after the packet has been processed, place the packet in the POQ in accordance with the position of the reserved slot, and release the packet from the POQ if the reserved slot is the head of the POQ.
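The POQ from the abstract above, as an added example that is not the patent's or any vendor's code. A slot is reserved in arrival order before the packet is handed to a worker; a finished packet leaves only when its slot is the head of the queue, so the output order equals the arrival order no matter which worker finishes first. The per-packet delays and payloads are constructed; the early packets are deliberately slow so that later ones finish first.

```python
"""Packet ordering queue (POQ) for packets processed by several threads. Added example."""
import threading
import time
from typing import Callable, Dict, List


class PacketOrderingQueue:
    def __init__(self, sink: Callable[[object], None]) -> None:
        self._sink = sink            # receives released packets, in slot order
        self._lock = threading.Lock()
        self._next_slot = 0          # next slot handed out on arrival
        self._head = 0               # slot that must be released next
        self._done: Dict[int, object] = {}   # finished packets blocked by an earlier slot

    def reserve(self) -> int:
        """Called in arrival order, before dispatch; returns the packet's slot."""
        with self._lock:
            slot = self._next_slot
            self._next_slot += 1
            return slot

    def complete(self, slot: int, packet: object) -> int:
        """A worker hands back its processed packet. Everything from the head up to the
        first unfinished slot is released; the sink is called under the lock so two
        workers cannot interleave their releases. Returns how many packets left."""
        with self._lock:
            self._done[slot] = packet
            released = 0
            while self._head in self._done:
                self._sink(self._done.pop(self._head))
                self._head += 1
                released += 1
            return released

    def pending(self) -> int:
        with self._lock:
            return len(self._done)


def process_in_parallel(packets: List[str], delays: List[float]) -> Dict[str, List[str]]:
    """One worker thread per packet; `delays` stands in for variable inspection time.
    Returns the order in which workers finished and the order in which packets left."""
    completed: List[str] = []
    released: List[str] = []
    completed_lock = threading.Lock()
    poq = PacketOrderingQueue(sink=released.append)

    def worker(slot: int, pkt: str, delay: float) -> None:
        time.sleep(delay)
        processed = pkt + "|inspected"
        with completed_lock:
            completed.append(processed)
        poq.complete(slot, processed)

    threads = []
    for pkt, delay in zip(packets, delays):
        slot = poq.reserve()                  # reserve first, then dispatch
        t = threading.Thread(target=worker, args=(slot, pkt, delay))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()
    if poq.pending():
        raise RuntimeError("POQ still holds packets after all workers finished")
    return {"completed": completed, "released": released}


if __name__ == "__main__":
    result = process_in_parallel([f"pkt{i}" for i in range(6)], [0.06, 0.04, 0.01, 0.03, 0.02, 0.0])
    print("workers finished in order:", result["completed"])
    print("packets released in order:", result["released"])
```

The head slot gates everything behind it, so one packet stuck in a slow thread holds every later packet of the queue; a production POQ is bounded and times out or drops a head slot rather than letting the backlog grow without limit.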

6. Decentralized packet dispatch in network devices
    Granted patent (in force)

    Publication No.: US09258277B1

    Publication date: 2016-02-09

    Application No.: US13534095

    Filing date: 2012-06-27

    Abstract: In general, techniques are described for performing decentralized packet dispatch. A network device comprising one or more service processing units (SPUs) and an interface may implement the techniques. The interface receives a packet associated with a session and selects a first one of the SPUs to dispatch the packet, based on first information extracted from the packet. The first one of the SPUs dispatches the packet to a second one of the SPUs based on second information extracted from the packet. The second one of the SPUs performs first-pass processing to configure the network device to perform fast-path processing of the packet, such that the second one of the SPUs applies one or more services to the packet and to subsequent packets associated with the same session, without the first one of the SPUs applying services to the packets.
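The two-stage dispatch from the abstract above, as an added example that is not the patent's or any vendor's code. The interface picks a first SPU from information it can read without any session state (here a hash of the packet's source endpoint, an assumption); that SPU forwards the packet to the session's owner, chosen from a direction-independent session key, and only the owner applies services. The hash, the key choice and the one-rule policy are constructed for the example; what it shows is that the reverse direction of a flow lands on the same owner and takes the fast path instead of triggering a second first-pass somewhere else.

```python
"""Decentralized packet dispatch across service processing units (SPUs). Added example."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def stable_hash(*parts: object) -> int:
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def session_key(pkt: Packet) -> Tuple:
    """Symmetric key: both directions of a flow map to the same tuple."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + tuple(sorted([a, b]))


@dataclass
class SPU:
    index: int
    sessions: Dict[Tuple, Dict] = field(default_factory=dict)
    first_pass_count: int = 0
    fast_path_count: int = 0
    relayed: int = 0                 # packets this SPU only handed on to the owner

    def service(self, key: Tuple, pkt: Packet) -> str:
        sess = self.sessions.get(key)
        if sess is None:
            # First-pass processing: policy lookup and session creation. Assumed
            # policy for the example: only TCP to port 443 is permitted.
            verdict = "permit" if (pkt.proto == "tcp" and pkt.dst_port == 443) else "deny"
            sess = {"verdict": verdict, "packets": 0}
            self.sessions[key] = sess
            self.first_pass_count += 1
        else:
            self.fast_path_count += 1    # session known: no policy lookup again
        sess["packets"] += 1
        return sess["verdict"]


class Device:
    def __init__(self, n_spu: int) -> None:
        self.spus = [SPU(i) for i in range(n_spu)]

    def interface_select(self, pkt: Packet) -> int:
        # Stateless choice made by the ingress interface; it need not be the owner.
        return stable_hash(pkt.src_ip, pkt.src_port) % len(self.spus)

    def owner_select(self, key: Tuple) -> int:
        return stable_hash(*key) % len(self.spus)

    def receive(self, pkt: Packet) -> Dict[str, object]:
        first = self.spus[self.interface_select(pkt)]
        key = session_key(pkt)
        owner = self.spus[self.owner_select(key)]
        if first is not owner:
            first.relayed += 1       # second dispatch stage, no services applied here
        verdict = owner.service(key, pkt)
        return {"first_spu": first.index, "owner_spu": owner.index, "verdict": verdict}


def demo(n_spu: int = 8) -> Dict[str, object]:
    dev = Device(n_spu)
    fwd = Packet("10.0.0.5", "192.0.2.10", 40000, 443, "tcp")
    rev = Packet("192.0.2.10", "10.0.0.5", 443, 40000, "tcp")
    r1, r2, r3 = dev.receive(fwd), dev.receive(rev), dev.receive(fwd)
    owner = dev.spus[r1["owner_spu"]]
    return {
        "same_owner": r1["owner_spu"] == r2["owner_spu"] == r3["owner_spu"],
        "first_pass": owner.first_pass_count,
        "fast_path": owner.fast_path_count,
        "verdicts": [r1["verdict"], r2["verdict"], r3["verdict"]],
        "serviced_elsewhere": sum(s.first_pass_count + s.fast_path_count
                                  for s in dev.spus if s is not owner),
    }


if __name__ == "__main__":
    print(demo())
```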

7. Using a server's capability profile to establish a connection
    Granted patent (in force)

    Publication No.: US08224976B2

    Publication date: 2012-07-17

    Application No.: US12343694

    Filing date: 2008-12-24

    IPC class: G06F15/16

    Abstract: A network device connects between a client and a server. The network device is configured to store information regarding a capability of the server; receive a first message, from the client, intended for the server; obtain the stored information regarding the capability of the server; generate a second message that includes the information regarding the capability of the server; send the second message to the client; receive a third message from the client; and establish, based on the third message, a connection between the client and the server.

8. Feedback control of processor use in virtual systems
    Granted patent (in force)

    Publication No.: US07952999B1

    Publication date: 2011-05-31

    Application No.: US11745707

    Filing date: 2007-05-08

    Applicant: Dongyi Jiang; David Yu

    Inventors: Dongyi Jiang; David Yu

    IPC class: H04L29/02

    CPC class: H04L63/0227 H04L63/20

    Abstract: A device may receive packets for a system and obtain a packet drop rate of the system, a processor utilization rate of the system, and a target processor utilization rate of the system. In addition, the device may determine a target packet drop rate based on the packet drop rate, the processor utilization rate, and the target processor utilization rate. The device may drop a portion of the packets in accordance with the target packet drop rate.
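The controller in the abstract above, as an added example that is not the patent's or any vendor's code. Each control interval the device reads its processor utilization and the current drop rate, compares the utilization with the target, and moves the drop rate toward the value that holds the processor at the target; a second routine turns the rate into per-packet drop decisions. The gain, the step clamp and the load model in the simulation are assumptions. The step clamp is the part worth noticing: a saturated processor reports 100% whether it is slightly or badly overloaded, so the error alone cannot size the correction, and the loop has to creep up until the utilization reading becomes informative again.

```python
"""Feedback control of processor use by dropping a fraction of incoming packets. Added example."""
from typing import Tuple


def next_drop_rate(drop_rate: float, utilization: float, target_utilization: float,
                   gain: float = 0.5, max_step: float = 0.1) -> float:
    """Proportional step: above target -> drop more, below target -> drop less.
    The clamp bounds each step while the utilization reading is saturated at 1.0."""
    error = utilization - target_utilization
    step = max(-max_step, min(max_step, gain * error))
    return min(1.0, max(0.0, drop_rate + step))


class Dropper:
    """Applies a drop rate to a packet stream without randomness: an accumulator
    spreads the drops evenly (at rate 0.25 exactly every fourth packet is dropped)."""

    def __init__(self) -> None:
        self.credit = 0.0

    def should_drop(self, drop_rate: float) -> bool:
        self.credit += drop_rate
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def simulate(offered_pps: float, cost_us: float, target: float, intervals: int = 40) -> Tuple[float, float]:
    """Constructed load model: utilization = accepted packets * per-packet cost, saturating
    at 1.0 (a fully busy processor). Returns (final drop rate, final utilization)."""
    drop = 0.0
    util = 0.0
    for _ in range(intervals):
        accepted = offered_pps * (1.0 - drop)
        util = min(1.0, accepted * cost_us / 1_000_000)
        drop = next_drop_rate(drop, util, target)
    return drop, util


def drops_in(n_packets: int, drop_rate: float) -> int:
    d = Dropper()
    return sum(1 for _ in range(n_packets) if d.should_drop(drop_rate))


if __name__ == "__main__":
    # 300k packets/s offered at 5 us each is 1.5 processors' worth of work; target 70% busy.
    print(simulate(offered_pps=300_000, cost_us=5.0, target=0.7))
    print(drops_in(100, 0.25), "of 100 packets dropped at rate 0.25")
```

For the constructed load the loop settles at a drop rate of 8/15, which is exactly the fraction that leaves 70% of one processor's worth of work. Dropping this early, before the packets reach the expensive service path, is what keeps the device responsive under a flood; the cost is that the drop is indiscriminate, which is why such a controller is normally combined with the per-queue weighting of the previous patent so that control and management traffic are not the packets being shed.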

9. USING A SERVER'S CAPABILITY PROFILE TO ESTABLISH A CONNECTION
    Patent application (in force)

    Publication No.: US20100161741A1

    Publication date: 2010-06-24

    Application No.: US12343694

    Filing date: 2008-12-24

    IPC class: G06F15/16

    Abstract: A network device connects between a client and a server. The network device is configured to store information regarding a capability of the server; receive a first message, from the client, intended for the server; obtain the stored information regarding the capability of the server; generate a second message that includes the information regarding the capability of the server; send the second message to the client; receive a third message from the client; and establish, based on the third message, a connection between the client and the server.
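The three-message exchange shared by entries 7 and 9 above, as an added example that is not the patent's or any vendor's code. The device between client and server has recorded which TCP options the server accepts (its capability profile) and answers the client's SYN itself with exactly those options, so the client never negotiates a capability the server would later refuse; only a valid third message causes the server-side connection to be opened. The segment layout, the way the profile is learned, the keyed-hash initial sequence number (which lets the device check the third message without keeping state per SYN) and the secret are assumptions of this example, not something the abstract states.

```python
"""Answering a client's TCP handshake from a stored server capability profile. Added example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Segment:
    src: Endpoint
    dst: Endpoint
    flags: str                    # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0
    options: Dict[str, int] = field(default_factory=dict)   # e.g. {"mss": 1460, "wscale": 7, "sack": 1}


@dataclass
class ServerProfile:
    mss: int
    wscale: Optional[int]         # None: the server does not use window scaling
    sack: bool

    @classmethod
    def learn(cls, server_synack: Segment) -> "ServerProfile":
        """Assumed learning path: record the options from a SYN-ACK the server sent earlier."""
        o = server_synack.options
        return cls(mss=o.get("mss", 536), wscale=o.get("wscale"), sack=bool(o.get("sack", 0)))

    def as_options(self) -> Dict[str, int]:
        opts = {"mss": self.mss}
        if self.wscale is not None:
            opts["wscale"] = self.wscale
        if self.sack:
            opts["sack"] = 1
        return opts


class HandshakeProxy:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.profiles: Dict[Endpoint, ServerProfile] = {}
        self.established: List[Tuple[Endpoint, Endpoint]] = []

    def _isn(self, client: Endpoint, server: Endpoint) -> int:
        # Keyed hash of the 4-tuple (SYN-cookie style); masked to 31 bits so isn+1 fits.
        msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]
        return int.from_bytes(digest, "big") & 0x7FFFFFFF

    def on_client_syn(self, syn: Segment) -> Optional[Segment]:
        """First message in, second message out: a SYN-ACK carrying the server's
        stored capabilities, trimmed to what the client itself offered."""
        profile = self.profiles.get(syn.dst)
        if profile is None:
            return None                     # no profile: nothing to answer on the server's behalf
        offered = profile.as_options()
        offered["mss"] = min(offered["mss"], syn.options.get("mss", offered["mss"]))
        if "wscale" not in syn.options:
            offered.pop("wscale", None)
        if not syn.options.get("sack"):
            offered.pop("sack", None)
        return Segment(syn.dst, syn.src, "SYN-ACK", seq=self._isn(syn.src, syn.dst),
                       ack=syn.seq + 1, options=offered)

    def on_client_ack(self, ack: Segment) -> Optional[Segment]:
        """Third message: only if it acknowledges the ISN derived for this 4-tuple does
        the device open the server-side connection, with the same options."""
        profile = self.profiles.get(ack.dst)
        if profile is None or ack.flags != "ACK" or ack.ack != self._isn(ack.src, ack.dst) + 1:
            return None                     # forged, replayed or stray: the server never sees it
        self.established.append((ack.src, ack.dst))
        return Segment(ack.src, ack.dst, "SYN", seq=ack.seq, options=profile.as_options())


def demo() -> Dict[str, object]:
    proxy = HandshakeProxy(secret=b"constructed-secret")
    server, client = ("192.0.2.10", 443), ("203.0.113.7", 51000)
    # Profile learned from a SYN-ACK the server sent earlier: MSS 1400, no window scaling, SACK.
    proxy.profiles[server] = ServerProfile.learn(
        Segment(server, ("198.51.100.1", 1234), "SYN-ACK", seq=1, ack=2, options={"mss": 1400, "sack": 1}))
    syn = Segment(client, server, "SYN", seq=1000, options={"mss": 1460, "wscale": 7, "sack": 1})
    synack = proxy.on_client_syn(syn)
    bad_ack = Segment(client, server, "ACK", seq=1001, ack=synack.seq + 2)
    good_ack = Segment(client, server, "ACK", seq=1001, ack=synack.seq + 1)
    rejected = proxy.on_client_ack(bad_ack)
    server_syn = proxy.on_client_ack(good_ack)
    return {"offered": synack.options, "bad_ack_rejected": rejected is None,
            "server_syn_options": server_syn.options, "established": len(proxy.established)}


if __name__ == "__main__":
    print(demo())
```

The profile is only as good as its freshness: if the server is reconfigured (window scaling turned off, a smaller MSS), the device keeps offering options the server no longer accepts until the profile is re-learned, so a deployment re-learns it on every server-side handshake it observes rather than once.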

10. Traffic cut-through within network device having multiple virtual network devices
    Granted patent (in force)

    Publication No.: US08953599B1

    Publication date: 2015-02-10

    Application No.: US13539120

    Filing date: 2012-06-29

    IPC class: H04L12/28 H04L12/751

    Abstract: In general, techniques are described for providing a direct forwarding path between virtual routers within a single virtualized routing system. In one example, a method includes combining forwarding information from a plurality of virtual routers into collapsed forwarding information that comprises one or more direct forwarding paths between the respective virtual routers. The method also includes determining, in response to receiving a network packet at an ingress interface of a first virtual router, a direct forwarding path to an egress interface of a second virtual router. The method also includes forwarding the network packet from the ingress interface of the first virtual router to the egress interface of the second virtual router using the direct forwarding path, wherein the network packet traverses a switch fabric directly from the ingress interface of the first virtual router to the egress interface of the second virtual router.
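The collapsing step from the abstract above, as an added example that is not the patent's or any vendor's code. Two virtual routers in one chassis are chained: vr-a hands everything for 10.0.0.0/8 to vr-b, and vr-b knows the real egress ports. The collapsed table for vr-a resolves such hand-offs at build time, restricting vr-b's routes to the overlap with the hand-off prefix, so a packet entering vr-a reaches vr-b's egress port after one lookup instead of being looped through vr-b's own lookup. Prefixes and interface names are constructed, and the loop check is an added safeguard.

```python
"""Collapsing forwarding information across virtual routers (VRs). Added example."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    egress: Optional[str]      # physical egress interface, or None when handed to another VR
    next_vr: Optional[str]     # VR that continues the lookup when egress is None


def route(prefix: str, egress: Optional[str] = None, next_vr: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), egress, next_vr)


def lpm(table: List[Route], dst: str) -> Optional[Route]:
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def _resolve(prefix: ipaddress.IPv4Network, vr: str, vrs: Dict[str, List[Route]],
             visited: Set[str]) -> List[Route]:
    """Replace 'hand `prefix` to VR x' with x's own routes restricted to `prefix`."""
    if vr in visited:
        raise ValueError(f"forwarding loop through virtual router {vr}")
    out: List[Route] = []
    for r in vrs[vr]:
        if r.prefix.subnet_of(prefix):          # x's route is inside the hand-off prefix
            overlap = r.prefix
        elif prefix.subnet_of(r.prefix):        # x's route covers the whole hand-off prefix
            overlap = prefix
        else:
            continue                            # disjoint: x's route cannot apply
        if r.egress is not None:
            out.append(Route(overlap, r.egress, None))
        else:
            out.extend(_resolve(overlap, r.next_vr, vrs, visited | {vr}))
    return out


def collapse(vrs: Dict[str, List[Route]]) -> Dict[str, List[Route]]:
    """Build per-VR tables in which every entry names a physical egress interface."""
    collapsed: Dict[str, List[Route]] = {}
    for name, table in vrs.items():
        direct: List[Route] = []
        for r in table:
            if r.egress is not None:
                direct.append(r)
            else:
                direct.extend(_resolve(r.prefix, r.next_vr, vrs, {name}))
        collapsed[name] = direct
    return collapsed


def forward_hop_by_hop(vrs: Dict[str, List[Route]], ingress_vr: str, dst: str) -> Tuple[Optional[str], int]:
    """Uncollapsed behaviour: one lookup per VR traversed."""
    lookups, vr, seen = 0, ingress_vr, set()
    while vr not in seen:
        seen.add(vr)
        lookups += 1
        r = lpm(vrs[vr], dst)
        if r is None or r.egress is not None:
            return (r.egress if r else None), lookups
        vr = r.next_vr
    raise ValueError(f"forwarding loop through virtual router {vr}")


def forward_direct(collapsed: Dict[str, List[Route]], ingress_vr: str, dst: str) -> Tuple[Optional[str], int]:
    """Collapsed behaviour: a single lookup yields the egress interface."""
    r = lpm(collapsed[ingress_vr], dst)
    return (r.egress if r else None), 1


# Constructed topology: vr-a hands 10/8 to vr-b, which owns the more specific routes.
DEMO_VRS: Dict[str, List[Route]] = {
    "vr-a": [route("10.0.0.0/8", next_vr="vr-b"), route("0.0.0.0/0", egress="ge-0/0/0")],
    "vr-b": [route("10.0.0.0/8", egress="ge-0/0/3"), route("10.1.0.0/16", egress="ge-0/0/4"),
             route("172.16.0.0/12", egress="ge-0/0/5")],
}


if __name__ == "__main__":
    collapsed = collapse(DEMO_VRS)
    for name, table in collapsed.items():
        print(name, [(str(r.prefix), r.egress) for r in table])
    for dst in ("10.1.2.3", "10.9.9.9", "192.0.2.1"):
        print(dst, forward_hop_by_hop(DEMO_VRS, "vr-a", dst), "->", forward_direct(collapsed, "vr-a", dst))
```

The caveat for a security device is that a VR boundary is often also a policy boundary: whatever filtering the hand-off between vr-a and vr-b used to trigger has to be attached to the collapsed entries, or the cut-through path silently skips it.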