1. Local area network switch using control plane packet mirroring to support multiple network traffic analysis devices
    Type: Granted invention patent
    Status: In force

    Publication number: US07626938B1

    Publication date: 2009-12-01

    Application number: US11094980

    Filing date: 2005-03-31

    IPC classification: G01R31/00

    Abstract: An Ethernet network device includes a port logic module that is associated with a device port of the Ethernet network device. A packet processing module includes an ingress processing module that receives an incoming packet and that generates a control traffic tag. An ingress command execution module receives the incoming packet and the control traffic tag, generates a duplicate packet that is identical to the incoming packet, and generates a device interface code that identifies the port logic module based on the control traffic tag. A control traffic routing module receives the duplicate packet and the device interface code and forwards the duplicate packet to the port logic module. A network traffic analysis device receives the duplicate packet. The port logic module replaces a first destination header of the duplicate packet with a second destination header that is identical to a destination header of the incoming packet.


2. Efficient host-controller address learning in ethernet switches
    Type: Granted invention patent
    Status: In force

    Publication number: US07826452B1

    Publication date: 2010-11-02

    Application number: US10761879

    Filing date: 2004-01-21

    IPC classification: H04L12/28

    CPC classification: H04L45/74 H04L49/35

    Abstract: A method, apparatus, and computer-readable media for a switch comprising a plurality of network ports and a central processing unit (CPU) interface comprises receiving, on one of the network ports, a packet comprising a source media access control (MAC) address; sending, to the CPU interface, a request to approve an association between the one of the network ports and the source MAC address when no request to approve the association between the one of the network ports and the source MAC address has been sent to the CPU interface; and sending, to the CPU interface, the request to approve the association between the one of the network ports and the source MAC address when an association between the source MAC address and a different one of the network ports has been approved.


3. Secure automatic learning in ethernet bridges
    Type: Granted invention patent
    Status: In force

    Publication number: US07796590B1

    Publication date: 2010-09-14

    Application number: US11346089

    Filing date: 2006-02-01

    IPC classification: H04L12/54

    Abstract: A method of managing network traffic. The method includes initializing a database in communication with a network device. The database includes a number of MAC address entries and a network flooding entry associated with each of the number of MAC address entries. Each of the number of MAC address entries is associated with a station known to the network. The method also includes receiving network traffic at the network device. The network traffic is associated with a MAC source address. The method further includes determining whether the MAC source address is included in the database, automatically learning a location associated with the MAC source address, and forwarding the network traffic over the network if the MAC source address is included in the database. Additionally, the method includes dropping or trapping the network traffic if the MAC source address is not included in the database. Dropping the network traffic is performed without interaction with a CPU.


4. Efficient host-controller address learning in ethernet switches
    Type: Granted invention patent
    Status: In force

    Publication number: US08472445B1

    Publication date: 2013-06-25

    Application number: US12917405

    Filing date: 2010-11-01

    IPC classification: H04L12/28

    CPC classification: H04L45/74 H04L49/35

    Abstract: A network switch including a port, a memory, and a controller. The port has a port identifier and receives a packet (including an address of the source device) transmitted from a source device to the network switch. The memory is configured to store entries, each entry including (i) an identifier of a port of the network switch and (ii) an address of a network device. The controller is configured to (i) determine whether the address of the source device and the port identifier of the packet are stored in the memory and (ii) send a message to a processor requesting approval of the packet. The controller is configured to send the message when (i) the address of the source device is not stored in the memory or (ii) the port identifier of the packet is not stored with the address of the source device as one of the entries.


5. IPv4, IPv6, and ARP spoofing protection method
    Type: Granted invention patent
    Status: In force

    Publication number: US08804729B1

    Publication date: 2014-08-12

    Application number: US11357630

    Filing date: 2006-02-16

    IPC classification: H04L9/32 H04L29/06

    CPC classification: H04L63/1466

    Abstract: A method of detecting address spoofing includes receiving an ARP packet at a network device. The ARP packet includes a first address associated with a first network layer and a second address associated with a second network layer. The method also includes accessing a first memory searchable by the first address to obtain a memory reference and retrieving a third address associated with the second network layer from a second memory using the memory reference. The method further includes comparing the second address with the third address and detecting address spoofing if a match is not present between the second address and the third address.


6. Switching apparatus and method based on virtual interfaces
    Type: Granted invention patent
    Status: In force

    Publication number: US08625594B2

    Publication date: 2014-01-07

    Application number: US12938116

    Filing date: 2010-11-02

    IPC classification: H04L12/28

    Abstract: A network device comprises a plurality of physical ports, and a packet processing pipeline coupled to the plurality of physical ports. The packet processing pipeline is configured to assign a virtual port from a plurality of virtual ports to a packet received via one of the physical ports, wherein a quantity of the plurality of virtual ports is larger than a quantity of the plurality of physical ports, and wherein, for each of at least some of the physical ports, multiple virtual ports correspond to one physical port. The packet processing pipeline is also configured to assign a virtual domain from a plurality of virtual domains to the packet based on the assigned virtual port, and process the packet based on one or more of i) the assigned virtual port, ii) the assigned virtual domain, and iii) a header field of the packet, including determining zero, one, or more physical ports to which the packet is to be forwarded.


7. Preventing denial-of-service attacks employing broadcast packets
    Type: Granted invention patent
    Status: In force

    Publication number: US08830997B1

    Publication date: 2014-09-09

    Application number: US12917417

    Filing date: 2010-11-01

    IPC classification: H04L12/28

    Abstract: A network device including a processor having an internet protocol (IP) address, and a processor port configured to communicate exclusively with the processor. The network device also includes a plurality of network ports configured to communicate with network nodes external to the network device. In addition, the network device includes a forwarding engine configured to selectively transfer packets (i) among the plurality of network ports, and (ii) between the processor port and the plurality of network ports; receive a broadcast packet from one of the plurality of network ports, the broadcast packet including a target IP address; and forward the broadcast packet to the processor, via the processor port, only when both (i) the broadcast packet is a control packet, and (ii) the target IP address of the broadcast packet matches the IP address of the processor.


8. Rate limiting per-flow of traffic to CPU on network switching and routing devices
    Type: Granted invention patent
    Status: In force

    Publication number: US08255515B1

    Publication date: 2012-08-28

    Application number: US11334184

    Filing date: 2006-01-17

    IPC classification: G06F15/173 G08B23/00

    CPC classification: H04L47/24

    Abstract: A network device for use in a networking system. The network device includes a packet processor adapted to receive control packets at a network port of the network device. The packet processor is also adapted to assign a CPU code to the control packets. The network device also includes a CPU in communication with the packet processor and a lookup table indexed by the CPU code and in communication with the packet processor. According to embodiments of the present invention, one or more entries in the lookup table define a rate limit in accordance with which packets characterized by the CPU code are delivered from the packet processor to the CPU.


9. Switching Apparatus and Method Based on Virtual Interfaces
    Type: Published invention application
    Status: In force

    Publication number: US20110134925A1

    Publication date: 2011-06-09

    Application number: US12938116

    Filing date: 2010-11-02

    IPC classification: H04L12/28

    Abstract: A network device comprises a plurality of physical ports, and a packet processing pipeline coupled to the plurality of physical ports. The packet processing pipeline is configured to assign a virtual port from a plurality of virtual ports to a packet received via one of the physical ports, wherein a quantity of the plurality of virtual ports is larger than a quantity of the plurality of physical ports, and wherein, for each of at least some of the physical ports, multiple virtual ports correspond to one physical port. The packet processing pipeline is also configured to assign a virtual domain from a plurality of virtual domains to the packet based on the assigned virtual port, and process the packet based on one or more of i) the assigned virtual port, ii) the assigned virtual domain, and iii) a header field of the packet, including determining zero, one, or more physical ports to which the packet is to be forwarded.


10. IP multicast forwarding in MAC bridges
    Type: Granted invention patent
    Status: In force

    Publication number: US07933268B1

    Publication date: 2011-04-26

    Application number: US11376428

    Filing date: 2006-03-14

    IPC classification: H04L12/28 H04L12/56

    Abstract: The invention provides novel methods of forwarding multicast data packets to selected egress ports in a MAC bridging environment. A multicast data packet is received via an ingress port. A source IP address and a destination multicast IP address are retrieved from the multicast packet. In a forwarding database, different groups of egress ports correspond to different combinations of a source address, a destination multicast address, and a virtual local area network identifier (VLAN-ID). The forwarding database is accessed, based on the retrieved source address, the retrieved destination multicast address, and a VLAN-ID, to thereby determine a corresponding group of egress ports. The multicast packet is then forwarded to the corresponding group of egress ports.
