Abstract:
Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.
Abstract:
A technique for scaling virtual local area networks (VLANs) in a manner that allows existing standards to be used to process VLAN traffic and provide loop-free topologies for the VLANs. A data network is divided into customer, domain and core networks. VLANs are apportioned between the core network and domain networks such that VLANs apportioned to the core networks are global to both the core and domain networks and VLANs apportioned to the domain networks are local to each domain. Packets transported in the domain network contain domain VLAN (DVLAN) tags which are conventional VIDs that identify VLANs used to transport the packets in the domain network. Packets transported in the core network contain transport VLAN (TVLAN) tags which are conventional VIDs that identify VLANs used to transport the packets in the core network. In addition, packets transported in the core network contain pseudo-LAN (P-LAN) tags that are used in combination with TVLAN tags to identify DVLAN tags associated with the packet.
Abstract:
A grand computer network is formed from layer 2 (L2) networking technology in which groups of Provider L2 bridges are organized into formations, and different formations are interconnected via network-network interface (NNI) links. Customer sites are coupled to the formations. Customers identify their traffic, e.g., frames, by labeling or tagging it with a Customer Virtual Local Area Network (VLAN) Identifier (C-VLAN ID) or Customer Service Instance (CSI). Within the formations, the C-VLAN ID is mapped to a Service VLAN ID (S-VLAN ID) or Provider Service Instance (PSI), and the S-VLAN ID is appended to the customer traffic. The PSIs are hierarchical, such that each PSI belongs to at most one other "outer" or higher-level PSI, but may itself own any number of "inner" or lower-level PSIs. As a given frame traverses the different formations of the Grand Network via the NNI links, the frame acquires an encapsulation, sheds an encapsulation or exchanges its current encapsulation for a different one. Bridges within the formations run a Hierarchical Spanning Tree Program (HSTP) to block intra-formation loops, and a GARP L2-NNI Registration Protocol (GLRP) to block inter-formation loops.
Abstract:
A system for providing a substantially balanced distribution of traffic over an aggregation of output lines carrying digital information makes use of m random or pseudo-random bits substantially greater in number than the number of bits (n) used for selection of individual lines. The m bits address a table populated with n-bit entries whose bit combinations correspond with the respective output lines, with the relative numbers of the bit combinations being such as to provide substantially equal loads on the individual lines.
Abstract:
Disclosed are, inter alia, methods, apparatus, computer-storage media, mechanisms, and means associated with reducing flooding in a bridged network, typically including a device directly connected to multiple upstream bridges. These bridges are configured such that the device receives broadcast/multicast traffic from a single interface of one of the bridges, while allowing unicast traffic over each of the communications links connecting the device to the bridges. In one configuration, the device implements virtual machine(s), each including a virtual network interface associated with a MAC address; and the directly connected bridges are configured, for each particular MAC address of these MAC addresses of the virtual interfaces, such that one and only one of the bridges will forward packets having the particular MAC address as its destination address over a communications link directly connected to the device.
Abstract:
A technique that may be used to limit the amount of flooding that occurs for a particular virtual local area network (VLAN) in a data network. Limits are established for VLANs processed by an intermediate node. Each limit indicates a number of forwarding database entries that may be associated with a particular VLAN. If the number of entries in the forwarding database reaches the limit established for a particular VLAN, an action is taken which may include limiting the amount of flooding that occurs for that VLAN.
Abstract:
In one embodiment, an apparatus configured for communication with a plurality of virtual machines includes a virtual switch in communication with one or more of the virtual machines, an interface in communication with one or more of the virtual machines and configured for communication with a hardware implemented switch, and a mode selector for assigning to each of the virtual machines, a mode of operation for forwarding data from the virtual machine and switching the assigned mode of operation at one or more of the virtual machines. The mode of operation is selected from a first mode wherein the data is forwarded by the hardware implemented switch and a second mode wherein the data is forwarded by the virtual switch.
Abstract:
In one embodiment, an apparatus includes a processor configured for operation in a control plane in a distributed virtual switch in communication with a plurality of virtual machines each having a virtual interface. The processor is operable to identify other control planes in the distributed virtual switch, assign a virtual interface identifier to one of the virtual interfaces, receive a configuration for the virtual interface, and share the configuration with the other control planes in the distributed virtual switch. The virtual interface identifier provides a unique identifier for the virtual interface across all of the control planes. The apparatus further includes memory for storing the configuration of the virtual interface. A method for operating a network device associated with a control plane in the distributed virtual switch is also disclosed.
Abstract:
A method and device for efficient transmission of flood data frames in a backbone network comprising a plurality of virtual local area networks (VLANs). A flood data frame is received at an intermediate network device communicatively coupled to a backbone network, wherein the destination of the flood data frame is unknown. A customer associated with the flood data frame is identified. A customer multicast group associated with the customer is identified, the customer multicast group identifying at least one destination intermediate network device coupled to the backbone network. The flood data frame is forwarded to at least one destination intermediate network device of the customer multicast group.