1. Private VLANs
    Type: Granted invention patent
    Status: In force

    Publication number: US07200145B1

    Publication date: 2007-04-03

    Application number: US10840212

    Filing date: 2004-05-05

    IPC classification: H04L12/56

    CPC classification: H04L12/4641 H04L12/467

    Abstract: The invention uses a layer 2 switch (L2 switch), or bridge, to separate user's message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined, “promiscuous” ports, “isolated” ports, and “community” ports. Three types of VLANs internal to the switch are defined, “primary” VLANs, “isolated” VLANs and “community” VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual user's servers, etc., and maintain traffic for each user separate from other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports. The isolated VLAN is a one way connection from an isolated port to the promiscuous ports. A community VLAN is defined as connecting to a group of community ports, and also connecting to all of the promiscuous ports. The group of community ports is referred to as a “community” of community ports. A community VLAN is a one way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch, through the other community ports connected to that community VLAN.

    2. Private VLANs
    Type: Granted invention patent
    Status: In force

    Publication number: US06741592B1

    Publication date: 2004-05-25

    Application number: US09575774

    Filing date: 2000-05-22

    IPC classification: G06F15173

    CPC classification: H04L12/4641

    Abstract: The invention uses a layer 2 switch (L2 switch), or bridge, to separate user's message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined, “promiscuous” ports, “isolated” ports, and “community” ports. Three types of VLANs internal to the switch are defined, “primary” VLANs, “isolated” VLANs and “community” VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual user's servers, etc., and maintain traffic for each user separate from other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports. The isolated VLAN is a one way connection from an isolated port to the promiscuous ports. A community VLAN is defined as connecting to a group of community ports, and also connecting to all of the promiscuous ports. The group of community ports is referred to as a “community” of community ports. A community VLAN is a one way connection from a community of ports to the promiscuous ports, but allows a packet received by one community port to be transmitted out of the switch, through the other community ports connected to that community VLAN.

    3. Method and apparatus for implementing a quality of service policy in a data communications network
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US06870812B1

    Publication date: 2005-03-22

    Application number: US10392157

    Filing date: 2003-03-18

    Abstract: A method and apparatus for implementing Quality of Service (QoS) policy in a data communications network. A content addressable memory (CAM) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry a packet counter, a byte counter, a token bucket, and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. An access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics. In this way, flows are aggregated for assignment of output queues and thresholds, possible dropping, and possible modification of packets.

    4. Method and apparatus for implementing a quality of service policy in a data communications network
    Type: Granted invention patent
    Status: In force

    Publication number: US06643260B1

    Publication date: 2003-11-04

    Application number: US09213105

    Filing date: 1998-12-18

    IPC classification: G01R3108

    Abstract: A content addressable memory (CAM or L3 Table) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry (corresponding to each active flow) a packet counter, a byte counter, a token bucket and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node. In another aspect an access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics. In this way flows are aggregated for assignment of output queues and thresholds, possible dropping and possible modification of packets. In another aspect the CAM contains active flow information, the ACLCAM and the aggregate flow table are combined in one system and used to produce in parallel a pair of traffic rate limiting and prioritizing decisions for each packet. The two results are then resolved to yield a single result.

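    Translated abstract: A method and apparatus for implementing a quality of service policy in a data communications network. The system includes an active flow content addressable memory (CAM), an access control list CAM (ACLCAM), and an aggregate flow table. The CAM contains an entry of flow information for each active flow passing through a given node of the data communications network. The CAM has associated with each entry a packet counter, a byte counter, a token bucket, and a contract value. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of the aggregate flow table, which is affected by the packet statistics. The active flow CAM, the ACLCAM, and the aggregate flow table are used to produce in parallel a pair of traffic rate limiting and prioritizing decisions for each packet. The two results are then resolved to yield a single result.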

    5. Method and apparatus for implementing a quality of service policy in a data communications network
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US06868065B1

    Publication date: 2005-03-15

    Application number: US10391683

    Filing date: 2003-03-18

    Abstract: A method and apparatus for implementing Quality of Service (QoS) policy in a data communications network. An active flow content addressable memory (CAM) contains entries of flow information for each active flow of packets passing through a given node of the data communications network. The CAM has associated with each entry a packet counter, a byte counter, a token bucket, and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node.

    6. Method and apparatus for implementing a quality of service policy in a data communications network
    Type: Granted invention patent
    Status: In force

    Publication number: US06798746B1

    Publication date: 2004-09-28

    Application number: US10156971

    Filing date: 2002-05-28

    IPC classification: G01R3108

    Abstract: A content addressable memory (CAM or L3 Table) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry (corresponding to each active flow) a packet counter, a byte counter, a token bucket and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node. In another aspect an access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics. In this way flows are aggregated for assignment of output queues and thresholds, possible dropping and possible modification of packets. In another aspect the CAM contains active flow information, the ACLCAM and the aggregate flow table are combined in one system and used to produce in parallel a pair of traffic rate limiting and prioritizing decisions for each packet. The two results are then resolved to yield a single result.

    7. METHOD AND SYSTEM FOR INCLUDING SECURITY INFORMATION WITH A PACKET
    Type: Invention patent application
    Status: In force

    Publication number: US20110119752A1

    Publication date: 2011-05-19

    Application number: US13012432

    Filing date: 2011-01-24

    IPC classification: G06F21/20

    CPC classification: H04L63/20

    Abstract: A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.

    8. Method and system for including security information with a packet
    Type: Granted invention patent
    Status: In force

    Publication number: US07877601B2

    Publication date: 2011-01-25

    Application number: US10999343

    Filing date: 2004-11-30

    CPC classification: H04L63/20

    Abstract: A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.

    9. Method and apparatus for securely disseminating security server contact information in a network
    Type: Invention patent application
    Status: In force

    Publication number: US20060200670A1

    Publication date: 2006-09-07

    Application number: US11069857

    Filing date: 2005-03-01

    IPC classification: H04L9/00

    Abstract: Various systems and methods are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.

    10. Method for maintaining a correct time in a distributed processing system
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US4894846A

    Publication date: 1990-01-16

    Application number: US213746

    Filing date: 1988-06-30

    Applicant: Michael Fine

    Inventor: Michael Fine

    IPC classification: G06F1/14 H04J3/06

    CPC classification: H04J3/0667

    Abstract: A method for maintaining a correct time in a distributed processing system involves clerk nodes maintaining their local clocks by requesting time intervals from server nodes, and server nodes maintaining their local clocks either by requesting time intervals from other server nodes or by receiving time information from an outside source. Server nodes also provide time intervals to requesting clerk nodes and requesting server nodes with such a method. System time is always increasing and monotonic and faulty servers are detected periodically.