公开(公告)号：US09584360B2

公开(公告)日：2017-02-28

申请号：US10674627

申请日：2003-09-29

申请人： Prajakta S. Joshi

发明人： Prajakta S. Joshi

IPC分类号： G06F9/46 ,  H04L29/12 ,  H04L29/08

CPC分类号： H04L29/12066 ,  H04L29/12367 ,  H04L61/1511 ,  H04L61/2514 ,  H04L67/1002

摘要： A site switch determines the mapping between public and private IP addresses of VIPs configured on the site switch. The site switch then transmits the public IP address, rather than the private IP address, to a load balancing switch that performs the load balancing for network resources accessible via the site switch. This public IP address has also been configured on an authoritative DNS server for which the load balancing switch serves as a proxy. The load balancing switch updates its address records, containing the VIPs configured on the site switch, with the public address of the VIP. When the load balancing switch reorders a DNS reply from the authoritative DNS server for a domain containing the public address, the load balancing switch correctly identifies the IP address as a VIP on the site switch and applies appropriate load balancing metrics to the received IP address.

摘要翻译： 站点交换机确定在站点交换机上配置的VIP的公有IP地址和私有IP地址之间的映射。 然后，站点交换机将公共IP地址（而不是专用IP地址）发送到负载平衡交换机，该负载平衡交换机可通过站点交换机访问网络资源的负载平衡。 此公用IP地址也已在负载平衡交换机用作代理的权威DNS服务器上配置。 负载平衡交换机更新其地址记录，其中包含在站点交换机上配置的VIP与VIP的公共地址。 当负载平衡交换机从包含公用地址的域的权威DNS服务器重新排序DNS回复时，负载平衡交换机将该IP地址正确地标识为站点交换机上的VIP，并对接收到的IP地址应用适当的负载均衡度量。

公开(公告)号：US09479415B2

公开(公告)日：2016-10-25

申请号：US15043421

申请日：2016-02-12

申请人： Foundry Networks, LLC

发明人： Hari Natarajan ,  Eskinder Sahle ,  Charles Helfinstine ,  Chris Oskuie

IPC分类号： H04L12/28 ,  H04L12/26 ,  H04L12/933 ,  H04L12/931 ,  H04L12/721 ,  H04L12/761 ,  H04L12/46

CPC分类号： H04L43/12 ,  H04L12/4641 ,  H04L12/4645 ,  H04L12/465 ,  H04L43/026 ,  H04L43/10 ,  H04L45/16 ,  H04L45/32 ,  H04L49/10 ,  H04L49/354

摘要： Provided are methods, non-transitory computer-readable medium, and network devices for duplicating network traffic through transparent VLAN flooding. In some implementations, a network device comprises a plurality of ports. The plurality of ports may include a first port configured as a receiving port for a VLAN configured for the network device. The plurality of ports may further include a set of ports configured as I/O ports of the VLAN. MAC learning may be disabled for the receiving port. In some implementations, the network device is configured to determine, based on contents of a packet received at the receiving port, that the packet is to be sent to one or more monitoring devices. The network device may further be configure to, upon receiving the packet at the receiving port of the VLAN, cause a copy of the packet to be sent to each of one or more I/O ports of the VLAN.

摘要翻译： 提供了通过透明VLAN泛洪来复制网络流量的方法，非暂时性计算机可读介质和网络设备。 在一些实现中，网络设备包括多个端口。 多个端口可以包括被配置为为网络设备配置的VLAN的接收端口的第一端口。 多个端口还可以包括配置为VLAN的I / O端口的一组端口。 接收端口可能禁用MAC学习。 在一些实现中，网络设备被配置为基于在接收端口处接收的分组的内容来确定分组将被发送到一个或多个监视设备。 网络设备还可以被配置为在VLAN的接收端口接收到分组时，使分组的副本被发送到VLAN的一个或多个I / O端口中的每一个。

公开(公告)号：US09338100B2

公开(公告)日：2016-05-10

申请号：US13925564

申请日：2013-06-24

申请人： Foundry Networks, LLC

发明人： Yuen Fai Wong ,  Yu-Mei Lin ,  Richard A. Grenier

IPC分类号： H04L12/851 ,  H04L12/935 ,  H04L12/931 ,  H04L12/865

CPC分类号： H04L47/2433 ,  H04L47/6275 ,  H04L49/30 ,  H04L49/352

摘要： A method and apparatus aggregate a plurality of input data streams from first processors into one data stream for a second processor, the circuit and the first and second processors being provided on an electronic circuit substrate. The aggregation circuit includes (a) a plurality of ingress data ports, each ingress data port adapted to receive an input data stream from a corresponding first processor, each input data stream formed of ingress data packets, each ingress data packet including priority factors coded therein, (b) an aggregation module coupled to the ingress data ports, adapted to analyze and combine the plurality of input data steams into one aggregated data stream in response to the priority factors, (c) a memory coupled to the aggregation module, adapted to store analyzed data packets, and (d) an output data port coupled to the aggregation module, adapted to output the aggregated data stream to the second processor.

公开(公告)号：US09332066B2

公开(公告)日：2016-05-03

申请号：US14033398

申请日：2013-09-20

申请人： Foundry Networks, LLC

发明人： Ronald W. Szeto ,  David Chun-Ying Cheung ,  Rajkumar Jalan

IPC分类号： G06F15/173 ,  H04L29/08 ,  H04L29/06

CPC分类号： H04L67/1002 ,  H04L63/0218 ,  H04L63/1458 ,  H04L67/1031 ,  H04L67/1036 ,  H04L67/2842

摘要： Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation. For server load balancing, a reset may be sent to the source address of the new connection request. For transparent cache switching, the connection request may be forwarded to the Internet.

公开(公告)号：US09112715B2

公开(公告)日：2015-08-18

申请号：US12765765

申请日：2010-04-22

申请人： Nitin Jain ,  Lee Chen ,  Earl Ferguson ,  Min Zhu

发明人： Nitin Jain ,  Lee Chen ,  Earl Ferguson ,  Min Zhu

IPC分类号： H04L12/18

CPC分类号： H04L12/1886

摘要： A routing system utilizes a layer 2 switch interconnecting several routers to intelligently forward multicast packets throughout an interne exchange carrying multicast content. The layer 2 switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes. However, the routing system can also support other multicast protocols and/or standards.

摘要翻译： 路由系统利用互连多个路由器的层2交换机在携带多播内容的内部交换机中智能地转发多播分组。 第二层交换机执行协议侦听，提取基于网络层协议信息的查找密钥。 查找密钥是独一无二的，用于支持共享或明确的源分发树。 查询键用于查询返回出站端口索引的转发内存。 出站端口索引指向一个或多个有资格接收组播数据包的输出端口。 输出端口也连接到被指定为接收多播分组的相邻设备。 路由系统还支持基于控制消息的周期性交换的转发存储器的实时维护和更新。 路由系统配置为支持以PIM SM或PIM SSM模式运行的PIM路由器。 然而，路由系统还可以支持其他多播协议和/或标准。

公开(公告)号：US09049047B2

公开(公告)日：2015-06-02

申请号：US13278599

申请日：2011-10-21

申请人： Rajkumar Jalan ,  Louis Yun ,  Ivy Pei-Shan Hsu

发明人： Rajkumar Jalan ,  Louis Yun ,  Ivy Pei-Shan Hsu

IPC分类号： G06F15/16 ,  H04L12/46 ,  H04L12/18 ,  H04L12/931 ,  H04L29/06 ,  H04L12/28

CPC分类号： H04L12/4633 ,  H04L12/185 ,  H04L12/1886 ,  H04L12/4641 ,  H04L49/354 ,  H04L63/0272

摘要： Multicast capability in a virtual private LAN service (VPLS) is provided in a provider IP/MPLS infrastructure without headend replications by encapsulating a customer data packet to use an established multicast protocol, such as IP multicast. In one example, the customer data packet is encapsulated by an IP header having an IP multicast group address and an Ethernet header. In one implementation, a DNS type mechanism is provided to distribute the IP multicast addresses for VPLS use. Such IP multicast group address can be set aside from an administratively scoped address range. An efficient IP routing algorithm running on the provider's network provides an efficient distribution tree for routing IP-encapsulated customer packet for the VPLS.

摘要翻译： 虚拟专用LAN服务（VPLS）中的组播能力通过封装客户数据包来使用已建立的多播协议（如IP多播），在提供商IP / MPLS架构中提供无前端复制功能。 在一个示例中，客户数据分组由具有IP多播组地址和以太网报头的IP报头来封装。 在一个实现中，提供DNS类型机制来分发用于VPLS使用的IP多播地址。 这样的IP组播组地址可以从管理范围的地址范围来设置。 在提供商网络上运行的高效IP路由算法为VPLS路由IP封装的客户数据包提供了一个有效的分配树。

公开(公告)号：US08819252B1

公开(公告)日：2014-08-26

申请号：US10139095

申请日：2002-05-03

申请人： Ronald W. Szeto ,  David Chun Ying Cheung ,  Rajkumar Jalan ,  Sridhar J. Devarapalli

发明人： Ronald W. Szeto ,  David Chun Ying Cheung ,  Rajkumar Jalan ,  Sridhar J. Devarapalli

IPC分类号： G06F15/16

CPC分类号： H04L63/1458 ,  H04L63/108 ,  H04L67/1008

摘要： Transaction rate limiting is provided to monitor new connections. If the number of new connections requested by a particular client exceeds a predetermined threshold value, then the client may be frozen out for a configured period of time. By denying access for the configured period of time, the client is prevented from monopolizing a particular client. Additionally, if the client does have malicious intent, a denial of service attack may be thwarted. The denial of service may be accomplished without alerting the client. This prevents a malicious client from regrouping and attempting an assault via a different mechanism.

摘要翻译： 提供事务速率限制来监视新的连接。 如果特定客户端请求的新连接的数量超过预定阈值，则客户端可以在已配置的时间段内被冻结。 通过在配置的时间段内拒绝访问，客户端被阻止垄断特定客户端。 另外，如果客户端确实有恶意的意图，则拒绝服务攻击可能会被阻止。 拒绝服务可以在不告知客户的情况下完成。 这样可以防止恶意客户端通过不同的机制重新组合和尝试攻击。

公开(公告)号：US08718051B2

公开(公告)日：2014-05-06

申请号：US12608985

申请日：2009-10-29

申请人： Yuen Fai Wong

发明人： Yuen Fai Wong

IPC分类号： H04L12/50

CPC分类号： H04L49/352 ,  H04L5/14 ,  H04L12/4645 ,  H04L45/745 ,  H04L45/7453 ,  H04L49/30 ,  H04L49/3063 ,  H04Q11/0428

摘要： The present invention provides systems and methods for providing data transmission speeds at or in excess of 10 gigabits per second between one or more source devices and one or more destination devices. According to one embodiment, the system of the present invention comprises a first and second media access control (MAC) interfaces to facilitate receipt and transmission of packets over an associated set of physical interfaces. The system also contemplates a first and second field programmable gate arrays (FPGA) coupled to the MAC interfaces and an associated first and second memory structures, the first and second FPGAs are configured to perform initial processing of packets received from the first and second MAC interfaces and to schedule the transmission of packets to the first and second MAC interface for transmission to one or more destination devices. The first and second FPGAs are further operative to dispatch and retrieve packets to and from the first and second memory structures. A third FPGA, coupled to the first and second memory structures and a backplane, is operative to retrieve and dispatch packets to and from the first and second memory structures, compute appropriate destinations for packets and organize packets for transmission. The third FPGA is further operative to receive and dispatch packets to and from the backplane.

公开(公告)号：US08650295B2

公开(公告)日：2014-02-11

申请号：US13676804

申请日：2012-11-14

申请人： Brocade Communications Systems, Inc.

发明人： Animesh Chaturvedi ,  Marc Lavine ,  Manan Shah ,  Ron Lau

IPC分类号： G06F15/173 ,  G06F11/00 ,  H04L29/06

CPC分类号： H04L63/20 ,  H04L63/1416 ,  H04L63/1433

摘要： Technology for network security is disclosed. In one embodiment, a method of managing network security includes receiving sampled packets. The sampled packets represent packets being sampled from network packet traffic in at least one location in a network. The sampled packets are converted into an appropriate format for analysis to form converted packets. Moreover, the converted packets are sent to a first group including at least one security device for analysis. If an event message is generated by the at least one security device as a result of analysis of the converted packets, the event message is received from the at least one security device. Network security is evaluated based on the event message and security policies and is adjusted based on that evaluation. The method may be implemented with a network manager.

摘要翻译： 披露了网络安全技术。 在一个实施例中，一种管理网络安全性的方法包括接收采样分组。 采样的分组表示在网络中的至少一个位置中从网络分组流量采样的分组。 采样数据包被转换成适当的格式进行分析以形成转换的数据包。 此外，转换的分组被发送到包括至少一个用于分析的安全设备的第一组。 如果通过分析转换的分组的结果由至少一个安全设备生成事件消息，则从至少一个安全设备接收事件消息。 基于事件消息和安全策略评估网络安全性，并根据该评估进行调整。 该方法可以用网络管理器来实现。

公开(公告)号：US08533823B2

公开(公告)日：2013-09-10

申请号：US12392422

申请日：2009-02-25

申请人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

发明人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

IPC分类号： G06F12/00

CPC分类号： H04L63/0263 ,  H04L63/101 ,  H04L63/1441 ,  H04L2463/146

摘要： A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.