Abstract: Methods, apparatuses and systems directed to the classification of encrypted network traffic. In one implementation, the present invention facilitates the classification of network traffic that has been encrypted according to a dynamically-created encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols. In one implementation, the present invention observes and analyzes attributes of the handshake between two nodes to enhance the classification of network traffic. In one embodiment, the enhanced classification mechanisms described herein operate seamlessly with other Layer 7 traffic classification mechanisms that operate on attributes of the packets themselves. Implementations of the present invention can be incorporated into a variety of network devices, such as traffic monitoring devices, packet capture devices, firewalls, and bandwidth management devices.

Abstract: Systems and methods for redundancy in a network device are disclosed. An exemplary network device comprises: a plurality of data forwarding elements (DFEs); and a redundant control plane. The redundant control plane comprises: an active control processor for configuring forwarding operation of each of the DFEs; an active layer-2 switch coupled to the active control processor and to each of the DFEs; a standby control processor; and a standby layer-2 switch coupled to the standby control processor and to each of the DFEs. The active control processor is programmed in a full-mesh so that the active control processor is in communication with each of the DFEs. The standby control processor is programmed in a full-mesh so that the standby control processor is in communication with each of the DFEs.

Abstract: Element managers and processes receive, from a selected network element, first neighbor information describing a first neighboring network element directly connected to the selected network element and second neighbor information describing a different second neighboring network element directly connected to the selected network element. Based at least in part on the first neighbor information and the second neighbor information, the element managers and processes determine that the first neighboring network element is a logical neighbor that is connected by a tunnel to the selected network element and is coupled to the selected network element via one or more intermediate packet switches.

Abstract: A system and method for dynamically controlling aggregate and individual packet flow characteristics within a compressed logical data tunnel. A logical data tunnel is formed and includes one or more packet flows. Each packet flow includes individual packets having a shared destination address. Bandwidth allocated to control an aggregated flow of packets routed through the logical data tunnel. A transfer rate is assigned to control each packet flow transiting within the logical data tunnel.

Abstract: Methods, apparatuses and systems facilitating the concurrent classification and control of tunneled and non-tunneled data flows in a packet-based computer network environment. As discussed in more detail below, embodiments of the present invention allow for the “intra-tunnel” classification of data flows and, based on the classification, the deterministic and intelligent application of aggregate bandwidth utilization controls on data flows corresponding to a given tunnel. Embodiments of the present invention allow for the allocation of bandwidth on an application-level basis between tunneled and non-tunneled traffic, as well as between applications within a given tunnel. Other embodiments of the present invention can be configured to provide a differentiated security model for non-tunneled and tunneled traffic. In addition, embodiments of the present invention can be further configured to implement a layered security model for tunneled traffic.

Abstract: Methods, apparatuses and systems directed to a network traffic synchronization mechanism facilitating the deployment of network devices in redundant network topologies. In certain embodiments, when a first network device directly receives network traffic, it copies the network traffic and transmits it to at least one partner network device. The partner network device processes the copied network traffic, just as if it had received it directly, but, in one embodiment, discards the traffic before forwarding it on to its destination. In one embodiment, the partner network devices are operative to exchange directly received network traffic. As a result, the present invention provides enhanced reliability and seamless failover. Each unit, for example, is ready at any time to take over for the other unit should a failure occur.

Abstract: If a selected packet switch connected to a neighboring packet switch makes first information identifying the neighboring packet switch available, element managers and processes retrieve the first information from the selected packet switch. The first information is derived by the selected packet switch from communication via a first protocol between the selected packet switch and the neighboring packet switch. If the first information is not available to the element manager and if the selected packet switch makes second information identifying the neighboring packet switch available to the element manager, the element managers and processes retrieve the second information from the selected packet switch. The second information is derived from communication via a second protocol between the selected packet switch and the neighboring packet switch and the first and second protocols are different protocols.

Abstract: Methods, apparatuses and systems that facilitate the classification of web services network traffic. In one implementation, the present invention processes interface definitions corresponding to a given Web service to construct a traffic classification configuration for the Web service, including one or more traffic classes and corresponding matching rules or attributes for each traffic class. In one implementation, the present invention automatically creates traffic classes and matching rules that allow for differentiation between the operations supported by a Web service. Implementations of the present invention provide a mechanism allowing for classification of Web services network traffic on a granular basis to enhance network monitoring and analysis tasks, as well as network control functions, such as bandwidth management, security and other functions.

Abstract: Methods and systems for controlling access to a host processor is disclosed. One exemplary method comprises the steps of receiving a plurality of signaling packets and controlling access to a host processor, via a first and a second path, for at least a portion of the packets in accordance with a bandwidth limit for the respective path. An exemplary system comprises: a host processor; and a traffic manager coupled to the host processor via a first path and a second path. The traffic manager is configured to communicate at least a portion of the packets to the host processor via a selected one of the paths. The traffic manager is further configured to regulate traffic along the first path such that the bandwidth limit of the first path is respected, and to regulate traffic along the second path such that the bandwidth limit of the second path is respected.

Abstract: Systems and methods for determining lost packets for real-time transport protocol (RTP) data flows is disclosed. Generally, a first endpoint is connected to a second endpoint, wherein the first endpoint comprises a transceiver, software stored within the first endpoint defining functions to be performed by the first endpoint, and a processor. The processor is configured by the software to perform the steps of determining a sequence number of a received RTP data packet within said RTP data flow, storing said determined sequence number, calculating whether said determined sequence number sequentially falls within a predetermined numerical order, and if said sequence number of said received RTP data packet does not sequentially fall within said numerical order, storing said sequence number as a missed RTP data packet.

Abstract: This document describes tools useful in relaying a data stream from a data device to a network tunnel. These tools may utilize an encapsulation scheme to convert data packets from a user format to a tunnel format required by a network tunnel. Similarly, the tools may utilize a de-encapsulation scheme to convert data packets from the tunnel format to the user format required by the user. The tools may also forward the data packets from a user network to the network tunnel and vice versa, through a conventional switch module. In some embodiments, the tools do so by modifying the data packets to add a provisional identifier recognized by the switch module to map a particular data stream into a particular network tunnel.

Abstract: Methods, apparatuses and systems directed to the coordinated classification of network traffic. In one implementation, the present invention enables a coordinated network environment for traffic classification where an upstream network device classifies a data flow and adds traffic class information to at least one packet in the data flow. Downstream network devices in the communications path to the destination host can use the traffic class information in the modified packet, bypassing at least some of the local traffic classification operations and thereby reducing CPU utilization. In one implementation, the last downstream network device strips the traffic classification information from the modified packet before it is forwarded to the destination host. Embodiments of the invention reduce or eliminate redundant network traffic classification operations performed by a plurality of network devices in a communications path.

Abstract: The present invention, in particular embodiments, provides methods, apparatuses and systems directed to providing a Wide Area File System that is robust against network connectivity issues. In particular implementations, the present invention provides a WAFS disconnected-mode read-write access that provides for a more seamless user experience against WAN or other network connectivity failures. Specific embodiments provide for management, at a network device such as an EFG node, of file objects previously opened during a connected state with a remote file server appliance, creation of new file objects during a disconnected state and re-synchronization of those file objects (data and meta-data) when a connection becomes available.

Abstract: This document describes tools that enable a switch to temporarily alter its forwarding behavior when statistical data characterizing the switch satisfies a user-specified condition. To do so, the tools may monitor chronological sets of statistical data associated with the switch over a period of time. If the tools determine at one point during the period of time that one set of statistical data satisfies the user-specified condition, the tools alter the forwarding behavior of the switch for the remainder of the period of time. At the conclusion of the period of time, the tools restore the original forwarding behavior to the switch.

Abstract: The present invention, in particular embodiments, provides methods, apparatuses and systems directed to providing a Wide Area File System that is robust against network connectivity issues. In particular implementations, the present invention provides a WAFS disconnected-mode read-write access that provides for a more seamless user experience against WAN or other network connectivity failures. Specific embodiments provide for management, at a network device such as an EFG node, of file objects previously opened during a connected state with a remote file server appliance, creation of new file objects during a disconnected state and re-synchronization of those file objects (data and meta-data) when a connection becomes available.

Abstract: Packet flow rate control techniques are enhanced by the interactive and early invocation of packet queuing to control short flows of packets and to eliminate undershoot and overshoot of a targeted flow rate. Packet queuing involves the scheduled release of packets in accordance with flow policies (priorities) to achieve a pre-selected outgoing target flow rate. The combination of controlled packet queuing and packet flow rate control with appropriate mechanisms for favoring one over the other improves the efficiency of data transmission.

Abstract: An element manager acquires information identifying a network element. Based on the acquired information, the element manager associates a template configuration with the network element. The template configuration includes configuration parameter values. Subsequent to the associating, the element manager provides configuration information describing a configuration of the network element without retrieving the configuration information from the network element. The configuration information is based on the template configuration. An element manager and programming first determine that a configuration of a network element should match a template configuration. The configuration includes configuration parameter values utilized by the network element. The element manager and programming acquire at least one of the configuration parameter values and determine that the at least one acquired configuration parameter value does not match a corresponding configuration parameter value of the template configuration.

Abstract: A system and method for dynamically controlling a rogue application through incremental bandwidth restrictions is disclosed. A network connection supporting a flow of network traffic in a distributed computing environment is monitored. The network traffic flow includes a stream of data packets generated by a rogue application. Bandwidth allocated to the monitored network connection is incrementally adjusted until the flow of the network traffic for the rogue application achieves a steady state of bandwidth restriction. The flow of subsequent network traffic over the monitored network connection is controlled at the steady state of bandwidth restriction.

Abstract: Packet tunnel network configuration methods, management system operation methods, and management systems receive a request to enable layer-two Ethernet communication between service virtual local area networks via edge bridges fully connected by packet tunnels. The packet tunnel network configuration methods, management system operation methods, and management systems direct the edge bridges to establish the packet tunnels and modify Ethernet packets received from the service virtual local area networks by adding an instance service identifier and a tunnel identifier to the received Ethernet packets.

Abstract: Methods, apparatuses and systems facilitating enhanced classification of network traffic that extends beyond analysis of explicitly presented packet attributes and holistically analyzes data flows, and in some implementations, related data flows against known application behavior patterns to classify the data flows. Implementations of the present invention facilitate the classification of encrypted or compressed network traffic, or where the higher layer information in the data flows are formatted according to a non-public or proprietary protocol.