Abstract: Methods, apparatuses and systems directed to enhanced packet load shedding mechanisms implemented in various network devices. In one implementation, the present invention enables a selective load shedding mechanism that intelligently discards packets to allow or facilitate management access during DoS attacks or other high traffic events. In one implementation, the present invention is directed to a selective load shedding mechanism that, while shedding load necessary to allow a network device to operate appropriately, does not attempt to control traffic flows, which allows for other processes to process, classify, diagnose and/or monitor network traffic during high traffic volume periods. In another implementation, the present invention provides a packet load shedding mechanism that reduces the consumption of system resources during periods of high network traffic volume.

Abstract: A system and a method connect mobile devices via channels which connect a first terminal and a second terminal. A bearer establishment of the connection is identified by the first terminal and/or the second terminal. The first terminal accesses information to identify the second terminal and/or to select a first codec for data to transmit the data in the first codec between the terminals. The first terminal alternatively chooses a first codec without accessing the information. The data in the first codec is transmitted from the first terminal to the second terminal without an exchange of codec capabilities and/or codec preferences. The second terminal is capable of receiving the data sent in the first codec. Alternatively, the second terminal may be incapable of receiving the data sent in the first codec. The first terminal uses capability and/or preference information received from the second terminal to detect cases whether the second terminal is incapable of receiving the data in the first codec.

Abstract: A media control system (MCS) enforces media control policies on systems that conform to the relevant protocol specifications (such as SIP and SDP), for example, by interpreting and potentially modifying or destroying the SDP offers embedded in the SIP signaling messages that traverse it. This enables the MCS to exercise control over SIP-associated media sessions without necessarily inserting itself into the media streams themselves. The MCS can enforce media control policies that are based either directly on information that is explicitly contained in SDP message bodies or on secondary information that can be derived from information that is contained in the SDP messages.

Abstract: This document describes tools that forward data packets having tags conforming to different formats. In one embodiment, the tools receive a data packet on each of a plurality of ports, each data packet comprising a tag conforming to a different format. The tools relay the data packets to a port capable of transmitting tags conforming to a plurality of formats. In another embodiment, the tools receive a plurality of data packets on a source port comprising a plurality of logical source ports, each of which is associated with a unique tag. At least one data packet is received on each logical source port. Each data packet includes the tag associated with the logical source port on which the data packet is received. The tools map each data packet to one of a plurality of virtual switches based on the logical source port on which the data packet is received.

Abstract: Methods, apparatuses and systems that dynamically adjust the selection of differentiated network services for selected classes of traffic in response to changing network conditions or application performance levels. In one implementation, the present invention allows for a differentiated network services scheme that adapts to existing network conditions and, in one implementation, selects higher, generally more expensive classes of differentiated network service for certain data flows when the performance of selected applications degrades below a threshold level. The present invention, in one implementation, allows for bandwidth cost savings without sacrificing application performance.

Abstract: Methods, apparatuses and systems directed to the classification of encrypted network traffic. In one implementation, the present invention facilitates the classification of network traffic that has been encrypted according to a dynamically-created encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols. In one implementation, the present invention observes and analyzes attributes of the handshake between two nodes to enhance the classification of network traffic. In one embodiment, the enhanced classification mechanisms described herein operate seamlessly with other Layer 7 traffic classification mechanisms that operate on attributes of the packets themselves. Implementations of the present invention can be incorporated into a variety of network devices, such as traffic monitoring devices, packet capture devices, firewalls, and bandwidth management devices.

Abstract: Systems and methods for redundancy in a network device are disclosed. An exemplary network device comprises: a plurality of data forwarding elements (DFEs); and a redundant control plane. The redundant control plane comprises: an active control processor for configuring forwarding operation of each of the DFEs; an active layer-2 switch coupled to the active control processor and to each of the DFEs; a standby control processor; and a standby layer-2 switch coupled to the standby control processor and to each of the DFEs. The active control processor is programmed in a full-mesh so that the active control processor is in communication with each of the DFEs. The standby control processor is programmed in a full-mesh so that the standby control processor is in communication with each of the DFEs.

Abstract: Element managers and processes receive, from a selected network element, first neighbor information describing a first neighboring network element directly connected to the selected network element and second neighbor information describing a different second neighboring network element directly connected to the selected network element. Based at least in part on the first neighbor information and the second neighbor information, the element managers and processes determine that the first neighboring network element is a logical neighbor that is connected by a tunnel to the selected network element and is coupled to the selected network element via one or more intermediate packet switches.

Abstract: A system and method for dynamically controlling aggregate and individual packet flow characteristics within a compressed logical data tunnel. A logical data tunnel is formed and includes one or more packet flows. Each packet flow includes individual packets having a shared destination address. Bandwidth allocated to control an aggregated flow of packets routed through the logical data tunnel. A transfer rate is assigned to control each packet flow transiting within the logical data tunnel.

Abstract: Methods, apparatuses and systems facilitating the concurrent classification and control of tunneled and non-tunneled data flows in a packet-based computer network environment. As discussed in more detail below, embodiments of the present invention allow for the “intra-tunnel” classification of data flows and, based on the classification, the deterministic and intelligent application of aggregate bandwidth utilization controls on data flows corresponding to a given tunnel. Embodiments of the present invention allow for the allocation of bandwidth on an application-level basis between tunneled and non-tunneled traffic, as well as between applications within a given tunnel. Other embodiments of the present invention can be configured to provide a differentiated security model for non-tunneled and tunneled traffic. In addition, embodiments of the present invention can be further configured to implement a layered security model for tunneled traffic.

Abstract: Methods, apparatuses and systems directed to a network traffic synchronization mechanism facilitating the deployment of network devices in redundant network topologies. In certain embodiments, when a first network device directly receives network traffic, it copies the network traffic and transmits it to at least one partner network device. The partner network device processes the copied network traffic, just as if it had received it directly, but, in one embodiment, discards the traffic before forwarding it on to its destination. In one embodiment, the partner network devices are operative to exchange directly received network traffic. As a result, the present invention provides enhanced reliability and seamless failover. Each unit, for example, is ready at any time to take over for the other unit should a failure occur.

Abstract: If a selected packet switch connected to a neighboring packet switch makes first information identifying the neighboring packet switch available, element managers and processes retrieve the first information from the selected packet switch. The first information is derived by the selected packet switch from communication via a first protocol between the selected packet switch and the neighboring packet switch. If the first information is not available to the element manager and if the selected packet switch makes second information identifying the neighboring packet switch available to the element manager, the element managers and processes retrieve the second information from the selected packet switch. The second information is derived from communication via a second protocol between the selected packet switch and the neighboring packet switch and the first and second protocols are different protocols.

Abstract: Methods, apparatuses and systems that facilitate the classification of web services network traffic. In one implementation, the present invention processes interface definitions corresponding to a given Web service to construct a traffic classification configuration for the Web service, including one or more traffic classes and corresponding matching rules or attributes for each traffic class. In one implementation, the present invention automatically creates traffic classes and matching rules that allow for differentiation between the operations supported by a Web service. Implementations of the present invention provide a mechanism allowing for classification of Web services network traffic on a granular basis to enhance network monitoring and analysis tasks, as well as network control functions, such as bandwidth management, security and other functions.

Abstract: Methods and systems for controlling access to a host processor is disclosed. One exemplary method comprises the steps of receiving a plurality of signaling packets and controlling access to a host processor, via a first and a second path, for at least a portion of the packets in accordance with a bandwidth limit for the respective path. An exemplary system comprises: a host processor; and a traffic manager coupled to the host processor via a first path and a second path. The traffic manager is configured to communicate at least a portion of the packets to the host processor via a selected one of the paths. The traffic manager is further configured to regulate traffic along the first path such that the bandwidth limit of the first path is respected, and to regulate traffic along the second path such that the bandwidth limit of the second path is respected.

Abstract: Systems and methods for determining lost packets for real-time transport protocol (RTP) data flows is disclosed. Generally, a first endpoint is connected to a second endpoint, wherein the first endpoint comprises a transceiver, software stored within the first endpoint defining functions to be performed by the first endpoint, and a processor. The processor is configured by the software to perform the steps of determining a sequence number of a received RTP data packet within said RTP data flow, storing said determined sequence number, calculating whether said determined sequence number sequentially falls within a predetermined numerical order, and if said sequence number of said received RTP data packet does not sequentially fall within said numerical order, storing said sequence number as a missed RTP data packet.

Abstract: This document describes tools useful in relaying a data stream from a data device to a network tunnel. These tools may utilize an encapsulation scheme to convert data packets from a user format to a tunnel format required by a network tunnel. Similarly, the tools may utilize a de-encapsulation scheme to convert data packets from the tunnel format to the user format required by the user. The tools may also forward the data packets from a user network to the network tunnel and vice versa, through a conventional switch module. In some embodiments, the tools do so by modifying the data packets to add a provisional identifier recognized by the switch module to map a particular data stream into a particular network tunnel.

Abstract: Methods, apparatuses and systems directed to the coordinated classification of network traffic. In one implementation, the present invention enables a coordinated network environment for traffic classification where an upstream network device classifies a data flow and adds traffic class information to at least one packet in the data flow. Downstream network devices in the communications path to the destination host can use the traffic class information in the modified packet, bypassing at least some of the local traffic classification operations and thereby reducing CPU utilization. In one implementation, the last downstream network device strips the traffic classification information from the modified packet before it is forwarded to the destination host. Embodiments of the invention reduce or eliminate redundant network traffic classification operations performed by a plurality of network devices in a communications path.

Abstract: The present invention, in particular embodiments, provides methods, apparatuses and systems directed to providing a Wide Area File System that is robust against network connectivity issues. In particular implementations, the present invention provides a WAFS disconnected-mode read-write access that provides for a more seamless user experience against WAN or other network connectivity failures. Specific embodiments provide for management, at a network device such as an EFG node, of file objects previously opened during a connected state with a remote file server appliance, creation of new file objects during a disconnected state and re-synchronization of those file objects (data and meta-data) when a connection becomes available.

Abstract: This document describes tools that enable a switch to temporarily alter its forwarding behavior when statistical data characterizing the switch satisfies a user-specified condition. To do so, the tools may monitor chronological sets of statistical data associated with the switch over a period of time. If the tools determine at one point during the period of time that one set of statistical data satisfies the user-specified condition, the tools alter the forwarding behavior of the switch for the remainder of the period of time. At the conclusion of the period of time, the tools restore the original forwarding behavior to the switch.

Abstract: The present invention, in particular embodiments, provides methods, apparatuses and systems directed to providing a Wide Area File System that is robust against network connectivity issues. In particular implementations, the present invention provides a WAFS disconnected-mode read-write access that provides for a more seamless user experience against WAN or other network connectivity failures. Specific embodiments provide for management, at a network device such as an EFG node, of file objects previously opened during a connected state with a remote file server appliance, creation of new file objects during a disconnected state and re-synchronization of those file objects (data and meta-data) when a connection becomes available.