Abstract: A policy engine for handling incoming data packets. The policy engine includes a stream classification module, a data packet input/output module, and a policy enforcement module. The policy enforcement module further includes a packet scheduler, on-chip packet buffer circuitry, and a plurality of action processors. The stream classification module creates a packet service header for each data packet, wherein the packet service header indicates policies to be enforced for that data packet. The action processors enforce the policies.
Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. The facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendant leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate nodes that are descendants of an identified subnet node.
Abstract: The present invention is directed to a facility for classifying network packets. The classified network packets each contain a source address, a source port number, a destination address, and a destination port number. The facility first sums the source address, the source port number, the destination address, and the destination port number contained by the packet. The facility then determines the modulo remainder of the sum over a constant predetermined value. The facility uses the determined modulo remainder to classify the packet into a class of packets predicted to relate to the same network session.
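The sum-and-modulo classification described in the abstract above, as an added example (not code from the patent): the modulus 251, the function names and the sample packets are assumptions. It shows that both directions of a session land in the same class because addition is commutative, and that a class is only a prediction, so an exact tuple comparison is still needed inside each class.

```python
import ipaddress
from collections import defaultdict

# Assumed value: the abstract only says "a constant predetermined value".
NUM_CLASSES = 251


def _ip(addr):
    """IPv4 dotted quad -> integer."""
    return int(ipaddress.IPv4Address(addr))


def classify(src, sport, dst, dport, modulus=NUM_CLASSES):
    """Sum the four header fields and take the remainder over the constant."""
    return (_ip(src) + sport + _ip(dst) + dport) % modulus


def session_key(src, sport, dst, dport):
    """Direction-independent exact key (hypothetical helper) used to
    confirm that two packets in one class really share a session."""
    a, b = (_ip(src), sport), (_ip(dst), dport)
    return (min(a, b), max(a, b))


def group_sessions(packets):
    """Bucket packets by predicted class, then split each bucket by exact key."""
    table = defaultdict(lambda: defaultdict(list))
    for pkt in packets:
        table[classify(*pkt)][session_key(*pkt)].append(pkt)
    return table


# Constructed sample packets: (src, sport, dst, dport)
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 443),   # client -> server
    ("192.0.2.10", 443, "10.0.0.5", 40000),   # reply, same session
    ("10.0.0.5", 443, "192.0.2.10", 40000),   # different session, same sum
    ("10.0.0.6", 40001, "192.0.2.10", 80),    # unrelated flow
]

if __name__ == "__main__":
    for cls, sessions in sorted(group_sessions(PACKETS).items()):
        print(f"class {cls}: {len(sessions)} session(s)")
        for pkts in sessions.values():
            print("   ", pkts)
```

The third packet shares a class with the first two but has a different exact key, which is why a flow table keyed only on the class would merge unrelated sessions.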
Abstract: A method of scheduling packet output according to a quality of service action specification. The method maintains a calendar queue of bandwidth timeslots, organizes the timeslots into groups, invokes look-up logic circuitry to inspect a group of timeslots substantially simultaneously, determines a first unoccupied timeslot in which to schedule a current packet, and also determines a first occupied timeslot that contains a next packet to transmit.
Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.