Patents by Inventor Doron Oz

Doron Oz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10389615
    Abstract: In one embodiment, enhanced packet flow monitoring is performed by packet switching devices in a network. A packet switching device is configured to monitor a flow of packets passing through the packet switching device, including detecting a gap in consecutive packets of the flow of packets, and attributing the gap as not being dropped one or more packets based on a particular time duration between a last received packet of the flow of packets before said detected gap and a first received packet of the flow of packets after said detected gap. In one embodiment, the gap is attributed to not being dropped packets when the particular time duration is greater than a threshold value; and conversely, attributed to being dropped packets when the particular time duration is less than a same or different threshold value.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: August 20, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Tony Changhong Shen, Yu Zhang, Alan Xiao-Rong Wang, Aviv Prital, Doron Oz, Kathy Xia Ke
  • Publication number: 20160380869
    Abstract: In one embodiment, enhanced packet flow monitoring is performed by packet switching devices in a network. A packet switching device is configured to monitor a flow of packets passing through the packet switching device, including detecting a gap in consecutive packets of the flow of packets, and attributing the gap as not being dropped one or more packets based on a particular time duration between a last received packet of the flow of packets before said detected gap and a first received packet of the flow of packets after said detected gap. In one embodiment, the gap is attributed to not being dropped packets when the particular time duration is greater than a threshold value; and conversely, attributed to being dropped packets when the particular time duration is less than a same or different threshold value.
    Type: Application
    Filed: June 29, 2015
    Publication date: December 29, 2016
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Tony Changhong Shen, Yu Zhang, Alan Xiao-Rong Wang, Aviv Prital, Doron Oz, Kathy Xia Ke
  • Patent number: 9225771
    Abstract: In one embodiment, excess committed network appliance resources are shared for providing services within a network appliance. One approach maintains service resources in a committed service resource pool and one or more other pools of service resources. Service resources are taken from a corresponding pool as needed. Service resources are reallocated to the committed resource pool as needed to ensure that service resources are available to service corresponding packet streams at their corresponding committed rate. Examples of such services provided by a network appliance include, but are not limited to, network address translation (NAT), firewall, Internet Protocol Security (IPsec), virtual private network (VPN), or deep packet inspection (DPI) services.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: December 29, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Oz, Rohit Uberoi, Dushyant Joshi, Senthil M. Sivakumar
  • Publication number: 20150242820
    Abstract: A method for automated communication includes receiving in a server scheduling information with regard to a child, including a daily drop-off time of the child. The server automatically sends a first query to the primary caregiver on the certain day at a time within a predefined interval following the drop-off time, as to whether the primary caregiver dropped off the child. Upon failing to receive a positive reply to the first query, the server automatically sends at least one second query to at least one secondary caregiver as to whether the at least one secondary caregiver dropped off the child. An alert may be issued upon failing to receive at the server a positive reply to any of the first and second queries.
    Type: Application
    Filed: February 25, 2014
    Publication date: August 27, 2015
    Inventor: Doron Oz
  • Patent number: 8774185
    Abstract: A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g. firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
    Type: Grant
    Filed: July 27, 2010
    Date of Patent: July 8, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: John C. Carney, Timothy P. Donahue, Michael E. Lipman, David Delano Ward, Doron Oz
  • Publication number: 20130301652
    Abstract: In one embodiment, excess committed network appliance resources are shared for providing services within a network appliance. One approach maintains service resources in a committed service resource pool and one or more other pools of service resources. Service resources are taken from a corresponding pool as needed. Service resources are reallocated to the committed resource pool as needed to ensure that service resources are available to service corresponding packet streams at their corresponding committed rate. Examples of such services provided by a network appliance include, but are not limited to, network address translation (NAT), firewall, Internet Protocol Security (IPsec), virtual private network (VPN), or deep packet inspection (DPI) services.
    Type: Application
    Filed: June 21, 2012
    Publication date: November 14, 2013
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Doron Oz, Rohit Uberoi, Dushyant Joshi, Senthil M. Sivakumar
  • Patent number: 8520672
    Abstract: Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000) to generate a result, which is used by the service node to process packets of a flow of packets to which the packet belonged. An example of a service applied to a packet is a classification service, such as, but not limited to, using deep packet inspection on the packet to identify a classification result. The service node can, for example, use this classification result to process other packets in a same packet flow, such that all packets of a flow do not need to be, nor typically are, sent to an application node for processing.
    Type: Grant
    Filed: July 29, 2010
    Date of Patent: August 27, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Jim Guichard, David Delano Ward, Cedell Adam Alexander, Jr., Brian Lance Hiltscher, Doron Oz
  • Patent number: 8169903
    Abstract: Methods and devices for managing traffic are described. Traffic from a source in a virtual private network (VPN) is received. The traffic is directed to a virtual interface that is designated to receive traffic from the VPN. The virtual interface is configured to associate the traffic with an identifier that uniquely identifies the VPN to a session border controller (SBC). The SBC can use the identifier to determine whether the source and the destination of the traffic are in the same VPN.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: May 1, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Oz, Michel Khouderchah, Chandrasekar Krishnamurthy
  • Patent number: 8149708
    Abstract: Streams of packets are dynamically switched among dedicated and shared queues. For example, when a packet stream is in a maintenance mode (such as to keep a tunnel or packet stream associated with a server active) all packet traffic received over a packet stream is directed into the shared queue while the packet stream is not associated with one of the dedicated queues. In response to a detected change in the packet activity status of packet traffic (e.g., the establishment of a call or an increase in packet traffic, especially desirous of individualized quality of service) over a particular packet stream of the packet streams, the particular packet stream is associated with a particular group of dedicated queues such that at least non-control data traffic received over the particular packet stream is subsequently directed into the particular group of dedicated queues while the particular packet stream remains associated with the particular group of dedicated queues.
    Type: Grant
    Filed: April 20, 2006
    Date of Patent: April 3, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Oz, Earl T. Cohen, Eyal Oren
  • Publication number: 20120026897
    Abstract: Packets are encapsulated and sent from a service node (e.g., packet switching device) using one or more services applied to a packet by an application node (e.g., a packet switching device and/or computing platform such as a Cisco ASR 1000) to generate a result, which is used by the service node to process packets of a flow of packets to which the packet belonged. An example of a service applied to a packet is a classification service, such as, but not limited to, using deep packet inspection on the packet to identify a classification result. The service node can, for example, use this classification result to process other packets in a same packet flow, such that all packets of a flow do not need to be, nor typically are, sent to an application node for processing.
    Type: Application
    Filed: July 29, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: Jim Guichard, David Delano Ward, Cedell Adam Alexander, Jr., Brian Lance Hiltscher, Doron Oz
  • Publication number: 20120027015
    Abstract: A service is applied in a packet switching device to both directions of a flow of packets through the packet switching device, with the application of this Layer-4 to layer-7 service to one direction requiring state information shared from the application of the service to packets traversing in the other direction. The service (e.g. firewall, network address translation) can be applied by different processing complexes which do not share memory; thus, state information is communicated between the processing complexes. When the service is applied by a single processing complex, packets can be directed explicitly to the single processing complex. The inline application of services in a packet switching system typically eliminates the need to change a packet's path through the packet switching system to that through a dedicated application server, and may eliminate the need for a dedicated services card or blade server.
    Type: Application
    Filed: July 27, 2010
    Publication date: February 2, 2012
    Applicant: Cisco Technology, Inc., a corporation of California
    Inventors: John C. Carney, Timothy P. Donahue, Michael E. Lipman, David Delano Ward, Doron Oz
  • Patent number: 8024787
    Abstract: One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and access thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the application by the firewall itself of the security policies from the network topology and routing architecture (e.g., the network routing address information which is typically relied upon by current firewalls), the firewall functionality is defined based on the identified entry and exit accesses of a firewall, rather than based on network defined addresses, for example.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Oz, Nir Ben-Dvora, Eldad Bar Eli
  • Patent number: 8018932
    Abstract: Methods and apparatus are disclosed for sending a multicast packet from multiple network interfaces across multiple networks using the same media access source address (MAC source address). One implementation includes a processing element and a network interface for each of the multiple networks. The processing element generates and initiates sending of a multicast packet having a same media access source address (MAC source address) from at least two of the multiple network interfaces. In one implementation, a single copy of the multicast packet is buffered, and each of the network interfaces retrieves, such as via a direct memory access (DMA) request, the multicast packet and forwards it to an attached network.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: September 13, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Eldad Bar Eli, Doron Oz
  • Patent number: 7957279
    Abstract: In one embodiment, a router receives a call request for establishing a multimedia exchange between two remote endpoints. The router selects a processing entity to manage a subset of connections with the remote endpoints according to an endpoint identification such as a remote address included in the call request. A different processing entity manages the remaining connections with the remote endpoints. Accordingly, the load of managing signaling for establishing the multimedia exchange is balanced between a plurality of processing elements that appear externally as a single entity such that modification of remote endpoint behavior is not required.
    Type: Grant
    Filed: May 30, 2007
    Date of Patent: June 7, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Nir Ben-Dvora, Jisu Bhattacharya, Chandrasekar Krishnamurthy, Doron Oz, David D. Ward
  • Patent number: 7941527
    Abstract: In one embodiment, flows are monitored that are open for a length of time until ending by either a distinct ending or by being silent longer than a configured aging timer (wherein a silent flow is a “zombie flow”). In response to each first flow ending, a total flow time value may be increased by a length of time that first flow was open, and in response to each second flow ending by aging, a zombie flow time value may be increased by the aging timer. A ratio of zombie flows at a particular time in the computer network that will be ended by aging may be estimated as the zombie flow time value divided by the total flow time value. Also, in other embodiments, a capacity improvement, performance hit, and accuracy hit may be predicted based on a new aging timer value.
    Type: Grant
    Filed: November 19, 2007
    Date of Patent: May 10, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Jacoby, Assi Abramovitz, Alon Juszynski Maor, Doron Oz
  • Patent number: 7877505
    Abstract: A method for communication includes associating respective feature chains with a plurality of interfaces of a data switch. The feature chains include service features. A respective failure policy is defined for each of one or more of the service features in each of the feature chains. Upon detecting a failure in a service feature in a feature chain associated with one of the interfaces, data packets are routed through the data switch while applying, responsively to the failure, the respective failure policy to the one of the interfaces.
    Type: Grant
    Filed: April 21, 2006
    Date of Patent: January 25, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Doron Oz, Sarel Altshuler, Simon Chatterjee
  • Patent number: 7860959
    Abstract: A technique maintains configurations of an intermediate node in a version control system. Entities within the intermediate node are represented by objects. Each object is associated with a state. Each object is distinct from other objects in the intermediate node, thus enabling the state of an object to be changed, without affecting other objects. Versions of the objects' states are maintained in the version control system. The version control system is configured to maintain one or more versions of state associated with the objects. A configuration of the intermediate node is defined by labeling a version of objects saved in the version control system. A configuration is applied to the intermediate node by acquiring the states of objects associated with the configuration from the version control system and configuring the intermediate node's entities represented by the objects in accordance with the acquired states.
    Type: Grant
    Filed: March 4, 2004
    Date of Patent: December 28, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Danny Karpati, Roni Luxenberg, Doron Oz, David D. Ward
  • Patent number: 7801062
    Abstract: A novel and useful mechanism for detecting the nodes connected to a network device and for creating a ring network from the nodes detected thereby. The invention simplifies insertion, removal and modification of nodes in the ring by detecting and reconfiguring the S ring without requiring intervention by a user. Identification information messages generated by network devices and sent out on all links and received over a plurality of ports are used in identifying and determining the connectivity and topology of the network devices. The resulting topology information is stored in a node database. The contents of the node database are then used to generate one or more ring networks, wherein each ring generated corresponds to a unique line speed. The connectivity of the one or more rings generated is stored in a ring database and the rings configured therefrom.
    Type: Grant
    Filed: May 30, 2006
    Date of Patent: September 21, 2010
    Assignee: Cisco Systems Israel Ltd.
    Inventors: Doron Oz, Eldad Bar-Eli, Moti Haimovsky
  • Patent number: 7787478
    Abstract: Methods and devices for managing traffic at a session border controller (SBC) are described. A signal portion of traffic en route from a source in a virtual private network (VPN) to a destination is received. The signal portion has embedded therein an identifier that uniquely identifies the VPN. The identifier is accessed to determine whether the destination is also in the VPN. A decision whether to direct a media portion of the traffic to an SBC is made depending on whether or not the destination is outside of the VPN.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: August 31, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Michel Khouderchah, Chandrasekar Krishnamurthy, Doron Oz
  • Patent number: 7787462
    Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for applying features to packets in an order specified by a selected feature order template. By providing multiple feature order templates, a network device manufacturer can provide the user of the network device the ability to select among a variety of orders in which features are applied, while limiting the possible selectable orderings such as to those capable by the hardware and software of the network device, and/or to a subset of orderings thereof which has been thoroughly tested. Some devices further allow a user to define new feature order templates via a user interface.
    Type: Grant
    Filed: March 6, 2006
    Date of Patent: August 31, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Sarel Altshuler, Nisim Levi, Nir Ben-Dvora, Doron Oz