Abstract: A method for processing packets in a multi-processor environment, that includes receiving a set-up request packet for a communication session and directing the set-up request packet to a selected one of a plurality of processors. A set-up reply packet is generated at the selected one of the plurality of processors, the set-up reply packet including a virtual identifier assigned to the selected one of the plurality of processors. The set-up reply packet is transported to establish the communication session.

Abstract: A method, apparatus, computer product and structure is presented for representing and managing large amounts of information concerning networks of elements. While being useful for communication networks, it can be also usefully deployed in the context of other networks such as distribution and transportation networks. The method uses a hierarchical construct called “catalog”—a set of elements (which could be “atomic” elements or catalogs themselves)—to organize information about physical or abstract entities relevant for modeling the network. A matrix construct whose rows and columns constitute such elements are used to model connections at different levels of abstraction. A common framework and representation provided using these two constructs is shown to be useful for visualization, administration, configuration, modeling, monitoring and manipulation of the network.

Abstract: A method for processing packets in a multi-processor environment, that includes receiving a set-up request packet for a communication session and directing the set-up request packet to a selected one of a plurality of processors. A set-up reply packet is generated at the selected one of the plurality of processors, the set-up reply packet including a virtual identifier assigned to the selected one of the plurality of processors. The set-up reply packet is transported to establish the communication session.

Abstract: A method for processing packets in a multi-processor environment, that includes receiving a set-up request packet for a communication session and directing the set-up request packet to a selected one of a plurality of processors. A set-up reply packet is generated at the selected one of the plurality of processors, the set-up reply packet including a virtual identifier assigned to the selected one of the plurality of processors. The set-up reply packet is transported to establish the communication session.

Abstract: In a pipeline network processor, a multicast echo feature ensures that a copy of a packet is sent to all downstream ports associated with an upstream port that delivers the packet. The pipeline network processor maintains a table of header information that is stripped away upon reception in order to forward the packet to each appropriate downstream port. The pipeline network processor performs direct lookups to identify downstream ports associated with the upstream port over which the packet is received. A direct lookup is also performed to obtain the necessary header with which to forward the packet. A copy of the packet with the correct header is then sent to each identified downstream port.

Abstract: In a pipeline network processor, a packet intercept feature determines whether a packet is to be intercepted based on the inbound and outbound port through which the packet travels and based on the source and destination of the packet. When a packet enters the pipeline network processor, a determination is made as to whether the inbound and outbound ports are enabled for packet intercept. If so, a source and/or destination media access control address is compared to a list of configured intercept addresses. If a match is found, a copy of the packet is diverted to an intercept receiver and the original packet is forwarded to its intended destination.

Abstract: A method and system for verifying the availability of a back-up virtual private network IP security (IPSec) tunnel between two network elements by originating a plurality of connection tests between the network elements. The first network element transmits a backup tunnel verification test message to the second network element over the back-up secure tunnel upon receipt of a backup tunnel verification test command. The back-up secure tunnel includes two unidirectional tunnels. The second network element receives the back-up tunnel verification test message over the first back-up unidirectional secure tunnel and transmits a response back to the first network element over the second back-up unidirectional secure tunnel.

Abstract: A method and system for determining the connectivity of a virtual private network IP security (IPSec) tunnel between two network elements by originating a plurality of connection tests between the network elements. The first network element transmits a connectivity test message to the second network element over the secure tunnel upon receipt of an initiate connectivity test command. The secure tunnel includes two unidirectional tunnels. The second network element receives the connectivity test message over the first unidirectional secure tunnel and transmits a response back to the first network element over the second unidirectional secure tunnel. The number of successful responses received from the second network element are accumulated and the results are reported back to the source of the connectivity test command.

Abstract: A packet communications network includes a route management system in which routes can be remotely changed by using a simple set command to set a data value in the originating or terminating node of the route. Storage tables in the originating and destination nodes record the route changes and administrative data concerning the route. This administrative data can be retrieved from the originating node by simple get or get-next commands. The administrative data can include the specific specification of the route in links, the time of creation of the route, the route replaced and the reason for initiating the change in route. Together these capabilities permit centralized management of route changes in the entire network from a single manager node, and using only simple set, get and get-next command structures.

Abstract: A method and system for monitoring the status of an active secure tunnel between a pair of network elements in a communications network. The first network element originates and transmits an Internet Protocol Security (IPSec) test message to a second network element using a first unidirectional secure tunnel in response to the receipt of an active tunnel monitor command. The second network element receives the IPSec test message and transmits a response back to the first network element using a second unidirectional secure tunnel. The number of times that second network element failed to return a response to an IPSec test message is accumulated during a predetermined time interval and then compared with a threshold value to determine if the active secure tunnel has become disabled.

Abstract: A system and method for DEN/LDAP client database access with backoff capability. A current tree of directory information maintained at an LDAP server is used by LDAP clients to retrieve policy configuration information. When an LDAP client wishes to update policy configuration information, a new tree is created by cloning the current or a previous tree or by building a new tree. When the LDAP client is finished updating the new tree, the path for using LDAP clients is set to the new tree and the clients are requested to read LDAP policy configuration information using the new path. If the new tree of policy configuration information is found to be unsuitable, the clients' path is reset to the original tree and the clients are requested to read LDAP information policies using the reset path.

Abstract: A system, method and program product for defining a Virtual Private Network (VPN) by the sum of a plurality of policy segments. Each policy segment is composed of a policy segment name, a policy segment type, a VPN device list, a policy template, a quality of service template and a connection type. The policy segment type can include Internet Protocol Security (IPsec), Differential Services (DiffServ) or Reservation Protocol (RSVP). The group of devices in a policy segment are it specified in a device list which is a collection of other device lists and/or device interface profiles. The group of common policy components are specified in a policy template. Policy templates contain the condition and action references that are used to generate policies for the policy segment. The condition reference includes a validity period and a traffic profile. The action reference includes at least one of an IPsec action, a DiffServ action or an RSVP action.

Abstract: A method and system for testing a Layer 2 tunnel in a data communication network including a network device and a network manager are described. According to the method, a test invocation is received from the network manager at the network device. In response to receipt of the test invocation at the network device, a Layer 2 tunnel within the data communication network is tested, and a result of the test is reported to the network manager. The tests that may be conducted include a connectivity test to determine if a Layer 2 tunnel can be established and a responsiveness test to determine the propagation time of a Layer 2 tunnel. Advantageously, both compulsory and voluntary Layer-2 tunnels can be tested, thereby enabling all Layer 2 protocols (e.g., L2TP, L2F, and PPTP) to be supported.

Abstract: A system and method for a multiple manager to multiple server Internet Protocol (IP) locking application in a directory-enabled network. The IP locking application is a component of a network management application and runs on each server device. The IP locking application processes requests from a network management application on two user-defined TCP/IP port numbers. The first port is designated as the status port and can be accessed by multiple network management applications and/or multiple users to determine the identification of the network management application and/or user that has control of the second port which is designated as the lock port. The status port is used to determine whether or not the server directory is currently being updated by another network management application or user. The lock port is used to actually lock the server device by forming a connection to the port and passing the user and network management application identifiers of the lock requester.

Abstract: A system and method for generating unsupported network information indicators for monitoring and managing a network having at least one network manager resident within a network station and at least one network agent resident within a network device. The method and system accomplish their objects as follows. Network parameters of interest are selected. Network parameters accessible by the at least one network agent are determined. And, in response to the determining, the selected network parameters of interest are construed by utilizing the determined network parameters accessible to the at least one network agent.

Abstract: A method and system for monitoring and managing a network having at least one network manager resident within a network station and at least one network agent resident within a network device. The method and system accomplish their objects as follows. One or more network parameters of one or more network devices are grouped. In response to the grouping, a group monitor is constructed wherein any changes of the grouped one or more network parameters are reflected by the constructed group monitor. The constructed group monitor can thereafter be monitored for indications of changes in any of the grouped network parameters.

Abstract: A method of data retrieval reduces the number of Instrumentation message flows in a Simple Network Management Protocol (SNMP) device. The method uses "look-ahead" algorithms whereby data items which have not yet been requested by the Agent (but are expected to be) are retrieved from Instrumentation. The method comprises the step of retrieving from the Instrumentation an entire row of data from an SNMP table whenever a GetRequest or GetNextRequest Protocol Data Unit (PDU) is issued by the Manager to the Agent. A SubAgent saves this row in anticipation of a subsequent request for another column in this same row thereby eliminating the need for further Instrumentation message flows for further data retrieval from this row. Whenever a new GetRequest is issued by the Manager, a new set of data is retrieved from the Instrumentation.

Abstract: A new system and method allows a Manager in a Simple Network Management Protocol (SNMP) environment to gather updates from its Agents. The system and method comprise the unique provision of an index which is used in each of the Agent's tables for indicating the various revisions thereof. The index lexicographically increases with each revision to the table. The Manager maintains a record of the index of the data which it has received from its Agents, requesting only that data having a lexicographically larger indexing. Further, the index is used in related tables so that the tables will be kept in "sync" in that the Manager will know whether it has the latest updates so that an accurate picture may be portrayed.

Abstract: A packet communications network includes a route management system in which routes can be remotely changed by using a simple set command to set a data value in the originating or terminating node of the route. Storage tables in the originating and destination nodes record the route changes and administrative data concerning the route. This administrative data can be retrieved from the originating node by simple get or get-next commands. The administrative data can include the specific specification of the route in links, the time of creation of the route, the route replaced and the reason for initiating the change in route. Together these capabilities permit centralized management of route changes in the entire network from a single manager node, and using only simple set, get and get-next command structures.

Abstract: A packet communications network includes a centrally controlled route testing system in which each node includes test results tables containing the results of all path tests originated at that node. A centralized route management facility initiates a path test originating at any node by remotely altering a trigger value in a trigger data object at that node. A general results table contains general test results for an entire path between the local node and a remote node while a detailed test results table contains detailed, hop-by-hop test results for each transmission leg of a multi-leg path. The general results table contains a name trigger field for identifying a point-to-point path to be tested, and a connection trigger field for identifying a link-by-link path to be tested.