Abstract: Techniques are provided for receiving one or more packets at a network device in a network. The one or more packets are part of normal network communication traffic. Device specific information associated with the one or more packets is generated that is unique to or available at the network device. One or more duplicate packets corresponding to the one or more packets are generated. The device specific information is encapsulated within the one or more duplicate packets for transmission over the network. The one or more duplicate packets are received at a network analyzer in the network. The device specific information associated with the one or more packets that is unique to the network device is extracted from the one or more duplicate packets and analyzed to determine network metrics for the one or more packets.

Abstract: Methods and apparatus for intelligent sharing and tighter integration between a service engine (SE) for network communication and a high-speed forwarding device, such that certain network flows may be offloaded from the SE to benefit from the high-speed forwarding capacity of such a device are provided. To accomplish the integration, an application binary interface (ABI) may be employed as an in-band high-priority communication protocol between the data planes of the SE and the high-speed forwarding device, and an application programming interface (API) may be utilized to leverage the ABI and any in-band or out-of-band channel to allow the master SE to control the high-speed slave device. Such integration techniques are not limited to a few specialized hardware components, but may also be applied to other types of hardware resources, such as flow tables, quality of service (QoS) tables, access control list (ACL) tables for security, forwarding and adjacency tables, etc.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

Abstract: Methods, apparatus, and other mechanisms are disclosed for generating accounting or other data based on that indicated in access control lists or other specifications, and typically using associative memory entries in one or more associative memory banks and/or memory devices. One implementation identifies an access control list including multiple access control list entries, with a subset of these access control list entries identifying accounting requests. Accounting mechanisms are associated with each of said access control list entries in the subset of access control list entries identifying accounting requests. An item is identified, and a corresponding accounting mechanism is updated. In one implementation, the item includes at least one autonomous system number. In one implementation, at least one of the accounting mechanisms is associated with at least two different access control list entries in the subset of access control list entries identifying accounting requests.

Abstract: Methods and apparatus for intelligent sharing and tighter integration between a service engine (SE) for network communication and a high-speed forwarding device, such that certain network flows may be offloaded from the SE to benefit from the high-speed forwarding capacity of such a device are provided. To accomplish the integration, an application binary interface (ABI) may be employed as an in-band high-priority communication protocol between the data planes of the SE and the high-speed forwarding device, and an application programming interface (API) may be utilized to leverage the ABI and any in-band or out-of-band channel to allow the master SE to control the high-speed slave device. Such integration techniques are not limited to a few specialized hardware components, but may also be applied to other types of hardware resources, such as flow tables, quality of service (QoS) tables, access control list (ACL) tables for security, forwarding and adjacency tables, etc.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

Abstract: Methods, apparatus, and other mechanisms are disclosed for generating accounting or other data based on that indicated in access control lists or other specifications, and typically using associative memory entries in one or more associative memory banks and/or memory devices. One implementation identifies an access control list including multiple access control list entries, with a subset of these access control list entries identifying accounting requests. Accounting mechanisms are associated with each of said access control list entries in the subset of access control list entries identifying accounting requests. An item is identified, and a corresponding accounting mechanism is updated. In one implementation, the item includes at least one autonomous system number. In one implementation, at least one of the accounting mechanisms is associated with at least two different access control list entries in the subset of access control list entries identifying accounting requests.

Abstract: Router circuit, provides Internet protocol (IP) address translation to enable connection or packet-level multiplexing over multiple single-user IP address account links. Connection-level multiplexing (CLM) provide between LAN and WAN addresses outbound packet transfer by replacing private packet source IP address and port number with said external IP address port number, and inbound packet transfer by replacing external packet destination IP address and port number with private IP address and port number. Look-up table provides bi-directional translation or effective multiplexing of IP addresses and port assignments for incoming or outgoing packets. Packet-level multiplexing (PLM) provides between LAN1 and LAN2 addresses outbound packet processing, wherein destination IP address and port number are replaced with external IP address and port number, and inbound packet processing, wherein source IP address and port number are replaced with internal IP address and port number.