US 7,742,406 B1

(12) United States Patent
Muppala

(10) Patent No.: US 7,742,406 B1
(45) Date of Patent: Jun. 22, 2010

(54) COORDINATED ENVIRONMENT FOR CLASSIFICATION AND CONTROL OF NETWORK TRAFFIC

(75) Inventor: Suresh Muppala, Cupertino, CA (US)

(73) Assignee: Packeteer, Inc., Cupertino, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1039 days.

(21) Appl. No.: 11/019,502

(22) Filed: Dec. 20, 2004

(51) Int. Cl.
    H04L 12/26 (2006.01)
    H04L 12/28 (2006.01)
    H04L 12/56 (2006.01)
(52) U.S. Cl. ................................ 370/230; 370/392
(58) Field of Classification Search .............. None
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

    6,490,630 B1*      12/2002  Poon et al. ............ 370/229
    6,778,530 B1*       8/2004  Greene ................. 370/389
    6,937,560 B2*       8/2005  Enns et al. ............ 370/229
    6,963,578 B2*      11/2005  Akahane et al. ......... 370/417
    7,395,538 B1*       7/2008  Carney et al. .......... 718/105
    7,480,246 B2*       1/2009  Agarwal et al. ......... 370/412
    7,512,129 B1*       3/2009  Favor et al. ........... 370/394
    7,567,504 B2*       7/2009  Darling et al. ......... 370/216
    7,649,870 B2*       1/2010  Parker ................. 370/389
 2002/0080786 A1*       6/2002  Roberts ................ 370/389
 2003/0112808 A1*       6/2003  Solomon ................ 370/400
 2005/0220011 A1*      10/2005  Parker et al. .......... 370/229
 2008/0037546 A1*  (date illegible)  Ishikawa et al. ... (class illegible)
 2009/0039239 A1*       4/2009  Herrera et al. ........ (class illegible)

* cited by examiner

Primary Examiner: Ayaz R Sheikh
Assistant Examiner: Timothy J Weidner
(74) Attorney, Agent, or Firm: Baker Botts L.L.P.

(57) ABSTRACT

Methods, apparatuses and systems directed to the coordinated classification of network traffic. In one implementation, the present invention enables a coordinated network environment for traffic classification where an upstream network device classifies a data flow and adds traffic class information to at least one packet in the data flow. Downstream network devices in the communications path to the destination host can use the traffic class information in the modified packet, bypassing at least some of the local traffic classification operations and thereby reducing CPU utilization. In one implementation, the last downstream network device strips the traffic classification information from the modified packet before it is forwarded to the destination host. Embodiments of the invention reduce or eliminate redundant network traffic classification operations performed by a plurality of network devices in a communications path.

21 Claims, 5 Drawing Sheets
[Front-page representative drawing: reference numerals legible in the extracted text are 44a, 60a, 60b, 61, 62, 63, 64, 66 and 130a; the rest of the drawing is not recoverable.]

U.S. Patent   Jun. 22, 2010   Sheet 1 of 5   US 7,742,406 B1

[FIG. 1 (Sheet 1 of 5): functional block diagram of the network environment; drawing content not recoverable from the extracted text.]

[FIG. 2 (Sheet 2 of 5): functional block diagram of the application traffic management device. Labelled blocks: Application Traffic Management Device; Network Device Application Processor; Flow Control Module; Interface; Traffic Classification; Management Information Base; Host Database; Administrator (Interface).]

[FIG. 3 (Sheet 3 of 5): flow chart. Boxes in reading order: Flow Object? (104); Construct Flow Object; Remote Classification Flag Set?; Set Remote Classification Flag in Flow Object; Set Traffic Class in Flow Object based on c_Tag; Pass Packet Pointer to Traffic Classification Engine; Update Flow Object Attributes (118); Record Measurement Variables (120); To Active Downstream c_Tag Node?; New Flow/Traffic Class?; Add c_Tag to Packet; Strip c_Tag from Packet; Pass Packet to Flow Control Module (134).]

[FIG. 3A (Sheet 4 of 5): flow chart with the same structure as FIG. 3, except that the flow object stores a Service Id ("Set Service Id in Flow Object based on c_Tag") and the tagging decision reads "New Flow/Service Id?". Reference numerals legible: 106, 116, 118, 120, 122, 124, 128.]

[FIG. 4 (Sheet 5 of 5): functional block diagram of a coordinated traffic classification environment; labels not recoverable from the extracted text.]

US 7,742,406 B1

COORDINATED ENVIRONMENT FOR CLASSIFICATION AND CONTROL OF NETWORK TRAFFIC

CROSS-REFERENCE TO RELATED APPLICATIONS AND PATENTS

This application makes reference to the following commonly owned U.S. patent applications and patents, which are incorporated herein by reference in their entirety for all purposes:

U.S. patent application Ser. No. 08/762,828 now U.S. Pat. No. 5,802,106 in the name of Robert L. Packer, entitled "Method for Rapid Data Rate Detection in a Packet Communication Environment Without Data Rate Supervision;"

U.S. patent application Ser. No. 08/970,693 now U.S. Pat. No. 6,018,516, in the name of Robert L. Packer, entitled "Method for Minimizing Unneeded Retransmission of Packets in a Packet Communication Environment Supporting a Plurality of Data Link Rates;"

U.S. patent application Ser. No. 08/742,994 now U.S. Pat. No. 6,038,216, in the name of Robert L. Packer, entitled "Method for Explicit Data Rate Control in a Packet Communication Environment without Data Rate Supervision;"

U.S. patent application Ser. No. 09/977,642 now U.S. Pat. No. 6,046,980, in the name of Robert L. Packer, entitled "System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network;"

U.S. patent application Ser. No. 09/106,924 now U.S. Pat. No. 6,115,357, in the name of Robert L. Packer and Brett D. Galloway, entitled "Method for Pacing Data Flow in a Packet-based Network;"

U.S. patent application Ser. No. 09/046,776 now U.S. Pat. No. 6,205,120, in the name of Robert L. Packer and Guy Riddle, entitled "Method for Transparently Determining and Setting an Optimal Minimum Required TCP Window Size;"

U.S. patent application Ser. No. 09/479,356 now U.S. Pat. No. 6,285,658, in the name of Robert L. Packer, entitled "System for Managing Flow Bandwidth Utilization at Network, Transport and Application Layers in Store and Forward Network;"

U.S. patent application Ser. No. 09/198,090 now U.S. Pat. No. 6,412,000, in the name of Guy Riddle and Robert L. Packer, entitled "Method for Automatically Classifying Traffic in a Packet Communications Network;"

U.S. patent application Ser. No. 09/198,051, in the name of Guy Riddle, entitled "Method for Automatically Determining a Traffic Policy in a Packet Communications Network;"

U.S. patent application Ser. No. 09/206,772, now U.S. Pat. No. 6,456,360, in the name of Robert L. Packer, Brett D. Galloway and Ted Thi, entitled "Method for Data Rate Control for Heterogeneous or Peer Internetworking;"

U.S. patent application Ser. No. 09/710,442, in the name of Todd Krautkremer and Guy Riddle, entitled "Application Service Level Mediation and Method of Using the Same;"

U.S. patent application Ser. No. 10/015,826 in the name of Guy Riddle, entitled "Dynamic Tunnel Probing in a Communications Network;"

U.S. patent application Ser. No. 10/039,992, in the name of Michael J. Quinn and Mary L. Laier, entitled "Method and Apparatus for Fast Lookup of Related Classification Entities in a Tree-Ordered Classification Hierarchy;"

U.S. patent application Ser. No. 10/108,085, in the name of Wei-Lung Lai, Jon Eric Okholm, and Michael J. Quinn, entitled "Output Scheduling Data Structure Facilitating Hierarchical Network Resource Allocation Scheme;"

U.S. patent application Ser. No. 10/155,936 now U.S. Pat. No. 6,591,299, in the name of Guy Riddle, Robert L. Packer, and Mark Hill, entitled "Method For Automatically Classifying Traffic With Enhanced Hierarchy In A Packet Communications Network;"

U.S. patent application Ser. No. 10/236,149, in the name of Brett Galloway and George Powers, entitled "Classification Data Structure enabling Multi-Dimensional Network Traffic Classification and Control Schemes;"

U.S. patent application Ser. No. 10/453,345, in the name of Scott Hankins, Michael R. Morford, and Michael J. Quinn, entitled "Flow-Based Packet Capture;"

U.S. patent application Ser. No. 10/611,573, in the name of Roopesh Varier, David Jacobson, and Guy Riddle, entitled "Network Traffic Synchronization Mechanism;"

U.S. patent application Ser. No. 10/676,383 in the name of Guy Riddle, entitled "Enhanced Flow Data Records Including Traffic Type Data;"

U.S. patent application Ser. No. 10/720,329, in the name of Weng-Chin Yung, Mark Hill and Anne Cesa Klein, entitled "Heuristic Behavior Pattern Matching of Data Flows in Enhanced Network Traffic Classification;"

U.S. patent application Ser. No. 10/810,785 in the name of Azeem Feroz, Wei-Lung Lai, and Jim Stabile, entitled "Slow-Start Adaptive Mechanisms to Improve Efficiency of Bandwidth Allocation;"

U.S. patent application Ser. No. 10/812,198 in the name of Michael Robert Morford and Robert E. Purvy, entitled "Adaptive, Application-Aware Selection of Differentiated Network Services;"

U.S. patent application Ser. No. 10/843,185 in the name of Guy Riddle, Curtis Vance Bradford and Maddie Cheng, entitled "Packet Load Shedding;"

U.S. patent application Ser. No. 10/858,340 in the name of Roopesh Varier, James J. Stabile, Paul Leslie Archard, Guy Riddle, and David Jacobson, entitled "Network Traffic Synchronization and Data Compression in Redundant Network Topologies;" and

U.S. patent application Ser. No. 10/938,435 in the name of Guy Riddle, entitled "Classification and Management of Network Traffic Based on Attributes Orthogonal to Explicit Packet Attributes."

FIELD OF THE INVENTION

The present invention relates to computer networks and, more particularly, to methods, apparatuses and systems directed to the classification and control of network traffic.

BACKGROUND OF THE INVENTION

Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks.

To facilitate monitoring, management and control of network environments, a variety of network devices, applications, technologies and services have been developed. For example, certain data flow rate control mechanisms have been developed to provide a means to control and optimize efficiency of data transfer as well as allocate available bandwidth among a variety of business enterprise functionalities. For example, U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. For example, U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. For example, bandwidth management devices allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, certain bandwidth management devices, as well as certain routers, allow network administrators to specify aggregate bandwidth utilization controls to divide available bandwidth into partitions. With some network devices, these partitions can be configured to provide a minimum bandwidth guarantee, and/or cap bandwidth, as to a particular class of traffic. An administrator specifies a traffic class (such as FTP data, or data flows involving a specific user or network application) and the size of the reserved virtual link—i.e., minimum guaranteed bandwidth and/or maximum bandwidth. Such partitions can be applied on a per-application basis (protecting and/or capping bandwidth for all traffic associated with an application) or a per-user basis (controlling, prioritizing, protecting and/or capping bandwidth for a particular user). In addition, certain bandwidth management devices allow administrators to define a partition hierarchy by configuring one or more partitions dividing the access link and further dividing the parent partitions into one or more child partitions.

Furthermore, network security is another concern, such as the detection of computer viruses, as well as prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions. Other network devices also perform security or data gathering or monitoring functions, such as packet capture devices.

Many of the systems and technologies discussed above incorporate or utilize traffic classification mechanisms to perform their respective functions. Identification of traffic types associated with data flows traversing a network generally involves the application of matching criteria or rules to explicitly presented or readily discoverable attributes of individual packets, or groups of packets, against an application signature which may comprise a protocol identifier (e.g., TCP, HTTP, UDP, MIME types, etc.), a port number, and even an application-specific string of text in the payload of a packet. Indeed, the rich Layer 7 classification functionality of PacketShaper® bandwidth management devices offered by Packeteer®, Inc. of Cupertino, Calif. is an attractive feature for network administrators, as it allows for accurate identification of a variety of application types.

The throughput of network devices that utilize traffic classification can become a concern, as traffic classification, especially granular classification mechanisms, can include a variety of CPU-intensive operations. If a network device, such as an application traffic management device, becomes a bottleneck, it can defeat the very purpose for which the network
device was deployed—namely, increased efficiency and performance. Network device vendors, therefore, must configure their network devices with sufficient computational resources to avoid creating a performance bottleneck. Classification of data flows, especially in modern network environments, however, is often one of the most CPU-intensive tasks performed by the network devices. In addition, recent trends seen in many network applications suggest that the resource intensive nature of network traffic classification will only increase. Indeed, an increasing number of network applications employ data compression, encryption technology, and/or proprietary protocols that obscure or prevent identification of various application-specific attributes, often leaving well-known port numbers as the only basis for classification. In fact, as networked applications become increasingly complex, data encryption and/or compression has become a touted security or optimization feature. Indeed, data encryption addresses the concern of security and privacy issues, but also makes it much more difficult for intermediate network devices to identify the applications that employ them. In addition, traffic classification based solely on well-known port numbers can be problematic, especially where a network application uses dynamic port number assignments or incorrectly uses a well-known port number, leading to misclassification of the data flows. In addition, classifying such encrypted network traffic as unknown (or encrypted) and applying a particular rate or admission policy to unknown traffic classes undermines the granular control otherwise provided by bandwidth management devices and, further, may cause legitimate, encrypted traffic to suffer as a result. Traffic classification mechanisms have to adapt to address these circumstances. For example, U.S. application Ser. No. 10/938,435 discloses network traffic classification mechanisms that classify network traffic based on the behavioral attributes of the data flows. U.S. application Ser. No. 10/720,329 discloses the classification of data flows based on heuristic behavior pattern matching. These classification mechanisms differ from traditional classification mechanisms which classify traffic based on explicitly presented attributes of individual data packets; however, they are quite resource intensive, requiring maintenance and analysis of a significant amount of stateful information for each data flow.

Enterprise network topologies can span a vast array of designs and connection schemes depending on the enterprise's resource requirements, the number of locations or offices to connect, desired service levels, costs and the like. A given enterprise often must support multiple LAN or WAN segments that support headquarters, branch offices and other operational and office facilities. Indeed, enterprise network design topologies often include multiple, interconnected LAN and WAN segments in the enterprise's intranet, and multiple paths to extranets and the Internet. These network topologies often require the deployment of a variety of network devices at each remote facility. In addition, some network systems are end-to-end solutions, such as application traffic optimizers using protocol intervention technologies, requiring network devices at each end of a communications path between, for example, a main office and a remote facility. In a typical network environment where the classification information is not exchanged, each network device separately analyzes the data flows in order to classify them. Often times, the methods used for classifying network traffic on these network devices will result in the same or similar classification of the data flows traversing the network devices. While the prior art is suitable for its intended objective, the separate classification of data flows traversing a plurality of identical or similar network devices results in certain inefficiencies. In
other words, a downstream network device, such as a bandwidth management device, located along a communications path traversed by a given data flow fails to take advantage of the classification information derived by an upstream network device in the communications path. Additionally, in fault tolerant networks, redundant networking devices are used in active-and-standby configurations. U.S. application Ser. Nos. 10/611,573 and 10/858,340 disclose the configuration and deployment of application traffic management devices in redundant network topologies. In these deployments, the active and standby network devices transmit synchronization packets to maintain the same state, while one or both network devices forward network traffic. In these configurations, both network devices classify the same traffic independently in order to maintain the same flow state and statistics information. The resources spent classifying the traffic reduces performance, which can become a concern as traffic loads increase.

In light of the foregoing, a need in the art exists for increasing the efficiency and performance of network traffic classification. A need also exists in the art for reducing the resource requirements associated with network traffic classification. Embodiments of the present invention substantially fulfill these needs.

SUMMARY OF THE INVENTION

The present invention provides methods, apparatuses and systems directed to the coordinated classification of network traffic. In one implementation, the present invention enables a coordinated network environment for traffic classification where an upstream network device classifies a data flow and adds traffic class information to at least one packet in the data flow. Downstream network devices in the communications path to the destination host can use the traffic class information in the modified packet, bypassing at least some of the local traffic classification operations and thereby reducing CPU utilization. In one implementation, the last downstream network device strips the traffic classification information from the modified packet before it is forwarded to the destination host.

In one implementation, the traffic classification information is added using a tag or header added to the first packet in a given flow and, potentially, one or more subsequent packets in the flow when additional traffic classification information is obtained. Intermediate network devices along the communication path can also use the traffic classification information and forward the packets with the traffic classification tag without modification. Embodiments of the present invention reduce or eliminate redundant traffic classification operations, thereby improving overall system performance. As discussed in more detail below, the present invention can be applied in a variety of contexts and system architectures. For example, the present invention can be applied to a network environment including a plurality of application traffic management devices. Other network devices can also be used, such as packet capture devices, firewalls, gateways, proxies and the like. Furthermore, the present invention can be applied in a network system where upstream and downstream network devices are disposed in a communication path between networks or end systems. The present invention can also be applied between partner network devices in redundant network topologies.
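The upstream/intermediate/downstream behaviour summarized above and in the FIG. 3 flow chart (construct flow object, honour or set the c_Tag, tag only on a new flow or class, strip at the last node), simulated as an added example that is not code from the patent or from Packeteer. The tag layout, the port-based stand-in for the classification engine, the device names and the rule that a device honours a c_Tag only when it arrives from its configured upstream peer are assumptions made for illustration.

```python
# Added example (not code from the patent or from Packeteer): simulates the c_Tag
# scheme. Tag layout, port rules and the "upstream peer" check are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional

TAG_MAGIC = b"CTAG"  # constructed marker; the patent does not specify a tag format


@dataclass
class Packet:
    flow_key: tuple        # (src, dst, sport, dport, proto)
    payload: bytes
    ingress: str = "host"  # node that handed us the packet (assumed field)


def add_c_tag(pkt: Packet, traffic_class: str) -> None:
    """FIG. 3 'Add c_Tag to Packet': prepend MAGIC | len | class to the payload."""
    cls = traffic_class.encode()
    pkt.payload = TAG_MAGIC + bytes([len(cls)]) + cls + pkt.payload


def read_c_tag(pkt: Packet) -> Optional[str]:
    """Return the traffic class carried by a c_Tag, or None if there is none."""
    p, start = pkt.payload, len(TAG_MAGIC) + 1
    if not p.startswith(TAG_MAGIC) or len(p) < start:
        return None
    n = p[len(TAG_MAGIC)]
    if len(p) < start + n:
        return None  # truncated tag: treat as absent rather than trusting it
    return p[start:start + n].decode(errors="replace")


def strip_c_tag(pkt: Packet) -> None:
    """FIG. 3 'Strip c_Tag from Packet': restore the original payload."""
    if read_c_tag(pkt) is not None:
        pkt.payload = pkt.payload[len(TAG_MAGIC) + 1 + pkt.payload[len(TAG_MAGIC)]:]


@dataclass
class FlowObject:
    traffic_class: Optional[str] = None
    remote_classification: bool = False     # 'Remote Classification Flag'
    advertised_class: Optional[str] = None  # class last sent downstream in a c_Tag
    packets: int = 0                        # a measurement variable


class Device:
    """One network device in the path; peers form the coordinated environment."""
    def __init__(self, name: str, upstream_peer: Optional[str], downstream_c_tag_node: bool):
        self.name = name
        self.upstream_peer = upstream_peer  # tags are honoured only from this node
        self.downstream_c_tag_node = downstream_c_tag_node  # 'To active downstream c_Tag node?'
        self.flows: Dict[tuple, FlowObject] = {}
        self.local_classifications = 0  # how often the local engine (96) was invoked

    def classify_locally(self, pkt: Packet) -> str:
        """Stand-in for traffic classification engine 96 (constructed port rules)."""
        self.local_classifications += 1
        proto, dport = pkt.flow_key[4], pkt.flow_key[3]
        return {21: "FTP", 80: "HTTP", 443: "HTTP"}.get(dport, "Default") if proto == "tcp" else "Default"

    def process(self, pkt: Packet) -> Packet:
        flow = self.flows.setdefault(pkt.flow_key, FlowObject())  # 'Flow Object?' / construct it
        flow.packets += 1                                          # 'Record Measurement Variables'
        tag = read_c_tag(pkt)
        if tag is not None and pkt.ingress != self.upstream_peer:
            strip_c_tag(pkt)  # tag did not arrive from the configured peer: ignore it (assumption)
            tag = None
        if tag is not None:
            flow.remote_classification = True  # 'Set Remote Classification Flag in Flow Object'
            flow.traffic_class = tag           # 'Set Traffic Class in Flow Object based on c_Tag'
        elif not flow.remote_classification and flow.traffic_class is None:
            flow.traffic_class = self.classify_locally(pkt)  # 'Pass Packet Pointer to Engine'
        if self.downstream_c_tag_node:
            if tag is not None:
                flow.advertised_class = tag  # intermediate node: forward the tag unmodified
            elif flow.traffic_class != flow.advertised_class:
                add_c_tag(pkt, flow.traffic_class)  # 'New Flow/Traffic Class?' -> tag it
                flow.advertised_class = flow.traffic_class
        else:
            strip_c_tag(pkt)  # last c_Tag node: the destination host never sees the tag
        pkt.ingress = self.name
        return pkt  # would now go to flow control module 94 (not modelled)


def demo() -> Dict[str, int]:
    """Constructed path 130 -> 130b -> 130a carrying one FTP control flow."""
    path = [Device("130", None, True), Device("130b", "130", True), Device("130a", "130b", False)]
    key = ("10.0.0.5", "10.1.0.9", 40000, 21, "tcp")
    originals = [b"USER anon\r\n", b"PASS x\r\n", b"LIST\r\n"]
    delivered = []
    for data in originals:
        pkt = Packet(key, data)
        for dev in path:
            pkt = dev.process(pkt)
        delivered.append(pkt.payload)
    assert delivered == originals  # tag stripped before the host; payloads intact
    return {d.name: d.local_classifications for d in path}
```

Running `demo()` returns `{'130': 1, '130b': 0, '130a': 0}`: only the upstream device runs its classification engine, the other two take the class from the tag.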

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram illustrating a computer network system architecture in which an embodiment of the present invention may operate.

FIG. 2 is a functional block diagram illustrating the functionality of a network device, according to one implementation of the present invention, for use in a coordinated traffic classification environment.

FIG. 3 is a flow chart diagram showing a method, according to one implementation of the present invention, directed to coordinating network traffic classification among peer network devices.

FIG. 3A is a flow chart diagram showing a method, according to another implementation of the present invention, directed to coordinating network traffic classification among peer network devices.

FIG. 4 is a functional block diagram illustrating an operation of a coordinated network traffic classification environment, according to one implementation of the present invention.

DESCRIPTION OF PREFERRED EMBODIMENT(S)

FIGS. 1 and 2 illustrate an exemplary network environment in which an embodiment of the present invention operates. Of course, the present invention can be applied to a variety of network architectures. FIG. 1 illustrates, for didactic purposes, a network 50, such as wide area network, interconnecting a first enterprise network 40, supporting a central operating or headquarters facility, and a second enterprise network 40a, supporting a branch office facility. As FIG. 2 shows, the first network 40 interconnects several TCP/IP end systems, including client devices 42 and server device 44, and provides access to resources operably connected to computer network 50 via router 22 and access link 21. Access link 21 is a physical and/or logical connection between two networks, such as computer network 50 and network 40. The computer network environment, including network 40 and network 50, is a packet-based communications environment, employing TCP/IP protocols, and/or other suitable protocols, and has a plurality of interconnected digital packet transmission stations or routing nodes. First network 40, and network 40a, can each be a local area network, a wide area network, or any other suitable network.

As FIGS. 1 and 2 illustrate, application traffic management device 130, in one implementation, is deployed at the edge of network 40. In one implementation, application traffic management device 130 is operative to classify and manage data flows traversing access link 21. However, the coordinated traffic classification functionality according to the present invention can be integrated into a variety of network devices, such as proxies, firewalls, packet capture or network monitoring equipment, VPN servers, web services network gateways or brokers, and the like. Furthermore, as shown in FIG. 1, application traffic management device 130, in one implementation, operates in connection with either or both of application traffic management device 130a, deployed at the edge of network 40a, and application traffic management device 130b deployed within network 50. In other implementations however, the coordinated traffic classification functionality according to the present invention can be used in connection with different network device types, each of which utilize network traffic classification to perform a network function. For example, the present invention can be applied to a network system including an application traffic management device disposed at a first point in a communications path, and a traffic monitoring device disposed at a second point in the communications path.

As FIG. 2 illustrates, network application traffic management device 130, in one implementation, comprises network device application processor 75, and first and second network interfaces 71, 72, which operably connect application traffic management device 130 to the communications path between router 22 and network 40. Network device application processor 75 generally refers to the functionality implemented by application traffic management device 130, such as network monitoring or reporting, application traffic management, and the like. In one embodiment, network device application processor 75 is a combination of hardware and software, such as a central processing unit, memory, a system bus, an operating system, device drivers, and one or more software modules implementing the functions performed by application traffic management device 130, as well as the coordinated traffic classification functionality described herein. For didactic purposes, application traffic management device 130 is configured to manage network traffic traversing access link 21. The above-identified patents and patent applications, incorporated by reference herein, disclose various functionalities and features that may be incorporated into application traffic management devices according to various implementations of the present invention. In one implementation, the configuration of application traffic management devices 130a, 130b is the same or substantially similar to application traffic management device 130, as described herein.

In one embodiment, first and second network interfaces 71, 72 are the hardware communications interfaces that receive and transmit packets over the computer network environment. In one implementation, first and second network interfaces 71, 72 reside on separate network interface cards operably connected to the system bus of application traffic management device 130. In another implementation, first and second network interfaces reside on the same network interface card. In addition, the first and second network interfaces 71, 72 can be wired network interfaces, such as Ethernet (IEEE 802.3) interfaces, and/or wireless network interfaces, such as IEEE 802.11, BlueTooth, satellite-based interfaces, and the like. As FIG. 2 illustrates, application traffic management device 130, in one embodiment, includes persistent memory 76, such as a hard disk drive or other suitable memory device, such as writable CD, DVD, or tape drives. In other implementations, application traffic management device 130 can include additional network interfaces, beyond network interfaces 71 and 72, to support additional access links or other functionality. Furthermore, U.S. application Ser. No. 10/843,185 provides a description of the operation of various modules, such as network interface drivers, and data structures for receiving into memory and processing packets encountered at network interfaces 71, 72.

As FIG. 2 illustrates, network device application processor 75, in one implementation, includes a packet processor 92, flow control module 94, and traffic classification engine 96. Network device application processor 75, in one implementation, further comprises host database 134, flow database 135, measurement engine 140, management information base 138, and administrator interface 150. In one embodiment, the packet processor 92 is operative to process data packets, such as detecting new data flows, parsing the data packets for various attributes (such as source and destination addresses, and the like) and storing packet attributes in a buffer structure, and maintaining one or more flow variables or statistics (such as packet count) in connection with the data flows and/or the source/destination hosts. The traffic classification engine 96, as discussed more fully below, is operative to classify data flows based on one or more attributes associated with the data flows. Traffic classification engine 96, in one implementation, stores traffic classes associated with data flows encountered during operation of application traffic management device 130, as well as manually created traffic classes configured by a network administrator, in a hierarchical traffic class structure. In one embodiment, traffic classification engine 96 stores traffic classes, in association with pointers to traffic management policies or pointers to data structures defining such traffic management policies. In one implementation, flow control module 94 is operative to apply bandwidth utilization controls to data flows traversing the access link 21 in the inbound and/or outbound directions.

As discussed above, in one implementation, network device application processor 75 further comprises measurement engine 140, management information base (MIB) 138, and administrator interface 150. Management information base 138 is a database of standard and extended network objects related to the operation of application traffic management device 130. Measurement engine 140 maintains measurement and statistical data relating to operation of application traffic management device 130 to allow for monitoring of bandwidth utilization and network performance across access link 21 with respect to a plurality of bandwidth utilization and other network statistics on an aggregate and/or per-traffic-class level.

Administrator interface 150 facilitates the configuration of application traffic management device 130 to adjust or change operational and configuration parameters associated with the device. For example, administrator interface 150 allows administrators to select identified traffic classes and associate them with traffic management policies. Administrator interface 150 also displays various views associated with a hierarchical traffic classification scheme and allows administrators to configure or revise the hierarchical traffic classification scheme. Administrator interface 150 can provide a command line interface and/or a graphical user interface accessible, for example, through a conventional browser on client device 42.

A.1. Packet Processing

As discussed above, packet processor 92, in one implementation, is operative to detect new data flows, instantiate data structures associated with the flows and parse packets to popul