H04L47/21

TCAM-based load balancing on a switch

In an example, a network switch is configured to operate natively as a load balancer. The switch receives incoming traffic on a first interface communicatively coupled to a first network, and assigns the traffic to one of a plurality of traffic buckets. This may include looking up a destination IP of an incoming packet in a fast memory such as a ternary content-addressable memory (TCAM) to determine whether the packet is directed to a virtual IP (VIP) address that is to be load balanced. If so, part of the source destination IP address may be used as a search tag in the TCAM to assign the incoming packet to a traffic bucket or IP address of a service node.

Systems and methods for enhanced autonegotiation

An improved autonegotiation approach includes determining that a negotiated rate between a first network device and a second network device exceeds data transfer capacity over a network path downstream of the second network device. In response, a configuration message is generated and transmitted to the first network device. When received by the first network device, the configuration message causes the first network device to limit data transfer between the first network device and the second network device to no more than the downstream data transfer capacity.

Load balancing path assignments techniques

Approaches, techniques, and mechanisms are disclosed for assigning paths to network packets. The path assignment techniques utilize path state information and/or other criteria to determine whether to route a packet along a primary candidate path selected for the packet, or one or more alternative candidate paths selected for the packet. According to an embodiment, network traffic is at least partially balanced by redistributing only a portion of the traffic that would have been assigned to a given primary path. Move-eligibility criteria are applied to traffic to determine whether a given packet is eligible for reassignment from a primary path to an alternative path. The move-eligibility criteria determine which portion of the network traffic to move and which portion to allow to proceed as normal. In an embodiment, the criteria and functions used to determine whether a packet is redistributable are adjusted over time based on path state information.

APPARATUS AND METHOD FOR DISTRIBUTED PROCESSING OF IDENTICAL PACKET IN HIGH-SPEED NETWORK SECURITY EQUIPMENT
20220150152 · 2022-05-12

Disclosed is an apparatus for distributed processing of an identical packet in high-speed network security equipment, including: a plurality of analysis modules for each determining whether vulnerability analysis is required by analyzing a received packet; a circular queue for receiving the packet from an analysis module initially determining that the vulnerability analysis is required and storing the received packet as a bucket structure; and a plurality of analysis engines for each performing different vulnerability analyses for the packet acquired from the circular queue based on a packet address of the bucket structure, in which the bucket structure includes a packet data storage unit and packet use information storage units which are as many as the plurality of analysis engines, and the packet use information storage units store packet use information of the plurality of respective analysis engines, respectively.

Statistical flow aging
20230262005 · 2023-08-17

In one embodiment, a device includes an interface to send and receive packets of network flows, and processing circuitry to track a connection status of each of the network flows, selectively assign some network flows of the network flows having a non-terminated connection status to a flow aging process based on a statistical model of connection termination, operate the flow aging process to identify idle network flows of the some network flows, and release resources associated with the idle network flows.

Highly deterministic latency in a distributed system

A distributed computing system, such as may be used to implement an electronic trading system, supports a notion of fairness in latency. The system does not favor any particular client. Thus, being connected to a particular access point into the system (such as via a gateway) does not give any particular device an unfair advantage or disadvantage over another. That end is accomplished by precisely controlling latency, that is, the time between when request messages arrive at the system and a time at which corresponding response messages are permitted to leave. The precisely controlled, deterministic latency can be fixed over time, or it can vary according to some predetermined pattern, or vary randomly within a pre-determined range of values.