The present invention relates generally to communication systems, and more specifically to a system and method for monitoring and controlling traffic through a network device in order to protect network resources against unauthorized or malicious use.
In existing systems, access to communication networks, such as Asynchronous Transfer Mode (ATM) networks, is obtained through interfaces located in or associated with host computer systems. The interface between a host computer system and an ATM network is known as a User Network Interface (UNI). Each UNI may include one or more virtual connections ("connections") between the host computer system and other host systems. When a virtual connection is established, bandwidth may be reserved for use by the connection. Such reserved bandwidth is referred to as "guaranteed" bandwidth. An amount of bandwidth in addition to the guaranteed bandwidth may also be defined in association with a virtual connection. Such additional bandwidth is known as "available" bandwidth. Network resources are used to support available bandwidth traffic for a virtual connection only to the extent that they are not being used to support guaranteed bandwidth traffic. Guaranteed bandwidth and available bandwidth are sometimes referred to as the Committed Information Rate ("CIR") and Excess Information Rate ("EIR") of a virtual connection.
In order for multiple connections to coexist within a given network device, each connection must be monitored to determine when the amount of traffic it is carrying is exceeding its guaranteed bandwidth allocation. Otherwise, resources may be allocated to support available bandwidth traffic on a first connection that should be allocated to support guaranteed bandwidth on another connection. Accordingly, network devices such as switches provide functionality known as "rate policing" to ensure that received data units are correctly identified as being within the guaranteed bandwidth or available bandwidth of their respective connections.
In existing systems, rate policing has been performed by monitoring the amount of data that is received and accepted on a virtual connection over a fixed time period, referred to as the rate policing window. A guaranteed bandwidth data limit for the rate policing window of a given connection is determined as a function of the amount of guaranteed bandwidth for the connection and the duration of the connection's rate policing window. When the amount of traffic received over a connection exceeds the guaranteed bandwidth data limit of the connection during a rate policing window, any further traffic received over that connection during the rate policing window is considered available bandwidth traffic.
Existing rate policing systems have employed a byte counter and a rate policing window timer to monitor the received traffic for each connection they support. These systems modify the counter as traffic is received to reflect the amount of traffic received. When the value of the byte counter for a connection indicates that the guaranteed bandwidth limit for a rate policing window has been reached, the rate policing function turns off the connection, dropping any subsequent data units received for the remainder of the rate policing window. The amount of traffic discarded during the remainder of the rate policing window may be counted so that it can later be read or reported for purposes of network management. At the end of each rate policing window, the counter for the associated connection is set to zero and the connection is turned back on if necessary.
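The window-based policer described above, as an added Python simulation that is not part of the patent text: each connection keeps a byte counter and a guaranteed data limit equal to CIR times the window length, data units that fit are accepted as guaranteed traffic, and excess is either marked as available bandwidth traffic or discarded and counted for reporting. The class and function names, the constructed arrival trace, and the lazy on-arrival window reset (used here instead of a per-connection timer) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ConnectionPolicer:
    """Rate policer for one virtual connection (example code, not the patent's).

    guaranteed_bps: guaranteed (CIR) bandwidth in bits per second.
    window_s:       duration of the rate policing window in seconds.
    drop_excess:    True reproduces the existing systems' behaviour (excess is
                    discarded); False marks excess as available bandwidth traffic.
    """
    guaranteed_bps: int
    window_s: float
    drop_excess: bool = True
    window_start: float = 0.0
    accepted_bytes: int = 0     # byte counter for the current window
    discarded_bytes: int = 0    # excess dropped so far, kept for management reporting

    @property
    def limit_bytes(self) -> int:
        # Guaranteed bandwidth data limit for one window: CIR * window length.
        return int(self.guaranteed_bps * self.window_s / 8)

    def police(self, t: float, size: int) -> str:
        """Classify a data unit of `size` bytes arriving at time t (seconds)."""
        # Assumption of this example: the window is advanced when a data unit
        # arrives past its end, rather than by a timer firing for every connection.
        if t >= self.window_start + self.window_s:
            elapsed_windows = int((t - self.window_start) // self.window_s)
            self.window_start += elapsed_windows * self.window_s
            self.accepted_bytes = 0
        if self.accepted_bytes + size <= self.limit_bytes:
            self.accepted_bytes += size
            return "guaranteed"
        if self.drop_excess:
            self.discarded_bytes += size
            return "discarded"
        return "available"


def run_trace(policer: ConnectionPolicer, trace: List[Tuple[float, int]]) -> List[str]:
    """Police a constructed arrival trace of (time_s, size_bytes) and return the verdicts."""
    return [policer.police(t, size) for t, size in trace]


if __name__ == "__main__":
    # Constructed trace: 8000 bit/s CIR over a 1 s window gives a 1000 byte limit.
    trace = [(0.0, 600), (0.5, 400), (0.7, 1), (1.2, 500)]
    p = ConnectionPolicer(guaranteed_bps=8000, window_s=1.0)
    print(run_trace(p, trace), "discarded:", p.discarded_bytes)
```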
As the number of connections that must be supported by a network device increases, the costs associated with performing rate policing have become unacceptably high. Specifically, the costs associated with providing hardware and/or software support for periodically resetting a separate timer and counter for each of several thousand connections, irrespective of whether the connections are currently being used, may be prohibitively high.
For these reasons, it would be desirable to have a system for performing rate policing which does not require constant monitoring of separate timers and counters for each of a large number of connections, including resetting such counters and timers at the end of each rate policing window. The system should further be capable of conveniently supporting large numbers of virtual connections, and operating compatibly with contemporary communications protocols such as Asynchronous Transfer Mode (ATM).