Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Techniques are provided for packet routing in a distributed network switch. The distributed network switch includes multiple switch modules operatively connected to one another, and each switch module includes multiple bridge elements and a management controller. In one embodiment, a shared interface routing (SIR) framework is provided that includes an analysis and bifurcation layer, at least one packet interface, and an analysis assist layer. A packet is received over a first logical network and via a physical port, the packet being destined for at least a first application executing on the management controller. The analysis assist layer analyzes the packet to determine a reason code to assign to the packet. The analysis and bifurcation layer then analyzes the packet based at least in part on the reason code.

Abstract: Techniques are provided for packet routing in a distributed network switch. The distributed network switch includes multiple switch modules operatively connected to one another, and each switch module includes multiple bridge elements and a management controller. In one embodiment, a shared interface routing (SIR) framework is provided that includes an analysis and bifurcation layer, at least one packet interface, and an analysis assist layer. A packet is received over a first logical network and via a physical port, the packet being destined for at least a first application executing on the management controller. The analysis assist layer analyzes the packet to determine a reason code to assign to the packet. The analysis and bifurcation layer then analyzes the packet based at least in part on the reason code.

Abstract: Techniques are provided for hash-based routing table management in a distributed network switch. A frame having a source address and a destination address is received. If no routing entry for the source address is found in a routing table of a switch module in the distributed network switch, where the routing table is divided into slices of buckets, then routing information is determined for the source address and a routing entry is generated. The routing table is modified to include the routing entry and based on a set of hash functions and properties of the slices.

Abstract: Techniques are provided for managing a routing table in a distributed network switch. The distributed network switch is divided into logical switch partitions, or logical networks, that may share a routing table. The shared routing table is configured with counters and thresholds to control utilization of the routing table on a per-logical network basis. When counters exceed certain threshold, the routing table is modified to reduce routing entries within the routing table or pause insertion of new routing entries.

Abstract: Techniques are provided for hash-based routing table management in a distributed network switch. A frame having a source address and a destination address is received. If no routing entry for the source address is found in a routing table of a switch module in the distributed network switch, where the routing table is divided into slices of buckets, then routing information is determined for the source address and a routing entry is generated. The routing table is modified to include the routing entry and based on a set of hash functions and properties of the slices.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch detects packets sent by a new or migrated virtual machine, and sends a copy of a detected packet to the network control software as a notification. The switch further learns the source MAC address, thereby permitting the entry to be used for normal forwarding prior to validation of the entry and the VM associated therewith by the network control software. Until the network control software has validated the VM, the switch may periodically retry the notification to the network control software. “No_Redirect” and “Not_Validated” flags may be used to indicate whether a notification has already been attempted and thus no retry is necessary, and that the VM associated with the VM has not yet been validated, respectively.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch detects packets sent by a new or migrated virtual machine, and sends a copy of a detected packet to the network control software as a notification. The switch further learns the source MAC address, thereby permitting the entry to be used for normal forwarding prior to validation of the entry and the VM associated therewith by the network control software. Until the network control software has validated the VM, the switch may periodically retry the notification to the network control software. “No_Redirect” and “Not_Validated” flags may be used to indicate whether a notification has already been attempted and thus no retry is necessary, and that the VM associated with the VM has not yet been validated, respectively.

Abstract: A mechanism is provided for sharing a communication used by a parser (parser path) in a network adapter of a network processor for sending requests for a process to be executed by an external coprocessor. The parser path is shared by processors of the network processor (software path) to send requests to the external processor. The mechanism uses for the software path a request mailbox comprising a control address and a data field accessed by MMIO for sending two types of messages, one message type to read or write resources and one message type to trigger an external process in the coprocessor and a response mailbox for receiving response from the external coprocessor comprising a data field and a flag field. The other processors of the network poll the flag until set and get the coprocessor result in the data field.

Abstract: Techniques are disclosed for hash-based routing table management in a distributed network switch having multiple switch modules. Upon determining that an attempt to insert a first routing entry into a first hash table of the routing table has failed, a second routing entry, which exists in the first hash table, is attempted to be moved to a second hash table of the routing table. If the move attempt is successful, then the first routing entry is added to the location previously occupied by the second routing entry. If the move attempt is unsuccessful, then a third routing entry, which exists in the first hash table, is attempted to be moved.

Abstract: A mechanism is provided for merging in a network processor results from a parser and results from an external coprocessor providing processing support requested by said parser. The mechanism enqueues in a result queue both parser results needing to be merged with a coprocessor result and parser results which have no need to be merged with a coprocessor result. An additional queue is used to enqueue the addresses of the result queue where the parser results are stored. The result from the coprocessor is received in a simple response register. The coprocessor result is read by the result queue management logic from the response register and merged to the corresponding incomplete parser result read in the result queue at the address enqueued in the additional queue.

Abstract: A method, a system, and a computer program product is disclosed for identifying a quality of service (QoS) classification of a packet in a network by a network processor. The method comprising: providing a table wherein a priority value with a maximum of N values is used as an index into the table to retrieve a QoS classification having a maximum of M values with M less than N; receiving a data packet in a stream of data packets; extracting at least two priority indicator values from the packet; converting the at least two priority indicator values into a priority value; utilizing the priority value as an index into the table; extracting the entry in the table corresponding to the priority value as the QoS classification of the packet; and utilizing the QoS classification for subsequent processing of the data packet.

Abstract: Techniques are provided for routing table synchronization for a distributed network switch. In one embodiment, a first frame having a source address and a destination address is received. If no routing entry for the source address is found in a routing table of a first switch module, routing information is determined for the source address and a routing entry is generated. An indication is sent to a second switch module, to request a routing entry for the source address to be generated in the second switch module, based on the routing information.