Abstract: Access control lists (ACLs) include one or more rules that each define a condition and one or more actions to be performed if the condition is satisfied. In one embodiment, the conditions are stored on a ternary content-addressable memory (TCAM), which receives a portion of network traffic, such as a frame header, and compares different portions of the header to entries in the TCAM. If the frame header satisfies the condition, the TCAM reports the match to other elements in the ACL. For certain conditions, the TCAM may divide the condition into a plurality of sub-conditions which are each stored in a row of the TCAM. To efficiently use the limited space in TCAM, the networking element may include one or more comparator units which check for special-case conditions. The comparator units may be used in lieu of the TCAM to determine whether the condition is satisfied.

Abstract: A network processor includes first communication protocol ports that each support ‘M’ minimum size packet data path traffic on ‘N’ lanes at ‘S’ Gigabits per second (Gbps) and traffic with different communication protocol units on ‘n’ additional lanes at ‘s’ Gbps. The first communication protocol ports support access to an external coprocessor using parsing logic located in each of the first communication protocol ports. The parsing logic, during a parsing period, is configured to send a request to the external coprocessor at reception of a ‘M’ size packet and to receive a response from the external coprocessor. The parsing logic sends a request maximum ‘m’ size byte word to the external coprocessor on one of the additional lanes and receives a response maximum ‘m’ size byte word from the external coprocessor on the one of the additional lanes while complying with the equation N×S/M=<n×s/m.

Abstract: Embodiments presented herein describe techniques for isolating multicast and broadcast frames to a traffic class that is separate from a traffic class used for unicast frames. According to one embodiment, a network switch receives an incoming Ethernet virtual local area network (VLAN)-tagged frame. The switch evaluates priority bits of the VLAN tag of the frame. The switch also determines a type of frame (e.g., whether the frame is unicast, broadcast, multicast, or flood). Based on the priority field values and the type of the frame, the switch identifies a mapping of the frame to a particular traffic class. The network switch assigns the frame to the traffic class.

Abstract: Embodiments presented herein describe techniques for isolating multicast and broadcast frames to a traffic class that is separate from a traffic class used for unicast frames. According to one embodiment, a network switch receives an incoming Ethernet virtual local area network (VLAN)-tagged frame. The switch evaluates priority bits of the VLAN tag of the frame. The switch also determines a type of frame (e.g., whether the frame is unicast, broadcast, multicast, or flood). Based on the priority field values and the type of the frame, the switch identifies a mapping of the frame to a particular traffic class. The network switch assigns the frame to the traffic class.

Abstract: Embodiments presented herein provide a TCAM-based access control list that supports disjunction operations in rules. According to one embodiment, a numeric range table is tied to the access control list. Each entry in the numeric range table includes an encode field that provides for scanning TCP flags in a TCP header of an incoming Ethernet frame. Further, each entry provides a first mask and a second mask used to test for desired set and unset TCP flags in a given frame. Each entry also provides an operation field that performs a disjunction operation that compares the first mask, the second mask, and set TCP flags in a given frame.

Abstract: Embodiments presented herein describe techniques for parsing an Internet Protocol version 6 frame and skipping extension headers of the frame. A configurable skip list is provided that specifies extension headers for a networking device to skip when parsing the frame. The networking device examines “next header” fields of each extension header to determine a next extension header in the chain. If the next extension header matches an extension header in the skip list, the networking device iterates to the next header in the chain until the end of the chain (or an extension header that does not contain a match in the list) is reached.

Abstract: Memory controllers employing memory capacity and/or bandwidth compression with next read address prefetching, and related processor-based systems and methods are disclosed. In certain aspects, memory controllers are employed that can provide memory capacity compression. In certain aspects disclosed herein, a next read address prefetching scheme can be used by a memory controller to speculatively prefetch data from system memory at another address beyond the currently accessed address. Thus, when memory data is addressed in the compressed memory, if the next read address is stored in metadata associated with the memory block at the accessed address, the memory data at the next read address can be prefetched by the memory controller to be available in case a subsequent read operation issued by a central processing unit (CPU) has been prefetched by the memory controller.

Abstract: Aspects disclosed herein include memory controllers employing memory capacity compression, and related processor-based systems and methods. In certain aspects, compressed memory controllers are employed that can provide memory capacity compression. In some aspects, a line-based memory capacity compression scheme can be employed where additional translation of a physical address (PA) to a physical buffer address is performed to allow compressed data in a system memory at the physical buffer address for efficient compressed data storage. A translation lookaside buffer (TLB) may also be employed to store TLB entries comprising PA tags corresponding to a physical buffer address in the system memory to more efficiently perform the translation of the PA to the physical buffer address in the system memory. In certain aspects, a line-based memory capacity compression scheme, a page-based memory capacity compression scheme, or a hybrid line-page-based memory capacity compression scheme can be employed.

Abstract: Embodiments presented herein describe techniques for parsing an Internet Protocol version 6 frame and skipping extension headers of the frame. A configurable skip list is provided that specifies extension headers for a networking device to skip when parsing the frame. The networking device examines “next header” fields of each extension header to determine a next extension header in the chain. If the next extension header matches an extension header in the skip list, the networking device iterates to the next header in the chain until the end of the chain (or an extension header that does not contain a match in the list) is reached.

Abstract: Embodiments presented herein describe techniques for selecting incoming network frames to be mirrored using an access control list. According to one embodiment, an incoming frame is received. Upon determining that the incoming frame matches an entry in the access control list, a mirror field of the entry is evaluated. The mirror field identifies at least one mirroring action to perform on the frame. The identified mirroring action is performed on the frame.

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Providing memory bandwidth compression using compressed memory controllers (CMCs) in a central processing unit (CPU)-based system is disclosed. In this regard, in some aspects, a CMC is configured to receive a memory read request to a physical address in a system memory, and read a compression indicator (CI) for the physical address from a master directory and/or from error correcting code (ECC) bits of the physical address. Based on the CI, the CMC determines a number of memory blocks to be read for the memory read request, and reads the determined number of memory blocks. In some aspects, a CMC is configured to receive a memory write request to a physical address in the system memory, and generate a CI for write data based on a compression pattern of the write data. The CMC updates the master directory and/or the ECC bits of the physical address with the generated CI.

Abstract: Embodiments presented herein describe techniques for selecting incoming network frames to be mirrored using an access control list. According to one embodiment, an incoming frame is received. Upon determining that the incoming frame matches an entry in the access control list, a mirror field of the entry is evaluated. The mirror field identifies at least one mirroring action to perform on the frame. The identified mirroring action is performed on the frame.

Abstract: Embodiments presented herein provide a TCAM-based access control list that supports disjunction operations in rules. According to one embodiment, a numeric range table is tied to the access control list. Each entry in the numeric range table includes an encode field that provides for scanning TCP flags in a TCP header of an incoming Ethernet frame. Further, each entry provides a first mask and a second mask used to test for desired set and unset TCP flags in a given frame. Each entry also provides an operation field that performs a disjunction operation that compares the first mask, the second mask, and set TCP flags in a given frame.

Abstract: A technique for analyzing network packets includes receiving, by a network processor, a network packet having a packet header including address and control information. A set of bytes are extracted, using the network processor, from the packet header and a set of input bits for generating a hash code are derived, using the network processor, from the set of bytes. Finally, the hash code is generated using the input bits.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch detects packets sent by a new or migrated virtual machine, and sends a copy of a detected packet to the network control software as a notification. The switch further learns the source MAC address, thereby permitting the entry to be used for normal forwarding prior to validation of the entry and the VM associated therewith by the network control software. Until the network control software has validated the VM, the switch may periodically retry the notification to the network control software. “No_Redirect” and “Not_Validated” flags may be used to indicate whether a notification has already been attempted and thus no retry is necessary, and that the VM associated with the VM has not yet been validated, respectively.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch detects packets sent by a new or migrated virtual machine, and sends a copy of a detected packet to the network control software as a notification. The switch further learns the source MAC address, thereby permitting the entry to be used for normal forwarding prior to validation of the entry and the VM associated therewith by the network control software. Until the network control software has validated the VM, the switch may periodically retry the notification to the network control software. “No_Redirect” and “Not_Validated” flags may be used to indicate whether a notification has already been attempted and thus no retry is necessary, and that the VM associated with the VM has not yet been validated, respectively.