Abstract: Techniques and a network appliance apparatus are provided herein to extend local area networks (LANs) and storage area networks (SANs) beyond a data center while converging the associated local area network and storage area network host layers. A service flow is received at a device in a network. It is determined if the service flow is associated with storage area network or with local area network traffic. In response to determining that the service flow is storage area network traffic, storage area network extension services are performed with respect to the service flow in order to extend the storage area network on behalf of a remote location. In response to determining that the service flow is local area network traffic, local area network extension services are performed with respect to the service flow in order to extend the local area network on behalf of the remote location.

Abstract: Embodiments of the invention relate to scalable policy assignment in an edge virtual bridging (EVB) environment. One embodiment includes fetching virtual machine (VM) information for one or more VMs from a virtual station interface (VSI) database (DB). The VM information includes a VSI type identification (ID) associated with each VM. A policy discriminator (PD) value is associated for each VSI type ID. A VSI DB table is generated with at least a portion of the VM information from the VSI DB and the PD for each VSI type ID. A message is received including virtual machine (VM) information for a created VM. One or more rules and bandwidth filter information associated with a VSI type ID are retrieved from the VSI DB table. The associated rules and filter information are applied based on the PD.

Abstract: Techniques are provided for providing access control lists in a distributed network switch. The distributed network switch made of switch units is divided into logical switch partitions, or logical networks. Physical ports of the switch units are partitioned into logical ports, where each logical port is associated with a logical switch partition. A control point of the distributed network switch manages and assigns a service tag (S-Tag) used to identify which logical port ingress and egress frames are associated with. To generate metrics and other forwarding actions for a given logical switch partition, the control point sets up access control list (ACLs) targeting the logical port associated with the S-Tags associated with the given logical switch partition.

Abstract: In one embodiment, a method for providing virtual link aggregation (vLAG) in a transparent interconnection of lots of links (TRILL)-enabled network, includes creating a virtual routing bridge logically connected to a first physical routing bridge and a second physical routing bridge to form a vLAG group at an edge of the TRILL-enabled network; determining a first distribution tree linking the first physical routing bridge to every other routing bridge in the TRILL-enabled network in a non-repeating fashion, ending with the second physical routing bridge; determining a second distribution tree linking the second physical routing bridge to every other routing bridge in the TRILL-enabled network in a non-repeating fashion, ending with the first physical routing bridge; receiving a multicast packet at the virtual routing bridge from one of the physical routing bridges; and distributing the multicast packet according to either the first or the second distribution tree thereby preventing looping.

Abstract: Techniques are provided for providing access control lists in a distributed network switch. The distributed network switch made of switch units is divided into logical switch partitions, or logical networks. Physical ports of the switch units are partitioned into logical ports, where each logical port is associated with a logical switch partition. A control point of the distributed network switch manages and assigns a service tag (S-Tag) used to identify which logical port ingress and egress frames are associated with. To generate metrics and other forwarding actions for a given logical switch partition, the control point sets up access control list (ACLs) targeting the logical port associated with the S-Tags associated with the given logical switch partition.

Abstract: Embodiments of the invention relate to scalable policy management in an edge virtual bridging (EVB) environment. One embodiment includes fetching information from a virtual station interface (VSI) database. A first table is generated with at least a portion of the information from the VSI database. A message is received including virtual machine (VM) information for a created VM. A second table is generated including at least a portion of the VM information. A VM identification (ID) is retrieved based on VM type from the first table. Rules associated with the retrieved VM ID are retrieved from the second table. The associated rules for the VM are applied.

Abstract: Embodiments of the invention relate to scalable policy assignment in an edge virtual bridging (EVB) environment. One embodiment includes a system including a physical end station includes a hypervisor. The physical end station creates at least one virtual machine (VM). A virtual station interface (VSI) database (DB) is coupled to a VM manager server. The VSI DB stores policy information and bandwidth filter information. A policy assignment module is coupled to a switch adjacent to the physical end station. The policy assignment module generates a VSI DB table with at least a portion of the VSI DB information from the VSI DB and a policy discriminator (PD) value for each VSI type ID.

Abstract: In one embodiment, a system includes a TRILL-enabled network that includes a first physical routing bridge (RB) and a second physical RB, logic adapted for creating a virtual RB logically connected to the first and second physical RBs to form a vLAG group at an edge of the network, logic adapted for determining a first distribution tree linking the first physical RB to every other RB in the network in a non-repeating fashion, ending with the second physical RB, and logic adapted for determining a second distribution tree linking the second physical RB to every other RB in the network in a non-repeating fashion, ending with the first physical RB, wherein when a multicast packet is received by the virtual RB from one of the physical RBs, the multicast packet is distributed according to either the first or the second distribution tree thereby preventing looping.

Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.

Abstract: Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.

Abstract: A method and system for static routing in a TRILL network is disclosed. Routing bridges in the TRILL network use LLDP discovery to identify their next hop routing bridges. A data packet, with an inner header specifying a MAC address of a destination host, is sent by a source host and received by an ingress routing bridge. The ingress routing bridge encapsulates the data packet with a TRILL header and an outer header and sends the data packet to a next hop routing bridge on path to the destination host. The next hop routing bridge determines it is not the egress routing bridge for the data packet and sends the data packet onward to the egress routing bridge. The egress routing bridge decapsulates the data packet and forwards the data packet to the destination host specified in the inner header.

Abstract: Techniques and a network edge device are provided herein to extend local area networks (LANs) and storage area networks (SANs) beyond a data center while converging the associated local area network and storage area network host layers. A packet is received at a device in a network. It is determined if the packet is routed to a local or remote storage area network or local area network. In response to determining that the packet routed to a remote storage area network, storage area network extension services are performed with respect to the packet in order to extend the storage area network on behalf of a remote location. In response to determining that the packet is routed to a local local area network traffic, local area network extension services are performed with respect to the packet in order to extend the local area network on behalf of the remote location.

Abstract: Techniques and a network appliance apparatus are provided herein to extend local area networks (LANs) and storage area networks (SANs) beyond a data center while converging the associated local area network and storage area network host layers. A service flow is received at a device in a network. It is determined if the service flow is associated with storage area network or with local area network traffic. In response to determining that the service flow is storage area network traffic, storage area network extension services are performed with respect to the service flow in order to extend the storage area network on behalf of a remote location. In response to determining that the service flow is local area network traffic, local area network extension services are performed with respect to the service flow in order to extend the local area network on behalf of the remote location.

Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.

Abstract: Systems, methods, and other embodiments associated with aggregation of cryptography engines are described. One example method includes receiving an outbound data packet on an outbound side of a data connection. The example method may also include analyzing the outbound data packet to determine a distribution value. The example method may also include selectively distributing the outbound data packet to one of a plurality of outbound processors based, at least in part, on the distribution value. The example method may also include receiving an inbound data packet on an inbound side of the data connection. The example method may also include examining the inbound data packet for an identifier. The example method may also include selectively distributing the inbound data packet to one of a plurality of inbound processors based, at least in part, on the identifier.

Abstract: A mechanism for a network device to constrain multicast flooding of out-of-profile multicast frames is provided by defining a multicast flood domain that includes a subset of ports that are members of the broadcast domain. Such a multicast flood domain can be user configured or dynamically configured to include device ports that are coupled to network elements that should receive such out-of-profile multicast transmissions and exclude network elements that should not receive such multicast transmissions. In one embodiment of the present invention, such capability is provided by incorporating into a network device a mechanism for performing a multicast flood domain lookup of an address table in the event that an out-of-profile multicast frame is received.

Abstract: A mechanism for a network device to constrain multicast flooding of out-of-profile multicast frames is provided by defining a multicast flood domain that includes a subset of ports that are members of the broadcast domain. Such a multicast flood domain can be user configured or dynamically configured to include device ports that are coupled to network elements that should receive such out-of-profile multicast transmissions and exclude network elements that should not receive such multicast transmissions. In one embodiment of the present invention, such capability is provided by incorporating into a network device a mechanism for performing a multicast flood domain lookup of an address table in the event that an out-of-profile multicast frame is received.