Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch may redirect a packet sent by a new or migrated virtual machine to the network control software as a notification. The switch does not forward the packet, thereby protecting against denial of service attacks. The switch further adds to a forwarding database a temporary entry which includes a “No_Redirect” flag for a new source MAC address, or updates an existing entry for a source MAC address that hits in the forwarding database by setting the “No_Redirect” flag. The “No_Redirect” flag indicates whether a notification has already been sent to the network control software for this source MAC address. The switch may periodically retry the notification to the network control software, until the network control software validates the source MAC address, depending on whether the “No_Redirect” is set.

Abstract: Techniques are disclosed for notifying network control software of new and moved source MAC addresses. In one embodiment, a switch detects packets sent by a new or migrated virtual machine, and sends a copy of a detected packet to the network control software as a notification. The switch further learns the source MAC address, thereby permitting the entry to be used for normal forwarding prior to validation of the entry and the VM associated therewith by the network control software. Until the network control software has validated the VM, the switch may periodically retry the notification to the network control software. “No_Redirect” and “Not_Validated” flags may be used to indicate whether a notification has already been attempted and thus no retry is necessary, and that the VM associated with the VM has not yet been validated, respectively.

Abstract: Access control lists (ACLs) permit network administrators to manage network traffic flowing through a networking element to optimize network security, performance, quality of service (QoS), and the like. If a networking element has multiple ACLs directed towards different types of network optimization, each ACL may return a separate action set that identifies one or more actions the networking element should perform based on a received frame. In some cases, these action sets may conflict. To resolve the conflicts, a networking element may include resolution logic that selects one of the conflicting actions based on a predefined precedence value assigned to each action in an action set. By comparing the different precedence values, the resolution logic generates a new action set based on the actions with the highest precedence value.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Access control lists (ACLs) permit network administrators to manage network traffic flowing through a networking element to optimize network security, performance, quality of service (QoS), and the like. If a networking element has multiple ACLs directed towards different types of network optimization, each ACL may return a separate action set that identifies one or more actions the networking element should perform based on a received frame. In some cases, these action sets may conflict. To resolve the conflicts, a networking element may include resolution logic that selects one of the conflicting actions based on a predefined precedence value assigned to each action in an action set. By comparing the different precedence values, the resolution logic generates a new action set based on the actions with the highest precedence value.

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Link aggregation is a practice that uses multiple Ethernet links between two end points in order to obtain higher bandwidth and resiliency than possible with a single link. A flow distribution technique is provided to distribute traffic between the two end points equally across all links in the group and achieve greater efficiency. The flow distribution technique generates and sub-divides a hash value based on received packet flow. The divided portions of the hash value are used in a hierarchical fashion to select a link to use for this packet.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Access control lists (ACLs) include one or more rules that each define a condition and one or more actions to be performed if the condition is satisfied. In one embodiment, the conditions are stored on a ternary content-addressable memory (TCAM), which receives a portion of network traffic, such as a frame header, and compares different portions of the header to entries in the TCAM. If the frame header satisfies the condition, the TCAM reports the match to other elements in the ACL. For certain conditions, the TCAM may divide the condition into a plurality of sub-conditions which are each stored in a row of the TCAM. To efficiently use the limited space in TCAM, the networking element may include one or more comparator units which check for special-case conditions. The comparator units may be used in lieu of the TCAM to determine whether the condition is satisfied.

Abstract: Techniques are provided for managing a routing table in a distributed network switch. The distributed network switch is divided into logical switch partitions, or logical networks, that may share a routing table. The shared routing table is configured with counters and thresholds to control utilization of the routing table on a per-logical network basis. When counters exceed certain threshold, the routing table is modified to reduce routing entries within the routing table or pause insertion of new routing entries.

Abstract: Link aggregation is a practice that uses multiple Ethernet links between two end points in order to obtain higher bandwidth and resiliency than possible with a single link. A flow distribution technique is provided to distribute traffic between the two end points equally across all links in the group and achieve greater efficiency. The flow distribution technique generates and sub-divides a hash value based on received packet flow. The divided portions of the hash value are used in a hierarchical fashion to select a link to use for this packet.

Abstract: Access control lists (ACLs) include one or more rules that each define a condition and one or more actions to be performed if the condition is satisfied. In one embodiment, the conditions are stored on a ternary content-addressable memory (TCAM), which receives a portion of network traffic, such as a frame header, and compares different portions of the header to entries in the TCAM. If the frame header satisfies the condition, the TCAM reports the match to other elements in the ACL. For certain conditions, the TCAM may divide the condition into a plurality of sub-conditions which are each stored in a row of the TCAM. To efficiently use the limited space in TCAM, the networking element may include one or more comparator units which check for special-case conditions. The comparator units may be used in lieu of the TCAM to determine whether the condition is satisfied.

Abstract: Techniques are provided for hash-based routing table management in a distributed network switch. A frame having a source address and a destination address is received. If no routing entry for the source address is found in a routing table of a switch module in the distributed network switch, routing information is determined for the source address and a routing entry is generated. The routing table is modified to include the routing entry and based on a set of hash functions.

Abstract: Techniques are provided for hash-based routing table management in a distributed network switch. A frame having a source address and a destination address is received. If no routing entry for the source address is found in a routing table of a switch module in the distributed network switch, routing information is determined for the source address and a routing entry is generated. The routing table is modified to include the routing entry and based on a set of hash functions.

Abstract: A network processor includes first communication protocol ports that each support ‘M’ minimum size packet data path traffic on ‘N’ lanes at ‘S’ Gigabits per second (Gbps) and traffic with different communication protocol units on ‘n’ additional lanes at ‘s’ Gbps. The first communication protocol ports support access to an external coprocessor using parsing logic located in each of the first communication protocol ports. The parsing logic, during a parsing period, is configured to send a request to the external coprocessor at reception of a ‘M’ size packet and to receive a response from the external coprocessor. The parsing logic sends a request maximum ‘m’ size byte word to the external coprocessor on one of the additional lanes and receives a response maximum ‘m’ size byte word from the external coprocessor on the one of the additional lanes while complying with the equation N×S/M=<n×s/m.

Abstract: Techniques are provided for hash-based routing table management in a distributed network switch. A frame having a source address and a destination address is received by a switch module having bridge elements and a routing table divided into slices of buckets, each slice having a respective property and including one or more buckets. If a routing entry for the source address is found in a first slice of a first set of buckets of the routing table responsive to a lookup request for the source address, and the property of the first slice satisfies a replication condition, then the routing entry is replicated to a second set of buckets of the routing table.