Abstract: Embodiments provide a TCAM-based access control list that supports disjunction operations in rules. A network frame is received. Embodiments determine set TCP flags of the network frame. Upon determining that the set TCP flags match a first entry in a numeric range table, bits of a search key corresponding to the first entry are updated. The search key accesses a second entry stored in a TCAM. The first entry further comprises an encode field to scan a TCP header of the network frame for set TCP flags, a first mask field to a condition corresponding to unset TCP flags to identify in the network frame, a second mask field to a condition corresponding to set TCP flags to identify in the network frame, and an operation field specifying a disjunction operation for comparing the set TCP flags with the first mask field and the second mask field.

Abstract: Embodiments provide a TCAM-based access control list that supports disjunction operations in rules. A network frame is received. Embodiments determine set TCP flags of the network frame. Upon determining that the set TCP flags match a first entry in a numeric range table, bits of a search key corresponding to the first entry are updated. The search key accesses a second entry stored in a TCAM. The first entry further comprises an encode field to scan a TCP header of the network frame for set TCP flags, a first mask field to a condition corresponding to unset TCP flags to identify in the network frame, a second mask field to a condition corresponding to set TCP flags to identify in the network frame, and an operation field specifying a disjunction operation for comparing the set TCP flags with the first mask field and the second mask field.

Abstract: Embodiments presented herein provide a TCAM-based access control list that supports disjunction operations in rules. According to one embodiment, a numeric range table is tied to the access control list. Each entry in the numeric range table includes an encode field that provides for scanning TCP flags in a TCP header of an incoming Ethernet frame. Further, each entry provides a first mask and a second mask used to test for desired set and unset TCP flags in a given frame. Each entry also provides an operation field that performs a disjunction operation that compares the first mask, the second mask, and set TCP flags in a given frame.

Abstract: Embodiments presented herein describe techniques for isolating multicast and broadcast frames to a traffic class that is separate from a traffic class used for unicast frames. According to one embodiment, a network switch receives an incoming Ethernet virtual local area network (VLAN)-tagged frame. The switch evaluates priority bits of the VLAN tag of the frame. The switch also determines a type of frame (e.g., whether the frame is unicast, broadcast, multicast, or flood). Based on the priority field values and the type of the frame, the switch identifies a mapping of the frame to a particular traffic class. The network switch assigns the frame to the traffic class.

Abstract: Embodiments presented herein describe techniques for selecting incoming network frames to be mirrored using an access control list. According to one embodiment, an incoming frame is received. Upon determining that the incoming frame matches an entry in the access control list, a mirror field of the entry is evaluated. The mirror field identifies at least one mirroring action to perform on the frame. The identified mirroring action is performed on the frame.

Abstract: Embodiments presented herein describe techniques for selecting incoming network frames to be mirrored using an access control list. According to one embodiment, an incoming frame is received. Upon determining that the incoming frame matches an entry in the access control list, a mirror field of the entry is evaluated. The mirror field identifies at least one mirroring action to perform on the frame. The identified mirroring action is performed on the frame.

Abstract: Embodiments presented herein describe techniques for isolating multicast and broadcast frames to a traffic class that is separate from a traffic class used for unicast frames. According to one embodiment, a network switch receives an incoming Ethernet virtual local area network (VLAN)-tagged frame. The switch evaluates priority bits of the VLAN tag of the frame. The switch also determines a type of frame (e.g., whether the frame is unicast, broadcast, multicast, or flood). Based on the priority field values and the type of the frame, the switch identifies a mapping of the frame to a particular traffic class. The network switch assigns the frame to the traffic class.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Embodiments presented herein provide a TCAM-based access control list that supports disjunction operations in rules. According to one embodiment, a numeric range table is tied to the access control list. Each entry in the numeric range table includes an encode field that provides for scanning TCP flags in a TCP header of an incoming Ethernet frame. Further, each entry provides a first mask and a second mask used to test for desired set and unset TCP flags in a given frame. Each entry also provides an operation field that performs a disjunction operation that compares the first mask, the second mask, and set TCP flags in a given frame.

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Embodiments described herein provide techniques for atomically updating a ternary content addressable memory (TCAM)-based access control list (ACL). According to one embodiment, a current version bit of the ACL is determined. The current version bit indicates that a rule in the ACL is active is the version flag in the rule matches the current version bit. Through these techniques, a first set of rules can be modified to create a second set of rules (e.g., by insertions, deletions, and replacements, etc.).

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques for transmitting a packet from a source switch module to a destination switch module. Embodiments receive, at a first port of a first switch module, a packet that includes (i) path information specifying a route to the destination switch module, (ii) a set of load/store operations to be executed by the destination switch module and (iii) return path information specifying a route from the destination switch module to the source switch module. Upon determining that the first switch module is the destination switch module, the set of load/store operations are copied from the received packet into an execution buffer for automatic execution. Once the set of load/store operations are executed, embodiments transmit the packet to a second switch module using the first port on which the packet was received.

Abstract: Techniques for transmitting a packet from a source switch module to a destination switch module. Embodiments receive, at a first port of a first switch module, a packet that includes (i) path information specifying a route to the destination switch module and (ii) a set of load/store operations to be executed by the destination switch module. An indication of the first port is inserted into a return path information portion of the received packet. Upon determining that the first switch module is not the destination switch module, embodiments transmit the packet to a second switch module using a second port, the second port specified in the path information of the received packet, wherein the destination switch module is configured, upon receiving the packet, to copy the set of load/store operations into an execution buffer to be automatically executed.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are provided for retrieving entries from a routing table or a forwarding database in a distributed network switch. The forwarding database includes match and mask registers used to compare routing entries and return matching routing entries to a requesting management controller. The forwarding database uses a separate timeout value associated with the forwarding database to avoid timeout errors for general register operations, and allows for an asynchronous dump operation of routing entries.

Abstract: Techniques are described for transmitting a packet from a source switch module to a destination switch module. Embodiments include determining, at the destination switch module, a path from the source switch module to the destination switch module. Path information specifying the determined path from the source switch module to the destination switch module is transmitted from the destination switch module to the source switch module. Additionally, embodiments include receiving, at the destination switch module, from the source switch module, a packet that includes (i) at least a portion of the path information and (ii) payload data to be processed at the destination switch module, wherein the packet was routed using the at least a portion of the path information. The payload data within the received packet is processing by the destination switch module.

Abstract: Techniques are described for transmitting a packet from a source switch module to a destination switch module. Embodiments receive, at the source switch module, from the destination switch module, path information specifying a path from the source switch module to the destination switch module. Upon detecting an occurrence of a predefined event, a packet is generated that includes (i) the received path information and (ii) payload data to be processed at the destination switch module. Embodiments determine an Ethernet port of the source switch module on which to transmit the packet, based on the received path information. The packet is transmitted to a second switch module using the determined Ethernet port.

Abstract: Techniques for transmitting a packet from a source switch module to a destination switch module. Embodiments retrieve path information specifying a route to the destination switch module. A packet is created that includes (i) at least a portion of the path information and (ii) a set of load/store operations to be executed by the destination switch module. Embodiments then transmit the packet to a first switch module using a first port, the first port specified in the retrieved path information. The first switch module is configured to transmit the packet based on the at least a portion of the path information in the packet, and the destination switch module is configured, upon receiving the packet, to copy the set of load/store operations into an execution buffer to be automatically executed.

Abstract: Techniques for transmitting a packet from a source switch module to a destination switch module. Embodiments receive, at a first port of a first switch module, a packet that includes (i) path information specifying a route to the destination switch module and (ii) a set of load/store operations to be executed by the destination switch module. An indication of the first port is inserted into a return path information portion of the received packet. Upon determining that the first switch module is not the destination switch module, embodiments transmit the packet to a second switch module using a second port, the second port specified in the path information of the received packet, wherein the destination switch module is configured, upon receiving the packet, to copy the set of load/store operations into an execution buffer to be automatically executed.