Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

Abstract: Passing data over virtual links is disclosed, including: encapsulating a layer three data packet as an inner payload of a network data packet; and generating an outer header of the network data packet with a layer two header and a layer three header, wherein the network data packet is configured to communicate over a virtual link between a first interface of a first network appliance and a first interface of a second network appliance.

Abstract: Creating virtual links including: determining a first network appliance to configure to communicate with a second network appliance using a virtual link, wherein the virtual link comprises a layer three overlay point-to-point data link; and determining the second network appliance to configure to communicate with the first network appliance using the virtual link.

Abstract: A distributed virtual appliance is disclosed, including: determining a classification type associated with the first flow; and determining an allocation of the first flow to the first data plane compute unit of the distributed virtual appliance based at least in part on the determined classification type and at least a subset of information of a first flow identifier, wherein the distributed virtual appliance includes a plurality of compute units, including the first data plane compute.

Abstract: VLAN tagging in a virtual environment is described, including configuring a set of VLAN tagging parameters for each virtual network device to be used by the virtual network device to correctly perform VLAN tagging of frames in response to configuration changes with respect to the virtual network device. A first example of a configuration change with respect to the virtual network device comprises the virtual network device being transitioned from being attached to a virtual switch tagging (VST) port group to being attached to a virtual guest tagging (VGT) port group. A second example of a configuration change with respect to the virtual network device comprises the virtual network device being migrated from a first host to a second host.

Abstract: Providing a shared interface among a plurality of compute units is disclosed. A plurality of compute units is determined and a shared interface for the plurality of compute units is provided, wherein incoming traffic is received by any of the plurality of compute units. Also, the packet is received at the shared interface for a plurality of compute units. The packet is encapsulated using a first header, wherein the first header specifies one of the plurality of compute units, and wherein the one of the plurality of compute units is selected independent of an interface address associated with the shared interface.

Abstract: Passing data over virtual links is disclosed, including: encapsulating a layer three data packet as an inner payload of a network data packet; and generating an outer header of the network data packet with a layer two header and a layer three header, wherein the network data packet is configured to communicate over a virtual link between a first interface of a first network appliance and a first interface of a second network appliance.

Abstract: Passing data over virtual links is disclosed, including: encapsulating a layer three data packet as an inner payload of a network data packet; and generating an outer header of the network data packet with a layer two header and a layer three header, wherein the network data packet is configured to communicate over a virtual link between a first interface of a first network appliance and a first interface of a second network appliance.

Abstract: Creating virtual links including: determining a first network appliance to configure to communicate with a second network appliance using a virtual link, wherein the virtual link comprises a layer three overlay point-to-point data link; and determining the second network appliance to configure to communicate with the first network appliance using the virtual link.

Abstract: Creating virtual links is disclosed, including: determining a first network appliance to configure to communicate with a second network appliance using a virtual link, wherein the virtual link comprises a layer three overlay point-to-point data link; and determining the second network appliance to configure to communicate with the first network appliance using the virtual link.

Abstract: VLAN tagging in a virtual environment is described, including configuring a set of VLAN tagging parameters for each virtual network device to be used by the virtual network device to correctly perform VLAN tagging of frames in response to configuration changes with respect to the virtual network device. A first example of a configuration change with respect to the virtual network device comprises the virtual network device being transitioned from being attached to a virtual switch tagging (VST) port group to being attached to a virtual guest tagging (VGT) port group. A second example of a configuration change with respect to the virtual network device comprises the virtual network device being migrated from a first host to a second host.

Abstract: In one embodiment, a Fibre Channel over Ethernet (FCoE) proxy point (FPP) that is connected to one or more end-point devices is coupled to one or more other FPPs, and to a FCoE control and management plane (F-CMP) server. The FPP provides data plane functionality. The F-CMP server provides control plane functionality. At least some control and management traffic received at the FPP is proxied between the F-CMP server and the one or more end point devices connected to the FPP. FCoE traffic received at the FPP from the one or more end point devices connected to the FPP is transmitted to the one or more other FPPs without the FCoE traffic traversing the F-CMP server. The transmitting is performed by data plane functionality of the FPP operating under directions from the control plane functionality of the F-CMP server.

Abstract: A distributed virtual appliance is disclosed, including: allocating network traffic to a plurality of compute units implementing a network service associated with the distributed virtual appliance; and dynamically adding or removing one or more compute units implementing the network service without disruption to the network traffic.

Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

Abstract: A distributed virtual appliance is disclosed, including: determining a classification type associated with the first flow; and determining an allocation of the first flow to the first data plane compute unit of the distributed virtual appliance based at least in part on the determined classification type and at least a subset of information of a first flow identifier, wherein the distributed virtual appliance includes a plurality of compute units, including the first data plane compute.

Abstract: Providing a shared interface among a plurality of compute units is disclosed. A plurality of compute units is determined and a shared interface for the plurality of compute units is provided, wherein incoming traffic is received by any of the plurality of compute units. Also, the packet is received at the shared interface for a plurality of compute units. The packet is encapsulated using a first header, wherein the first header specifies one of the plurality of compute units, and wherein the one of the plurality of compute units is selected independent of an interface address associated with the shared interface.

Abstract: In one embodiment, a Fibre Channel over Ethernet (FCoE) proxy point (FPP) that is connected to one or more end-point devices is coupled to one or more other FPPs, and to a FCoE control and management plane (F-CMP) server. The FPP provides data plane functionality. The F-CMP server provides control plane functionality. At least some control and management traffic received at the FPP is proxied between the F-CMP server and the one or more end point devices connected to the FPP. FCoE traffic received at the FPP from the one or more end point devices connected to the FPP is transmitted to the one or more other FPPs without the FCoE traffic traversing the F-CMP server. The transmitting is performed by data plane functionality of the FPP operating under directions from the control plane functionality of the F-CMP server.

Abstract: In one embodiment, one or more Fiber Channel over Ethernet (FCoE) proxy points (FPPs) communicates control and management information with a separately housed FCoE control and management plane (F-CMP) server in order to direct data plane functionality of the FPPs. Each FPP also proxies control and management protocols between the F-CMP server and one or more FCoE end-point devices for which the FPP is responsible (on FCoE ports). Traffic received by the FPP may then be processed according to the directed data plane functionality, such that FCoE traffic transmitted between first and second FCoE end-point devices separated by the Ethernet network is directed over the Ethernet network end-to-end between correspondingly responsible FPPs without traversing the F-CMP server.

Abstract: A distributed virtual appliance is disclosed, including: allocating network traffic to a plurality of compute units implementing a network service associated with the distributed virtual appliance; and dynamically adding or removing one or more compute units implementing the network service without disruption to the network traffic.