Abstract: Methods, systems, and computer programs are presented for providing a program to a server. One method includes an operation for receiving a request by a switching device from a first server, the request being for a boot image for booting the first server. In addition, the method includes operations for determining if the boot image is available from non-volatile storage in the switching device, and for forwarding the request to a second server when the boot image is absent from the non-volatile storage. Further, the method includes an operation for sending the boot image to the first server from the switching device when the boot image is available from the non-volatile storage.

Abstract: Methods, systems, and computer programs are presented for managing a switching layer fabric. A network device operating system (ndOS) program includes program instructions for exchanging switching policy regarding a switching of network packets in a plurality of ndOS switching devices having respective ndOS programs executing therein. The first ndOS program is executed in a first ndOS switching device, and the switching policy is exchanged with other ndOS programs via multicast messages. Further, the ndOS program includes program instructions for exchanging resource control messages with the other ndOS switching devices to implement service level agreements in the switching layer fabric, where the ndOS switching devices cooperate to enforce the service level agreements. Further yet, the ndOS program includes program instructions for receiving changes to the switching policy, and program instructions for propagating the received changes to the switching policy via message exchange between the ndOS programs.

Abstract: Methods, systems, and computer programs are presented for switching a network packet. One method includes operations for receiving a packet having a media access control (MAC) address, and for switching the packet by a first packet switching device (PSD) when the MAC address is present in a first memory. Further, the method includes operations for transferring the packet to a second PSD when the MAC address is absent from the first memory and present in a second memory associated with the second PSD, and for transferring the packet to a third PSD when the MAC address is absent from the first memory and the second memory.

Abstract: One networking device includes a switch module, a server, and a switch controller. The switch module has ports with a communications interface of a first type (CI1) and ports with a communications interface of a second type (CI2). The server, coupled to the switch module via a first CI2 coupling, includes a virtual CI1 driver, which provides a CI1 interface in the server, defined to exchange CI1 packets with the switch module via the first CI2 coupling. The virtual CI1 driver includes a first network device operating system (ndOS) program. The switch controller, in communication with the switch module via a second CI2 coupling, includes a second ndOS program controlling, in the switch module, a packet switching policy defining the switching of packets through the switch module or switch controller. The first and second ndOS programs exchange control messages to maintain a network policy for the switch fabric.

Abstract: A computer readable medium comprising software instructions for: obtaining an allocation policy by a MAC layer executing on a host; receiving, a request for a transmit kernel buffer (TxKB) by a sending application executing on at least one processor of the host; obtaining a location of a plurality of available TxKBs on the host; obtaining a location of at least one available network interface on the host; obtaining a location of the sending application; allocating one of the plurality of available TxKBs to obtain an allocated TxKB, wherein the one of the plurality of available TxKBs is selected according to the allocation policy using the location of the plurality of available TxKB, the location of the at least one available network interface, and the location of the sending application, to obtain an allocated TxKB; and providing, to the sending application, the location of the allocated TxKB.

Abstract: A method for managing a guest OS executing on a host. The method includes receiving, from the guest OS associated with a first MAC address, a second MAC address, wherein the first MAC address is associated with a first guest VNIC, wherein the second MAC address is associated with a second guest VNIC; configuring an intermediate VNIC executing on the host OS to forward packets associated with the second MAC address to the guest OS, wherein packets associated with the first MAC address and received by the intermediate VNIC are forwarded to the guest OS; and forwarding the second MAC address from the intermediate VNIC to a device driver associated with a physical NIC, wherein the device driver configures a classifier on the physical NIC to forward packets associated with the second MAC address to a first HRR located on the physical NIC associated with the intermediate VNIC.

Abstract: A method and apparatus for distributing multiple interrupts among multiple processors is disclosed. According to one embodiment, an interrupt daemon monitors the interrupt load among the processors that results from an initial mapping of the interrupts to the processors. The interrupt daemon determines whether there is a sufficient imbalance of the interrupts among the processors. If so, the interrupt daemon triggers a reassignment routine that generates a new mapping of the interrupts among the processors, and if not, the interrupt daemon goes to sleep for a specified time period. If the new mapping produces a sufficient improvement in the distribution of interrupts among the processors, based on the same criteria used to detect the imbalance, the new mapping is used by the central hub for subsequent distribution of interrupts to the processors. However, if the new mapping does not provide a sufficient improvement, the original mapping continues to be used.

Abstract: A computer readable medium including instructions executable by a processor to perform a method, the method including obtaining a packet by a load balancer, obtaining queued packet information for a plurality of target hosts operatively connected to the load balancer, selecting the one of the plurality of target hosts using the queued packet information, and sending the packet to the selected target host using a first communication channel between the load balancer and the selected target host.

Abstract: A method for processing a packet that includes receiving a packet for a target, classifying the packet, and sending the packet to a receive ring based on the classification. The method also includes obtaining an identifier (ID) associated with the target based on the classification, and sending a request for virtual memory that includes the ID. Furthermore, the method includes determining, using the ID, whether the target has exceeded a virtual memory allocation associated with the target. In addition, the method includes allocating the virtual memory, storing the packet in the virtual memory, and updating the virtual memory allocation associated with the target to reflect the allocation of the virtual memory, all if the target does not exceed the virtual memory allocation. The method further includes waiting until the target is not exceeding the virtual memory allocation if the target exceeds the virtual memory allocation.

Abstract: A method for power management. The method includes gathering resource usage data for a first blade and a second blade on a blade chassis, migrating each virtual machine (VM) executing on the first blade to the second blade based on the resource usage data and a first migration policy, wherein the first migration policy defines when to condense the number of blades operating on the blade chassis, and powering down the first blade after each VM executing on the first blade is migrated from the first blade.

Abstract: A system for distributing network traffic among direct hardware access datapaths, comprising: a processor; one or more activated PNICs; a host operating system; and a virtual machine (VM). Each activated PNIC sends and receives data packets over a network. Each activated PNIC is configured with a virtual function. The VM includes a VNIC and a virtual link aggregator configured to maintain a list identifying each activated PNIC. Virtual function mappings for the VM associate the VM with virtual functions for the activated PNICs. The virtual link aggregator selects the first activated PNIC for servicing a network connection and determines a virtual function for the first activated PNIC. The VNIC for the first activated PNIC uses the virtual function to directly transfer network traffic for the network connection between the VM and the first activated PNIC.

Abstract: In general, embodiments of the invention relates to a method for controlling network traffic in a chassis. The method includes assigning control of a network express manager located in the chassis to a control virtual machine selected from a number of virtual machines. The method further includes configuring the network express manager, by the control virtual machine, where the network express manager is configured to route network traffic in the chassis. The method further includes implementing a virtual network path using the network express manager, where the virtual network path includes a virtual wire between a first VNIC and a second VNIC, where the first VNIC is located in a first computer and the second VNIC is located in a second computer.

Abstract: A method for enforcing network bandwidth partitioning. The method includes verifying that a guest driver in a guest operating system (OS) is configured to enforce a resource usage policy, wherein the guest OS resides on a host, mapping a hardware receive ring (HRR) residing on a physical network interface card (NIC) operatively connected to the host to the guest OS, wherein after the mapping the guest OS is configured to receive packets directly from the HRR, determining, using monitoring information, that the guest OS should not receive packets directly from the HRR, and in response to the determination, creating a data path from the HRR to a host OS executing on the host, receiving packets for the guest OS from the HRR by the host OS over the data path, and forwarding the packets from the host OS to the guest OS.

Abstract: A system for distributing network traffic among direct hardware access datapaths, comprising: a processor; one or more activated PNICs; a host operating system; and a virtual machine (VM). Each activated PNIC sends and receives data packets over a network. Each activated PNIC is configured with a virtual function. The VM includes a VNIC and a virtual link aggregator configured to maintain a list identifying each activated PNIC. Virtual function mappings for the VM associate the VM with virtual functions for the activated PNICs. The virtual link aggregator selects the first activated PNIC for servicing a network connection and determines a virtual function for the first activated PNIC. The VNIC for the first activated PNIC uses the virtual function to directly transfer network traffic for the network connection between the VM and the first activated PNIC.

Abstract: A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packet is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.

Abstract: In general, the invention relates to a creating a network model on a host. The invention includes: gathering first component properties associated with a first physical network device on a target network; creating a first container using first component properties; determining that a second physical network device is operatively connected to the first physical network device via a physical network link; gathering second component properties associated with the physical network link; creating a first VNIC associated with the first container; determining that at least one virtual network device is executing on the second physical network device; gathering third component properties associated with the at least one virtual network device; creating a second container, wherein the second container is configured using the third component properties; and creating a second VNIC associated with the second container.

Abstract: A system including first and second virtualized execution environments and a hypervisor for sending packets between virtualized execution environments. The first virtualized execution environment includes a first VNIC associated with a first hardware address (HA), a first proxy VNIC associated with a second HA, and a virtual switch. A Vswitch table for the virtual switch includes entries associating the first HA with the first VNIC and the second HA with the first proxy VNIC. The second virtualized execution environment includes a second proxy VNIC associated with the first HA. The virtual switch receives a first packet associated with the second HA. The virtual switch sends the first packet to the first proxy VNIC when Vswitch table entry associates the second HA with the first proxy VNIC. The first VNIC proxy sends the first packet from the first virtualized execution environment to the second virtualized execution environment using the hypervisor.

Abstract: One embodiment of the present invention provides a system for accessing an encrypted file through a file system. During operation, the system receives a request to access the encrypted file. In response to the request, the system sends an encrypted file key for the encrypted file from the file system to a tamper-resistant module. Next, the tamper-resistant module uses a master secret to decrypt the encrypted file key to restore the file key, wherein the master secret is obtained from an external source by the tamper-resistant module. The system then uses the file key to access the encrypted file.

Abstract: In general, the invention relates to reclaiming transmit descriptors by configuring a media access control (MAC) to execute a first MAC layer thread to reclaim a first number of transmit descriptors (TDs) from a first hardware transmit ring (HTR) using a first reclaim algorithm, where the first reclaim algorithm is associated with a first transmission pattern and a first TDR status. The invention further includes receiving, by a virtual NIC (VNIC) executing within the MAC layer, a first number of packets, forwarding the first number of packets to a device driver on the host associated with the physical NIC, and forwarding the first number of packets from the device driver to the physical NIC using the first number of TDs, where the first plurality of TDs are reclaimed by the first MAC layer thread according to the first reclaim algorithm.

Abstract: One embodiment of the present invention provides a system that specifies a MAC identifier for a network-interface-device in a computing device. In this system, the network-interface-device is configured to connect to a network though a port. During operation, the network-interface-device receives data packets through this port, and accepts a data packet if the data packet contains a destination that matches the MAC identifier for the network-interface-device, which can be a universally-administered MAC identifier. The system is also configured to determine whether the network-interface-device supports one or more additional MAC identifiers. If so, the system adds and activates an additional MAC identifier. By activating the newly-added MAC identifier in the computing device, the system allows the network-interface-device to logically separate data packets based on MAC identifiers.