摘要:
An Ethernet network device includes a port logic module that is associated with a device port of the Ethernet network device. A packet processing module includes an ingress processing module that receives an incoming packet and that generates a control traffic tag. An ingress command execution module receives the incoming packet and the control traffic tag, generates a duplicate packet that is identical to the incoming packet, and generates a device interface code that identifies the port logic module based on the control traffic tag. A control traffic routing module receives the duplicate packet and the device interface code and forwards the duplicate packet to the port logic module. A network traffic analysis device receives the duplicate packet. The port logic module replaces a first destination header of the duplicate packet with a second destination header that is identical to a destination header of the incoming packet.
摘要:
A method, apparatus, and computer-readable media for a switch comprising a plurality of network ports and a central processing unit (CPU) interface comprises receiving, on one of the network ports, a packet comprising a source media access control (MAC) address; sending, to the CPU interface, a request to approve an association between the one of the network ports and the source MAC address when no request to approve the association between the one of the network ports and the source MAC address has been sent to the CPU interface; and sending, to the CPU interface, the request to approve the association between the one of the network ports and the source MAC address when an association between the source MAC address and a different one of the network ports has been approved.
摘要:
A method of managing network traffic. The method includes initializing a database in communication with a network device. The database includes a number of MAC address entries and a network flooding entry associated with each of the number of MAC address entries. Each of the number of MAC address entries is associated with a station known to the network. The method also includes receiving network traffic at the network device. The network traffic is associated with a MAC source address. The method further includes determining whether the MAC source address is included in the database, automatically learning a location associated with the MAC source address, and forwarding the network traffic over the network if the MAC source address is included in the database. Additionally, the method includes dropping or trapping the network traffic if the MAC source address is not included in the database. Dropping the network traffic is performed without interaction with a CPU.
摘要:
A network switch including a port, a memory, and a controller. The port has a port identifier and receives a packet (including an address of the source device) transmitted from a source device to the network switch. The memory is configured to store entries, each entry including (i) an identifier of a port of the network switch and (ii) an address of a network device. The controller is configured to (i) determine whether the address of the source device and the port identifier of the packet are stored in the memory and (ii) send a message to a processor requesting approval of the packet. The controller is configured to send the message when (i) the address of the source device is not stored in the memory or (ii) the port identifier of the packet is not stored with the address of the source device as one of the entries.
摘要:
A method of detecting address spoofing includes receiving an ARP packet at a network device. The ARP packet includes a first address associated with a first network layer and a second address associated with a second network layer. The method also includes accessing a first memory searchable by the first address to obtain a memory reference and retrieving a third address associated with the second network layer from a second memory using the memory reference. The method further includes comparing the second address with the third address and detecting address spoofing if a match is not present between the second address and the third address.
摘要:
A network device comprises a plurality of physical ports, and a packet processing pipeline coupled to the plurality of physical ports. The packet processing pipeline is configured to assign a virtual port from a plurality of virtual ports to a packet received via one of the physical ports, wherein a quantity of the plurality of virtual ports is larger than a quantity of the plurality of physical ports, and wherein, for each of at least some of the physical ports, multiple virtual ports correspond to one physical port. The packet processing pipeline is also configured to assign a virtual domain from a plurality of virtual domains to the packet based on the assigned virtual port, and process the packet based on one or more of i) the assigned virtual port, ii) the assigned virtual domain, and iii) a header field of the packet, including determining zero, one, or more physical ports to which the packet is to be forwarded.
摘要:
A network device including a processor having an internet protocol (IP) address, and a processor port configured to communicate exclusively with the processor. The network device also includes a plurality of network ports configured to communicate with network nodes external to the network device. In addition, the network device includes a forwarding engine configured to selectively transfer packets (i) among the plurality of network ports, and (ii) between the processor port and the plurality of network ports; receive a broadcast packet from one of the plurality of network ports, the broadcast packet including a target IP address; and forward the broadcast packet to the processor, via the processor port, only when both (i) the broadcast packet is a control packet, and (ii) the target IP address of the broadcast packet matches the IP address of processor.
摘要:
A network device for use in a networking system. The network device includes a packet processor adapted to receive control packets at a network port of the network device. The packet processor is also adapted to assign a CPU code to the control packets. The network device also includes a CPU in communication with the packet processor and a lookup table indexed by the CPU code and in communication with the packet processor. According to embodiments of the present invention, one or more entries in the lookup table define a rate limit in accordance with which packets characterized by the CPU code are delivered from the packet processor to the CPU.
摘要:
A network device comprises a plurality of physical ports, and a packet processing pipeline coupled to the plurality of physical ports. The packet processing pipeline is configured to assign a virtual port from a plurality of virtual ports to a packet received via one of the physical ports, wherein a quantity of the plurality of virtual ports is larger than a quantity of the plurality of physical ports, and wherein, for each of at least some of the physical ports, multiple virtual ports correspond to one physical port. The packet processing pipeline is also configured to assign a virtual domain from a plurality of virtual domains to the packet based on the assigned virtual port, and process the packet based on one or more of i) the assigned virtual port, ii) the assigned virtual domain, and iii) a header field of the packet, including determining zero, one, or more physical ports to which the packet is to be forwarded.
摘要:
The invention provides novel methods of forwarding multicast data packets to selected egress ports in a MAC bridging environment. A multicast data packet is received via an ingress port. A source IP address and a destination multicast IP address are retrieved from the multicast packet. In a forwarding database, different groups of egress ports correspond to different combinations of a source address, a destination multicast address, and a virtual local area network identifier (VLAN-ID). The forwarding database is accessed, based on the retrieved source address, the retrieved destination multicast address, and a VLAN-ID, to thereby determine a corresponding group of egress ports. The multicast packet is then forwarded to the corresponding group of egress ports.