(12) Patent Application Publication (10) Pub. No.: US 2009/0037977 A1
(43) Pub. Date: Feb. 5, 2009
Gai et al.

US 20090037977A1

(54) APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT A NETWORK DEVICE

(75) Inventors: Silvano Gai, Groveland, CA (US); Claudio DeSanti, Berkeley, CA (US); James Paul Rivers, Saratoga, CA (US)

Correspondence Address:
SCHWEGMAN, LUNDBERG & WOESSNER, P.A.
P.O. BOX 2938
MINNEAPOLIS, MN 55402 (US)

(73) Assignee: Nuova Systems, Inc., San Jose, CA (US)

(21) Appl. No.: 12/140,224

(22) Filed: Jun. 16, 2008

Related U.S. Application Data
(60) Provisional application No. 60/944,443, filed on Jun. 15, 2007.

Publication Classification
(51) Int. Cl. H04L 9/00 (2006.01)
(52) U.S. Cl. 726/1

(57) ABSTRACT
This document discusses, among other things, applying network policy at a network device. In an example embodiment, fibre channel hard zoning information may be received that indicates whether a fibre channel frame is permitted to be communicated between two fibre channel ports. Some example embodiments include identifying media access control (MAC) addresses associated with the fibre channel ports. An example embodiment may include generating one or more access control entries based on the fibre channel identifications of the fibre channel ports and the zoning information. The access control entries may be distributed to an Ethernet port to be inserted into an existing access control list and used to enforce a zoning policy upon fibre channel over Ethernet frames.
`
[Front-page drawing (FIG. 4, method 400): block 402, receive zoning information indicating whether an FC frame is permitted to be communicated between a first port having a first FC ID and a second port having a second FC ID; block 404, identify a MAC address associated with the first FC ID and a further MAC address associated with the second FC ID; block 406, generate one or more ACEs based on the first and second FC IDs and the zoning information; block 408, distribute the one or more ACEs to an Ethernet port to be inserted into an existing ACL.]
`
`Code200, UAB v. Bright Data Ltd.
`Code200's Exhibit 1019
`Page 1 of 15
`
`
`
`Patent Application Publication
`
`Feb. 5, 2009 Sheet 1 of 8
`
`US 2009/0037977 A1
`
`
`
[FIG. 1: block diagram illustrating the example network 100; the drawing itself did not survive text extraction.]
`
`
`
`
[Sheet 2 of 8, FIG. 2: block diagram of the network connection 200 between an FCoE node 202 and an FCoE forwarder 216; the drawing itself did not survive text extraction.]
`
`
`
`
[Sheet 3 of 8, FIG. 3: example mechanism 300 for applying an ACL to a frame. Shown: an ACL module 302, a database 304 holding the ACL 306, and the ACEs of the ACL, of which two are legible: ACE 308, "SA = FCoE MAC, DA = FCF MAC, ET = FCoE, PERMIT"; ACE 309, "ET = FCoE, DENY".]
`
`
`
`
[Sheet 4 of 8, FIG. 4: flow diagram of method 400. Block 402: receive zoning information indicating whether an FC frame is permitted to be communicated between a first port having a first FC ID and a second port having a second FC ID. Block 404: identify a MAC address associated with the first FC ID and a further MAC address associated with the second FC ID. Block 406: generate one or more ACEs based on the first and second FC IDs and the zoning information. Block 408: distribute the one or more ACEs to an Ethernet port to be inserted into an existing ACL.]
`
`
`
`
[Sheet 5 of 8, FIG. 5: flow diagram of method 500. Block 502: receive one or more ACEs generated based on FC zoning information. Block 504: insert the one or more ACEs into an existing ACL. Block 506: receive an FCoE frame encoding a source MAC address associated with a source FC ID and a destination MAC address associated with a destination FC ID. Block 508: reference an ACL to determine whether the FCoE frame is permitted to be received at the destination MAC address. Block 510: regulate the communication of the FCoE frame based on the ACL.]
`
`
`
`
[Sheet 6 of 8, FIG. 6: flow ladder diagram illustrating a domain logon process; the drawing itself did not survive text extraction.]
`
`
`
`
[Sheet 7 of 8, FIG. 7: flow diagram of a further example method for propagating FC hard zoning rules in an Ethernet network. Blocks: detect a login message between an FC node and an FC switching element; extract from the message an FC ID and a MAC address assigned to the FC node; obtain an FC zoning policy associated with the FC ID, responsive to extracting the FC ID and the MAC address assigned to the FC node; generate one or more ACEs based on the zoning policy associated with the FC ID; distribute the one or more ACEs to an Ethernet port associated with the FC ID to be inserted into an existing ACL.]
`
`
`
`
[Sheet 8 of 8, FIG. 8: diagrammatic representation of a machine in the example form of a computer system. Legible components: a processor holding instructions, further instruction stores, a machine-readable medium holding instructions, a video display, an alphanumeric input device, a cursor control device, a signal generation device and a network interface device.]
`
`
`
`
`
APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT A NETWORK DEVICE
`
RELATED MATTER

0001. This application claims the benefit under 35 U.S.C. 119(e) of U.S. provisional patent application Ser. No. 60/944,443, filed Jun. 15, 2007, entitled "APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT A NETWORK DEVICE," the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

0002. This patent document pertains generally to network communication and more particularly, but not by way of limitation, to applying network policy at a network device.

BACKGROUND

0003. Network policy enforcement is commonly applied to nodes in a network. For example, network policy enforcement may be applied at an input/output (I/O) interface to control a node's ability to access other nodes, control a node's scope of privileges, prevent denial of service attacks and enforce firewall policies. An appropriate policy may be selected based on the identification (ID), or lack thereof, of a node or a user.

BRIEF DESCRIPTION OF THE DRAWINGS

0004. In the drawings, which are not necessarily drawn to scale, like numerals describe substantially similar components throughout the several views. Like numerals having different letter suffixes represent different instances of substantially similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed in the present document.
0005. FIG. 1 is a block diagram illustrating a network system in accordance with an example embodiment;
0006. FIG. 2 is a block diagram showing a network connection between a fibre channel over Ethernet (FCoE) node and an FCoE forwarder 216, in accordance with an example embodiment;
0007. FIG. 3 shows a diagram illustrating an example mechanism for applying an ACL to a frame, in accordance with an example embodiment;
0008. FIG. 4 is a flow diagram illustrating an example method for propagating FC hard zoning rules in an Ethernet network, in accordance with an example embodiment;
0009. FIG. 5 is a flow diagram of a method for enforcing network policy derived from FC hard zoning policy, in accordance with an example embodiment;
0010. FIG. 6 is a flow ladder diagram illustrating a domain logon process, in accordance with an example embodiment;
0011. FIG. 7 is a flow diagram illustrating a further example method for propagating FC hard zoning rules in an Ethernet network, in accordance with an example embodiment; and
0012. FIG. 8 shows a diagrammatic representation of a machine in the example form of a computer system, in accordance with an example embodiment.
`
DETAILED DESCRIPTION

0013. The following detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments in which the invention may be practiced.

0014. Overview

0015. This overview is intended to provide an overview of the subject matter of the present patent application. It is not intended to provide an exclusive or exhaustive explanation of the invention. The detailed description is included to provide further information about the subject matter of the present patent application.

0016. A method and system are described for providing, at an Ethernet enabled device or interface (e.g., an Ethernet switch), a network policy behavior that is equivalent to that of fibre channel (FC) hard zoning (also referred to simply as zoning), which is traditionally applied to FC frames by an FC device (e.g., an FC switch). In example embodiments, FC hard zoning that is configured to regulate FC IDs assigned to FC ports may be enforced upon Ethernet frames at the data link layer by regulating media access control (MAC) addresses with Ethernet access control lists (ACLs).

0017. In various example embodiments, FC hard zoning policy information received by an FCoE forwarder is converted into access control entries (ACEs) to be inserted in one or more ACLs. In some example embodiments, the zoning policy may be enforced upon FCoE frames at an I/O port of an Ethernet enabled device (e.g., a network interface card (NIC)) by applying an Ethernet ACL.

0018. In some example embodiments an FCoE forwarder generates a set of ACEs corresponding to a zoning policy for an FC ID and a MAC address associated with the FC ID. In an example embodiment, ACEs may be generated when a system administrator manually or automatically updates a zoning policy. Some example embodiments may include generating the ACEs based on an FCoE node (e.g., an FCoE enabled I/O card) logging into an FCoE network over a particular port (e.g., with a FLOGI or NPIV request and accept exchange protocol). Logging in to the FCoE network may include the FCoE node requesting an FC ID from an FCoE forwarder and the FCoE node receiving the FC ID and an assigned MAC address from the FCoE enabled module.

0019. The example FCoE forwarder may distribute the set of ACEs to an Ethernet interface (e.g., an Ethernet port) where the ACEs may be inserted into Ethernet ACLs, which may be used to enforce the zoning policy upon incoming FCoE frames.

0020. In some example embodiments, a virtual FC port (e.g., a VN_Port) associated with a single Ethernet I/O port is assigned a MAC address based on the FC ID of the virtual FC port. In a substantially similar way as described above, an Ethernet port may use ACEs and ACLs to enforce FC zoning upon frames having MAC addresses associated with the FC ID of the virtual FC enabled I/O module.

0021. These embodiments, which are also referred to herein as "examples," are described in enough detail to enable those skilled in the art to practice the invention. The embodiments may be combined, other embodiments may be utilized, or structural, logical and electrical changes may be made
without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined by the appended claims and their equivalents.

0022. In this document, the terms "a" or "an" are used, as is common in patent documents, to include one or more than one. In this document, the term "or" is used to refer to a nonexclusive or, such that "A or B" includes "A but not B," "B but not A" and "A and B," unless otherwise indicated. Furthermore, all publications, patents, and patent documents referred to in this document are incorporated by reference herein in their entirety, as though individually incorporated by reference. In the event of inconsistent usages between this document and those documents so incorporated by reference, the usage in the incorporated reference(s) should be considered supplementary to that of this document; for irreconcilable inconsistencies, the usage in this document controls.
0023. FIG. 1 is a block diagram showing an example network 100, in accordance with an example embodiment. The example network 100 is shown to include an FCoE node 102 communicatively coupled to an Ethernet network 107 and an Ethernet bridge 110 via the transmission media 106. The physical interfaces 104 and 108 connect the FCoE node 102 and the Ethernet bridge 110, respectively, to the transmission media 106. The Ethernet bridge 110 is shown to be communicatively coupled to the Internet cloud 130 via the physical interface 109 and the transmission media 106. The Internet cloud 130 is shown to be communicatively coupled to Internet interfaces 132, 134 and 136 via the transmission media 106.

0024. The Ethernet bridge 110 is shown to be communicatively coupled to an FCoE forwarder 116 through the physical interfaces 112 and 114 and the transmission media 106. The FCoE forwarder 116 is shown to be communicatively coupled to the FC fabric 126 via the physical interface 122 and the transmission media 124. The FC fabric 126 is shown to be communicatively coupled to a storage array 125 via the transmission media 124. The FC fabric 126 may also be coupled to an administrator interface 128 via the transmission media 124.
0025. The Ethernet network 107 may be a type of Ethernet local area network (LAN) over which frames are transferred between network nodes such as the FCoE node 102 and the Ethernet bridge 110. As nodes on the Ethernet network 107, the FCoE node 102 and the Ethernet bridge 110 are each associated with one or more MAC addresses. MAC addresses include information used to identify network nodes connected to the Ethernet network 107. A MAC address is an element of the data link layer of the open systems interconnection (OSI) basic reference model.

0026. The FCoE protocol encapsulates an FC frame within an Ethernet frame that includes MAC addresses to identify the source and destination network nodes. FCoE frames may allow for the transfer of small computer system interface (SCSI) protocol data over Ethernet. Relative to the Ethernet network 107 the FCoE node 102 is an Ethernet node, while relative to an FC network the FCoE node may be considered to be an FC node (discussed in more detail below). The FCoE forwarder 116 may also be a member of both an Ethernet and an FC network.
0027. The example Ethernet bridge 110 may connect multiple network devices via the transmission media 106 and its physical interfaces 108, 109 and 112. In an example embodiment, the functionality of the Ethernet bridge 110 includes using source and/or destination MAC addresses to provide security, switching, forwarding, flow control or other Ethernet bridge services to the Ethernet network. Some Ethernet bridges 110 may include a capability to act on frames based on other layers of the OSI model.

0028. The physical interfaces 108, 109 and 112 of the Ethernet bridge 110 may include NICs to receive and transmit frames. A physical interface 108, 109 or 112 such as a NIC may process a received frame to determine the MAC address of the frame's source and the MAC address of the frame's destination port. The physical interfaces 108, 109 and 112 may be associated with one or more ports and/or MAC addresses at which frames may be received from other ports (e.g., the physical interface 104) and transmitted to the other ports.
0029. In an example embodiment, the Ethernet network 107 is implemented in a configuration that reduces frame loss between network nodes. Such a configuration may be referred to as lossless Ethernet. In example embodiments in which lossless Ethernet is employed, the physical interfaces (e.g., 104, 108, 109, 112 and 114) connected to the Ethernet network include Ethernet MACs supporting full duplex and 2.5 kilobyte jumbo frames over the transmission media 106. The physical interfaces (e.g., 104, 108, 109 and 112) may further implement an Ethernet extension allowing a pause mechanism to avoid Ethernet frame loss due to congestion. Ethernet bridging elements (e.g., the Ethernet bridge 110 and/or a bridging element within the FCoE forwarder) that are communicatively coupled to the example network 107 may be adapted to support the capabilities of the Ethernet MACs of the above configuration.
0030. The FCoE node 102 is a network node that is able to communicate Ethernet protocol and SCSI over a single physical interface 104. In an example embodiment, the FCoE node is an FC node with one or more Ethernet MACs coupled to an FCoE controller (discussed in more detail below).

0031. The FCoE node 102 may be communicatively coupled to a physical machine (e.g., a microprocessor-based computer, not shown) and may interface with one or more operating systems running on the physical machine. In an example embodiment, the physical machine may include one or more central processing units (CPUs) that execute instructions to implement one or more virtual machines on the physical machine.

0032. In a virtual environment (e.g., a virtual server), a single physical device may present the appearance to other hardware and software that the single physical device is multiple logical devices (e.g., multiple virtual devices). Some network devices (e.g., physical devices) include one or more virtual interfaces, each of which connects one or more virtual machines to the network.

0033. Virtual interfaces may allow applications, services and operating systems to separately access a network through the virtual interfaces using a common physical I/O to the network. When virtual interfaces are used, network policy may be enforced with hardware or software. The enforcement may occur within each network node or external to each node but within the network.

0034. A virtual machine may execute one or more operating systems that in turn may execute multiple software applications.

0035. In some example embodiments, the FCoE node 102 includes one or more virtual ports. The example virtual ports may serve as an interface between an operating system
`executed by a physical or virtual machine and the transmis
`sion media 106 connected by the physical interface 104.
0036. The FCoE forwarder 116 may receive FCoE frames from FCoE nodes such as the FCoE node 102 and forward FCoE frames or FC frames (e.g., decapsulated from the FCoE frame) based on the FC destination ID carried in the FC frame (FC frames being encapsulated within FCoE frames). In various example embodiments, the FCoE forwarder includes an FC switch (not shown) and a physical interface 122 that includes a host bus adapter (HBA) to communicate with FC devices connected to the FC fabric 126 over the transmission media 124 (e.g., twisted pair, fiber optic cables, etc.). The FCoE forwarder 116 is shown to include a logon module 118 to facilitate network logon and a mapping module 120 to map FC zoning policy into ACEs. The logon module 118 and the mapping module 120 are discussed in more detail below.

0037. The FC fabric 126 may include an FC switch (not shown) to switch FC frames received from the FCoE forwarder 116 to various disks within the storage array 125.

0038. The administrator interface 128 is to be used by a storage administrator or other authorized party to perform various administrative tasks. In an example embodiment, FC zoning rules may be administered to the FC fabric via the administrator interface 128. FC zoning rules may limit the ability of an FC node to access other FC nodes and/or FC switches. FC zoning rules may include grouping FC nodes into subgroups within an FC fabric to provide security and/or decrease traffic, etc. In an example embodiment, zoning rules may be applied to FCoE frames transmitted from or to nodes such as the FCoE node 102.

0039. The Internet cloud 130 represents a network that may share the transmission media 106 with the Ethernet network 107. In an example embodiment, IP packets of the Internet protocol, Ethernet frames of the Ethernet protocol and FCoE frames of the FCoE protocol may each be carried over the transmission media 106.

0040. FIG. 2 is a block diagram showing a network connection 200 between an FCoE node 202 and an FCoE forwarder 216, in accordance with an example embodiment. The FCoE node 202 and the FCoE forwarder 216 of FIG. 2 may be substantially similar to the FCoE node 102 and the FCoE forwarder 116 of FIG. 1. The Ethernet port 204 of the FCoE node 202 is shown to be communicatively coupled to the Ethernet port 214 of the FCoE forwarder 216 and to the Ethernet network 207 via the transmission media 206.

0041. Features within the FCoE node 202 and the FCoE forwarder 216 may be organized into an FC layer 258, an FCoE layer 260 and an Ethernet layer 262.

0042. In the FC layer 258 of the FCoE node 202, the upper FC levels 230-232 process data received from operating systems (not shown) wishing to transmit data to an FC node within the FC network. The VN_Ports 234-236 may receive FC frames from the upper FC levels 230-232 and forward them to the FCoE layer. The VN_Ports 234-236 may also receive FC frames from the FCoE layer 260 and forward the frames to the upper FC levels 230-232.

0043. A VN_Port may be the data forwarding component of an FC entity 233 that emulates an N_Port (e.g., an FC protocol N_Port) and is dynamically instantiated by a logon module (e.g., the logon module 244) upon successful completion of an FC network logon procedure (e.g., FIP, FLOGI, NPIV, etc., described below) with the FCoE forwarder 216. A VN_Port
`
may be assigned an address (e.g., an FCoE MAC address) by the FCoE forwarder 216 during the logon procedure.

0044. The FCoE layer 260 of the FCoE node 202 is to receive FC frames from the VN_Ports 234-236 and FCoE frames from the Ethernet MAC 205.

0045. An FCoE framer in the FCoE layer may perform encapsulation of FC frames into FCoE frames in transmission and decapsulation of FCoE frames into FC frames in reception. An FCoE framer on an FCoE node (e.g., the FCoE framer 238, 239 or 240) may form an endpoint of a virtual link (e.g., one of the virtual links 261, 263 or 265) between the FCoE node 202 and an FCoE framer (e.g., the FCoE framer 256, 255 or 254) on an FCoE forwarder. When encapsulating FC frames into FCoE frames, the MAC address of the local link endpoint (e.g., on the FCoE node 202) may be used as the source address and the MAC address of the remote link endpoint (e.g., on the FCoE forwarder 216) may be used as the destination address of the FCoE frame. When decapsulating FC frames from FCoE frames, the FCoE framer may verify that the destination address of the received FCoE frame is equal to the MAC address of the local endpoint and may verify that the source address of the received FCoE frame is equal to the MAC address of the remote link endpoint.

0046. The MAC address of the local link endpoint may be a MAC address associated with its VN_Port (e.g., the MAC addresses VN_Port(1) to VN_Port(3) 270-273) and the remote link endpoint address is the FCoE forwarder 216 MAC address associated with the Ethernet MAC 215 and the remote VF_Port (e.g., the FCF MAC 274-276).

0047. The FC layer 258 of the FCoE forwarder 216 includes the FC switching element 246. The FC switching element may be a functional entity performing FC switching among other FC switches and to FC nodes.

0048. A VF_Port may be the data forwarding component of an FC entity 248 that emulates an F_Port (e.g., an FC protocol F_Port) and is dynamically instantiated upon successful completion of a logon procedure by operation of the logon module 245. A VF_Port such as the VF_Port 250 receives FC frames from the FC switching element (e.g., the FC switching element 246) and sends them to an appropriate FCoE framer (e.g., the framers 254-256) for encapsulation and transmission over a virtual link (e.g., out of the Ethernet port 214 and over the transmission medium 206).

0049. VN_Ports instantiated upon successful logon (e.g., the VN_Ports 234-236) as described above may be associated with the same VF_Port (e.g., the VF_Port 250) instantiated upon that successful logon (e.g., facilitated by the logon module 245).

0050. At the FCoE layer 260, the FCoE framers 254-256 may perform substantially the same functions as the FCoE framers 238-240 described above.

0051. Referring again to FIG. 1, as described above, the FCoE node 102 may include multiple virtual ports (e.g., the VN_Ports 234-236) to interface with one or more operating systems and form virtual links (e.g., the virtual FC links 261, 263 and 265) over Ethernet with the FCoE forwarder 116.

0052. FIG. 3 shows a diagram illustrating an example mechanism 300 for applying an ACL 306 to a frame, in accordance with an example embodiment. An ACL 306 may include a list composed of ACEs 308-311 that may be referenced to determine whether certain privileges are or are not to be granted to a given subject. In example
embodiments, ACLs may be used to regulate FCoE frames based on an FCoE frame's MAC source address and/or destination address.

0053. FIG. 4 is a flow diagram illustrating an example method 400 for propagating FC hard zoning rules in an Ethernet network, in accordance with an example embodiment. The example method 400 may be implemented at least in part by the mapping module 120 of FIG. 1. The mapping module 120 may be hardware, software or a combination of hardware and software. In some example embodiments, the mapping module 120 includes instructions executed by a processor (not shown) integrated into the FCoE forwarder 116.

0054. At block 402, the method 400 may include receiving zoning information indicating whether an FC frame is permitted to be communicated between a first port having a first FC ID and a second port having a second FC ID. In FIG. 1, FC zoning policy may be pushed to the FCoE forwarder 116 by the administrator interface 128 across the FC fabric 126 over the transmission media 124, where the zoning information may be received by an HBA (e.g., the physical interface 122). In an example embodiment, the zoning information is a rule that determines whether a VN_Port (e.g., having an FC ID) within the FCoE node 102 may connect with a VF_Port within the FCoE forwarder 116. In some example embodiments, the pushed zoning information is an update to the existing zoning policy currently being enforced.

0055. After a virtual port has logged on, an association may be established between the virtual port's assigned FC ID and the virtual port's MAC address. As will be described below, each virtual port (e.g., the VN_Ports 234-236 in FIG. 2) is assigned an FC ID when the virtual port logs on to a particular domain with an FCoE forwarder. Also during logon, an FCoE forwarder may assign a MAC address to the virtual port.

0056. In some example embodiments, the FCoE forwarder 116 is to derive a MAC address for the VN_Port within the FCoE node 102 that is based on the assigned FC ID. Alternatively or additionally, the VN_Port may select its own MAC address and the FCoE forwarder may associate the assigned FC ID with the VN_Port's selected MAC address in a data structure.

0057. At block 404, the example method may include identifying a MAC address associated with the first FC ID and a further MAC address associated with the second FC ID. In some example embodiments, the mapping module 120 may reference a table to identify MAC addresses previously associated (e.g., following domain logon) with assigned FC IDs. In various example embodiments, MAC addresses derived by the FCoE forwarder 116 are 48 bits long, and 24 of the bits encode the assigned FC ID. The mapping module 120 may then use the first and second FC IDs as indexes to locate the derived MAC addresses that embed them.

0058. At block 406, the example method 400 includes generating one or more ACEs based on the first and second FC IDs and the zoning information. The mapping module 120 may extract the policy from the zoning information and apply it to the MAC addresses identified as being associated with the first and second FC IDs. For example, in FIG. 2, an ACE may relate to the virtual link 261 formed between the VN_Port MAC address 270 and the FCoE framer 256.

0059. At block 408, the example method 400 may include distributing the one or more ACEs to an Ethernet port to be inserted into an existing ACL. The ACEs may be transmitted over the Ethernet network.
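The derivation of paragraph 0057 and the ACE generation of blocks 404-408 (paragraphs 0054-0059), as an added worked example in Python. It is illustration written for this page, not code from the patent or from Nuova Systems. The 24-bit prefix value 0x0EFC00, the (source MAC, destination MAC, ethertype, permit) tuple layout of an ACE, the (first FC ID, second FC ID, permitted) rule format, the sample MACs, and the use of the F_Port controller well-known address 0xFFFFFE as the table key for the FCoE forwarder's MAC are all assumptions; the page states only that 24 of the 48 MAC bits encode the FC ID and that a VN_Port may instead select its own MAC (paragraph 0056), which the logon table below handles.

```python
# Added example, not the patent's code: FC ID to MAC derivation (paragraph 0057)
# and FC hard zoning to Ethernet ACE mapping (blocks 404-408 of method 400).
# Assumptions: the 24-bit prefix value, the (src, dst, ethertype, permit) tuple
# layout of an ACE, the (fc_id_a, fc_id_b, permitted) rule format, and keying the
# FCoE forwarder's MAC under the F_Port controller well-known address 0xFFFFFE.

ETHERTYPE_FCOE = 0x8906   # FCoE EtherType
FC_MAP = 0x0EFC00         # assumed 24-bit prefix; the page only says 24 of 48 bits carry the FC ID
ANY = None                # wildcard ACE field


def fc_id_to_mac(fc_id, prefix=FC_MAP):
    """Derive a 48-bit MAC whose low 24 bits are the assigned FC ID."""
    if not 0 <= fc_id <= 0xFFFFFF:
        raise ValueError("FC ID must fit in 24 bits")
    return (prefix << 24) | fc_id


def mac_to_fc_id(mac):
    """Inverse of fc_id_to_mac: the FC ID is the low 24 bits of a derived MAC."""
    return mac & 0xFFFFFF


def mac_str(mac):
    """Render a 48-bit integer as colon-separated hex, e.g. 0e:fc:00:01:01:00."""
    return ":".join("%02x" % ((mac >> (8 * i)) & 0xFF) for i in reversed(range(6)))


def lookup_mac(fc_id, mac_table):
    """Block 404. A VN_Port may have chosen its own MAC (paragraph 0056), so the
    binding recorded at logon wins; otherwise the MAC is derived from the FC ID."""
    return mac_table.get(fc_id, fc_id_to_mac(fc_id))


def generate_aces(zoning_rules, mac_table):
    """Block 406. Emits one ACE per direction for each zoning rule, then a
    catch-all FCoE deny like ACE 309 of FIG. 3. The ACL is searched first-match,
    so the catch-all must stay last; explicit denies are kept so that a later
    permit-any entry on the port cannot override the zoning decision."""
    aces = []
    for fc_id_a, fc_id_b, permitted in zoning_rules:
        mac_a = lookup_mac(fc_id_a, mac_table)
        mac_b = lookup_mac(fc_id_b, mac_table)
        aces.append((mac_a, mac_b, ETHERTYPE_FCOE, permitted))
        aces.append((mac_b, mac_a, ETHERTYPE_FCOE, permitted))
    aces.append((ANY, ANY, ETHERTYPE_FCOE, False))
    return aces


# Constructed sample data (all values are assumptions for illustration).
FCF_MAC = 0x000DECC0FFEE                # the FCoE forwarder's MAC
FCF_FC_ID = 0xFFFFFE                    # F_Port controller address, used as the FCF's table key
SAMPLE_TABLE = {
    0x010100: fc_id_to_mac(0x010100),   # VN_Port(1): fabric-derived MAC
    0x010200: 0x00112233AABB,           # VN_Port(2): chose its own MAC at logon
    FCF_FC_ID: FCF_MAC,
}
SAMPLE_RULES = [
    (0x010100, FCF_FC_ID, True),        # VN_Port(1) is zoned to reach the fabric
    (0x010200, FCF_FC_ID, False),       # VN_Port(2) is not
]


def fmt_ace(ace):
    """One-line rendering in the style of FIG. 3, e.g. 'SA=... DA=... ET=0x8906 PERMIT'."""
    src, dst, et, permit = ace
    show = lambda m: "any" if m is ANY else mac_str(m)
    return "SA=%s DA=%s ET=%#06x %s" % (show(src), show(dst), et, "PERMIT" if permit else "DENY")


if __name__ == "__main__":
    for ace in generate_aces(SAMPLE_RULES, SAMPLE_TABLE):
        print(fmt_ace(ace))
```

Run stand-alone, the block prints the five ACEs the mapping module would distribute for the sample: a permit pair for VN_Port(1), an explicit deny pair for VN_Port(2) (whose self-selected MAC is taken from the table rather than derived), and the trailing FCoE deny.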
`
0060. FIG. 5 is a flow diagram illustrating an example method 500 for enforcing FC zoning with an ACL, in accordance with an example embodiment. For example, in FIG. 1 the physical interfaces 104, 108, 112 and 114 may enforce ACLs on frames traveling between the FCoE node 102 and the FCoE forwarder 116. Alternatively or additionally, instructions may be executed outside of the physical interfaces 104, 108, 112 and 114 but along the path connecting the virtual ports.

0061. At block 502, the example method 500 may include receiving one or more ACEs generated based on FC zoning information. In some example embodiments, the mapping module is to generate Ethernet ACEs that may be inserted into existing ACLs at the specific Ethernet ports that connect to the transmission media 106 carrying virtual links between a VN_Port within the FCoE node 102 and a VF_Port within the FCoE forwarder 116. ACL modules positioned along the path of the virtual link (e.g., in the physical interfaces 114, 112, 108 and 104 of FIG. 1) may receive one or more ACEs from the mapping module 120.

0062. At block 504, the example method 500 may include inserting the one or more ACEs into an existing ACL. Referring to FIG. 3, the example ACL module 302 may access a database 304 to insert the one or more ACEs into the example ACL 306.

0063. At block 506, the example method 500 may include receiving an FCoE frame encoding a source MAC address associated with a source FC ID and a destination MAC address associated with a destination FC ID, and at block 508 referencing an ACL to determine whether the FCoE frame is permitted to be received at the destination MAC address.

0064. In FIG. 3, the source and destination MAC addresses of a received FCoE frame may be forwarded to the ACL module 302, which may be implemented in any appropriate ports or network devices as described above. The ACL module 302 may identify the applicable ACL within the database 304 and search each ACE 308-311 for a source MAC address, destination MAC address and ethertype matching those appearing in the received FCoE frame. In an example embodiment, the ACL module sequentially searches each ACE within the ACL until a match is identified.
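The ACL module of method 500 (paragraphs 0061-0064), with the first-match search over ACEs such as ACE 308 and ACE 309 of FIG. 3, as an added Python example written for this page rather than taken from the patent. ACEs are (source MAC, destination MAC, ethertype, permit) tuples with None as a wildcard, and the frame layout (14-byte Ethernet header, 14-byte FCoE header, then an FC header with D_ID at bytes 1-3 and S_ID at bytes 5-7) follows the FC-BB-5 encapsulation, which the page does not spell out. The example goes beyond the text in two places, both marked in comments: distributed entries are inserted ahead of a catch-all deny already on the port so that first-match order cannot shadow them, and a permitted frame is still refused when the S_ID inside the FC header disagrees with the FC ID bound to its source MAC (the low 24 bits of a derived MAC per paragraph 0057, or a table entry for a self-selected MAC per paragraph 0056), extending the framer's address verification of paragraph 0045. The default for a frame that matches no ACE is also an assumption. All sample MACs and frames are constructed.

```python
# Added example, not the patent's code: an Ethernet-port ACL module for method 500
# (blocks 502-510). Frame layout assumed from FC-BB-5 (not stated on the page).
import struct

ETHERTYPE_FCOE = 0x8906   # FCoE EtherType
ANY = None                # wildcard ACE field


def is_catch_all(ace):
    return ace[0] is ANY and ace[1] is ANY


def insert_aces(existing_acl, new_aces):
    """Blocks 502-504: merge distributed ACEs into the port's existing ACL. The ACL
    is searched first-match, so specific entries go in front of the first catch-all
    (SA=any, DA=any) entry and catch-alls are appended; an ACE 309 style deny that
    is already on the port then cannot shadow a freshly distributed permit.
    (Ordering rule is an addition to the page's text.)"""
    acl = list(existing_acl)
    cut = next((i for i, a in enumerate(acl) if is_catch_all(a)), len(acl))
    for ace in new_aces:
        if ace in acl:
            continue                      # re-distribution is idempotent
        if is_catch_all(ace):
            acl.append(ace)
        else:
            acl.insert(cut, ace)
            cut += 1
    return acl


def parse_fcoe_frame(frame):
    """Block 506: extract DA, SA and EtherType, plus D_ID/S_ID of the encapsulated
    FC frame. Assumed layout: 14-byte Ethernet header, 14-byte FCoE header, then a
    24-byte FC header with D_ID at bytes 1-3 and S_ID at bytes 5-7."""
    if len(frame) < 14 + 14 + 24:
        raise ValueError("frame too short for Ethernet + FCoE + FC headers")
    da = int.from_bytes(frame[0:6], "big")
    sa = int.from_bytes(frame[6:12], "big")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    fc = frame[28:52]
    return {"da": da, "sa": sa, "ethertype": ethertype,
            "d_id": int.from_bytes(fc[1:4], "big"), "s_id": int.from_bytes(fc[5:8], "big")}


def lookup(acl, sa, da, ethertype):
    """Block 508: sequential search; the first ACE whose non-wildcard fields all
    match wins (paragraph 0064). Returns the ACE, or None when nothing matches."""
    for src, dst, et, permit in acl:
        if (src is ANY or src == sa) and (dst is ANY or dst == da) and (et is ANY or et == ethertype):
            return (src, dst, et, permit)
    return None


def regulate(acl, frame, bindings=None):
    """Block 510: 'permit' or 'deny' for one frame. No match is treated as deny
    (assumed; the page does not say). Beyond the page: a derived MAC carries the
    FC ID in its low 24 bits (paragraph 0057), so a permitted FCoE frame whose FC
    S_ID disagrees with its source MAC is still refused; `bindings` (MAC -> FC ID)
    covers VN_Ports that chose their own MAC (paragraph 0056). A MAC-keyed ACL is
    only as strong as this MAC-to-FC-ID binding."""
    f = parse_fcoe_frame(frame)
    ace = lookup(acl, f["sa"], f["da"], f["ethertype"])
    if ace is None or not ace[3]:
        return "deny"
    expected = (bindings or {}).get(f["sa"], f["sa"] & 0xFFFFFF)
    if f["ethertype"] == ETHERTYPE_FCOE and f["s_id"] != expected:
        return "deny"
    return "permit"


def build_fcoe_frame(da, sa, s_id, d_id):
    """Constructed frame for the sample: headers only, a zeroed FCoE header ending
    in an SOFi3 byte, and an FC header carrying just the IDs; payload and trailer omitted."""
    eth = da.to_bytes(6, "big") + sa.to_bytes(6, "big") + struct.pack("!H", ETHERTYPE_FCOE)
    fcoe = bytes(13) + b"\x2e"
    fc = b"\x06" + d_id.to_bytes(3, "big") + b"\x00" + s_id.to_bytes(3, "big") + bytes(16)
    return eth + fcoe + fc


# Constructed sample (all values are assumptions): VN_Port(1) MAC derived from
# FC ID 0x010100 with prefix 0x0EFC00; the FCF MAC is arbitrary.
VN1_MAC = 0x0EFC00010100
FCF_MAC = 0x000DECC0FFEE
EXISTING_ACL = [(ANY, ANY, ETHERTYPE_FCOE, False)]         # ACE 309 already on the port
ZONED_ACES = [(VN1_MAC, FCF_MAC, ETHERTYPE_FCOE, True),     # ACE 308 and its reverse direction
              (FCF_MAC, VN1_MAC, ETHERTYPE_FCOE, True)]
PORT_ACL = insert_aces(EXISTING_ACL, ZONED_ACES)

if __name__ == "__main__":
    cases = {
        "zoned VN_Port(1)": build_fcoe_frame(FCF_MAC, VN1_MAC, 0x010100, 0x010200),
        "unzoned VN_Port": build_fcoe_frame(FCF_MAC, 0x0EFC00010300, 0x010300, 0x010200),
        "VN_Port(1) MAC, foreign S_ID": build_fcoe_frame(FCF_MAC, VN1_MAC, 0x010300, 0x010200),
    }
    for name, fr in cases.items():
        print(name, "->", regulate(PORT_ACL, fr))
```

Run stand-alone, the block prints the verdict for a zoned frame, for an unzoned VN_Port caught by the trailing deny, and for a frame carrying VN_Port(1)'s MAC with another port's S_ID; the third case is the one a MAC-only ACL would otherwise pass, which is why the binding check sits beside the ACL rather than in place of it.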
0065. At block 510, the example method 500 may include regulating the communication of the FCoE frame based on the ACL. In FIG. 3, when the ACL module 302 identifies a matching ACE 308-311 within the ACL 306, the ACL module 302 may regulate the FCoE frame according to the privileges indicated in the ACE. In FIG. 3, the ACE 308 indicates that the FCoE frame should be permitted to reach the destination MAC address when the source MAC address is the VN_Port(1) MAC, the destination MAC address is the FCoE forwarder MAC and the ethertype is FCoE. An FCoE frame is not permitted to reach the destination MAC address in cases where the matching ACE indicates that the frame should be denied. The example ACE 309 indicates that a frame that does not include the MAC addresses in the ACE 308 but