Method and system for traffic isolation in a network

US 9,270,580 B1
Filed: 08/28/2009
Issued: 02/23/2016
Est. Priority Date: 08/28/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for facilitating traffic isolation in a switch, the method comprising:

configuring one or more ports of the switch as members of first a traffic isolation zone, wherein a traffic isolation zone is a subset of ports in the switch and precludes a data flow not belonging to the traffic isolation zone from reaching a port within the traffic isolation zone;

identifying that a data flow belongs to the first traffic isolation zone based on the subset of ports belonging to the first traffic isolation zone;

in response to a port of the first traffic isolation zone being available, associating the data flow with the port as an output port;

in response to the port not being available, determining whether a failover option for the first traffic isolation zone is enabled; and

in response to the failover option being enabled, associating the data flow with a second port as an output port, wherein the second port is a member of a second traffic isolation zone, and wherein the second traffic isolation zone is distinct from the first traffic isolation zone.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates traffic isolation (TI) in a network. During operation, the system configures a set of switch ports as members of a TI zone. The switch ports are part of an end-to-end path across one or more switch domains between a source and a destination. The switch ports within the TI zone and outside the TI Zone belong to a common storage area network (SAN) zone which compartmentalizes data for security purposes. The system then determines whether a data flow entering a switch domain belongs to the TI zone. The system subsequently forwards the data flow to the next port within the TI zone if the data flow belongs to the TI zone.

Citations

24 Claims

1. A method for facilitating traffic isolation in a switch, the method comprising:
- configuring one or more ports of the switch as members of first a traffic isolation zone, wherein a traffic isolation zone is a subset of ports in the switch and precludes a data flow not belonging to the traffic isolation zone from reaching a port within the traffic isolation zone;
  
  identifying that a data flow belongs to the first traffic isolation zone based on the subset of ports belonging to the first traffic isolation zone;
  
  in response to a port of the first traffic isolation zone being available, associating the data flow with the port as an output port;
  
  in response to the port not being available, determining whether a failover option for the first traffic isolation zone is enabled; and
  
  in response to the failover option being enabled, associating the data flow with a second port as an output port, wherein the second port is a member of a second traffic isolation zone, and wherein the second traffic isolation zone is distinct from the first traffic isolation zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - using the first traffic isolation zone to enforce one or more Quality-of-Service (QoS) parameters for a QoS class.
  - 3. The method of claim 1, wherein configuring the ports as members of the first traffic isolation zone comprises:
    - propagating the configuration of the first traffic isolation zone across one or more switches;
      
      determining whether a local switch is part of the first traffic isolation zone; and
      
      updating a local forwarding table with the configuration of the first traffic isolation zone.
  - 4. The method of claim 1, wherein the method further comprises associating the data flow with the second port as an output port in response to a next-hop port within the first traffic isolation zone for the data flow not being available, wherein a next-hop port within the second traffic isolation zone for the data flow is available.
  - 5. The method of claim 1, wherein the method further comprises dropping the data flow belonging to the first traffic isolation zone in response to the failover option not being enabled.
  - 6. The method of claim 1, wherein the ports configured as members of the first traffic isolation zone are Fibre Channel ports and comprise one or more of N_Ports, E_Ports, and EX_Ports.
  - 7. The method of claim 6, wherein the first traffic isolation zone comprises a set of inter-switch links (ISLs) coupling adjacent E_Ports that form an end-to-end path.
  - 8. The method of claim 6, wherein the first traffic isolation zone comprises one or more EX_Ports and is configurable to traverse Fibre Channel routers (FCRs) and FCR-coupled fabrics.

9. A non-transitory computer-readable medium storing instructions which when executed by a computer cause the computer to perform a method for facilitating traffic isolation in a network, the method comprising:
- configuring one or more ports of a switch as members of a first logical group, wherein a logical group is a subset of ports in the switch and precludes a data flow not belonging to the logical group from reaching a port within the logical group;
  
  identifying that a packet belongs to the first logical group based on the subset of ports belonging to the first traffic isolation zone;
  
  in response to a port of the first logical group being available, associating the packet with the port as an output port;
  
  in response to the port not being available, determining whether a failover option for the first logical group is enabled; and
  
  in response to the failover option being enabled, associating the packet with a second port as an output port, wherein the second port is a member of a second logical group, and wherein the second logical group is distinct from the first logical group.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable medium of claim 9, wherein the method further comprises using the first logical group to enforce one or more Quality-of-Service (QoS) parameters for a QoS class.
  - 11. The computer-readable medium of claim 9, wherein configuring the ports as members of the first logical group comprises:
    - propagating the configuration of the first logical group across one or more switches;
      
      determining whether a local switch is part of the first logical group; and
      
      updating a local forwarding table with the configuration of the first logical group.
  - 12. The computer-readable medium of claim 9, wherein the method further comprises associating the packet with the second port as an output port in response to a next-hop port within the first logical group for the packet not being available, wherein a next-hop port within the second logical group for the data flow is available.
  - 13. The computer-readable medium of claim 9, wherein the method further comprises dropping the packet belonging to the first logical group in response to the failover option not being enabled.
  - 14. The computer-readable medium of claim 9, wherein the ports configured as members of the first logical group are Fibre Channel ports and comprise one or more of N_Ports, E_Ports, and EX_Ports.
  - 15. The computer-readable medium of claim 14, wherein the first logical group comprises a set of inter-switch links (ISLs) coupling adjacent E_Ports that form an end-to-end path.
  - 16. The computer-readable medium of claim 14, wherein the first logical group comprises one or more EX_Ports and is configurable to traverse Fibre Channel routers (FCRs) and FCR-coupled fabrics.

17. A switch for facilitating traffic isolation in a network, the switch comprising:
- a set of ports operable as members of a first logical group, wherein a logical group is a subset of ports in the switch and precludes a data flow not belonging to the logical group from reaching a port within the logical group;
  
  a logical-group mapping module adapted to;
  
  identify that a packet belongs to the first logical group based on the subset of ports belonging to the first logical group; and
  
  determine whether a failover option for the first logical group is enabled in response to a port of the first logical group not being available;
  
  anda forwarding module adapted to;
  
  associate the packet with the port as an output port in response to the port being available; and
  
  associate the packet with a second port as an output port in response to the failover option being enabled, wherein the second port is a member of a second logical group, and wherein the second logical group is distinct from the first logical group.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The switch of claim 17, further comprising a Quality-of-Service (QoS) enforcement module adapted to enforce one or more QoS parameters for a QoS class based on the first logical group.
  - 19. The switch of claim 17, further comprising a logical-group configuration module adapted to:
    - propagate the configuration of the first logical group across one or more switches;
      
      determine whether a local switch domain is part of the logical group; and
      
      update a local forwarding table with the configuration of the first logical group.
  - 20. The switch of claim 17, wherein the forwarding module is further adapted to associate the packet with the second port as an output port in response to a next-hop port within the first logical group for the packet not being available, wherein a next-hop port within the second logical group for the data flow is available.
  - 21. The switch of claim 17, wherein the forwarding module is further operable to drop the packet belonging to the first logical group port in response to the failover option not being enabled.
  - 22. The switch of claim 21, wherein the ports are adapted to operate as members of the first logical group are Fibre Channel ports and comprise one or more of N_Ports, E_Ports, and EX_Ports.
  - 23. The switch of claim 21, wherein the first logical group comprises a set of inter-switch links (ISLs) coupling adjacent E_Ports that form an end-to-end path.
  - 24. The switch of claim 21, wherein the first logical group comprises one or more EX_Ports and is operable to traverse Fibre Channel routers (FCRs) and FCR-coupled fabrics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Abraham, Vineet M., Tadisina, Shashank R., Chung, Daniel Ji Yong Park, Gnanasekaran, Sathish K., Lai, Raymond Yimin
Primary Examiner(s)
Vu, Huy D
Assistant Examiner(s)
Duffy, James P

Application Number

US12/550,227
Time in Patent Office

2,370 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 45/22 Alternate routing

H04L 45/28 using route fault recovery

Method and system for traffic isolation in a network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for traffic isolation in a network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links