Title of invention: Filtration of Network Traffic Using Virtually-Extended Ternary Content-Addressable Memory (TCAM)
Abstract: Ternary content-addressable memory (TCAM) of an ingress appliance in a visibility fabric may include rules for filtering traffic received by the ingress appliance. But the TCAM has limited space for rules and can become easily exhausted. By migrating rules to other visibility nodes in the visibility fabric, the techniques introduced here allow the TCAM to be virtually extended across multiple visibility nodes. More specifically, upon receiving a data packet at an ingress port, the ingress visibility node can tag the data packet with an identifier based on which ingress port received the data packet. The ingress visibility node can then determine, based on the identifier, whether the data packet should be filtered using a rule stored in the TCAM of the ingress visibility node or a rule stored in the TCAM of some visibility node in the visibility fabric.
Publication number: US2017126563(A1) Publication date: 2017.05.04
Application number: US201514931502 Filing date: 2015.11.03
Applicant: Gigamon Inc. Inventors: NANDA Avoy;NGUYEN Hoang
Classification: H04L12/741;H04L12/947;H04L12/911 Main classification: H04L12/741
Agency: Agent:
Principal claim: 1. A method of utilizing ternary content-addressable memory (TCAM) distributed across network appliances within a network traffic visibility fabric, the method comprising: receiving a first data packet at a first ingress port of a first network appliance and a second data packet at a second ingress port of the first network appliance; tagging, by the first network appliance, the first data packet with a first identifier based on the first ingress port; tagging, by the first network appliance, the second data packet with a second identifier based on the second ingress port; determining, by the first network appliance, whether each of the first data packet and the second data packet should be filtered using a first set of filtering rules stored within the first network appliance or a second set of filtering rules stored within a second network appliance, wherein said determining is based on the identifier with which the first data packet and the second data packet are tagged; upon determining that the first data packet should be filtered using the first set of filtering rules, applying, by the first network appliance, a first filtering rule of the first set of filtering rules to the first data packet, wherein the first filtering rule is determined based on the first identifier with which the first data packet is tagged; and transmitting, by the first network appliance, the first data packet to the second network appliance; and upon determining that the second data packet should be filtered using the second set of filtering rules, transmitting, by the first network appliance, the second data packet to the second network appliance; and applying, by the second network appliance, a second filtering rule of the second set of filtering rules to the second data packet, wherein the second filtering rule is determined based on the second identifier with which the second data packet is tagged.
Address: Santa Clara CA US