METHOD OF HANDLING DATA PACKETS THROUGH A STATE TRANSITION TABLE AND APPARATUS USING THE SAME

Abstract

The apparatus (SW) has a plurality of input/output ports (P1, P2, P3, P4, P5) for receiving and transmitting data packets, and comprises a data packets handling circuitry (DPL) arranged to forward data packets between the input/output ports (P1, P2, P3, P4, P5) and an internal apparatus controller (CPL) arranged to control the data packet handling circuitry (DPL); the apparatus (SW) has a control port (PC) for communication between the internal apparatus controller (CPL) and an external network controller (NWC); the apparatus controller (CPL) is arranged to store (MEM) at least one state transition table (TT) to be used for controlling the forwarding of data packets by the data packets handling circuitry (DPL); the apparatus controller (DPL) is arranged to use said at least one state transition table (TT) for implementing at least one finite state machine (FSM); the apparatus controller (DPL) is arranged to use said at least one state transition table (TT) for handling separately distinct incoming data packets flows through corresponding distinct instances of finite state machine; the apparatus controller (DPL) is arranged to receive said at least one state transition table (TT) through the control port (PC).

Claims

1. Apparatus having a plurality of input/output ports for receiving and transmitting data packets, and comprising a data packets handling circuitry arranged to forward data packets between the input/output ports and an internal apparatus controller arranged to control said data packet handling circuitry, the apparatus having a control port for communication between the internal apparatus controller and an external network controller, wherein the apparatus controllers is arranged to store at least one state transition table to be used for controlling the forwarding of data packets by the data packets handling circuitry, wherein the apparatus controller is arranged to use said at least one state transition table for implementing at least one finite state machine, wherein the apparatus controller is arranged to use said at least one state transition table for handling separately distinct incoming data packets flows through corresponding distinct instances of finite state machine, wherein the apparatus controller is arranged to receive said at least one state transition table through the control port.

2. Apparatus according to claim 1, wherein said at least one state transition table corresponds to the combination of a state table and a flow table, wherein the apparatus controller is arranged to store the state table and the flow table, wherein the apparatus controller is arranged to receive the flow table through the control port, wherein optionally the apparatus controller is arranged to receive the state table through the control port.

3. Apparatus according to claim 2, wherein the state table comprises a key column and a state column, and the apparatus controller is arranged to determine through the state table state data based on data in incoming data packets, and wherein the flow table comprises a state column, an event column, an action column and an update column, and the apparatus controller is arranged to determine through the flow table action information and update information based on information on events occurring at the input/output ports and on state data determined through the state table, the action information relating to forwarding actions to be performed on incoming data packets, the update information relating to row updates to be performed on data in the state table.

4. Apparatus according to claim 1, wherein the apparatus controller is arranged to use said at least one state transition table for handling separately distinct incoming data packets flows through corresponding distinct instances of finite state machine, wherein the apparatus controller is arranged to handle distinct incoming data packets flows independently or dependently from each other through relations between instances of finite state machine.

5. Apparatus according to claim 3, wherein the update information relates to the same instance of finite state machine or to a different instance of finite state machine.

6. Apparatus according to claim 2, wherein the apparatus controller is arranged to implement at least one key extraction function.

7. Apparatus according to claim 6, wherein the apparatus controller is arranged to apply a first key extraction function to data in incoming data packets for the purpose of querying the state table.

8. Apparatus according to claim 6, wherein the apparatus controller is arranged to apply a second key extraction function to data in incoming data packets for the purpose of updating the state table.

9. Apparatus according to claim 6, wherein the apparatus controller is arranged to receive one or two key extraction rules through the control port to be used for the key extraction function or functions.

10. Method of handling data packets in an apparatus having a plurality of input/output ports for receiving and transmitting data packets, comprising the steps: A) receiving an data packet at a first one of the plurality of input/output ports determining state data based on data in the data packets by looking into a state table, B) determining action information and update information based on information on an event corresponding to step A and on the state data determined at step B by looking into a flow table, C) forwarding the data packet to no input/output ports or to at least a second one of the plurality of input/output ports according to the action information determined at step C, D) updating the state table according to the update information determined at step C, and E) typically transmitting the data packet in accordance to the result of step D.

11. Method according to claim 10, wherein the flow table is received and possibly the state table is received from a network controller.

12. Apparatus according to claim 4, wherein the update information relates to the same instance of finite state machine or to a different instance of finite state machine.

13. Apparatus according to claim 3, wherein the apparatus controller is arranged to implement at least one key extraction function.

14. Apparatus according to claim 4, wherein the apparatus controller is arranged to implement at least one key extraction function.

15. Apparatus according to claim 5, wherein the apparatus controller is arranged to implement at least one key extraction function.

16. Apparatus according to claim 7, wherein the apparatus controller is arranged to apply a second key extraction function to data in incoming data packets for the purpose of updating the state table.

17. Apparatus according to claim 7, wherein the apparatus controller is arranged to receive one or two key extraction rules through the control port to be used for the key extraction function or functions.

18. Apparatus according to claim 8, wherein the apparatus controller is arranged to receive one or two key extraction rules through the control port to be used for the key extraction function or functions.

19. Apparatus according to claim 3, wherein the apparatus controller is arranged to use said at least one state transition table for handling separately distinct incoming data packets flows through corresponding distinct instances of finite state machine, wherein the apparatus controller is arranged to handle distinct incoming data packets flows independently or dependently from each other through relations between instances of finite state machine, wherein the update information relates to the same instance of finite state machine or to a different instance of finite state machine.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0060] The present invention will be described in the following with the aid of annexed drawings wherein:

[0061] FIG. 1 shows a simplified block diagram of an embodiment of an apparatus according to the present invention,

[0062] FIG. 2 shows schematically the use of a state table and a flow table according to an embodiment of a method according to the present invention,

[0063] FIG. 3 shows a flow chart of an embodiment of a method according to the present invention,

[0064] FIG. 4 shows a state diagram and two tables relating to a first example of application of the present invention, and

[0065] FIG. 5 shows two tables relating to a second example of application of the present invention.

[0066] Such description and such drawings are not to be considered as limiting the present invention that is only defined by the annexed claims; in fact, it will clear to one skilled in the art that the embodiments described in the following may be subject to modifications and variants in their details and that alternative embodiments are possible.

DETAILED DESCRIPTION OF THE INVENTION

[0067] The network forwarding apparatus SW of the embodiment of FIG. 1, that may be called a “switch”, has five input/output ports P1, P2, P3, P4, P5 for receiving and transmitting IP packets, and comprises two basic building blocks: an IP packets handling circuitry DPL, a so-called “data plane”, and an internal apparatus controller CPL, a so-called “control plane”; circuitry DPL is arranged to forward IP packets between the input/output ports P1, P2, P3, P4, P5; the internal controller CPL is arranged to control circuitry DPL. Apparatus SW has also a control port PC for communication between the internal apparatus controller CPL and an external network controller NWC; external controller NWC is arranged to control not only apparatus SW, but also many other similar network apparatuses.

[0068] Controller CPL comprises a memory MEM that is designed to store at least one state transition table TT to be used by the controller CPL for controlling the forwarding of IP packets by circuitry DPL; controller CPL is arranged to use the state transition table TT for implementing at least one finite state machine FSM and for handling separately distinct incoming IP packets flows through corresponding distinct instances of finite state machine. From the theoretical point of view, the transition table TT might be considered part of the “data plane”; in this case, the controller CPL would manage the transition table TT as an external component.

[0069] In the embodiment of FIG. 1, state transition table TT corresponds to the combination of a state table ST and a flow table FT. Apparatus internal controller CPL is arranged to receive transition table TT through the control port PC from the network external controller NWC; in particular, it receives flow table FT with full data content and state table ST with some initial data content; during operation of apparatus SW, data content is built and partially added and partially replaced to the initial data content of state table ST.

[0070] FIG. 2 shows the state table ST and the flow table FT; the state table FT comprises a key column KC and a state column SC; the flow table FT comprises a state column SC, an event column EC, an action column AC and an update column UC.

[0071] FIG. 2 shows also a first key extraction function KE1 that uses first key information (corresponding to a first key extraction rule) for key extraction, and a second key extraction function KE2 that uses second key information (corresponding to a second key extraction rule) for key extraction.

[0072] In general, data relating to the tables ST and FT and the functions KE1 and KE2, if used, are received from the network external controller NWC during configuration of the apparatus SW.

[0073] Event information EI is provided by the data plane DPL to the control plane CPL for each IP packet received by the apparatus SW; typically, event information EI consists in the packet header of the received IP packet and the port number Pi of the i/o port where the IP packet has been received.

[0074] Action information AI is provided by the control plane CPL to the data plane DPL for each IP packet received by the apparatus SW; typically, action information AI consists in the packet header of the received IP packet and the port number Pj of the i/o port where the IP packet has to be forwarded and then, typically, transmitted.

[0075] The first key extraction function KE1 extracts key data K1 from the packet header. Key data K1 are used to query the state table ST.

[0076] The result of the state table query is state data SD.

[0077] State data SD and event information EI (the port number Pi, or selected data in the packet header, or port number Pi and selected data in the packet header) are used to query flow table. Usually, not the whole event information EI is used for the query, but any combination of switch port number, source MAC address, destination MAC address, source IP address, destination IP address, source TCP port, destination TCP port, and even Wireless LAN ID, IP protocol, Ethernet type. Matching for the purpose of querying the flow table FT is based on the state column SC (in relation to the stated data) and the event column EC (in relation to the event information).

[0078] The result of flow table query is update information UI and action information AI.

[0079] The second key extraction function KE2 extracts key data K2 from the packet header.

[0080] Key data K2 and event information EI are used to update the state table ST.

[0081] The processing shown by the flow chart of FIG. 3 refers to the element shown in FIG. 2; it has a start S30 and a stop S39, and comprises the following steps: [0082] S31: receiving the flow table FT (structure and full data) at control port PC from network controller NWC (configuration of apparatus SW), [0083] S32: receiving the state table ST (structure and some data) at control port PC from network controller NWC (configuration from apparatus SW), [0084] S33: receiving an IP packet at a first one port Pi of the plurality of input/output ports P1, P2, P3, P4, P5, [0085] S34: determining state data SD based on data in the IP packets by looking into the state the table ST, [0086] S35: determining action information AI and update information UI based on information on an event corresponding to step S33 and on the state data SD determined at step S34 by looking into the flow table FT, [0087] S36: forwarding the IP packet to no input/output ports or to at least a second one port Pj of the plurality of input/output ports P1, P2, P3, P4, P5 according to the action information AI determined at step S35, [0088] S37: updating the state table ST according to the update information UI determined at step S35, [0089] S38: transmitting the IP packet in accordance to the result of step S36.

[0090] The processing shown by the flow chart of FIG. 3 is repeated from step S33 to S38 for any new IP packets received by input/output ports P1, P2, P3, P4, P5 of apparatus SW.

[0091] Steps S31 and S32 may be repeated in case of reconfiguration of apparatus SW by network controller NWC.

First Example of Application—“Port Knocking”

[0092] The example that will described in the following with the aid of FIG. 4 relates to the opening of a data link between nodes of a network if such opening is subject to a preliminary “port knocking” phase.

[0093] According to this example, a source node may send data to a destination node only through TCP port #22 and the preliminary “port knocking” sequence corresponds to #5123, #6234, #7345, #8456. In other words, if a first node wants to send data packets to another node, at first the first node must send an IP packet wherein TCPdport (i.e. “TCP destination port”)=#5123, then the first node must send an IP packet wherein TCPdport=#6234, then the first node must send an IP packet wherein TCPdport=#7345, finally the first node must send an IP packet wherein TCPdport=#8456; afterwards, the first node may send IP packets carrying data to another node but specifying TCPdport=#22.

[0094] Therefore, according to this example, IP packets flows are identified by the IP address of the source node.

[0095] For the sake of simplicity, this example considers only the opening of a data link between nodes of a network and does not consider the subsequent closing of the data link.

[0096] The state diagram of the procedure of this example is shown in FIG. 4A; it comprises five states labeled: “STATE-0”, “STATE-1”, “STATE-2”, “STATE-3”, “STATE-4”; “STATE-0” is considered the “DEFAULT” state (the data link is closed) and “STATE-4” is considered the “OPEN” state (the data link is open).

[0097] FIG. 4B shows a flow table FT that is used for implementing the procedure of this example according to the present invention; such flow table is stored into the control plane CPL of the apparatus SW during configuration of the apparatus SW by the network controller NWC.

[0098] FIG. 4C shows a state table ST that is used for implementing the procedure of this example according to the present invention as it is at the beginning, i.e. just after configuration of the apparatus SW by the network controller NWC; according to this example, such state table is stored into the control plane CPL of the apparatus SW during configuration of the apparatus SW by the network controller NWC.

[0099] At the beginning, an IP packet is received at an i/o port of the apparatus SW; this is an event, i.e. the first event.

[0100] Event information EI is provided by the data plane DPL to the control plane CPL; event information EI consists in the packet header of the received IP packet and the port number Pi of the i/o port where the IP packet has been received.

[0101] The activities described in the following occur within the control plane CPL.

[0102] Key data K1 are extracted from the packet header based on first key information and used to query the state table ST; in this example, the first key information specifies that key data to be extracted from the header of the received IP correspond to IPsrc (i.e. “source IP address”).

[0103] For example, the key data K1 of the currently handled IP packet is “1.10.100.1”.

[0104] At the beginning, the state table ST contains, for example and as shown in FIG. 4C, only the following row:

TABLE-US-00001 KC SC * STATE-0
wherein “*” is symbol of data that match with any key data.

[0105] The state table ST is scanned from top to bottom in order to find the first row that matches with the key data extracted from the just received IP packet. The result of the query, i.e. state data SD, is “STATE-0” as there is only one row and as “*” matches with “1.10.100.1”.

[0106] State data SD are used to query the flow table FT.

[0107] Event data ED are extracted from the event information EI and are used to query the flow table FT; in this example, the event data ED is the TCPdport (i.e. “TCP destination port”) in the header of the received IP packet.

[0108] Thus the flow table FT is queried through the state data SD and the event data ED, i.e. it is scanned from top to bottom in order to find the first row that matches with the state data SD and the event data ED.

[0109] At this point, data SD=“STATE-0”.

[0110] If the TCPdport in the currently handled IP packet is different from 5123, i.e. ED is different from 5123, a match occurs only with the last row of the flow table FT. The result of the query, the action information AI is “drop” and the update information UI is “STATE-0”.

[0111] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received IP packet is dropped.

[0112] Based on the update information UI the state table ST is updated.

[0113] In order to carry out the updating, key data K2 are extracted from the packet header based on second key information; in this example, the second key information specifies that key data to be extracted from the header of the received IP correspond to IPsrc (i.e. “source IP address”); it is to be noted that, according to this example, the first key information and the second key information coincide and therefore the key data K1 and key data K2 are identical. In this case, the key data K2 of the currently handled IP packet is “1.10.100.1”.

[0114] At this stage a row is added to the state table ST using key data K2, i.e. “1.10.100.1”, and update information UI, “STATE-0”, see below.

TABLE-US-00002 KC SC 1.10.100.1 STATE-0 * STATE-0

[0115] If the TCPdport in the currently handled IP packet is equal to 5123, i.e. ED is equal to 5123, a match occurs with the first row of the flow table FT. The result of the query, the action information AI is “drop” and the update information UI is “STATE-1”.

[0116] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received IP packet is dropped.

[0117] Based on the update information UI the state table ST is updated.

[0118] In order to carry out the updating, key data K2 are extracted from the packet header based on second key information; in this example, the second key information specifies that key data to be extracted from the header of the received IP correspond to IPsrc (i.e. “source IP address”); it is to be noted that, according to this example, the first key information and the second key information coincide and therefore the key data K1 and key data K2 are identical. In this case, the key data K2 of the currently handled IP packet is “1.10.100.1”.

[0119] At this stage a row is added to the state table ST using key data K2, i.e. “1.10.100.1”, and update information UI, “STATE-1”, see below.

TABLE-US-00003 KC SC 1.10.100.1 STATE-1 * STATE-0

[0120] Considering now a further IP packet received, for example, from node “1.10.100.1” and wherein the TCPdport is equal to 6234.

[0121] ED is equal to 6234 and a match occurs with the second row of the flow table FT. The result of the query, the action information AI is “drop” and the update information UI is “STATE-2”.

[0122] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received IP packet is dropped.

[0123] Based on the update information UI the state table ST is updated.

[0124] In order to carry out the updating, the key data K2 are extracted from the packet header based on the second key information; in this case, the key data K2 of the currently handled IP packet is “1.10.100.1”.

[0125] At this stage a row is updated to the state table ST using key data K2, i.e. “1.10.100.1”, and update information UI, “STATE-2”, see below, as there is already a row in state table ST wherein the key data in the key column KC is equal to the key data extracted from the handled IP packet.

TABLE-US-00004 KC SC 1.10.100.1 STATE-2 * STATE-0

[0126] At this point other received IP packets are handled in the same way as described above.

[0127] After handling a certain number of received IP packets, the state table ST may be, for example as below.

TABLE-US-00005 KC SC 1.10.100.1 STATE-2 1.10.100.2 STATE-0 1.10.200.5 STATE-0 1.20.500.8 STATE-0 1.10.100.3 STATE-4 * STATE-0
data link from node 1.10.100.1 is on the way to be opened
data link from node 1.10.100.2 is closed
data link from node 1.10.200.5 is closed
data link from node 1.20.500.8 is closed
data link from node 1.10.100.3 is open

[0128] Till now, five IP packets flows have been handled with: one from node 1.10.100.1, one from node 1.10.100.2, one from node 1.10.100.3, one from node 1.10.200.5, and one from node 1.20.500.8.

[0129] It is apparent that each IP packets flow is dealt with independently. In practice, through the combination of the state table ST and the flow table FT a plurality of distinct instances of finite state machine is implemented; in particular, the heart of the finite state machine is the flow table while the state table allows to have a plurality of instances.

[0130] Considering now a further IP packet received, for example, from node “1.10.100.3”.

[0131] If the TCPdport in this IP packet is equal to 22, i.e. ED is equal to 22, a match occurs with the fifth row of the flow table FT. The result of the query, the action information AI is “forward” and the update information UI is “STATE-4”.

[0132] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received IP packet is forwarded.

[0133] Based on the update information UI the state table ST should be updated. Anyway, there is already a row wherein the key is “1.10.100.3” and the state is “STATE-4”; therefore, there is nothing to add or update.

[0134] The handling of further IP packets follow in the same way as described above.

[0135] According to the above description, tables ST and FT are scanned from top to bottom in order to find a match; anyway, it is to be understood that the matching priority may be determined in different ways (see for example OpenFlow).

Second Example of Application—“Mac Learning”

[0136] The example that will described in the following with the aid of FIG. 5 relates to the forwarding of Ethernet frames by the switch SW based on MAC address of the destination node of the incoming Ethernet frames.

[0137] In order to carry out a good performance, the switch SW must decide, for each of the received Ethernet frames, to which of its five i/o ports P1, P2, P, P4, P5 the Ethernet frame, i.e. the handled data packet, is to be forwarded and then transmitted based on the MAC address of the destination node of the packets; therefore, according to this example, Ethernet frames flows are identified by the destination MAC address.

[0138] The state diagram of the procedure of this example comprises six states labeled: “STATE-0”, “STATE-1”, “STATE-2”, “STATE-3”, “STATE-4”, “STATE-5”; “STATE-0” is considered the “DEFAULT” state and corresponds to the state when the switch SW does not know the correct/best port for the forwarding action; “STATE-1” corresponds to the state when the correct/best port for the forwarding action is port P1; etc.; the action “flood” means forwarding the received Ethernet frames to all the i/o ports of the switch SW.

[0139] FIG. 5A shows a flow table FT that is used for implementing the procedure of this example according to the present invention; such flow table is stored into the control plane CPL of the apparatus SW during configuration of the apparatus SW by the network controller NWC.

[0140] FIG. 5B shows a state table ST that is used for implementing the procedure of this example according to the present invention as it is at the beginning, i.e. just after configuration of the apparatus SW by the network controller NWC; according to this example, such state table is stored into the control plane CPL of the apparatus SW during configuration of the apparatus SW by the network controller NWC. The table of FIG. 5B means that the switch SW has no knowledge of the population and topology of the network.

[0141] At the beginning, an IP packet is received at an i/o port of the apparatus SW; this is an event, i.e. the first event.

[0142] Event information EI is provided by the data plane DPL to the control plane CPL; event information EI consists in the packet header of the received Ethernet frame and the port number Pi of the i/o port where the Ethernet frame has been received.

[0143] The activities described in the following occur within the control plane CPL.

[0144] Key data K1 are extracted from the packet header based on first key information and used to query the state table ST; in this example, the first key information specifies that key data to be extracted from the header of the received Ethernet frame correspond to MACdst (i.e. “destination MAC address”).

[0145] For example, the key data K1 of the currently handled Ethernet frame is Address_003.

[0146] At the beginning, the state table ST contains, for example and as shown in FIG. 5B, only the following row:

TABLE-US-00006 KC SC * STATE-0
wherein “*” is symbol of data that match with any key data.

[0147] The state table ST is scanned from top to bottom in order to find the first row that matches with the key data extracted from the just received IP packet. The result of the query, i.e. state data SD, is “STATE-0” as there is only one row and as “*” matches with Address_1.

[0148] State data SD are used to query the flow table FT.

[0149] Event data ED are extracted from the event information EI and are used to query the flow table FT; in this example, the event data ED is the port # where the currently handled Ethernet frame has been received, for example port P2.

[0150] Thus the flow table FT is queried through the state data SD and the event data ED, i.e. it is scanned from top to bottom in order to find the first row that matches with the state data SD and the event data ED.

[0151] A match occurs with the seventh row of the flow table FT.

[0152] The result of the query, the action information AI is “flood” and the update information UI is “STATE-2”.

[0153] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received Ethernet frame is flooded, i.e. forwarded to all the i/o ports of the switch SW.

[0154] Based on the update information UI the state table ST is updated.

[0155] In order to carry out the updating, key data K2 are extracted from the packet header based on second key information; in this example, the second key information specifies that key data to be extracted from the header of the received Ethernet frame correspond to MACsrc (i.e. “source MAC address”); it is to be noted that, according to this example, the first key information is different from the second key information coincide. In this case, the key data K2 of the currently handled Ethernet frame is Address_008.

[0156] At this stage a row is added to the state table ST using key data K2, i.e. Address_008, and update information UI, “STATE-2”, see below.

TABLE-US-00007 KC SC Address_008 STATE-2 * STATE-0

[0157] We assume now that an IP packet is received at port P3 coming from a node having MAC address equal to Address_005 and directed to a node having MAC address equal to Address_008.

[0158] Key data K1 are extracted from the packet header based on first key information. The extracted key data K1 is Address_008.

[0159] The state table ST is queried. i.e. the state table ST is scanned from top to bottom in order to find the first row that matches with the key data extracted from the just received Ethernet frame.

[0160] The result of the query, i.e. state data SD, is “STATE-2”.

[0161] State data SD are used to query the flow table FT.

[0162] Event data ED are extracted from the event information EI; in this case, the event data ED is port P3.

[0163] Thus the flow table FT is queried through the state data SD and the event data ED, i.e. it is scanned from top to bottom in order to find the first row that matches with the state data SD and the event data ED.

[0164] The result of the query, the action information AI is “forward(P2)” and the update information UI is “STATE-3”.

[0165] Based on the action information AI (that is provided by the control plane CPL to the data plane DPL), the received Ethernet frame is forwarded to port P2 of the switch SW.

[0166] Based on the update information UI the state table ST is updated.

[0167] In order to carry out the updating, key data K2 are extracted from the packet header based on second key information; in this example, the second key information specifies that key data to be extracted from the header of the received Ethernet frame correspond to MACsrc (i.e. “source MAC address”). In this case, the key data K2 of the currently handled IP packet is Address_005.

[0168] At this stage a row is added to the state table ST using key data K2, i.e. Address_005, and update information UI, “STATE-3”, see below.

TABLE-US-00008 KC SC Address_005 STATE-3 Address_008 STATE-2 * STATE-0
node with MAC address Address_005 may be reached from port P3
node with MAC address Address_008 may be reached from port P2

[0169] The handling of further Ethernet frames follow in the same way as described above.

[0170] Till now, two IP packets flows have been handled with: one from node with MAC address Address_005, and one from node with MAC address Address_008.

[0171] It is apparent that each Ethernet frames flow is dealt with dependently due to the “MAC learning function”. In practice, through the combination of the state table ST and the flow table FT a plurality of distinct instances of finite state machine is implemented; in particular, the heart of the finite state machine is the flow table while the state table allows to have a plurality of instances.

[0172] The dependence between the handling of Ethernet frames flows is due to the relation between the instances of finite state machine; in fact, an instance of finite state machine causes changes in other instances of finite state machine, in particular updates in the rows of the state table ST relating to other instances of finite state machine.

[0173] According to the above description, tables ST and FT are scanned from top to bottom in order to find a match; anyway, it is to be understood that the matching priority may be determined in different ways (see for example OpenFlow).