Abstract: A method and system for propagating network traffic flows between end points based on service and priority policies. Specifically, the method and system disclosed herein entail configuring network elements with network-disseminated traffic management policies. Each traffic management policy guides the handling of a network traffic flow between origination and termination end points (i.e., source and destination hosts), which may be defined through data link layer, network layer, and/or transport layer header information, as well as group assignment information, associated with the source and destination hosts.

Abstract: Systems and methods are provided herein for implementing multi-table OpenFlow flows that have combinations of packet edits. This may be accomplished by a network device receiving a first flow entry with a first set of actions to be installed into a flow table. The network device may determine that the first set of actions includes edits to a plurality of fields of a matched data packet. In response, the network device may change the first set of actions of the first flow entry to edit a first field of the data packet and create a second flow entry with a second set of actions to edit a second field of the data packet. The network device may install the first and second flow entries into one or more flow tables of the network device.

Abstract: A method and system for propagating network traffic flows between end points based on service and priority policies. Specifically, the method and system disclosed herein entail configuring network elements with network-disseminated traffic management policies. Each traffic management policy guides the handling of a network traffic flow between origination and termination end points (i.e., source and destination hosts), which may be defined through data link layer, network layer, and/or transport layer header information, as well as group assignment information, associated with the source and destination hosts.

Abstract: Techniques for implementing multi-table OpenFlow using a parallel hardware table lookup architecture are provided. In certain embodiments, these techniques include receiving, at a network device from a software-defined networking (SDN) controller, flow entries for installation into flow tables of the network device, where the flow entries are structured in a manner that assumes the flow tables can be looked-up serially by a packet processor of the network device, but where the flow tables are implemented using hardware lookup tables (e.g., TCAMs) that can only be looked-up in parallel by the packet processor. The techniques further include converting, by the network device, the received flow entries into a format that enables the packet processor to process ingress network traffic correctly using the flow entries, despite the packet processor's parallel lookup architecture, and installing the converted flow entries into the flow tables/hardware lookup tables.

Abstract: Incoming packets in a switch are associated with one or more group identifiers based on content contained in the incoming packets. Rules for processing the corresponding outgoing packets are identified based at least on the group identifiers associated with the incoming packets. Actions associated with matched rules are applied to the outgoing packets.

Abstract: A method and system for processing network traffic is disclosed. The method includes receiving one or more service policies from a control plane service. For each of service policies, a value pattern is generated using at least one of a source group data item and a destination group data item, and a pattern mask is generated on subset of bit locations in the value pattern. The method includes updating a lookup table to incorporate each of the one or more service policies that entails allocating memory for consolidating a new entry in a portion of the lookup table designated for control plane policies. The new entry includes a binding relating the value pattern and the pattern mask to a lookup table result, and the lookup table result specifies a traffic flow instruction and a priority level included in a service policy of the one or more service policies.

Abstract: Techniques for ensuring that, in the context of network traffic load-balanced across a plurality of service devices connected to a network device, all of the bi-directional traffic between a given pair of hosts residing in different domains is sent to the same service device, where a “domain” is a group of one or more hosts/subnets that is reachable by a service device via an interface of that device. In one set of embodiments, these techniques can include (1) creating a load balancer group on the network device for each domain defined on the service devices, such that the load balancer group for a given domain D includes all of the service device interfaces mapped to D, (2) enabling symmetric hashing with respect to each load balancer group, and (3) synchronizing the hash tables of the load balancer groups such that a given hash bucket (across all hash tables) maps to an interface of a single service device.

Abstract: Methods and systems for managing network device fabrics. The methods and systems may entail the re-assignment of enforcement responsibilities, pertinent to one or more traffic management and/or access rules, from a service device to a network device fabric.

Abstract: Systems and methods are provided for programming a network device. A method includes receiving a wild card entry at the network device, the network device including a ternary content addressable memory (TCAM) table and an exact match (EM) table. The method determines whether the wild card entry is compatible with the EM table. In response to determining that the wild card entry is compatible with the EM table, the method determines the available space in the EM table, the usage of the TCAM table, and at least one flow characteristic of the wild card entry. The method evaluates the determined available space in the EM table, usage of the TCAM table, and the at least one flow characteristic against a set of stored rules that select the EM table or the TCAM table. The method programs the wild card entry in the EM table or TCAM table based upon the selection.

Abstract: Systems and methods are provided herein for implementing multi-table OpenFlow flows that have combinations of packet edits. This may be accomplished by a network device receiving a first flow entry with a first set of actions to be installed into a flow table. The network device may determine that the first set of actions includes edits to a plurality of fields of a matched data packet. In response, the network device may change the first set of actions of the first flow entry to edit a first field of the data packet and create a second flow entry with a second set of actions to edit a second field of the data packet. The network device may install the first and second flow entries into one or more flow tables of the network device.

Abstract: Security policies are translated into access-control list entries and can be stored by switches in the computer network. When a new device is connected to the computer network, the device may be resolved to the group for which it is a member and an ACL entry may be created for the new device. In networks having redundant switches, the ACL entries may be stored by each redundant network switch.

Abstract: A method and system for steering bidirectional network traffic to a same service device. Specifically, the disclosed method and system entail the maintaining and synchronization of link aggregation group (LAG) tables tied to a pair of LAG ports instantiated on a network element directly connected to a pair of peer linking service devices. Network traffic (i.e., MAC frames) arriving at the network element, from a first host and intended for a second host (e.g., indicative of a first direction of the network traffic), may be steered towards one of the pair of service devices based on hashing of information included in a received MAC frame in conjunction with the LAG table tied to the LAG port (of the pair of LAG ports) that which received the MAC frame.

Abstract: Systems and methods are provided herein for implementing multi-table OpenFlow flows that have combinations of packet edits. This may be accomplished by a network device receiving a first flow entry with a first set of actions to be installed into a flow table. The network device may determine that the first set of actions includes edits to a plurality of fields of a matched data packet. In response, the network device may change the first set of actions of the first flow entry to edit a first field of the data packet and create a second flow entry with a second set of actions to edit a second field of the data packet. The network device may install the first and second flow entries into one or more flow tables of the network device.

Abstract: Systems and methods are provided herein for implementing multi-table OpenFlow flows that have combinations of packet edits. This may be accomplished by a network device receiving a first flow entry with a first set of actions to be installed into a flow table. The network device may determine that the first set of actions includes edits to a plurality of fields of a matched data packet. In response, the network device may change the first set of actions of the first flow entry to edit a first field of the data packet and create a second flow entry with a second set of actions to edit a second field of the data packet. The network device may install the first and second flow entries into one or more flow tables of the network device.

Abstract: A method and system for optimizing service device traffic management. Specifically, the method and system disclosed herein entail filtering network traffic flows directed to service devices, distributed throughout a network, for inspection. Through the aforementioned filtering, a targeted subset of network traffic flows may be identified and excluded from service device processing. The filtering thus alleviates traffic congestion and improves traffic throughput at the service device(s), thereby optimizing the management and/or processing of network traffic flows redirected to the service device(s).

Abstract: Incoming packets in a switch are associated with one or more group identifiers based on content contained in the incoming packets. Rules for processing the corresponding outgoing packets are identified based at least on the group identifiers associated with the incoming packets. Actions associated with matched rules are applied to the outgoing packets.

Abstract: A method and system for propagating network traffic flows between end points based on service and priority policies. Specifically, the method and system disclosed herein entail configuring network elements with network-disseminated traffic management policies. Each traffic management policy guides the handling of a network traffic flow between origination and termination end points (i.e., source and destination hosts), which may be defined through data link layer, network layer, and/or transport layer header information, as well as group assignment information, associated with the source and destination hosts.

Abstract: A method and system for steering network traffic towards a service device. Specifically, the disclosed method and system entail the installation of multiple service devices around a network. Service policies are cloned across the multiple service devices, and further, each service device is assigned common virtual routing and bridging addresses. Using at least these common virtual routing and bridging addresses, intercept virtual tunnel end points (VTEPs) redirect or bridge network traffic to a service device.

Abstract: Techniques for ensuring that, in the context of network traffic load-balanced across a plurality of service devices connected to a network device, all of the bi-directional traffic between a given pair of hosts residing in different domains is sent to the same service device, where a “domain” is a group of one or more hosts/subnets that is reachable by a service device via an interface of that device. In one set of embodiments, these techniques can include (1) creating a load balancer group on the network device for each domain defined on the service devices, such that the load balancer group for a given domain D includes all of the service device interfaces mapped to D, (2) enabling symmetric hashing with respect to each load balancer group, and (3) synchronizing the hash tables of the load balancer groups such that a given hash bucket (across all hash tables) maps to an interface of a single service device.

Abstract: Techniques for implementing multi-table OpenFlow using a parallel hardware table lookup architecture are provided. In certain embodiments, these techniques include receiving, at a network device from a software-defined networking (SDN) controller, flow entries for installation into flow tables of the network device, where the flow entries are structured in a manner that assumes the flow tables can be looked-up serially by a packet processor of the network device, but where the flow tables are implemented using hardware lookup tables (e.g., TCAMs) that can only be looked-up in parallel by the packet processor. The techniques further include converting, by the network device, the received flow entries into a format that enables the packet processor to process ingress network traffic correctly using the flow entries, despite the packet processor's parallel lookup architecture, and installing the converted flow entries into the flow tables/hardware lookup tables.