Abstract: In one embodiment, a network device includes an interface to receive packets from sources in a network for forwarding to destinations in the network, the sources and destinations being assigned to groups, each packet including a source and destination identifier, a memory configured to store a source-group mapping table that maps source identifiers to source-groups, a destination-group mapping table that maps destination identifiers to destination-groups, and an intergroup access-control list that maps source-destination-group pairs to forwarding rules, and a single IC chip configured, for each packet, to find a source-group for the source identifier in the source-group mapping table, find a destination-group for the destination identifier in the destination-group mapping table, find a forwarding rule for a source-destination pair including the found source and destination-group in the intergroup access-control list, and forward or drop the packet according to the found forwarding rule.

Abstract: Communication apparatus includes multiple interfaces configured to be connected to a network so as to receive and transmit data packets having respective packet headers that includes a basic header record and one or more optional records. Parsing instructions specify one or more types of the optional records and indicate, for each specified type, an offset within an optional record of the specified type. Upon receiving each packet, routing logic parses the basic header record in the packet, parses the one or more optional records so as to identify any optional records of the one or more specified types, extracts header data from the identified optional records at the offset indicated for the specified type, and processes and forwards the data packets via the interfaces to the network in accordance with information parsed from the basic header record and the extracted header data.

Abstract: A network element connects over a network to a network node via a member link of a Multi-Chassis—Link Aggregation Link Group (MC-LAG), and further connects, using inter-peer ports, to peer network elements coupled to the network node via other MC-LAG member links. A processor of the network element is configured to receive from the network first packets destined to the network node, to receive via the inter-peer ports information indicative of second packets received from the network by the peer network elements that are destined to the network node, to select at least some of the first packets for transmission at an egress rate that jointly with egress rates of the peer network elements does not exceed a predefined MC-LAG maximal rate, based on the first packets and the information, and to transmit the selected first packets to the network node at the egress rate.

Abstract: A network element connects over a network to a network node via a member link of a Multi-Chassis—Link Aggregation Link Group (MC-LAG), and further connects, using inter-peer ports, to peer network elements coupled to the network node via other MC-LAG member links. A processor of the network element is configured to receive from the network first packets destined to the network node, to receive via the inter-peer ports information indicative of second packets received from the network by the peer network elements that are destined to the network node, to select at least some of the first packets for transmission at an egress rate that jointly with egress rates of the peer network elements does not exceed a predefined MC-LAG maximal rate, based on the first packets and the information, and to transmit the selected first packets to the network node at the egress rate.

Abstract: A network switch includes multiple ports that serve as ingress ports and egress ports for connecting to a communication network, and processing circuitry. The processing circuitry is configured to receive packets via the ingress ports, select one or more of the packets for mirroring, create mirror copies of the selected packets and output the mirror copies for analysis, mark the packets for which mirror copies have been created with mirror-duplicate indications, and forward the packets to the egress ports, including the packets that are marked with the mirror-duplicate indications.

Abstract: Packet classification apparatus includes a plurality of switches, including one or more leaf switches and one or more spine switches, each including a memory configured to hold packet classification entries. The ports of the leaf switches include external ports for connection to a packet network and internal ports, which are connected to the ports of at least one of the spine switches. The packet classification entries are selected from a database, which includes an outer partition, which is stored in the memory of the leaf switches, and at least one inner partition, which is stored in the memory of the one or more spine switches.

Abstract: A method for packet generation includes designating a group of one or more ports, from among multiple ports of one or more network elements, to perform the packet generation. A circular packet path, which traverses one or more buffers of the ports in the group, is configured. A burst of one or more packets is provided to the group, so as to cause the burst of packets to repeatedly traverse the circular packet path. A packet stream, including the repeated burst of packets, is transmitted from one of the ports.

Abstract: A method for packet processing includes representing a routing table for a network as a binary search tree of address prefixes ordered by prefix lengths. For each node j in the binary search tree, a respective hash table is stored, including entries representing the address prefixes of length Lj. Each address prefix includes Lj-c most significant bits (MSB) and c least significant bits (LSB), and each entry in the respective hash table includes a matching value corresponding to the Lj-c MSB of one or more of the address prefixes and one or more action codes indexed by the c LSB of the one or more of the address prefixes. Upon receiving from the network a data packet having a destination address, the binary search tree is traversed to find a longest prefix match by performing, at each node j, a hash lookup in the respective hash table.

Abstract: A collection of rules comprising fields that may have wildcard values. The method includes defining first and second subsets of the fields, the second subset being exclusive of the first subset. Intersections of overlapping fields of the first subset are added to the first subset to form an augmented first subset. Metadata from the augmented first subset and the fields not selected for the first subset are combined to define second parts of the rules. Data items are classified by matching a search key to one of the first parts and one of the second parts of the rules.

Abstract: A network element includes a plurality of ports and processing circuitry. The ports are configured for connecting to a communication network. The processing circuitry is configured to receive a packet from the communication network via one of the ports, to assign the packet to a selected queue, to verify whether the packet matches a rule, wherein matching the packet to the rule depends on whether the selected queue is congested, and, when the packet matches the rule, to apply to the packet an action associated with the rule.

Abstract: A method for packet processing includes representing a routing table for a network as a binary search tree of address prefixes ordered by prefix lengths. For each node j in the binary search tree, a respective hash table is stored, including entries representing the address prefixes of length Lj. Each address prefix includes Lj?c most significant bits (MSB) and c least significant bits (LSB), and each entry in the respective hash table includes a matching value corresponding to the Lj?c MSB of one or more of the address prefixes and one or more action codes indexed by the c LSB of the one or more of the address prefixes. Upon receiving from the network a data packet having a destination address, the binary search tree is traversed to find a longest prefix match by performing, at each node j, a hash lookup in the respective hash table.

Abstract: A data packet is received in a network element. The network element has a cache memory in which cache entries represent a portion of addresses stored in a main memory, The destination address and the cache entries each comprise a binary number. A hash function is applied to the masked destination address to access a hash table. When the number of most significant bits corresponding to the value in the hash table in one of the cache entries and in the destination address are identical, routing information for the packet is retrieved from the cache entry.

Abstract: In a network element cache operation is enhanced by extracting a set of fields from a packet, constructing a hash key from the extracted fields, and identifying a subset of the fields, wherein the field values thereof fail to exist in a set of classification rules. The hash key by is modified by masking the subset of the extracted fields. A hash lookup is performed using the modified hash key in a cache memory that stores a portion of the classification rules. The packet is processed responsively to the lookup.

Abstract: Communication apparatus includes a TCAM, which stores a corpus of rules, including respective sets of unmasked and masked bits. The rules conform to respective rule patterns, each defining a different, respective sequence of masked and unmasked bits to which one or more of the rules conform. A RAM caches rule entries corresponding to rules belonging to one or more of the rule patterns that have been selected for caching. Decision logic extracts respective classification keys from data packets, each key including a string of bits extracted from selected fields in a given data packet, and classifies the data packets by first matching the respective classification keys to the cached rule entries in the RAM and, when no match is found in the RAM, by matching the respective classification keys to the rules in the TCAM.

Abstract: Communication apparatus includes a plurality of interfaces and routing logic coupled between the interfaces. The routing logic includes a parser, which extracts header data from selected fields of each data packet received from the network through an ingress interface. At least one hash calculator computes a hash over a first set of the header data extracted by the parser from each received data packet. A virtual routing and forwarding (VRF) instance selector selects a VRF instance for each received data packet responsively to both an ingress indicator associated with the received data packet and a second set of the header data extracted by the parser from the received data packet. A lookup engine selects an egress interface responsively to the selected VRF instance and the computed hash. Forwarding and switching logic forwards the data packet to the selected egress interface for transmission to the network.

Abstract: A data packet is received in a network element. The network element has a cache memory in which cache entries represent a portion of addresses stored in a main memory, The destination address and the cache entries each comprise a binary number. A hash function is applied to the masked destination address to access a hash table. When the number of most significant bits corresponding to the value in the hash table in one of the cache entries and in the destination address are identical, routing information for the packet is retrieved from the cache entry.

Abstract: A network element includes circuitry and multiple ports. The ports are configured to transmit packets to a common destination via multiple paths of a communication network. Each port includes multiple serializers that serially transmit the packets over respective physical lanes. The power consumed by each port is a nonlinear function of the number of serializers activated in the port. The circuitry is configured to select one or more serializers among the ports to (i) meet a throughput demand via the ports and (ii) minimize an overall power consumed by the ports under a constraint of the nonlinear function, and to activate only the selected serializers. The circuitry is configured to choose for a packet received in the network element and destined to the common destination a port in which at least one of the serializers is activated, and to transmit the packet to the common destination via the chosen port.

Abstract: Communication apparatus includes multiple interfaces configured to be connected to a network so as to receive and transmit data packets having respective packet headers that includes a basic header record and one or more optional records. Parsing instructions specify one or more types of the optional records and indicate, for each specified type, an offset within an optional record of the specified type. Upon receiving each packet, routing logic parses the basic header record in the packet, parses the one or more optional records so as to identify any optional records of the one or more specified types, extracts header data from the identified optional records at the offset indicated for the specified type, and processes and forwards the data packets via the interfaces to the network in accordance with information parsed from the basic header record and the extracted header data.

Abstract: Communication apparatus includes multiple interfaces configured to be connected to a network so as to receive and transmit data packets having respective packet headers, which can include sub-headers of different, respective types. A memory stores instructions for parsing each type of sub-headers and a transition table, which indicates, for each of the types, a location of the instructions for parsing a subsequent sub-header depending upon the type of the subsequent sub-header. A plurality of predefined types are represented in the transition table by a common alias. Routing logic parses the first sub-header in a packet, reads the type of the second sub-header from the first sub-header, and accesses the transition table using the common alias in place of the type of the first sub-header so as to locate and read the instructions for parsing the second sub-header.

Abstract: ECMP routing is carried out in fabric of network entities by representing valid destinations and invalid destinations in a group of the entities by a member vector. The order of the elements in the member vector is permuted. A portion of the elements in the permuted vector is pseudo-randomly masked. A flow of packets is transmitted to the first valid destination in the masked member vector.