Abstract: Various embodiments of a virtual output queue system within a network element enables per-input port virtual output queues within a network data processor of the network element. In one embodiment, each port managed by a network data processor has an associated set of virtual output queues for each output port on the network data element. In one embodiment, network data processor hardware supports per-processor VOQs and per-input port VOQs are enabled in hardware for layer 3 forwarding by overloading layer 2 forwarding logic. In such embodiment, a mapping table is generated to enable virtual per-input port VOQs for layer 3 forwarding logic using layer 2 logic that is otherwise unused during layer 3 forwarding. In one embodiment, multiple traffic classes can be managed per-input port when using per-input port VOQs. In one embodiment, equal cost multi-path (ECMP) and link aggregation support is also enabled.

Abstract: Described herein are various embodiments of a network element including an access control list processing module to process an access control list of the network element. In one embodiment, the access control list processing module converts the access control list into set of subsections of rules, where each rule of a subsection mutually exclusive of each other rule in the subsection. The network element may then make forwarding decisions for network data using the set of subsections of rules. In one embodiment, semantics preserving transformations can be applied to rules and data to enable more efficient processing of filtering or rules.

Abstract: A method and apparatus of a device that determines a match for a destination address using an exact match table and a longest prefix match table of a network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element generates a key for the destination address, wherein the key represents more addresses than the destination address. The network element further performs an address lookup using the key in an exact match table. Furthermore, a match in the address lookup indicates a first transmitting interface of the network element. The network element additionally performs an address lookup using the destination address with a longest prefix match table, wherein a match in the address lookup indicates a second transmitting interface of the network element.

Abstract: Various embodiments of a network element comprising a control plane including stream tracer logic are described herein. The network element additionally includes a data plane coupled to the control plane, where the data plane includes forwarding logic to forward a unit of network data from an ingress interface to an egress interface. The stream tracer logic can be configured to cause marking logic to mark selected units of network data for to be counted by counting logic and to cause the counting logic to count marked units of network data. The stream tracer logic can determine whether units of network data are dropped within the forwarding logic via comparison of an ingress count of the marked units of network data with an egress count of the marked units of network data.

Abstract: A method and apparatus of a device that determines a match for a destination address using an exact match table and a longest prefix match table of a network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element generates a key for the destination address, wherein the key represents more addresses than the destination address. The network element further performs an address lookup using the key in an exact match table. Furthermore, a match in the address lookup indicates a first transmitting interface of the network element. The network element additionally performs an address lookup using the destination address with a longest prefix match table, wherein a match in the address lookup indicates a second transmitting interface of the network element.

Abstract: Methods, computer readable mediums, and systems for securing network traffic data. The method of securing network traffic data may include obtaining a network traffic data unit, that includes: a payload; forwarding information, that includes: a first forwarding portion; and a second forwarding portion that indicates a network tunnel; encryption type information; and encryption location information; analyzing a first segment of the first forwarding portion to obtain a first forwarding location; modifying the network traffic data unit, based on the encryption type information and the encryption location information, to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit to the first forwarding location.

Abstract: Embodiments of the invention may relate to methods, systems, and/or non-transitory computer readable mediums for sidelining Such sidelining may include making a first determination, by a first network device, that a first network device state has degraded and making a first request, based on the first determination, to receive a first sideline token from a network controller. The network controller, in response to the first request, may make a second determination that a remaining sideline token is available. The method may also include receiving, by the first network device and based on the second determination, the remaining sideline token from the network controller and initiating, by the first network device, a graceful offlining based on receiving the remaining sideline token.

Abstract: Methods and systems for modifying network traffic data. The method of modifying network traffic may include receiving a network traffic data unit that includes an identifier, at a proxy port; based on the identifier, performing a proxy port action set to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit towards an egress port.

Abstract: Various embodiments of a network element comprising a control plane including stream tracer logic are described herein. The network element additionally includes a data plane coupled to the control plane, where the data plane includes forwarding logic to forward a unit of network data from an ingress interface to an egress interface. The stream tracer logic can be configured to cause marking logic to mark selected units of network data for to be counted by counting logic and to cause the counting logic to count marked units of network data. The stream tracer logic can determine whether units of network data are dropped within the forwarding logic via comparison of an ingress count of the marked units of network data with an egress count of the marked units of network data.

Abstract: Accelerating monitoring of network traffic by: configuring a first network chip of a non-accelerated line card with a VOQ associated with an internal interface that is connected to a second network chip of a first accelerated line card; receiving, at the first network chip, a data unit; selecting, by the first network chip, the data unit based on a traffic sampling rate; adding information identifying the data unit as having been selected for sampling to obtain a selected data unit; and sending the selected data unit from the first network chip to the second network chip using the VOQ and the internal interface. The second network chip identifies the selected data unit and, based on the identification, appends a sampling header to the data unit to obtain a sampled data unit, and transmits the sampled data unit to the sampling engine of the first accelerated line card.

Abstract: A method and system for accelerating monitoring of network traffic. The method may include receiving, at a network chip of a network device, a network traffic data unit; selecting, by the network chip, the network traffic data unit based on a traffic sampling rate; processing, by the network chip, the network traffic data unit to obtain sample information; truncating the network traffic data unit to obtain a network traffic data unit portion; generating a flow sample header comprising the sample information; storing, in storage of the network chip, a flow sample comprising the flow sample header and the network traffic data unit portion; constructing a flow datagram comprising the flow sample and a plurality of other flow samples; sending the flow datagram to a collector; and clearing the flow sample and the plurality of other flow samples from the storage of the network chip.

Abstract: A method and system of accelerating monitoring of network traffic. The method may include receiving, at a network chip of a network device, a network traffic data unit; capturing, by the network chip, the network traffic data unit based on a traffic sampling rate; adding, by the network chip, a sampling header to the network traffic data unit to obtain a sampled network traffic data unit; sending the sampled network traffic data unit from the network chip to a sampling engine; receiving, from the sampling engine, a flow datagram that includes a network traffic data unit portion and a flow datagram header; generating a flow network data traffic unit that includes the flow datagram; and transmitting the flow network data traffic unit towards a collector.

Abstract: A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the network element receives control plane data and determines a class of the control plane data. In addition, the network element marks the control plane data based on at least on an existence of an indication of whether the network element had previously processed other data in the same class as the class of the control plane data. Furthermore, the network element queues the control plane data.

Abstract: A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the network element receives network data and determines a class of the network data. The network element additionally determines that this class of the network data is to be processed. The network element further marks the network data based on at least on an existence of an indication of whether the network element had previously processed other data in the same class as the class of the network data. Furthermore, the network element queues the network data.

Abstract: A method and apparatus of a device that determines a match for a destination address using an exact match table and a longest prefix match table of a network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element generates a key for the destination address, wherein the key represents more addresses than the destination address. The network element further performs an address lookup using the key in an exact match table. Furthermore, a match in the address lookup indicates a first transmitting interface of the network element. The network element additionally performs an address lookup using the destination address with a longest prefix match table, wherein a match in the address lookup indicates a second transmitting interface of the network element.

Abstract: Various embodiments of a virtual output queue system within a network element enables per-input port virtual output queues within a network data processor of the network element. In one embodiment, each port managed by a network data processor has an associated set of virtual output queues for each output port on the network data element. In one embodiment, network data processor hardware supports per-processor VOQs and per-input port VOQs are enabled in hardware for layer 3 forwarding by overloading layer 2 forwarding logic. In such embodiment, a mapping table is generated to enable virtual per-input port VOQs for layer 3 forwarding logic using layer 2 logic that is otherwise unused during layer 3 forwarding. In one embodiment, multiple traffic classes can be managed per-input port when using per-input port VOQs. In one embodiment, equal cost multi-path (ECMP) and link aggregation support is also enabled.

Abstract: A method and apparatus of a device that determines a match for a destination address using an exact match table and a longest prefix match table of a network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element generates a key for the destination address, wherein the key represents more addresses than the destination address. The network element further performs an address lookup using the key in an exact match table. Furthermore, a match in the address lookup indicates a first transmitting interface of the network element. The network element additionally performs an address lookup using the destination address with a longest prefix match table, wherein a match in the address lookup indicates a second transmitting interface of the network element.

Abstract: Various embodiments of a virtual output queue system within a network element enables per-input port virtual output queues within a network data processor of the network element. In one embodiment, each port managed by a network data processor has an associated set of virtual output queues for each output port on the network data element. In one embodiment, network data processor hardware supports per-processor VOQs and per-input port VOQs are enabled in hardware for layer 3 forwarding by overloading layer 2 forwarding logic. In such embodiment, a mapping table is generated to enable virtual per-input port VOQs for layer 3 forwarding logic using layer 2 logic that is otherwise unused during layer 3 forwarding. In one embodiment, multiple traffic classes can be managed per-input port when using per-input port VOQs. In one embodiment, equal cost multi-path (ECMP) and link aggregation support is also enabled.

Abstract: A method and apparatus of a device that determines a match for a destination address using an exact match table and a longest prefix match table of a network element is described. In an exemplary embodiment, the network element receives a data packet that includes a destination address. The network element generates a key for the destination address, wherein the key represents more addresses than the destination address. The network element further performs an address lookup using the key in an exact match table. Furthermore, a match in the address lookup indicates a first transmitting interface of the network element. The network element additionally performs an address lookup using the destination address with a longest prefix match table, wherein a match in the address lookup indicates a second transmitting interface of the network element.

Abstract: Methods and systems for per-input port, per-control plane network data traffic class control plane policing in a network element are described. In one embodiment, the method comprises receiving control plane network data at an input port of a network element, wherein the control plane network data is data that is processed by the control plane. The method may also include classifying the control plane network data based on characteristics of the control plane network data. Furthermore, the method may include storing the control plane network data in one of a plurality of output queues for the input port based on a class of the control plane network data, and forwarding control plane network data from a selected one of the plurality of output queues to a control plane of the network element.