Abstract: Systems and methods are provided herein for using a network device's software (e.g., programs executed on a CPU) to maintain and export flow data while offloading network resource intensive tasks to the network device's hardware. This may be accomplished by a network device determining whether a new flow should be tracked using only the software table (e.g., table stored only on the CPU) of the network device or whether certain flow tracking tasks (e.g., counting/parsing) can be offloaded to a hardware table (e.g., counter table in a hardware flow cache) of the network device. The network device may use one or more conditions to determine whether the new flow should be tracked using the software table or by both the software and the hardware table. The conditions can relate to the characteristics of the new flow, resource information, prioritization of the new flow, etc.

Abstract: A switching system manager programmed to obtain a base lookup data structure comprising nodes that enumerate all prefixes of a first traffic management policy of a first type and all prefixes of a second traffic management policy of a second type, modify the base lookup data structure based on a first set of inheritance rules associated with the first traffic management policy to generate an updated lookup data structure comprising first traffic management policy label allocations, modify the updated lookup data structure based on a second set of inheritance rules associated with the second traffic management policy to generate a combined lookup data structure comprising the first traffic management policy label allocations and second traffic management policy label allocations, program packet classification hardware of the switching system to adapt the switching system to process packets based on the combined lookup data structure.

Abstract: A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the network element receives control plane data and determines a class of the control plane data. In addition, the network element marks the control plane data based on at least on an existence of an indication of whether the network element had previously processed other data in the same class as the class of the control plane data. Furthermore, the network element queues the control plane data.

Abstract: A method and apparatus of a network element that processes control plane data in a network element is described. In an exemplary embodiment, the network element receives control plane data and determines a class of the control plane data. In addition, the network element marks the control plane data based on at least on an existence of an indication of whether the network element had previously processed other data in the same class as the class of the control plane data. Furthermore, the network element queues the control plane data.

Abstract: Embodiments described herein relate to techniques for distributing shaped subinterfaces among physical interfaces of a port channel. Such techniques include receiving a request to configure a shape rate for a port channel subinterface; generating a physical interface set specifying: a first physical interface and a first allocated bandwidth associated with the first physical interface; and a second physical interface and a second allocated bandwidth associated with the second physical interface; making a selection, using the physical interface set, of the first physical interface based on the first allocated bandwidth being lesser than the second allocated bandwidth; assigning the first physical interface as a first anchor interface for the first port channel subinterface; and adding the first shape rate to the first allocated bandwidth to obtain a first new allocated bandwidth for the first physical interface.

Abstract: Systems and methods are provided herein for using a network device's software (e.g., programs executed on a CPU) to maintain and export flow data while offloading network resource intensive tasks to the network device's hardware. This may be accomplished by a network device determining whether a new flow should be tracked using only the software table (e.g., table stored only on the CPU) of the network device or whether certain flow tracking tasks (e.g., counting/parsing) can be offloaded to a hardware table (e.g., counter table in a hardware flow cache) of the network device. The network device may use one or more conditions to determine whether the new flow should be tracked using the software table or by both the software and the hardware table. The conditions can relate to the characteristics of the new flow, resource information, prioritization of the new flow, etc.

Abstract: Systems and methods for allocating a per-interface access control list (ACL) counter are disclosed. An ACL is applied to a data packet received at an interface of the network element. In response to matching the highest priority ACL rule, a counter value is obtained based on a combination of a base index and an expansion index value. The base index, expansion index, and counter values are stored in their respective tables. The counter value is uniquely associated with the specific ACL rule hit and the interface used to receive the data packet. Systems and methods also allocate a next set of expansion and counter tables when their storage capacity is exceeded. When the next set of tables are allocated, the older set of tables along with their index mappings and entries are preserved.

Abstract: Systems and methods are provided herein for using a network device's software (e.g., programs executed on a CPU) to maintain and export flow data while offloading network resource intensive tasks to the network device's hardware. This may be accomplished by a network device determining whether a new flow should be tracked using only the software table (e.g., table stored only on the CPU) of the network device or whether certain flow tracking tasks (e.g., counting/parsing) can be offloaded to a hardware table (e.g., counter table in a hardware flow cache) of the network device. The network device may use one or more conditions to determine whether the new flow should be tracked using the software table or by both the software and the hardware table. The conditions can relate to the characteristics of the new flow, resource information, prioritization of the new flow, etc.

Abstract: Each switch unit in a networking system shares its local state information among other switch units in the networking system, collectively referred to as the shared forwarding state. Each switch unit creates a respective set of output queues that correspond to ports on other switch unites based on the shared forwarding state. A received packet on an ingress switch unit operating in accordance with a first routing protocol instance can be enqueued on an output queue in the ingress switch; the packet is subsequently processed by the egress switch unit, operating in accordance with a second routing protocol instance that corresponds to the output queue.

Abstract: A network device includes a switching system for directing packets between ingress ports and egress ports of the network device. The network device also includes a switching system manager that makes an identification of a state change of a virtual output queue of the switching system; and performs an action set, based on the state change, to modify a latency of the virtual output queue to meet a predetermined latency in response to the identification.

Abstract: A method and apparatus of a network element that processes network data using a transformed packet classification list in a network element is described. A network element receives a packet classification list and transforms a first set of the plurality of range sets corresponding to a first one of the two or more types of packet characteristics into a first set of range labels. In addition, the network element transforms a second set of the plurality of range sets corresponding to a second one of the two or more types of packet characteristics into a second set of range labels. The network element may create a set of combination labels. The network element further processes network data by performing a first lookup to derive a first combination packet label, performing a second lookup of at least the first combination packet label, and applying a rule resulting from the second lookup to the network data.

Abstract: Embodiments of the present disclosure automatically set a maximum burst size in a policer to optimize the flow of traffic in a network. In one embodiment, a method includes receiving a policer rate set by a first policy, a maximum rate corresponding to one or more communications channels, and maximum burst time for performing at data burst. A maximum burst size is determined automatically based on the received policer rate, maximum rate, and maximum burst time. A policer in a network device is configured to limit traffic received at the one or more communications channels based on the maximum burst size.

Abstract: A network device includes a switching system for directing packets between ingress ports and egress ports of the network device. The network device also includes a switching system manager that makes an identification of a state change of a virtual output queue of the switching system; and performs an action set, based on the state change, to modify a latency of the virtual output queue to meet a predetermined latency in response to the identification.

Abstract: Systems and methods for allocating a per-interface access control list (ACL) counter are disclosed. An ACL is applied to a data packet received at an interface of the network element. In response to matching the highest priority ACL rule, a counter value is obtained based on a combination of a base index and an expansion index value. The base index, expansion index, and counter values are stored in their respective tables. The counter value is uniquely associated with the specific ACL rule hit and the interface used to receive the data packet. Systems and methods also allocate a next set of expansion and counter tables when their storage capacity is exceeded. When the next set of tables are allocated, the older set of tables along with their index mappings and entries are preserved.

Abstract: A switching system manager programmed to obtain a base lookup data structure comprising nodes that enumerate all prefixes of a first traffic management policy of a first type and all prefixes of a second traffic management policy of a second type, modify the base lookup data structure based on a first set of inheritance rules associated with the first traffic management policy to generate an updated lookup data structure comprising first traffic management policy label allocations, modify the updated lookup data structure based on a second set of inheritance rules associated with the second traffic management policy to generate a combined lookup data structure comprising the first traffic management policy label allocations and second traffic management policy label allocations, program packet classification hardware of the switching system to adapt the switching system to process packets based on the combined lookup data structure.

Abstract: Embodiments described herein relate to techniques for distributing shaped subinterfaces among physical interfaces of a port channel. Such techniques include receiving a request to configure a shape rate for a port channel subinterface; generating a physical interface set specifying: a first physical interface and a first allocated bandwidth associated with the first physical interface; and a second physical interface and a second allocated bandwidth associated with the second physical interface; making a selection, using the physical interface set, of the first physical interface based on the first allocated bandwidth being lesser than the second allocated bandwidth; assigning the first physical interface as a first anchor interface for the first port channel subinterface; and adding the first shape rate to the first allocated bandwidth to obtain a first new allocated bandwidth for the first physical interface.

Abstract: Systems and methods are provided herein for using a network device's software (e.g., programs executed on a CPU) to maintain and export flow data while offloading network resource intensive tasks to the network device's hardware. This may be accomplished by a network device determining whether a new flow should be tracked using only the software table (e.g., table stored only on the CPU) of the network device or whether certain flow tracking tasks (e.g., counting/parsing) can be offloaded to a hardware table (e.g., counter table in a hardware flow cache) of the network device. The network device may use one or more conditions to determine whether the new flow should be tracked using the software table or by both the software and the hardware table. The conditions can relate to the characteristics of the new flow, resource information, prioritization of the new flow, etc.

Abstract: Methods, computer readable mediums, and systems for securing network traffic data. The method of securing network traffic data may include obtaining a network traffic data unit, that includes: a payload; forwarding information, that includes: a first forwarding portion; and a second forwarding portion that indicates a network tunnel; encryption type information; and encryption location information; analyzing a first segment of the first forwarding portion to obtain a first forwarding location; modifying the network traffic data unit, based on the encryption type information and the encryption location information, to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit to the first forwarding location.

Abstract: Each switch unit in a networking system shares its local state information among other switch units in the networking system, collectively referred to as the shared forwarding state. Each switch unit creates a respective set of output queues that correspond to ports on other switch unites based on the shared forwarding state. A received packet on an ingress switch unit operating in accordance with a first routing protocol instance can be enqueued on an output queue in the ingress switch; the packet is subsequently processed by the egress switch unit, operating in accordance with a second routing protocol instance that corresponds to the output queue.

Abstract: A network device includes a switching system for directing packets between ingress ports and egress ports of the network device. The network device also includes a switching system manager that makes an identification of a state change of a virtual output queue of the switching system; and performs an action set, based on the state change, to modify a latency of the virtual output queue to meet a predetermined latency in response to the identification.