Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: Synchronizing the databases maintained by network appliances can support high availability or high throughput topologies, but also consumes the devices' processing resources. To address that resource consumption, the network appliance's packet processing pipeline circuits can process synchronization packets to thereby synchronize the databases. A local data structure can be in a first local state. Processing a network packet can result in changing the local data structure to a second local state. A state sync packet can include state transition data that indicates a state difference between the first local state and the second local state. The state sync packet can be sent to a peer device that is configured to process the state transition data using the peer device's packet processing pipeline circuit. The peer device's packet processing pipeline can use the state transition data to update a peer device data structure that is in the peer device.

Abstract: Network traffic flows can be processed by routers, switches, or service nodes. Service nodes may be ASICs that can provide the functionality of a switch or a router. Service nodes can be configured in a circular replication chain, thereby providing benefits such as high reliability. The service nodes can implement methods that include receiving a first packet that includes a source address in a source address field and that includes a destination address in a destination address field, routing the first packet to a selected service node that is in a circular replication chain that includes a plurality of service nodes that have local flow tables and are configured for chain replication of the local flow tables, producing a second packet by using a matching flow table entry of the first packet to process the first packet, and sending the second packet toward a destination indicated by the destination address.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: Network appliances can record log entries in log objects. An object store can receive the log objects and can use the log objects to create index objects and flow log objects. Each flow log object and index object can be associated with a time period wherein the flow log object includes flow log entries received during that time period. The index object includes shard tables that can be stored in different nonvolatile memories and can thereby be concurrently searched. Shard entries in the shard tables indicate flow entry indicators. The flow entry indicators indicate log entries in the flow log object. An internally indexed searchable object can include the flow log object and the index object. Numerous indexed fields in the flow log entries and can be indexed with each indexed field searchable via the shard entries.

Abstract: Described are platforms, systems, and methods for processing a chain of operations through an input output (IO) subsystem without central processing unit (CPU) involvement. In one aspect, a computer-implemented method comprises: providing, via the CPU, the chain of operations to the IO subsystem, wherein the IO subsystem is coupled to the one or more processors over Peripheral Component Interconnect Express (PCIe); processing, with the IO subsystem, the chain of operations by: retrieving, from a memory, data associated with the chain of operations; executing each of the operations in the chain to determine an output based on the data and output determined for any prior executed operation in the chain; and providing the output of each the executed operations for execution of the respective next operation in the chain; and providing, via the IO subsystem, an output for the chain of operations to the CPU.

Abstract: A network appliance can queue a first packet and a second packet of a network traffic flow in an input queue of a match-action pipeline. The match-action pipeline can be implemented via a packet processing circuit of the network appliance and can be configured to process a plurality of network traffic flows. Submitting the first packet to the match-action pipeline can cause a first flow miss. The second packet can be moved to a burst queue of the network appliance and a match-action configuration can be generated based on the first packet. The second packet can be moved from the burst queue to the input queue after the match-action pipeline is configured with the match-action configuration. The match-action pipeline can then process the second packet.

Abstract: A network appliance can queue a first packet and a second packet of a network traffic flow in an input queue of a match-action pipeline. The match-action pipeline can be implemented via a packet processing circuit of the network appliance and can be configured to process a plurality of network traffic flows. Submitting the first packet to the match-action pipeline can cause a first flow miss. The second packet can be moved to a burst queue of the network appliance and a match-action configuration can be generated based on the first packet. The second packet can be moved from the burst queue to the input queue after the match-action pipeline is configured with the match-action configuration. The match-action pipeline can then process the second packet.

Abstract: Described are programmable IO devices installed on a host device and configured to execute instructions that cause the programmable IO device to perform operations to establish a virtual link between another programmable IO device installed on the host device and provide a data plane using the virtual link. These operations comprise: establishing the virtual link with the other programmable IO device installed on the host device, wherein the virtual link provides a communication channel between the programmable IO devices; providing the data plane by establishing, with the other programmable IO device via the virtual link, a data path associated with the data plane; receiving a packet in the data plane destined for the other programmable IO device; and forwarding the packet to the other programmable IO device via the virtual link.

Abstract: Described are platforms, systems, and methods for processing a chain of operations through an input output (IO) subsystem without central processing unit (CPU) involvement. In one aspect, a computer-implemented method comprises: providing, via the CPU, the chain of operations to the IO subsystem, wherein the IO subsystem is coupled to the one or more processors over Peripheral Component Interconnect Express (PCIe); processing, with the IO subsystem, the chain of operations by: retrieving, from a memory, data associated with the chain of operations; executing each of the operations in the chain to determine an output based on the data and output determined for any prior executed operation in the chain; and providing the output of each the executed operations for execution of the respective next operation in the chain; and providing, via the IO subsystem, an output for the chain of operations to the CPU.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable storage media for executing a copy service. A copy service engine can monitoring network data flow in a network, detect packet data containing a contract defining copy parameters for the execution of a copy service, and determine, based on the contract, when the particular data flow hits a particular network node specified in the contract parameters. When the data flow hits the specified node, the copy service engine can execute the copy service which copies the particular data flow, determines one or more endpoints for sending the copied data flow, and deploys the copies to the one or more endpoints.

Abstract: An administrator can define or modify one or more service graphs. Next, the administrator can register service appliances along with their device package files with a controller. Then, the controller can establish the capabilities of the service devices, and classify the service devices as legacy or service tag switching (STS) capable devices. Then, the controller can create one or more instances of the service graph, by populating the service nodes into the service graph. Then, the application owner can attach their endpoint groups (EPGs) to the service graphs created by the administrator. Then, a service in the network can be automatically provisioned using the service graph to configure one or more nodes in an associated service chain of the service according to information in the service graph.

Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.

Abstract: Systems, methods, and computer-readable storage media for executing a copy service. A copy service engine can monitoring network data flow in a network, detect packet data containing a contract defining copy parameters for the execution of a copy service, and determine, based on the contract, when the particular data flow hits a particular network node specified in the contract parameters. When the data flow hits the specified node, the copy service engine can execute the copy service which copies the particular data flow, determines one or more endpoints for sending the copied data flow, and deploys the copies to the one or more endpoints.

Abstract: An administrator can define or modify one or more service graphs. Next, the administrator can register service appliances along with their device package files with a controller. Then, the controller can establish the capabilities of the service devices, and classify the service devices as legacy or service tag switching (STS) capable devices. Then, the controller can create one or more instances of the service graph, by populating the service nodes into the service graph. Then, the application owner can attach their endpoint groups (EPGs) to the service graphs created by the administrator. Then, a service in the network can be automatically provisioned using the service graph to configure one or more nodes in an associated service chain of the service according to information in the service graph.