Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: A network device may receive network traffic from a first device. The network device may identify, based on the network traffic and a service level agreement, stored by the network device, that a service is to be applied to the network traffic. The network device may send the network traffic to a second device, the second device using a service plane to apply the service to the network traffic. The network device may receive the network traffic from the second device, the network traffic having the service applied by the second device; and send the network traffic, having the service applied by the second device, to a third device.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: An example network device includes a network interface and a control unit that receives a packet having header information. The control unit includes a forwarding structure having a plurality of entries that each refers to one of a plurality of logical interfaces, a forwarding engine configured to access the forwarding structure to select a first logical interface to which to forward the packet based on the header information, wherein the first logical interface comprises a pseudo-device interface (PDI). The control unit also includes a PDI module that tunnels the packet to an external service complex (ESC) by at least applying a set of metadata to the packet, encapsulating the packet with a header, and forwarding the packet to the ESC via the network interface, and wherein the metadata allows the ESC to determine a set of services to be applied to the packet based on the metadata.

Abstract: A network device may receive network traffic from a first device. The network device may identify, based on the network traffic and a service level agreement, stored by the network device, that a service is to be applied to the network traffic. The network device may send the network traffic to a second device, the second device using a service plane to apply the service to the network traffic. The network device may receive the network traffic from the second device, the network traffic having the service applied by the second device; and send the network traffic, having the service applied by the second device, to a third device.

Abstract: A network device may receive network traffic from a first device. The network device may identify, based on the network traffic and a service level agreement, stored by the network device, that a service is to be applied to the network traffic. The network device may send the network traffic to a second device, the second device using a service plane to apply the service to the network traffic. The network device may receive the network traffic from the second device, the network traffic having the service applied by the second device; and send the network traffic, having the service applied by the second device, to a third device.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: A network device may receive information regarding a service set identifying service to apply to a data flow received via a particular interface of the network device; receive the data flow via the particular interface; identify a service to provide to the data flow based on the information regarding the service set; identify a processing device to process the data flow; and provide the data flow to the processing device. The processing device may be different than the network device and may process the data flow, on behalf of the network device, to form a processed data flow. The processed data flow may include the data flow with the service applied to the data flow. The network device may further receive the processed data flow from the processing device and transmit the processed data flow toward a destination device.

Abstract: By using an extended bitmap window and arrival sequence numbers, a multiprocessor system may perform anti-replay checks on incoming packets in a similar order as a single processor system. In one implementation, a device may provide an anti-replay check window that includes an original window and an extension window, the original window being contiguous to the extension window. In addition, the device may receive a packet with an anti-replay sequence number and receive another packet whose anti-replay sequence number is within a range of the original window. In addition, the device may determine if the packet has arrived before the other packet by less than a threshold if the anti-replay sequence number of the packet falls within a range of the extension window. Further, the device may retain the packet if the packet has arrived before the other packet by less than the threshold.

Abstract: An example network device includes a network interface and a control unit that receives a packet having header information. The control unit includes a forwarding structure having a plurality of entries that each refers to one of a plurality of logical interfaces, a forwarding engine configured to access the forwarding structure to select a first logical interface to which to forward the packet based on the header information, wherein the first logical interface comprises a pseudo-device interface (PDI). The control unit also includes a PDI module that tunnels the packet to an external service complex (ESC) by at least applying a set of metadata to the packet, encapsulating the packet with a header, and forwarding the packet to the ESC via the network interface, and wherein the metadata allows the ESC to determine a set of services to be applied to the packet based on the metadata.

Abstract: A method may include receiving a packet at an ingress line interface in a forwarding plane of a network element, the packet including header information. The method may also include conducting a flow table lookup in the forwarding plane to identify an existing flow for the packet and determining, in the forwarding plane and based on the header information, whether a predicted flow can be identified for the packet if an existing flow can not be identified. The method may further include performing a service access control list (ACL) lookup in the forwarding plane if a predicted flow can not be identified; and forwarding the packet to one of a services plane or an egress line interface in the forwarding plane based on one of the existing flow, the predicted flow, or the service ACL lookup.

Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding components for forwarding to the routing component. The firewall component may be a security service card.

Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding components for forwarding to the routing component. The firewall component may be a security service card.

Abstract: A scalable cluster system that provides scalable services for client applications is provided with a forwarding list. The scalable services are transparent to the client application. To facilitate this transparent scalability, the system provides a forwarding list. For various operational reasons, such as tuning the system, an operator may change the work distribution weights between nodes of a scalable cluster system. Such a change in work distribution weights may change how packets are assigned to nodes. Forwarding lists are provided so that if the work distribution weights are changed while there are existing connections the forwarding lists allow packets from existing connections to go to the same node as earlier packets from the same connection.

Abstract: One embodiment of the present invention provides a system that uses a packet distribution table to distribute packets to server nodes in a cluster of nodes that operate in concert to provide at least one service. The system operates by receiving a packet at an interface node in the cluster of nodes. This packet includes a source address specifying a location of a client that the packet originated from, and a destination address specifying a service provided by the cluster of nodes (and possibly a protocol). The system uses the destination address to lookup a packet distribution table. The system then performs a function that maps the source address to an entry in the packet distribution table, and retrieves an identifier specifying a server node from the entry in the packet distribution table. Next, the system forwards the packet to the server node specified by the identifier so that the server node can perform a service for the client.