Abstract: Techniques for providing a reflexive access control list (ACL) on a virtual switch are provided. Embodiments receive a first packet corresponding to a first network flow and a second packet corresponding to a second network flow. Upon determining that a SYN flag is set within the first packet, a first entry is created in the reflexive ACL for the first network flow. Upon determining that the first packet was received over a client port of the first physical switch, the first packet is forwarded to a second physical switch within virtual switch. Upon determining that the second packet has a SYN flag enabled, a second entry is created in the reflexive ACL. Finally, upon determining that the second packet was received from the second physical switch, the second packet is forwarded over an uplink port to a destination defined by the second packet.

Abstract: Disclosed are systems, methods, and computer-readable storage media for minimizing the number of entries in network access control lists (ACLs). In some embodiments of the present technology a networking device can receive, from a first computing device, a first data transmission intended for a second computing device, the first data transmission including first transmission data. The networking device can normalize at least a subset of the first transmission data based on a predetermined normalization algorithm, yielding a first normalized data set for the first data transmission. Subsequently, the networking device can identify a first access control list entry from a set of access control list entries based on the first normalized data set, the first access control list entry identifying a first action, and implement the first action in relation to the first data transmission.

Abstract: In one embodiment, a next set of packets in a first flow may be identified. A counter may be incremented, where the counter indicates a first number of initial sets of packets in first flow that have been identified. The identified next set of packets may be prioritized such that the first number of initial sets of packets in the first flow are prioritized and a sequential order of all packets in the first flow is maintained. The identifying, incrementing, and prioritizing may be repeated until no further sets of packets in the first flow remain to be identified or the first number of initial sets of packets is equal to a first predefined number.

Abstract: Presented herein are techniques for performing packet forwarding or routing using a pipeline of a plurality of tiles. A method includes receiving a packet, parsing the packet to generate a vector, passing the vector to a first tile dedicated to a first type of lookup, performing a lookup in the first tile, storing a result of the first type of lookup in the vector to obtain a first updated vector, passing the first updated vector to a second tile dedicated to a second type of lookup, performing a lookup in the second tile, storing a result of the second type of lookup in the vector to obtain a second updated vector, and transmitting the packet from the network routing device via an output port thereof selected based on the second updated vector.

Abstract: Systems, methods, and computer-readable media for improving debugging and troubleshooting of datacenter networks, and more particularly improving the speed of forwarding/data path related problems without going into ASIC level debugging. A switch could, for example, have a processor which communicates with an ASIC. The processor can receive flow information and a notification from the ASIC, the notification indicating a predefined error condition has been identified in a packet. The processor can modify the ASIC programming based on the notification, such that the ASIC records additional, more-detailed, flow information for the switch. The processor can then receive, from the modified ASIC, the additional flow information. The additional flow information can then be used (either by the processor or by an operator) to identify the exact reason for the errors in the flow path.

Abstract: Techniques for providing a reflexive access control list (ACL) on a virtual switch are provided. Embodiments receive a first packet corresponding to a first network flow and a second packet corresponding to a second network flow. Upon determining that a SYN flag is set within the first packet, a first entry is created in the reflexive ACL for the first network flow. Upon determining that the first packet was received over a client port of the first physical switch, the first packet is forwarded to a second physical switch within virtual switch. Upon determining that the second packet has a SYN flag enabled, a second entry is created in the reflexive ACL. Finally, upon determining that the second packet was received from the second physical switch, the second packet is forwarded over an uplink port to a destination defined by the second packet.

Abstract: Presented herein are techniques for performing packet forwarding or routing using a pipeline of a plurality of tiles. A method includes receiving a packet, parsing the packet to generate a vector, passing the vector to a first tile dedicated to a first type of lookup, performing a lookup in the first tile, storing a result of the first type of lookup in the vector to obtain a first updated vector, passing the first updated vector to a second tile dedicated to a second type of lookup, performing a lookup in the second tile, storing a result of the second type of lookup in the vector to obtain a second updated vector, and transmitting the packet from the network routing device via an output port thereof selected based on the second updated vector.

Abstract: Systems, methods, and computer-readable media for improving debugging and troubleshooting of datacenter networks, and more particularly improving the speed of forwarding/data path related problems without going into ASIC level debugging. A switch could, for example, have a processor which communicates with an ASIC. The processor can receive flow information and a notification from the ASIC, the notification indicating a predefined error condition has been identified in a packet. The processor can modify the ASIC programming based on the notification, such that the ASIC records additional, more-detailed, flow information for the switch. The processor can then receive, from the modified ASIC, the additional flow information. The additional flow information can then be used (either by the processor or by an operator) to identify the exact reason for the errors in the flow path.

Abstract: In one embodiment, a next set of packets in a first flow may be identified. A counter may be incremented, where the counter indicates a first number of initial sets of packets in first flow that have been identified. The identified next set of packets may be prioritized such that the first number of initial sets of packets in the first flow are prioritized and a sequential order of all packets in the first flow is maintained. The identifying, incrementing, and prioritizing may be repeated until no further sets of packets in the first flow remain to be identified or the first number of initial sets of packets is equal to a first predefined number.

Abstract: According to one aspect, a method includes determining whether at least one memory storage unit in a first stage of a multi-stage array is available for use by a first counter associated with the first stage, and allocating the at least one memory storage unit for use by the first counter when the at least one memory storage unit is available. When the at least one memory storage unit is not available for use by the first counter, the method includes identifying a second counter stored in a first location in the first stage, the first location including a first memory storage unit and a second memory storage unit, and moving the second counter to a second stage of the multi-stage array, storing a pointer to the second stage in the first memory storage unit, and allocating the second memory storage unit to the first counter.

Abstract: In one embodiment, a next set of packets in a first flow may be identified. A counter may be incremented, where the counter indicates a first number of initial sets of packets in first flow that have been identified. The identified next set of packets may be prioritized such that the first number of initial sets of packets in the first flow are prioritized and a sequential order of all packets in the first flow is maintained. The identifying, incrementing, and prioritizing may be repeated until no further sets of packets in the first flow remain to be identified or the first number of initial sets of packets is equal to a first predefined number.

Abstract: Disclosed are systems, methods, and computer-readable storage media for minimizing the number of entries in network access control lists (ACLs). In some embodiments of the present technology a networking device can receive, from a first computing device, a first data transmission intended for a second computing device, the first data transmission including first transmission data. The networking device can normalize at least a subset of the first transmission data based on a predetermined normalization algorithm, yielding a first normalized data set for the first data transmission. Subsequently, the networking device can identify a first access control list entry from a set of access control list entries based on the first normalized data set, the first access control list entry identifying a first action, and implement the first action in relation to the first data transmission.

Abstract: According to one aspect, a method includes determining whether at least one memory storage unit in a first stage of a multi-stage array is available for use by a first counter associated with the first stage, and allocating the at least one memory storage unit for use by the first counter when the at least one memory storage unit is available. When the at least one memory storage unit is not available for use by the first counter, the method includes identifying a second counter stored in a first location in the first stage, the first location including a first memory storage unit and a second memory storage unit, and moving the second counter to a second stage of the multi-stage array, storing a pointer to the second stage in the first memory storage unit, and allocating the second memory storage unit to the first counter.

Abstract: In some implementations, network traffic can be routed along equal cost paths based on weights assigned to each path. For example, weighted equal cost multipath routing can be implemented by assigning weights to each equal cost path (e.g., uplink, next hop node) to a destination device. When the network device receives a packet, the network device can generate a key (e.g., a random value, a hash value based on packet data, a value between 0 and n, etc.). The key can be used to select an uplink or path upon which to forward the packet. A key can be generated for a packet flow or flowlet. Each flow can be associated with the same key so that each packet in a flow will be forwarded along the same path. Each flowlet can be forwarded along a different uplink.

Abstract: In one embodiment, a next set of packets in a first flow may be identified. A counter may be incremented, where the counter indicates a first number of initial sets of packets in first flow that have been identified. The identified next set of packets may be prioritized such that the first number of initial sets of packets in the first flow are prioritized and a sequential order of all packets in the first flow is maintained. The identifying, incrementing, and prioritizing may be repeated until no further sets of packets in the first flow remain to be identified or the first number of initial sets of packets is equal to a first predefined number.

Abstract: In some implementations, network traffic can be routed along equal cost paths based on weights assigned to each path. For example, weighted equal cost multipath routing can be implemented by assigning weights to each equal cost path (e.g., uplink, next hop node) to a destination device. When the network device receives a packet, the network device can generate a key (e.g., a random value, a hash value based on packet data, a value between 0 and n, etc.). The key can be used to select an uplink or path upon which to forward the packet. A key can be generated for a packet flow or flowlet. Each flow can be associated with the same key so that each packet in a flow will be forwarded along the same path. Each flowlet can be forwarded along a different uplink.

Abstract: In one embodiment, a method includes receiving a packet at an interface at a network device having a plurality of interfaces connected to a plurality of links forming a bundle, performing a Reverse Path Forwarding (RPF) check on the received packet, and forwarding the packet if it passes the RPF check. The RPF check includes a lookup in an RPF table having a plurality of entries for the bundle, each of the entries including the bundle and one of the links in the bundle, and verification that the interface receiving the packet is connected to one of the links in the bundle identified in the lookup. An apparatus is also disclosed.

Abstract: Techniques are provided for forwarding packets via an intermediate network device. A packet comprising a destination MAC address is received at a first port of a network device having a plurality of bi-directional ports. A second port of the network device to which the packet should be forwarded is identified through the use of at least an approximate ingress table at the first port comprising a plurality of compressed destination MAC addresses each having an associated egress port, and the packet is forwarded to the second port. At the second port, a subsequent network device to which the packet should be forwarded is identified through the use of an exact egress table at the second port including exact destination MAC addresses each associated with a network device connected to the second port, and the packet is forwarded to the subsequent network device.

Abstract: In one embodiment, a method includes receiving a packet at an interface at a network device having a plurality of interfaces connected to a plurality of links forming a bundle, performing a Reverse Path Forwarding (RPF) check on the received packet, and forwarding the packet if it passes the RPF check. The RPF check includes a lookup in an RPF table having a plurality of entries for the bundle, each of the entries including the bundle and one of the links in the bundle, and verification that the interface receiving the packet is connected to one of the links in the bundle identified in the lookup. An apparatus is also disclosed.

Abstract: Methods and systems for performing parallel membership queries to Bloom filters for Longest Prefix Matching, where address prefix memberships are determined in sets of prefixes sorted by prefix length. Hash tables corresponding to each prefix length are probed from the longest to the shortest match in the vector, terminating when a match is found or all of the lengths are searched. The performance, as determined by the number of dependent memory accesses per lookup, is held constant for longer address lengths or additional unique address prefix lengths in the forwarding table given that memory resources scale linearly with the number of prefixes in the forwarding table. For less than 2 Mb of embedded RAM and a commodity SRAM, the present technique achieves average performance of one hash probe per lookup and a worst case of two hash probes and one array access per lookup.