Abstract: A method for handling a unicast reverse-path forwarding (uRPF) violation can include, at a network device residing on a network: receiving an incoming packet from a source Internet Protocol (IP) address, the incoming packet having a destination IP address, the network device comprising an application-specific integrated circuit (ASIC) chip; performing an uRPF check on the incoming packet; and responsive to the incoming packet failing the uRPF check, notifying a network controller external to the network device. The network controller is operable to determine, based on a rule or by searching a routing information base (RIB), whether a flow from the source IP address to the designation IP address is legitimate and, in accordance with a result from the determination, drop the incoming packet or forward the incoming packet to the destination IP address.

Abstract: Packet processing in a EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, and includes selecting the ESI label based on the ingress port where the ingress port can be a physical port or a subinterface configured on a physical port.

Abstract: Prefix compression routes provided via exact match using redirection and mirroring Forwarding Equivalence Class entries in hardware. In a network device, a first table is stored having a first entry, a second table is stored having a second entry, and a third table is stored having a third entry including routing information for routing data packets. The first entry references a first memory location in the second table, the second memory location stores the second entry, and the second entry referencing a second memory location in the third table. A data packet is received, and the first entry is accessed based on a destination address of the data packet. Routing information is obtained as a result of accessing the first entry. The data packet is sent by the network device according to the routing information.

Abstract: A network device or a system can be used to implement a private virtual local area network (VLAN). Such network device or system can receive a packet via an ingress port, perform a VLAN mapping lookup to identify a private VLAN domain based on the ingress port and an ingress subdomain associated with a primary VLAN or a secondary VLAN in the private VLAN domain, set a forwarding domain of the packet to the private VLAN domain, store the ingress subdomain and optionally the private VLAN domain as metadata, perform learning and forwarding lookups using the private VLAN domain to identify the ingress port and an egress port for the packet, reset the forwarding domain of the packet back to the ingress subdomain by the end of the forwarding lookup, and perform VLAN filtering based on the ingress subdomain.

Abstract: Packet processing in a EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, and includes selecting the ESI label based on the ingress port where the ingress port can be a physical port or a subinterface configured on a physical port.

Abstract: A network device or a system can be configured to support split virtual routing and forwarding (VRF) for unicast reverse path forwarding (RPF). A method is provided that includes receiving a data packet, performing VRF mapping lookup to identify a forwarding VRF identifier and a source VRF identifier, storing at least the source VRF identifier and a VRF profile as metadata, passing the packet through one or more stages in a packet processing pipeline, extracting the source VRF identifier from the metadata, performing RPF lookup based on the extracted source VRF identifier or the forwarding VRF identifier based on the extracted VRF profile from the metadata and a source address of the packet, selectively dropping the packet, performing forwarding lookup based on the forwarding VRF identifier and a destination address of the packet, and selectively forwarding the packet.

Abstract: Systems and methods for the storing and distribution of routes with different length prefixes between different tables in network devices utilizing lookup strengths associated with prefix lengths are disclosed. The results from performing lookups in these tables may have associated lookup strengths based on the prefix length of the associated routes, and the evaluation of which route to utilize for packet processing can be determined utilizing these associated lookup strengths. In this manner, a desired route for such packet processing may be determined regardless of the table where a route resides.

Abstract: Packet processing in a EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, and includes selecting the ESI label based on the ingress port where the ingress port can be a physical port or a subinterface configured on a physical port.

Abstract: A network device includes multiple interconnected network chips where the packet processing functionality is distributed between ingress and egress pipelines. TCP MSS clamping can be implemented in the egress pipeline. Processing in the egress pipeline can identify the presence of a TCP MSS value in the packet. The egress pipeline can compare the packet TCP MSS value with a user configured TCP MSS value. The egress pipeline can replace the packet TCP MSS value with the user configured TCP MSS value if the former is greater than the latter, and recompute a checksum. The packet with the replaced TCP MSS value and replaced checksum is then forwarded from the switch toward its eventual destination.

Abstract: Packet processing in a EVPN L2 MPLS deployment includes performing tag editing operations in the egress pipeline. More particularly, tag manipulation is based on the egress port. Packet processing further includes performing ESI label selection in the egress pipeline, and includes selecting the ESI label based on the ingress port where the ingress port can be a physical port or a subinterface configured on a physical port.

Abstract: A network device includes multiple interconnected network chips where the packet processing functionality is distributed between ingress and egress pipelines. TCP MSS clamping can be implemented in the egress pipeline. Processing in the egress pipeline can identify the presence of a TCP MSS value in the packet. The egress pipeline can compare the packet TCP MSS value with a user configured TCP MSS value. The egress pipeline can replace the packet TCP MSS value with the user configured TCP MSS value if the former is greater than the latter, and recompute a checksum. The packet with the replaced TCP MSS value and replaced checksum is then forwarded from the switch toward its eventual destination.

Abstract: Prefix compression routes provided via exact match using redirection and mirroring Forwarding Equivalence Class entries in hardware. In a network device, a first table is stored having a first entry, a second table is stored having a second entry, and a third table is stored having a third entry including routing information for routing data packets. The first entry references a first memory location in the second table, the second memory location stores the second entry, and the second entry referencing a second memory location in the third table. A data packet is received, and the first entry is accessed based on a destination address of the data packet. Routing information is obtained as a result of accessing the first entry. The data packet is sent by the network device according to the routing information.

Abstract: Systems and methods are provided herein for allocating the same ESI label on multihomed peers for a given ES. In some embodiments, each network device that provides multihoming to a host using an ES, advertises EVPN AD per ES routes to each other, wherein the EVPN AD per ES routes comprise an ESI label associated with the ES. Because the network devices advertise the same ESI label for the ES, a first network device generates a bitmap. The first network device uses the bitmap to include the advertised ESI label in replicated packets that the first network device forwards to the other network devices that provide multihoming to the host via the ES. The network devices that consider themselves non-DF devices will drop the packet. The network devices that consider themselves the DF device will not forward the packet to the host via the ES because of the ESI label.

Abstract: Systems and methods are provided herein for allocating the same ESI label on multihomed peers for a given ES. In some embodiments, each network device that provides multihoming to a host using an ES, advertises EVPN AD per ES routes to each other, wherein the EVPN AD per ES routes comprise an ESI label associated with the ES. Because the network devices advertise the same ESI label for the ES, a first network device generates a bitmap. The first network device uses the bitmap to include the advertised ESI label in replicated packets that the first network device forwards to the other network devices that provide multihoming to the host via the ES. The network devices that consider themselves non-DF devices will drop the packet. The network devices that consider themselves the DF device will not forward the packet to the host via the ES because of the ESI label.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.