H04L45/00

Database protocol for exchanging forwarding state with hardware switches

Some embodiments provide a set of one or more network controllers that communicates with a wide range of devices, from switches to appliances such as firewalls and load balancers. The set of network controllers communicates with such devices to connect them to its managed virtual networks. The set of network controllers can define each virtual network through software switches and/or software appliances. To extend control beyond software network elements, some embodiments implement a database server on each dedicated hardware device. The set of network controllers accesses the database server to send management data, and the hardware translates the management data to connect to a managed virtual network.

Software-enhanced stateful switching architecture
11522813 · 2022-12-06

A stateful packet processing system includes: a first stateful stage including a first state table and a first finite state machine (“FSM”) table; and a second stateful stage including a second state table and a second FSM table. The system performs a distribution operation defining when a flow is processed by the first and/or the second stateful stage. The first and/or second FSM table is extended with states and transitions that support the distribution operation. The first and/or second stateful stage executes an evaluation operation that executes the distribution operation. The evaluation operation provides a criterion for moving a particular flow from one of the first or second stateful stage to the other stateful stage. The first and second stateful stages are included in a software-defined networking (“SDN”) switch. The distribution operation operates within defined capabilities of a software and/or hardware pipeline of the SDN switch.

MaxMesh: mesh backhaul routing
11570112 · 2023-01-31

A system is disclosed, comprising: a centralized routing node configured to: identify a set of congested links based on link utilization statistics, each congested link having at least one traffic flow that may be active, each traffic flow having at least one traffic source and a path set comprising a set of nodes and links that may be used by the traffic flow as packets travel from the at least one traffic source to one or more destinations; identify a set of non-congested links based on the link utilization statistics, each non-congested link sharing at least one traffic source with a traffic flow of a congested link in the set of congested links; identify a path fork in a path set between a source and a destination of a particular traffic flow associated with a particular congested link in the set of congested links; and compute the new utilization level for the particular congested link that would result from moving the particular traffic flow from the particular congested link to a particular non-congested link in the set of non-congested links.

Service-function chaining using extended service-function chain proxy for service-function offload
11570091 · 2023-01-31

An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
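As an added worked example (not code from the patent or its assignee), the following Python model shows the offload cycle the abstract describes: packets carrying a service path identifier and a service index are handed to the service function until it indicates offload, the proxy stores that indication in a flow table, and later packets of the same flow bypass the service function and are forwarded along the service path. The flow key, the service function's inspect-then-offload behaviour and the size bound on the flow table are assumptions; the abstract does not specify them.

```python
# Added example (not the patent's code): a minimal SFC proxy with a flow table
# of offload indications. Header fields, service function and traffic are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceHeader:
    spi: int  # service path identifier
    si: int   # service index; decremented once the SF has been applied


@dataclass(frozen=True)
class Packet:
    hdr: ServiceHeader
    src: str
    dst: str
    proto: str
    payload: bytes = b""

    def flow_key(self):
        # Flow identity as seen by the proxy: service path plus src/dst/proto (assumption)
        return (self.hdr.spi, self.src, self.dst, self.proto)


class InspectingSF:
    """Hypothetical service function: inspects the first `limit` packets of a
    flow and then indicates that the remainder of the flow may be offloaded."""

    def __init__(self, limit=2):
        self.limit = limit
        self.seen = {}
        self.inspected = 0  # packets that actually reached the SF

    def process(self, pkt):
        self.inspected += 1
        n = self.seen.get(pkt.flow_key(), 0) + 1
        self.seen[pkt.flow_key()] = n
        return n >= self.limit  # True = offload indication for this flow


class SfcProxy:
    def __init__(self, sf, max_flows=1024):
        self.sf = sf
        self.max_flows = max_flows  # bound not in the abstract; keeps the table finite
        self.flow_table = set()     # flow keys with a stored offload indication
        self.out = []               # packets forwarded along the service path

    def forward(self, pkt):
        # The proxy decrements SI on behalf of the SF, as an NSH proxy does for an
        # SF that does not handle the service header itself.
        self.out.append(Packet(ServiceHeader(pkt.hdr.spi, pkt.hdr.si - 1),
                               pkt.src, pkt.dst, pkt.proto, pkt.payload))

    def handle(self, pkt):
        key = pkt.flow_key()
        if key in self.flow_table:
            self.forward(pkt)            # indication found: SF bypassed
            return "bypassed"
        offload = self.sf.process(pkt)   # packet sent to the SF
        stored = offload and len(self.flow_table) < self.max_flows
        if stored:
            self.flow_table.add(key)     # store the indication for later packets
        self.forward(pkt)
        return "offloaded" if stored else "inspected"


def run_demo():
    """Four packets of one flow followed by one packet of another flow."""
    sf = InspectingSF(limit=2)
    proxy = SfcProxy(sf)
    flow = [Packet(ServiceHeader(spi=10, si=255), "10.0.0.5", "10.0.1.9", "tcp", b"x" * i)
            for i in range(1, 5)]
    other = Packet(ServiceHeader(spi=10, si=255), "10.0.0.6", "10.0.1.9", "tcp")
    results = [proxy.handle(p) for p in flow] + [proxy.handle(other)]
    return results, sf.inspected, [p.hdr.si for p in proxy.out]


if __name__ == "__main__":
    print(run_demo())
```

Only the first two packets of the flow reach the service function; the third and fourth are forwarded straight along the path, and a packet of a different flow starts the cycle again. The abstract says nothing about how long an offload entry lives, so this model at least caps the table size; a deployment would also want entries to age out, since an offloaded flow is by definition no longer being inspected.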

Methods for active-active stateful network service cluster
11570092 · 2023-01-31

For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster, in conjunction with a host computer hosting a destination data compute node (DCN), to improve the efficiency of directing a data message to the service node that stores state information for the flow to which the data message belongs. A first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, which uses it to process subsequent data messages in the particular data message flow.
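The exchange above, as an added Python example that is not the patent's own code. The rule used to pick the owning node (a hash of the flow key over the cluster membership) and the contents of the per-flow state are assumptions; the abstract only says that the first node identifies a second node.

```python
# Added example (not the patent's code): state hand-off between service nodes
# in an active-active cluster. Owner selection by hashing the flow key and the
# per-flow state layout are assumptions.
import hashlib


class ServiceNode:
    def __init__(self, name):
        self.name = name
        self.cluster = None   # list of all nodes, set by make_cluster
        self.state = {}       # flow key -> per-flow state
        self.events = []      # trace of what this node did

    def owner_of(self, flow_key):
        # Assumption: the node holding a flow's state is chosen by a hash of the
        # flow key over the cluster, so every node computes the same answer.
        digest = hashlib.sha256(repr(flow_key).encode()).digest()
        return self.cluster[int.from_bytes(digest[:4], "big") % len(self.cluster)]

    def process(self, flow_key, how):
        self.state[flow_key]["pkts"] += 1
        self.events.append((flow_key, how))
        return how

    def receive(self, flow_key):
        """A data message of flow `flow_key` arrives at this node (e.g. via ECMP)."""
        if flow_key in self.state:
            return self.process(flow_key, "local")
        owner = self.owner_of(flow_key)
        if owner is self:
            self.state[flow_key] = {"pkts": 0}
            return self.process(flow_key, "local-new")
        # First node: no state here, forward to the second node that has it
        return owner.receive_forwarded(flow_key, requester=self)

    def receive_forwarded(self, flow_key, requester):
        """Second node: process the forwarded message and return the flow state."""
        if flow_key not in self.state:
            self.state[flow_key] = {"pkts": 0}
        result = self.process(flow_key, "forwarded-from-" + requester.name)
        requester.install_state(flow_key, dict(self.state[flow_key]))
        return result

    def install_state(self, flow_key, state):
        # First node stores the received state for subsequent messages of the flow
        self.state[flow_key] = state
        self.events.append((flow_key, "state-installed"))


def make_cluster(names):
    nodes = [ServiceNode(n) for n in names]
    for n in nodes:
        n.cluster = nodes
    return nodes


def run_demo():
    """Three messages of one flow all arrive at a node that does not own it."""
    nodes = make_cluster(["sn1", "sn2", "sn3"])
    flow = ("10.0.0.7", "203.0.113.10", 6, 40001, 443)  # constructed 5-tuple
    owner = nodes[0].owner_of(flow)
    first = next(n for n in nodes if n is not owner)
    steps = [first.receive(flow), first.receive(flow), first.receive(flow)]
    return first.name, owner.name, steps, first.state[flow]["pkts"], owner.state[flow]["pkts"]


if __name__ == "__main__":
    print(run_demo())
```

Only the first message crosses the cluster; the second node answers it and hands the flow state back, and the first node handles the remaining messages without forwarding. Once the hand-off has happened two nodes hold a copy of the state; the abstract does not say how the copies are kept consistent, so in this model the first node simply continues with the copy it received.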

Dynamic route profile storage in a hardware trie routing table

The present disclosure involves systems and methods for managing a trie routing table for a networking device of a communication or computer network. In one implementation, the networking device may utilize a dynamic algorithm for associating hashing functions with pivot tiles of the routing table to improve hash utilization and avoid hash collisions. Further, route prefixes may be relocated from pivot tiles in an attempt to free the tiles for reallocation to another prefix base width, or may be relocated to other possible pivot tiles or to a general storage space when a hash collision is detected. This provides for an even distribution of pivots within tiles whose base widths are in range of a pivot route. The above implementations may occur together or separately to improve the operation of the networking device and provide faster route lookup.

Packet processing method, network node, and system
11570285 · 2023-01-31

A packet processing method, a network node, and a system are disclosed. A first network node obtains a first packet that includes a segment list, where the segment list includes a segment identifier of a network node on the path used to forward the first packet. The first network node obtains from the segment list the segment identifier of a second network node, which is the next-hop segment node of the first network node on the path. The first network node replaces the destination address of the first packet with the segment identifier of the second network node, adds a network performance parameter of the first network node to the segment list to generate a second packet, and sends the second packet to the second network node.
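An added example (not the patent's code) of the per-node step in Python: a packet walks a three-node segment list, each node swaps the destination address for the next segment identifier and appends its own performance parameter, and the collected parameters are read back out at the end as per-hop delays. Segment identifiers, packet layout, clock readings and the choice of a timestamp as the performance parameter are all assumptions.

```python
# Added example (not the patent's code): segment-list forwarding with a
# per-node performance parameter. SIDs, clock values and packet layout are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class SegmentPacket:
    dst: str
    segment_list: list                        # SIDs in forwarding order (assumption)
    perf: list = field(default_factory=list)  # (sid, parameter) records added per node
    payload: bytes = b""


class SegmentNode:
    def __init__(self, sid, clock_us):
        self.sid = sid
        self.clock_us = clock_us  # constructed local clock reading in microseconds

    def process(self, pkt):
        """First-node behaviour from the abstract; returns (second packet, next SID)."""
        # Only act on packets actually addressed to this node's SID (check added
        # here; the abstract does not call for it).
        if pkt.dst != self.sid:
            raise ValueError(f"{self.sid}: packet dst {pkt.dst} is not my SID, dropping")
        idx = pkt.segment_list.index(self.sid)
        perf = pkt.perf + [(self.sid, self.clock_us)]   # add this node's parameter
        if idx + 1 == len(pkt.segment_list):
            # Last segment: nothing to rewrite, packet is delivered here (assumption)
            return SegmentPacket(pkt.dst, pkt.segment_list, perf, pkt.payload), None
        next_sid = pkt.segment_list[idx + 1]            # next-hop segment node
        return SegmentPacket(next_sid, pkt.segment_list, perf, pkt.payload), next_sid


def per_hop_delays(perf):
    """Use of the collected parameters at the end of the path: delay per hop."""
    return [(a[0], b[0], b[1] - a[1]) for a, b in zip(perf, perf[1:])]


def run_demo():
    sids = ["fc00::1", "fc00::2", "fc00::3"]
    nodes = {sid: SegmentNode(sid, clock) for sid, clock in zip(sids, [1000, 1350, 1900])}
    pkt = SegmentPacket(dst=sids[0], segment_list=sids, payload=b"data")
    hops, current = [], sids[0]
    while current is not None:
        pkt, current = nodes[current].process(pkt)
        hops.append(pkt.dst)
    return hops, pkt.perf, per_hop_delays(pkt.perf)


if __name__ == "__main__":
    print(run_demo())
```

The node refuses a packet whose destination address is not its own segment identifier before it touches the segment list; without that check any packet carrying a segment list would be rewritten and re-sent by whichever node happened to receive it.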

Distributed antenna system based on time-sensitive network

A TSN-based distributed antenna system is provided, including a headend unit, one or more TSN switches, and one or more remote units, together with a fronthaul transport network constituted by the headend unit, the TSN switch, and the remote unit. The packet-based fronthaul network constituted by these elements transmits traffic in a time-deterministic manner while minimizing packet loss over Ethernet to which the TSN standards are applied.

Method and apparatus for defending against network attack
11570212 · 2023-01-31

This application discloses a method and an apparatus for defending against a network attack, to resolve the problem that network defense costs are relatively high. The method includes: a network security device receives a first packet sent by an external device, and matches the destination IP address of the first packet against the configuration information of a fake network. If an IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a fake network policy; if no IP address of a node in the configuration information of the fake network has the same subnet prefix as the destination IP address, the network security device processes the first packet based on a firewall policy.
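The destination-address match described above, as an added Python example (not the patent's code). The fake-network configuration, the sample packets and the policy names are constructed for this example; the only logic taken from the abstract is the subnet-prefix comparison that selects between the fake-network policy and the firewall policy.

```python
# Added example (not the patent's code): selecting the fake-network policy or
# the firewall policy by subnet prefix of the destination address. The decoy
# configuration, packets and policy names are constructed.
import ipaddress

# Constructed fake-network configuration: each decoy node's address with the
# prefix length that identifies its subnet.
FAKE_NETWORK_NODES = [
    ("192.0.2.50", 24),          # decoy in 192.0.2.0/24
    ("198.51.100.130", 26),      # decoy in 198.51.100.128/26
    ("2001:db8:dead::10", 64),   # IPv6 decoy in 2001:db8:dead::/64
]

# Constructed first packets from external devices.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.50"},          # the decoy itself
    {"src": "203.0.113.9", "dst": "192.0.2.77"},          # same /24, no decoy has this address
    {"src": "203.0.113.9", "dst": "198.51.100.5"},        # 198.51.100.0/26, outside the decoy /26
    {"src": "203.0.113.9", "dst": "198.51.100.150"},      # inside 198.51.100.128/26
    {"src": "2001:db8::1", "dst": "2001:db8:dead::beef"}, # inside the IPv6 decoy /64
    {"src": "203.0.113.9", "dst": "10.0.0.1"},            # no decoy subnet
    {"src": "203.0.113.9", "dst": "not-an-ip"},           # malformed destination
]


def fake_subnets(nodes):
    """Subnet prefixes of the decoy nodes, with duplicate subnets collapsed."""
    nets = [ipaddress.ip_interface(f"{ip}/{plen}").network for ip, plen in nodes]
    return list(dict.fromkeys(nets))


def select_policy(dst, subnets):
    """'fake-network' if dst shares a subnet prefix with a decoy node, else 'firewall'."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # Unparsable destination: never steer it into the decoy network (assumption)
        return "firewall"
    for net in subnets:
        if addr.version == net.version and addr in net:
            return "fake-network"
    return "firewall"


def classify_packets(packets, nodes=FAKE_NETWORK_NODES):
    """Return (destination, chosen policy) for each packet."""
    subnets = fake_subnets(nodes)
    return [(p["dst"], select_policy(p["dst"], subnets)) for p in packets]


if __name__ == "__main__":
    for dst, policy in classify_packets(SAMPLE_PACKETS):
        print(f"{dst:24} -> {policy}")
```

Because the match is on the subnet prefix rather than the exact decoy address, 192.0.2.77 is handled by the fake-network policy even though no decoy node has that address; a subnet that contains decoy nodes should therefore contain nothing else. A destination that fails to parse falls through to the firewall policy so that malformed input is never steered into the decoy network.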