Patent classifications
H04L45/655
Implementing a transition protocol in which a first rule set for routing packets received by a group of switches during a first time period is updated to a second rule set
A transition protocol is provided herein in which a first rule set for routing packets received by a group of switches during a first time period is to be updated to a second rule set. During a transition period, at least some switches in the group of switches route packets to a controller, while other switches in the group of switches route packets to a next hop that is unchanged by the change in the rule set. The controller forwards packets that are received from at least some of the switches in the group to a destination node of each of the packets, as determined from the updated rule set.
CONTROLLER WATCH PORT FOR ROBUST SOFTWARE DEFINED NETWORKING (SDN) SYSTEM OPERATION
A method by a first controller in a software defined networking (SDN) network for programming a switch in the SDN network to use a controller port as a watch port. The method includes generating an instruction for the switch to create a first group entry for a first group in a packet processing pipeline of the switch, where the first group entry includes a first bucket that specifies a first controller port as a watch port and an action for the switch to forward packets to the first controller via the first controller port, where the first controller port being specified as the watch port in the first bucket indicates that execution of the action specified by the first bucket is to be contingent upon a liveness of the first controller port, and sending the instruction to the switch to cause the switch to create the first group entry.
SOFTWARE DEFINED NETWORK (SDN) APPLICATION INTEGRITY
A Software-Defined Network (SDN) authorizes Application Programming Interface (API) calls from user SDN applications to user SDN controllers. A user SDN application transfers an embedded code to an authorization SDN controller. The authorization SDN controller translates the embedded code into an SDN controller network address and an SDN application privilege data set. The authorization SDN controller transfers the SDN controller network address to the user SDN application. The authorization SDN controller transfers the SDN application privilege data set to the user SDN controller. The user SDN application transfers an SDN API call to the user SDN controller using the SDN controller network address. The user SDN controller determines if the SDN API call is authorized by the SDN application privilege data set. The user SDN controller services the API call if the SDN API call is authorized and inhibits an unauthorized API call.
Packet Processing Method, Apparatus, System, and Device, and Storage Medium
A packet processing method includes a first network device receiving a first Bit Index Explicit Replication (BIER) packet including a first BIER header. When the first BIER packet is a packet sent to a second network device, and in response to determining that the second network device is an edge node device in a BIER communication network and does not support BIER packet forwarding, the first network device determines a target label used for a reverse path forwarding (RPF) check, updates the first BIER packet to obtain a second BIER packet, where the second BIER packet includes the target label but does not include the first BIER header, and sends the second BIER packet to the second network device.
SERVICE HANDLING IN SOFTWARE DEFINED NETWORKING BASED CONTAINER ORCHESTRATION SYSTEMS
A method by a software defined networking (SDN) controller to configure a switch to perform translation module bypass in a container orchestration system. The method includes receiving a translation rule for a flow from a load balancer, sending translation module bypass instructions to a switch in response to receiving the translation rule for the flow, where the translation module bypass instructions include instructions for the switch to stop sending packets belonging to the flow to the translation module and to apply a network address translation specified by the translation rule for the flow to the packets belonging to the flow, and sending an indication to the load balancer that the packets belonging to the flow are to bypass the translation module to cause the load balancer to disable timeout processing for the flow in the translation module.
Service Packet Transmission Method and Device
A service packet transmission method includes: a control device delivers respective attribute information of at least two transmission paths to a first forwarding device. In this way, after obtaining traffic requirement information, the first forwarding device may determine, based on the traffic requirement information and the respective attribute information of the transmission paths, a first transmission path that meets a traffic requirement. Then, the first transmission path sends a received service packet to a second forwarding device through the first transmission path.
APPARATUS AND METHOD OF GENERATING LOOKUPS AND MAKING DECISIONS FOR PACKET MODIFYING AND FORWARDING IN A SOFTWARE-DEFINED NETWORK ENGINE
Embodiments of the present invention relate to a Lookup and Decision Engine (LDE) for generating lookup keys for input tokens and modifying the input tokens based on contents of lookup results. The input tokens are parsed from network packet headers by a Parser, and the tokens are then modified by the LDE. The modified tokens guide how corresponding network packets will be modified or forwarded by other components in a software-defined networking (SDN) system. The design of the LDE is highly flexible and protocol independent. Conditions and rules for generating lookup keys and for modifying tokens are fully programmable such that the LDE can perform a wide variety of reconfigurable network features and protocols in the SDN system.
FLOW TABLE PROCESSING METHOD AND RELATED DEVICE
Embodiments of the present invention disclose a flow table processing method. The method is applied to a virtual switch that is connected to M virtual machines and N network interface cards. The method may include establishing a mapping relationship between N port identifiers of N logical ports corresponding to the N network interface cards and a target port identifier, to aggregate the N logical ports into a first port, where the logical port corresponding to each network interface card is a logical port formed by aggregating physical ports of each network interface card based on a link aggregation control protocol (LACP). The method may also include offloading an exact match flow table to the N network interface cards through the first port.
REMOTE CONTROLLER SOURCE ADDRESS VERIFICATION AND RETENTION FOR ACCESS DEVICES
Systems and methods for source address verification and/or retention for access devices.