Patent classifications
H04L47/17
FORWARDING NETWORK TRAFFIC ASSOCIATED WITH A SECURITY CLASSIFICATION VIA A ROUTING PATH ASSOCIATED WITH THE SECURITY CLASSIFICATION
In some implementations, a network device may determine, based on a routing table, a plurality of routing paths from the network device to another network device, wherein the plurality of routing paths are respectively associated with a plurality of security classifications. The network device may receive network traffic that is destined for the other network device and that is associated with a particular security classification of the plurality of security classifications. The network device may forward the network traffic based on a particular routing path, of the plurality of routing paths, that is associated with the other network device and the particular security classification.
Processing Packets by an Offload Platform Adjunct to a Packet Switching Device
In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router, and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and including each of one or more next-hop nodes of the router represented as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing per its routing information base.
SYSTEMS AND METHODS FOR SCALABLE VALIDATION OF MULTIPLE PATHS IN A NETWORK USING SEGMENT ROUTING
Systems, methods, and computer-readable media are disclosed for a scalable process for validating multiple paths used for routing network traffic in a network using segment routing. In one aspect, a method includes identifying, by a first network hop, one or more second network hops; for each of the one or more second network hops, determining a corresponding flow label, the corresponding flow label including a corresponding test packet for validating packet forwarding between the first network hop and a corresponding second network hop; and performing a validation process for validating packet forwarding from the first network hop to the corresponding second network hop using at least the corresponding flow label. The method further includes determining a queue of additional network hops to be validated based on a result of the validation process, and iteratively validating packet forwarding for each additional network hop in the queue.
PROVIDING SERVICES WITH GUEST VM MOBILITY
Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node. In such embodiments, the service forwarding plane does not have a port that directly receives data messages from, or supplies data messages to, any guest machine. Instead, in some such embodiments, data associated with a guest machine is routed to a port proxy module executing on the same host computer, and this other module has a service plane port. This port proxy module in some embodiments indirectly can connect more than one guest machine on the same host to the service plane (i.e., can serve as the port proxy module for more than one guest machine on the same host).
PACKET TRANSMISSION METHOD, APPARATUS, DEVICE, AND READABLE STORAGE MEDIUM
This application discloses a packet transmission method, an apparatus, a device, and a readable storage medium, and relates to the field of communication technologies. The method applied to a second network device includes: First, a first packet sent by a first network device is received, and then a second packet, a first dwell time period, and a second dwell time period are obtained based on the first packet. Then, a time difference between the second dwell time period and the first dwell time period is determined. Then, a third dwell time period and a fourth dwell time period are determined, to encapsulate the third dwell time period, the fourth dwell time period, and the second packet to obtain a third packet.