H04L49/208

PARALLEL DATA PROCESSING FOR SERVICE FUNCTION CHAINS SPANNING MULTIPLE SERVERS

Systems, computer-readable media, and methods are disclosed for parallel data processing for service function chains with network functions spanning multiple servers. An example system includes a first server hosting a first network function of a service function chain, a second server hosting a second network function of the service function chain, a mirror function deployed in a first switch to replicate a plurality of packets received by the system and to send respective copies of the plurality of packets to the first network function and to at least one of the second network function and a third network function of the service function chain, and a merge function deployed in a second switch to merge respective outputs of the first network function and the at least one of the second network function and the third network function.

Port mirroring in a virtualized computing environment
10684885 · 2020-06-16

A method for a hypervisor supported by a source host to implement a port mirroring session in a virtualized computing environment includes receiving a packet passing through a first virtual port supported by the source host, wherein the packet is destined for a destination virtual machine on a destination host. The method also includes, based on a first media access control (MAC) address of a first virtual network interface controller (VNIC) associated with a first monitoring virtual machine (VM), obtaining a first IP address associated with a first host that supports the first VNIC and the first monitoring VM; generating a port mirroring packet with the first IP address and a mirrored copy of the packet, wherein the port mirroring packet comprises a first Generic Network Virtualization Encapsulation (Geneve) base header, which includes the first MAC address; and transmitting the port mirroring packet to the first host.

FABRIC CONTROL PROTOCOL FOR DATA CENTER NETWORKS WITH PACKET SPRAYING OVER MULTIPLE ALTERNATE DATA PATHS

A fabric control protocol is described for use within a data center in which a switch fabric provides full mesh interconnectivity such that any of the servers may communicate packet data for a given packet flow to any other of the servers using any of a number of parallel data paths within the data center switch fabric. The fabric control protocol enables spraying of individual packets for a given packet flow across some or all of the multiple parallel data paths in the data center switch fabric and, optionally, reordering of the packets for delivery to the destination. The fabric control protocol may provide end-to-end bandwidth scaling and flow fairness within a single tunnel based on endpoint-controlled requests and grants for flows. In some examples, the fabric control protocol packet structure is carried over an underlying protocol, such as the User Datagram Protocol (UDP).

Deduplication of mirror traffic in analyzer aggregation network
20200145315 · 2020-05-07

A network switch includes multiple ports that serve as ingress ports and egress ports for connecting to a communication network, and processing circuitry. The processing circuitry is configured to receive packets via the ingress ports, select one or more of the packets for mirroring, create mirror copies of the selected packets and output the mirror copies for analysis, mark the packets for which mirror copies have been created with mirror-duplicate indications, and forward the packets to the egress ports, including the packets that are marked with the mirror-duplicate indications.

Packet control method and packet control device
10637798 · 2020-04-28

A packet control device includes a processor that receives a first packet to be input or output through a port. The processor determines whether the first packet is to be mirrored. The processor determines, upon determining that the first packet is to be mirrored, whether the first packet has been mirrored, based on a value of an area of the first packet. Upon determining that the first packet has not been mirrored, the processor generates a second packet by duplicating the first packet, sets a first value indicating completion of mirroring to the area of the second packet, transfers the second packet to a transfer destination, and transmits the first packet to a transmission destination. Upon determining that the first packet has been mirrored, the processor sets a second value indicating incompletion of mirroring to the area of the first packet, and transmits the first packet to the transmission destination.

Relay device
10630609 · 2020-04-21

A relay device is usable as one of a plurality of relay devices providing a communication network. Each of the plurality of relay devices has a plurality of ports including at least two redundant ports. The relay device includes a determining unit, a copying unit and a selecting unit. The selecting unit is configured to compare the traffic of the at least two redundant ports when the determining unit determines that a port mirroring instruction transmitted from a diagnostic device is received by any of the at least two redundant ports. The selecting unit is configured to select an output redundant port from among the at least two redundant ports, based on the comparison result, to output a mirror frame copied by the copying unit, and to output the mirror frame from the output redundant port to transfer the mirror frame to the diagnostic device.

Forwarding action redirection

Provided are systems and methods for modifying a forwarding decision for a packet being processed by a network device. The forwarding decision can include a final determination whether to forward the packet from the network device and onto a network. In various implementations, an integrated circuit device of the network device can receive packet information for the packet, where the packet information includes a forwarding decision. The forwarding decision can include a decision type. The integrated circuit device can further determine redirection information using the decision type. The redirection information can include a redirection entry for each of one or more decision types. The integrated circuit device can further modify the packet information using values from the redirection entry corresponding to the decision type, excluding modification of values associated with an outbound packet header that can be used to forward the packet.

Built in alternate links within a switch

The network switch architecture permits modifications to the network topology in real time without the need for manual intervention. In this architecture, a switching core is capable of switching data paths directly from the ingress or egress of the switching core to alternate destination ports in real time, either under software or hardware control.

Network Device Isolation For Access Control and Information Security
20200059473 · 2020-02-20

A system includes a switch, a network authentication server (NAS), and a threat management server. The NAS sends a device identifier for an endpoint device to the threat management server in response to the device connecting to a port on the switch. The threat management server determines that the endpoint device is present in a device log file. The threat management server determines that the number of times the endpoint device has failed authentication exceeds a first threshold value within a first time period and that the number of times the endpoint device has passed authentication is less than a second threshold value within a second time period. The threat management server determines that the endpoint device does not have a lease for the port on the switch and sends a reroute command to the switch to redirect traffic associated with the endpoint device to a safe zone.

METHOD OF TRANSFERRING MIRROR PACKET AND SYSTEM FOR TRANSFERRING MIRROR PACKET
20200053024 · 2020-02-13

A computer-implemented method of transferring a mirror packet includes obtaining a first mirror packet and transferring it based on a first virtual local area network identifier added to the first mirror packet. When only a first port permits passage of a mirror packet to which the first virtual local area network identifier is added, the first mirror packet is transferred to the first port. When a plurality of ports permit passage of a mirror packet to which the first virtual local area network identifier is added, the first mirror packet is transferred to a second port, included in the plurality of ports, for which only a single destination address is registered.