A data flow is received at a network processor that includes a plurality of frames. A first set of frames in the plurality of frames are passed from the network processor to a general processor for processing by the general processor. A flow acceleration request is received at the network processor from the general processor based at least in part on inspection of a first frame in the first set of frames. The flow acceleration request is received subsequent to passing at least two of the first set of frames to the general processor. A particular frame in the plurality of frames received subsequent to the first set of frames is processed by the network processor such that it is accelerated relative to processing of the first set of frames by the general processor and bypasses the general processor.

A method for creating a secure link between any two endpoints in a network comprises: assigning a unique identifier to each endpoint of a network; for each endpoint in the network, transmitting the unique identifiers associated with each of the remaining endpoints in the network to said endpoint; establishing a secure link between a source endpoint and a destination comprising: transmitting a data-session establishment packet from the source endpoint to the destination endpoint via a symmetric NAT device; wherein the data-session establishment packet comprises the unique identifier associated with the source endpoint; performing a matching operation at the destination endpoint to match the unique identifier associated with the source endpoint with a unique identifier known to the destination endpoint; and upon matching of unique identifiers then creating a forwarding table entry for the destination endpoint based on the source address and source port associated with the source endpoint.

An exact-match flow table structure stores flow entries. Each flow entry includes a Flow Id. A flow entry is generated from an incoming packet. The flow table structure determines whether there is a stored flow entry, the Flow Id of which is an exact-match for the generated Flow Id. In one novel aspect, a programmable reduce table circuit is used to generate a Flow Id. A selected subset of bits of an incoming packet is supplied as an address to an SRAM, so that the SRAM outputs a data value. The data value is supplied to a programmable lookup circuit such that the lookup circuit performs a selected type of lookup operation, and outputs a result value of a reduced number of bits. A multiplexer circuit is used to form a Flow Id such that the result value is a part of the Flow Id.

A method and an apparatus for transmitting data and a network device are provided. In an example of the method, after an interface board and a logical channel both corresponding to first data to be sent are determined, when the logical channel has a capability to send the first data, second data is obtained by adding header information of an interface board identifier and a logical channel identifier to the first data, and stored in a buffer corresponding to the logical channel. Next, when the second data is sent, the second data is read from the buffer, the interface board identifier and the logical channel identifier are obtained from the header information of the read second data, the first data is obtained by removing the header information from the read second data, and the obtained first data is sent to the interface board corresponding to the interface board identifier.

System and method for supporting multiple concurrent SL to VL mappings in a high performance computing environment. In accordance with an embodiment, systems and methods can provide for two or more SL to VL mappings per ingress switch port in a network switched fabric. By allowing for multiple such mappings, greater virtual lane independence can be achieved while continuing to achieve quality of service guarantees.

System and method for supporting a partitioned switch forwarding table in a high performance computing environment. Described methods and systems can support partitioned switch forwarding tables (e.g., partitioned LFTs) by setting up hardware registers that divide the LFT into at least two partitions, a first partition that supports legacy forwarding (e.g., standard LID based forwarding without the need to use portions of the GRH), and a second partition to support the GRH based forwarding that is described above. In such a manner, switches and other hardware within a core fabric can behave as legacy nodes/switches having standard LFTs, while also being able to support the extended addressing supplied through the use of portions of the GRH.

Methods and devices for processing packets are provided. The processing device may include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

A method of sending data to a switch fabric includes assigning a destination port of an output module to a data packet based on at least one field in a first header of the data packet. A module associated with a first stage of the switch fabric is selected based on at least one field in the first header. A second header is appended to the data packet. The second header includes an identifier associated with the destination port of the output module. The data packet is sent to the module associated with the first stage. The module associated with the first stage is configured to send the data packet to a module associated with a second stage of the switch fabric based on the second header.

A first set of bits is extracted from a header of a first packet. A second set of bits is extracted from a header of a second packet. The first set of bits and the second set of bits are combined into a combined single data unit representing the first packet and the second packet. The combined single data unit is transferred to a packet processing device. The packet processing device decomposes the single data unit to extract the first set of bits corresponding to the first packet and the second set of bits corresponding to the second packet. A first reduced set of processing operations is performed to process the first packet using the first set of bits corresponding to the first packet. A second reduced set of processing operations is performed to process the second packet using the second set of bits corresponding to the second packet.

Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node. In such embodiments, the service forwarding plane does not have a port that directly receives data messages from, or supplies data messages to, any guest machine. Instead, in some such embodiments, data associated with a guest machine is routed to a port proxy module executing on the same host computer, and this other module has a service plane port. This port proxy module in some embodiments indirectly can connect more than one guest machine on the same host to the service plane (i.e., can serve as the port proxy module for more than one guest machine on the same host).