H04L49/3063

Logical router with multiple routing components

Some embodiments provide a method for implementing a logical router in a network. The method receives a definition of a logical router for implementation on a set of network elements. The method defines several routing components for the logical router. Each of the defined routing components includes a separate set of routes and a separate set of logical interfaces. The method implements the several routing components in the network. In some embodiments, the several routing components include one distributed routing component and several centralized routing components.

Messaging between remote controller and forwarding element

Some embodiments of the invention provide a forwarding element that can be configured through in-band data-plane messages from a remote controller that is a physically separate machine from the forwarding element. The forwarding element of some embodiments has data plane circuits that include several configurable message-processing stages, several storage queues, and a data-plane configurator. A set of one or more message-processing stages of the data plane are configured (1) to process configuration messages received by the data plane from the remote controller and (2) to store the configuration messages in a set of one or more storage queues. The data-plane configurator receives the configuration messages stored in the set of storage queues and configures one or more of the configurable message-processing stages based on configuration data in the configuration messages.

End-to-end cache for network elements

A method in a network element includes processing input packets using a set of two or more functions that are defined over parameters of the input packets. Each function in the set produces respective interim actions applied to the input packets and the entire set produces respective end-to-end actions applied to the input packets. An end-to-end mapping, which maps the parameters of at least some of the input packets directly to the corresponding end-to-end actions, is cached in the network element. The end-to-end mapping is queried with the parameters of a new input packet. Upon finding the parameters of the new input packet in the end-to-end mapping, an end-to-end action mapped to the found parameters is applied to the new input packet, without processing the new input packet using the set of functions.

DATA PACKET PROCESSING SYSTEM ON A CHIP
20220038385 · 2022-02-03

An on-chip data packet processing method and corresponding integrated circuit, wherein data packets are received at an ingress port and processed with an on-chip wire-speed engine. The processing comprises adding metadata to the data packets, forwarding the processed data to an on-chip QoS unit, altering the metadata of the data packets and/or providing further metadata to the data packets. The data packets are forwarded from the on-chip QoS unit to an on-chip data consumer. If the data consumer is a processing unit the data packets are processed in a first processing step, redirected from the processing unit to the QoS unit and the step of forwarding the data packets to an on-chip data consumer is repeated.

APPARATUS AND METHOD FOR SUPPORTING MULTIPLE VIRTUAL SWITCH INSTANCES ON A NETWORK SWITCH
20170237691 · 2017-08-17

A network switch to support multiple virtual switch instances comprises a control CPU configured to run a plurality of network switch control stacks, wherein each of the network switch control stacks is configured to manage and control operations of one or more virtual switch instances of a switching logic circuitry of the network switch. The network switch further includes said switching logic circuitry partitioned into a plurality of said virtual switch instances, wherein each of the virtual switch instances is provisioned and controlled by one of the network switch control stacks and is dedicated to serve and route data packets for a specific client of the network switch.

Command injection to hardware pipeline for atomic configuration

A command processing system facilitates pipeline configuration. Each stage of a packet processing pipeline may access certain memory locations for processing of a data packet as it passes through each stage. The command processing system facilitates changing the memory locations in an atomic manner.

AUTOMOTIVE PACKET DATA SWITCH WITH PIPELINE DIVERSITY

Embodiments of a method and device are disclosed. In an embodiment, an in-vehicle network interface device includes a data port to send and receive data packets, a plurality of packet processing pipelines coupled to the data port, each to inspect a single data packet to determine an action to perform on the single data packet, and a safety module to receive the determined action from each packet processing pipeline and to select one of the determined actions to perform on the single data packet and to cause a selected one of the packet processing pipelines to perform the selected action.

TECHNIQUES FOR INSTRUCTION PERTURBATION FOR IMPROVED DEVICE SECURITY

Methods, systems, and devices for techniques for instruction perturbation for improved device security are described. A device may assign a set of executable instructions to an instruction packet based on a parameter associated with the instruction packet, and each executable instruction of the set of executable instructions may be independent from other executable instructions of the set of executable instructions. The device may select an order of the set of executable instructions based on a slot instruction rule associated with the device, and each executable instruction of the set of executable instructions may correspond to a respective slot associated with memory of the device. The device may modify the order of the set of executable instructions in a memory hierarchy post pre-decode based on the slot instruction rule and process the set of executable instructions of the instruction packet based on the modified order.

NETWORK TRAFFIC FLOODING FOR UNKNOWN DATA-LINK TO TRANSPORT MAPPING SCENARIOS
20210409293 · 2021-12-30

A method and network device for network traffic flooding. Specifically, the method and network device disclosed herein implement the mitigation of the lack of data-link layer (or L2) addressing resolutions, usually learned by or programmed manually into the network device, through the flooding of affected network traffic across identified network broadcast domains. Flooding of the network traffic in the aforementioned manner may ensure that at least the destination(s) of the network traffic receives the network traffic, at least in scenarios where it is unknown out of which particular physical network interface(s) the network traffic should be transmitted to reach the destination(s).

METHODS AND SYSTEMS FOR CLASSIFYING TRAFFIC FLOWS BASED ON PACKET PROCESSING METADATA
20210409316 · 2021-12-30

Methods and systems for directing traffic flows to a fast data path or a slow data path are disclosed. Parsers can produce packet header vectors (PHVs) for use in match-action units. The PHVs are also used to generate feature vectors for the traffic flows. A flow training engine produces a classification model. Feature vectors input to the classification model result in output predictions predicting if a traffic flow will be long lived or short lived. The classification models are used by network appliances to install traffic flows into fast data paths or the slow data paths based on the predictions.