Patent classifications
H04L49/354
METHODS AND SYSTEMS FOR PROCESSING NETWORK PACKETS USING A SERVICE DEVICE IN A SMART SWITCH
A network appliance or smart switch can include service devices as well as a switching device, such as those used in high-speed switches, that has limited processing ability and is stateless with respect to sessions. Service devices can provide stateful and complex processing. A first exposed port of a switching device can receive network packets and can determine which network packets the service devices are to process to produce processed network packets. A network packet can be sent to a service device in a redirected packet. A processed network packet can be received from a service device in a reinjected packet that is used to recover a port identifier of the first exposed port. The port identifier can be used to determine a network destination of the processed network packet. The processed network packet can be sent from a second exposed port of the switching device toward the network destination.
PTP TRANSPARENT CLOCK WITH INTER-VLAN FORWARDING
There is described a Precision Time Protocol (“PTP”) transparent clock for inter-VLAN forwarding comprising a Layer 2 switch and a PTP module. The switch includes a first port associated with a first VLAN and a second port associated with a second VLAN. The switch detects a PTP frame at the first port and the PTP module receives the PTP frame. The switch forwards the PTP frame to the second port in response to the PTP module determining that the PTP frame is a forwardable frame. For another embodiment, the switch includes a ternary content-addressable memory (“TCAM”), and the PTP module configures the TCAM to include forwarding rules. The Layer 2 switch forwards the PTP frame to the second port in response to identifying a particular forwarding rule associated with forwarding the PTP frame.
Mechanism for hitless resynchronization during SDN controller upgrades between incompatible versions
A method is implemented by a switch in a software defined networking (SDN) network managed by a controller to achieve hitless resynchronization during a controller upgrade. The method includes installing an upgraded set of flow entries so that a packet processing pipeline of the switch includes both a non-upgraded set of flow entries and the upgraded set of flow entries, processing non-tunneled packets using the non-upgraded set of flow entries, processing tunneled packets that have a tunnel upgrade status indicator set in a tunnel header using the non-upgraded set of flow entries, while processing tunneled packets that do not have a tunnel upgrade status indicator set in a tunnel header using the upgraded set of flow entries, and processing non-tunneled packets using the upgraded set of flow entries after all switches managed by the controller have installed upgraded flow entries.
Service insertion in public cloud environments
Example methods are provided for a network device to perform service insertion in a public cloud environment that includes a first virtual network and a second virtual network. In one example method, in response to receiving a first encapsulated packet from a first virtualized computing instance located in the first virtual network, the network device may generate a decapsulated packet by performing decapsulation to remove, from the first encapsulated packet. The method may also comprise identifying a service path specified by a service insertion rule, and sending the decapsulated packet to the service path to cause the service path to process the decapsulated packet according to one or more services. The method may further comprise: in response to the network device receiving the decapsulated packet processed by the service path, sending the decapsulated packet, or generating and sending a second encapsulated packet, towards a destination address.
Scalable anonymous disposable desktops (SADD)
Information security and privacy are the most critical aspects of the Internet. The majority of the individuals that have access to the Internet have great difficulty understanding the basics of computers and how they work. This limits the ability of Internet users to protect themselves and their information while browsing the Internet. With the creation and testing of SADD (Scalable Anonymous Disposable Desktops), Internet users no longer have to worry about protecting their computer or privacy.
Providing recommendations for implementing virtual networks
Some embodiments provide a novel method for deploying different virtual networks over several public cloud datacenters for different entities. For each entity, the method (1) identifies a set of public cloud datacenters of one or more public cloud providers to connect a set of machines of the entity, (2) deploys managed forwarding nodes (MFNs) for the entity in the identified set of public cloud datacenters, and then (3) configures the MFNs to implement a virtual network that connects the entity's set of machines across its identified set of public cloud datacenters. In some embodiments, the method identifies the set of public cloud datacenters for an entity by receiving input from the entity's network administrator. In some embodiments, this input specifies the public cloud providers to use and/or the public cloud regions in which the virtual network should be defined. Conjunctively, or alternatively, this input in some embodiments specifies actual public cloud datacenters to use.