Patent classifications
H04L49/1546
Managed switch architectures: software managed switches, hardware managed switches, and heterogeneous managed switches
Some embodiments of the invention provide a method of processing packets associated with a logical switching element implemented by multiple physical switching elements executing on multiple host computers on which multiple machines execute. At a first physical switching element of a first host computer, the method receives a packet from a first machine associated with the logical switching element. For the packet, the method identifies a logical ingress port of the logical switch that is associated with the packet. For the packet, the method also uses the logical ingress port to identify a logical egress port of the logical switch that is associated with the packet. For the packet, the method also uses the logical egress port to identify a physical egress port of the first host computer to use to send the packet along to a second machine associated with the logical egress port. From the identified physical egress port, the method forwards the packet with an encapsulating header that stores the logical egress port.
Programmable virtual network interface controller (VNIC)
Example methods and systems for a programmable virtual network interface controller (VNIC) to perform packet processing are described. In one example, the programmable VNIC may modify a packet processing pipeline based on the instruction. The modification may include injecting a second packet processing stage among the multiple first packet processing stages of the packet processing pipeline. In response to detecting an ingress packet that requires processing by the programmable VNIC, the ingress packet may be steered towards the modified packet processing pipeline. The ingress packet may then be processed using the modified packet processing pipeline by performing the second packet processing stage (a) to bypass at least one of the multiple first processing stages, or (b) in addition to the multiple first processing stages.
HIGH PERFORMANCE ARCHITECTURE FOR CONVERGED SECURITY SYSTEMS AND APPLIANCES
In some aspects, the disclosure is directed to methods and systems for providing an architecture for building high performance silicon components that support a rich set of networking and security features. In many implementations, the architecture splits network and security functions into two functional and logical blocks (which may physically be on the same die or integrated circuit in some implementations, or may be split on separate integrated circuits). The network functions may be executed via an integrated network interface card and accelerator subsystem with a high throughput execution pipeline. Security functions may be executed asynchronously from the network processing functions, in many implementations.
NETWORK DEVICE AND METHOD FOR SWITCHING, ROUTING AND/OR GATEWAYING DATA
A communication network comprises a central processing unit, data ingress ports and data egress ports configured to exchange data with a further network device of the communication network, and a plurality of co-processors that comprises frame normalization co-processors, ingress queuing co-processors, filtering and policing co-processors, intermediate queuing co-processors, a gatewaying co-processor, egress queuing co-processors, and a traffic shaping co-processor. The central processing unit configures and controls the data ingress ports, the data egress ports, and the plurality of co-processors to implement data processing paths in parallel or in a pipeline between the ingress ports and the egress ports.
Method and apparatus for interacting with a network information base in a distributed network control system with multiple controller instances
A control system including several controllers for managing several switching elements. A first controller registers a second controller for receiving a notification when a data tuple changes in a network information base (NIB) storage of the first controller that stores data for managing a set of switching elements. The first controller changes the data tuple in the NIB. The first controller sends the notification to the second controller of the change to the data tuple in the NIB. The first and second controllers operate on two different computing devices. Each controller receives logical control plane data for specifying logical datapath sets and converts the logical control plane data to physical control plane data for enabling the switching elements to implement the logical datapath sets.
Distributed network control system with one master controller per logical datapath set
A method of implementing a logical switching element. The method generates data for programming a set of two or more physical forwarding elements to implement the logical switching element. The method uses a first controller to distribute at least a first portion of the generated data to a first plurality of physical forwarding elements in the set of physical forwarding elements. The first controller serves as the master controller for the first plurality of physical forwarding elements. The method uses a second controller to distribute at least a second portion of the generated data to a second plurality of physical forwarding elements in the set of physical forwarding elements. The second controller serves as the master controller for the second plurality of physical forwarding elements.
Protocol independent programmable switch (PIPS) for software defined data center networks
A software-defined network (SDN) system, device and method comprise one or more input ports, a programmable parser, a plurality of programmable lookup and decision engines (LDEs), programmable lookup memories, programmable counters, a programmable rewrite block and one or more output ports. The programmability of the parser, LDEs, lookup memories, counters and rewrite block enables a user to customize each microchip within the system to particular packet environments, data analysis needs, packet processing functions, and other functions as desired. Further, the same microchip is able to be reprogrammed for other purposes and/or optimizations dynamically.