When a network grows large enough, it becomes useful to centralize certain network resources. The resources may then be shared between assets within the network (e.g., network devices), which may be more efficient than the assets individually performing the tasks assigned to the centralized resources. In various examples, these centralized resources may perform a variety of functions relating to encryption, software defined network control, proxy services, quality of service, law enforcement, logging, and so forth. One technique for providing access to these types of shared resources is known as service insertion.
One example service insertion model begins with a packet entering a network. In various examples, the packet may enter the network at a networking device (e.g., switch, router, wireless access point). The packet may enter the network from, for example, an external source, a source inside of the network, and so forth. At this point, instead of forwarding the packet towards its ultimate destination, the networking device may forward the packet via a service insertion tunnel to a device that performs an inserted service. After the inserted service has been performed, the packet may be returned to the networking device via the reverse path of the service insertion tunnel so the packet may continue on its path to its ultimate destination. Consequently, the inserted service appears to operate as if it were performed by the networking device originating the service insertion tunnel, instead of at a device performing the inserted service.
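The packet path described above, modelled as an added Python example that is not part of the original text. The class names, the sample addresses, the choice of logging as the inserted service, and the check that a returned frame arrived on the tunnel's reverse path are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class TunnelFrame:
    outer_src: str  # tunnel endpoint that sent the frame
    outer_dst: str  # tunnel endpoint that should receive it
    inner: Packet   # original packet, carried unchanged

class ServiceDevice:
    """Hypothetical shared device; the inserted service here is logging."""
    def __init__(self, addr):
        self.addr, self.log = addr, []

    def handle(self, frame):
        p = frame.inner
        self.log.append((p.src, p.dst, len(p.payload)))
        # Reverse path: swap the outer addresses, leave the inner packet alone.
        return TunnelFrame(self.addr, frame.outer_src, p)

class NetworkDevice:
    """Hypothetical switch/router that originates the service insertion tunnel."""
    def __init__(self, addr, service):
        self.addr, self.service, self.trace = addr, service, []

    def ingress(self, pkt):
        self.trace.append("ingress")
        frame = TunnelFrame(self.addr, self.service.addr, pkt)
        self.trace.append("tunnel-out")
        back = self.service.handle(frame)
        # Assumption: only frames on this tunnel's reverse path are accepted.
        if (back.outer_src, back.outer_dst) != (self.service.addr, self.addr):
            raise ValueError("frame not on reverse tunnel path")
        self.trace.append("tunnel-return")
        self.trace.append("forward")
        return back.inner  # continues toward pkt.dst as if serviced locally

def run_demo():
    # Constructed sample addresses (documentation ranges) and payload.
    svc = ServiceDevice("192.0.2.10")
    sw = NetworkDevice("192.0.2.1", svc)
    pkt = Packet("198.51.100.7", "203.0.113.9", b"hello")
    return pkt, sw.ingress(pkt), sw.trace, svc.log
```

The forwarded packet is identical to the one that entered, so downstream devices see only the networking device, while the service device holds the log record.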