H04L45/00

Techniques for data routing and management using risk classification and data sampling

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Controller, computer program and method for calculating host specific network paths
11711295 · 2023-07-25

A method of calculating a new route for a media data traffic flow on a computer network when a device is connected to the network, the network comprising a first and a second network switch connected by a link, the method comprising: determining whether media data traffic already flows between the first and second network switch over the link; applying a weighting to the link whose value is based on whether media data traffic already flows over the link; and determining the new route for media data traffic by using a least cost path generation algorithm using the weighting.

Packet processing method and gateway device

A packet processing method and a gateway device are provided. The method includes the following: a first gateway device receives, by using a first link, a first one-arm BFD echo packet returned by a network device, where the first one-arm BFD echo packet includes identification information, and the identification information is used to uniquely identify a second gateway device. The first gateway device determines, based on the identification information, to forward the first one-arm BFD echo packet to the second gateway device. The first gateway device sends the first one-arm BFD echo packet to the second gateway device. The network device is multi-homed to the first gateway device and the second gateway device. The first gateway device and the second gateway device form a multi-active gateway. According to the method, the efficiency of detection by using a one-arm BFD echo session in a VXLAN multi-active gateway scenario is improved.

Virtual private network forwarding and nexthop to transport mapping scheme
20180013584 · 2018-01-11

A method is provided in one example embodiment and includes configuring on a network element a first tunnel from the network element to a first network, wherein the configuring comprises mapping a nexthop address of the local network element to a transport address of the tunnel on the network to create a first nexthop-to-transport mapping for the network element; and advertising the first nexthop-to-transport mapping along with routing information for the network element to remote network elements.

System and method for quality of service in a wireless network environment

On-demand quality of service guarantees are provided in a wireless network environment. The system determines an on-demand quality of service for a segment of a communication path between a user equipment communicating with a radio access network connected to a core network and an external network connected to the core network. The system then determines if the on-demand quality of service for the segment meets a quality of service requirement. If the on-demand quality of service for the segment does not meet the quality of service requirement, the system identifies an alternate communication path between the user equipment and the external network, wherein the alternate communication path differs from the communication path. The system can then set up the alternate communication path for traffic between the user equipment and the external network.

Progressive automation with predictive application network analytics

In one embodiment, a device uses a classification model to determine whether implementation of a routing change suggested by a predictive routing engine for a network will result in a violation of one or more network policies. The device computes a trust score, based on performance metrics for the classification model. The device causes, based in part on the trust score, implementation of the routing change in the network, when the classification model determines that application of the routing change will not result in a violation of the one or more network policies.

Per-provider origin pull

Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.

Fast rerouting using egress-port loopback

A network device includes processing circuitry and multiple ports. The multiple ports are configured to connect to a communication network. The processing circuitry is configured to select a first port among the multiple ports to serve as an egress port for a packet, and to forward the packet to the first port, irrespective of whether or not the first port is usable as the egress port. The processing circuitry is further configured to, when the first port is usable as the egress port, transmit the packet to the communication network via the first port, and when the first port is unusable as the egress port, forward the packet from the first port to a second port among the multiple ports and transmit the packet to the communication network via the second port.

Pre-filtering of traffic subject to service insertion
11711292 · 2023-07-25

The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.

Predictive routing using machine learning in SD-WANs

In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) obtains telemetry data from one or more edge devices in the SD-WAN. The service trains, using the telemetry data as training data, a machine learning-based model to predict tunnel failures in the SD-WAN. The service receives feedback from the one or more edge devices regarding failure predictions made by the trained machine learning-based model. The service retrains the machine learning-based model, based on the received feedback.