Systems and methods for connecting devices via a virtual global network are disclosed. In one embodiment the network system may comprise a first device in communication with a first endpoint device and a second device in communication with a second endpoint device. The first and second devices may be connected with a communication path. The communication path may comprise one or more intermediate tunnels connecting each endpoint device to one or more intermediate access point servers and one or more control servers.

A fabric manager includes: a processing unit having a service chain creation module configured to create a service chain by connecting some of a plurality of nodes via virtual links; wherein the some of the plurality of nodes represent respective network components of an auxiliary network configured to obtain packets from a traffic production network; and wherein the service chain is configured to control an order of the network components represented by the some of the plurality of nodes packets are to traverse.

A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, an apparatus, and a system, where a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection, and carries a destination Internet Protocol (IP) address. The controller collects statistical data reported by the first packet forwarding device, obtains, according to the statistical data, a statistical value of global traffic flowing to the destination IP address, and delivers a DDoS prevention policy to a second packet forwarding device based on a determining result that the statistical value of the global traffic exceeds the preset threshold. Correspondingly, the second packet forwarding device receives the DDoS prevention policy from the controller, and performs, according to the DDoS prevention policy, prevention process on the traffic flowing to the destination IP address.

An embedded communications network of a vehicle is a deterministic switched Ethernet network using virtual links, including a set of subscribers and a set of switches. A first subscriber is connected to a first switch and a third switch, and a second subscriber is connected to a second switch and to a fourth switch. A first virtual link is formed from the first subscriber to at least the second subscriber via a first subset of switches, and a second virtual link is formed from the first subscriber to at least the second subscriber via a second subset of switches, the switches of the first subset of switches all being separate from the switches of the second subset of switches. The communications network includes at least one connection, used by a third virtual link, between a switch of the first subset and a switch of the second subset.

Controller(s) in a software defined network (SDN) are able to determine a control path towards each network switch by performing a switch-originated discovery and using an in-band control network that is an overlay on the data network. A topology tree is maintained, where each controller being the root of the tree, and where messages from the root to any switch may pass through neighboring switches to reach that switch (and vice-versa). Each switch in the SDN attempts to connect to the controller when it does not have a readily configured control connection towards the controller. Once the controller learns about the presence of a new switch and at least one or more paths to reach that switch through a novel discovery process, it can select, adjust and even optimize the control path's route towards that switch.

A Software Defined Wide Area Network (SD-WAN) edge node is disclosed. The SD-WAN edge node includes edge node SD-WAN ports coupled to untrusted underlay networks. The SD-WAN edge node transmits a first Border Gateway Protocol (BGP) update message advertising WAN (Wide Area Network) properties of the edge node SD-WAN ports to a local controller via an encrypted channel over the untrusted underlay network. The SD-WAN edge node receives a second BGP update message from the local controller, the second BGP update message advertising WAN properties of peer node SD-WAN ports of a peer node. The SD-WAN edge node establishes a security association with the peer node over the untrusted underlay networks based on the WAN properties of the edge node SD-WAN ports and the WAN properties of the peer node SD-WAN ports.

A Software Defined Wide Area Network (SD-WAN) edge node is disclosed. The SD-WAN edge node includes edge node SD-WAN ports coupled to untrusted underlay networks. The SD-WAN edge node transmits a first Border Gateway Protocol (BGP) update message advertising WAN (Wide Area Network) properties of the edge node SD-WAN ports to a local controller via an encrypted channel over the untrusted underlay network. The SD-WAN edge node receives a second BGP update message from the local controller, the second BGP update message advertising WAN properties of peer node SD-WAN ports of a peer node. The SD-WAN edge node establishes a security association with the peer node over the untrusted underlay networks based on the WAN properties of the edge node SD-WAN ports and the WAN properties of the peer node SD-WAN ports.

A system for multicast packet management in a first switch in an overlay tunnel fabric is provided. The system can operate the first switch as part of a virtual switch in conjunction with a second switch of the fabric. The virtual switch can operate as a gateway for the fabric. During operation, the system can receive a join request for a multicast group. The system can then determine whether to forward the join request to the second switch based on a type of a first ingress connection of the join request. Upon receiving a data packet for the multicast group, the system can determine how to forward the data packet based on respective types of a second ingress connection and an egress connection of the data packet. The type of a respective connection can indicate whether the connection includes an overlay tunnel.

A system for multicast packet management in a first switch in an overlay tunnel fabric is provided. The system can operate the first switch as part of a virtual switch in conjunction with a second switch of the fabric. The virtual switch can operate as a gateway for the fabric. During operation, the system can receive a join request for a multicast group. The system can then determine whether to forward the join request to the second switch based on a type of a first ingress connection of the join request. Upon receiving a data packet for the multicast group, the system can determine how to forward the data packet based on respective types of a second ingress connection and an egress connection of the data packet. The type of a respective connection can indicate whether the connection includes an overlay tunnel.

The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.