Patent classifications
H04L45/76
Dynamic cascaded clustering for dynamic VNF
In an example, a server architecture is described for a dynamic cascaded node chain providing a resource cluster. The cascaded node chain may include one or more resource instances provisioned as a head node, zero or more middle nodes, and a tail node. Each node may include a discrete number of available resource entries in a flow table. As traffic enters the head node, each node attempts to match the traffic to an entry in its flow table. If no match is found, the packet is downlinked to the next node in the chain. If the packet reaches the tail node without a match, it is punted to the controller. The controller may then provision a matching entry if an entry is available. If not, the controller may spawn a new resource instance. When the full capacity of the cluster is reached, non-matching entries may be dropped.
NETWORK SERVICE ACCESS AND DATA ROUTING BASED ON ASSIGNED CONTEXT
The present technology discloses methods, systems, and non-transitory computer-readable media for defining, for a network primitive in a network domain, whether the network primitive can receive data carrying an assigned context associated from one or more source nodes through a software-defined wide area network (SDWAN) fabric overlay; advertising a capability of the network primitive, the capability stating whether the network primitive can receive the data carrying the assigned context; and controlling selective transmission of the data carrying the assigned context from the one or more source nodes to the network primitive through the SDWAN fabric overlay based on the capability of the network primitive to receive the data carrying the assigned context.
POLICY BASED ROUTING IN EXTRANET NETWORKS
Routing of a traffic in a fabric network may be provided. A first traffic may be received at a first node. It may be determined that the first traffic is coming from a provider virtual network. In response to determining that the first traffic is coming from the provider virtual network, it may be determined that a first subnet associated with the first traffic is associated with a subscriber virtual network. In response to determining that the first subnet associated with the first traffic is associated with the subscriber virtual network, a first virtual network associated with the first traffic may be changed to the subscriber virtual network. A lookup for the first traffic may be changed to a first virtual routing and forwarding of the subscriber virtual network.
Method and apparatus for enabling data path selection in a virtual home gateway
Embodiments of the present disclosure include methods and apparatuses for enabling data path selection. In an EPG, ILNP mobility signaling is received. The ILNP signaling may include a destination locator for a BNG. A signaling message is sent to the BNG in response to the received ILNP signaling. An acknowledgement is received from the BNG. Traffic is tunneled between a mobile device and a RGW over a LTE interface. In a BNG, a signaling message is received. A message is sent to a SDN controller. A notification is received from the SDN controller that configuration of a RGW to tunnel traffic over a LTE interface is complete. An acknowledgement is sent to an EPG. In a RGW, a message is received from a SDN controller. Traffic is tunneled between a NAS and an EPG over a LTE interface based on the message received from the SDN controller.
Managing network configuration through network path analysis
Features are disclosed for managing routing rules stored by a routing device and used to manage network traffic in a network. A computing device can receive multiple routing rules corresponding to multiple routing devices in the network. The computing device can use a formal specification and a snapshot to generate a model of the network. The computing device may use the model in order to statically determine the set of possible paths without causing the transmission of data between a routing device and a destination. The computing device may compare the identified routing rules and the possible paths in order to determine excess routing rules. The computing device may remove the excess routing rules from the routing rules for each routing device such that each routing device routes subsequent network traffic based on the updated routing rules.
CONTROLLER WATCH PORT FOR ROBUST SOFTWARE DEFINED NETWORKING (SDN) SYSTEM OPERATION
A method by a first controller in a software defined networking (SDN) network for programming a switch in the SDN network to use a controller port as a watch port. The method includes generating an instruction for the switch to create a first group entry for a first group in a packet processing pipeline of the switch, where the first group entry includes a first bucket that specifies a first controller port as a watch port and an action for the switch to forward packets to the first controller via the first controller port, where the first controller port being specified as the watch port in the first bucket indicates that execution of the action specified by the first bucket is to be contingent upon a liveness of the first controller port and sending the instruction to the switch to cause the switch to create the first group entry.
CONTROL DEVICE, CONTROL SYSTEM, CONTROL METHOD, AND CONTROL PROGRAM
A cloud controller performs, when an attack on a VM in any of data centers in a system is detected, setting of NAT of a private IP address of a VM(A), for a boundary router of each data center other than a data center that the VM(A) belongs to, the VM(A) being a victim. Next, the cloud controller performs setting for a redirecting device in the same data center as the VM(A), such that the redirecting device redirects access from a user terminal to a host under a boundary router of any of the respective data centers other than the data center. Thereafter, the cloud controller changes a private IP address of the VM(A) in a NAT setting of a boundary router of the data center to a private IP address of the redirecting device.
INDICATING A MASTER NETWORK CONTROLLER IN A VIRTUAL ROUTER REDUNDANCY PROTOCOL
The present disclosure relates to a network device that indicates a master network controller in a virtual redundant router protocol (VRRP) peer. In example implementations, the network device determines a bake-off time and refrains from sending packets during the bake-off time to a network. Also, the network device determines whether a first packet is received from the network. If either the bake-off time expires or the first packet is received from the network, the network device determines whether a spanning tree protocol (STP) convergence has completed. If so, the network device starts a VRRP state machine. If both the STP convergence has completed and the VRRP state machine has been started, the network device transmits a broadcast message indicating that the network device acts as a master network controller in the network.
METHOD FOR PROVIDING DISTRIBUTED GATEWAY SERVICE AT HOST COMPUTER
Some embodiments of the invention provide a novel network architecture for providing edge services of a virtual private cloud (VPC) at host computers hosting machines of the VPC. The host computers in the novel network architecture are reachable from external networks through a gateway router of an availability zone (AZ). The gateway router receives a data message from the external network addressed to one or more data compute nodes (DCNs) in the VPC and forwards the data message to a particular host computer identified as providing a distributed edge service for the VPC. The particular host computer, upon receiving the forwarded data message, performs the distributed edge service and provides the serviced data message to a destination DCN.