H04J1/16

TIME-BASED TRAFFIC ROUTING

The techniques described herein enable the use of a time factor for traffic management and routing. A system is configured to analyze traffic for a service over a period of time and identify (e.g., learn) traffic patterns that reflect a substantial effect on traffic during a particular real-world event. Using the traffic patterns identified via the analysis, the system can provide valuable time-based traffic information to service providers. A service provider can then create a predefined time-based profile that is used by a traffic manager to switch from a current traffic routing configuration to a different traffic routing configuration that better accommodates an expected traffic load for various endpoints. The predefined time-based profile specifies a scheduled time at which the switch is to occur, and this scheduled time can correspond to a start time for a real-world event that is known to cause an increase or decrease in traffic.

DISTRIBUTED PACKET CAPTURE

Techniques are disclosed for capturing network traffic in a distributed computing environment comprising a plurality of computing devices executing a plurality of Kubernetes pods. A customer resource definition defines one or more capture filters. Based on the capture filters, a configuration map object specifying data packets to be captured is generated. Capture sidecars are injected at the Kubernetes pods. At each Kubernetes pod the configuration map object is read and a capture of the specified data packets is initiated.

METHODS AND SYSTEMS FOR NETWORK FLOW TRACING WITHIN A PACKET PROCESSING PIPELINE

Network appliances can use packet processing pipeline circuits to implement network rules for processing network packet flows by configuring the pipeline's processing stages to execute specific policies for specific network packets in accordance with the network rules. Trace reports that indicate network rules implemented at specific processing stages can be more informative than those indicating policies implemented by the processing stages. A method implemented by a network appliance can store network rules for processing network flows by the processing stages of a packet processing pipeline circuit. The method can produce a trace report in response to receiving a trace directive for one of the network flows, wherein one of the processing stages has applied a network rule to a network packet in one of the network flows. The trace report can indicate the network rule in association with the processing stage and the network flow.

NETWORK IMPROVEMENT WITH REINFORCEMENT LEARNING
20230060623 · 2023-03-02

Intelligent, adaptive scheduling weight adjustment is enabled, e.g., to improve network performance. For instance, a non-transitory machine-readable medium can comprise executable instructions that, when executed by a processor, facilitate performance of operations, comprising: based on key performance indicators corresponding to data traffic flows via a network, determining quality of service data representative of respective qualities of service for the data traffic flows; using a scheduling weight data traffic model generated using machine learning and trained using past quality of service data representative of past qualities of service of past data traffic flows via the network, from prior to the data traffic flows, and past scheduling weight settings applied to the past data traffic flows, determining a scheduling weight setting to be applied to a data traffic flow of the data traffic flows; and applying the scheduling weight setting to the data traffic flow.

DETECTION OF PARALLEL REDUNDANCY PROTOCOL TRAFFIC IN SOFTWARE DEFINED NETWORKS

This disclosure pertains to systems and methods for identifying and configuring a host in a software defined network (SDN) configured to communicate using a parallel redundancy protocol (PRP). In one embodiment, a system may include a first communication host and a second communication host configured to transmit information through a network. An SDN controller in communication with the network may include a PRP identification subsystem to monitor traffic transmitted by the first communication host to the second communication host and determine that the traffic comprises at least one data packet that conforms to PRP. Upon detection of a host configured to use PRP, a traffic routing subsystem creates a plurality of communication flows between the first communication host and the second communication host to route PRP traffic between the first communication host and the second communication host.

METHOD AND SYSTEM FOR GRANULAR DYNAMIC QUOTA-BASED CONGESTION MANAGEMENT

A system for facilitating sender-side granular congestion control is provided. During operation, the first and second processes of an application can run on sender and receiver nodes, respectively. A first buffer on the sender node can be allocated to the first process. For the first process, the system can then identify a second buffer at a last-hop switch of the receiver node. The system can determine, based on in-flight packets, the utilization of the second buffer. The system can also determine a fraction of available space in the second buffer for packets from the first buffer based on the utilization. Subsequently, the system can determine whether the fraction of the available space can accommodate the next packet from the first buffer. If the fraction of the available space can accommodate the next packet, the system can allow the first process to send the next packet to the second process.

METHODS AND SYSTEMS FOR ORCHESTRATING NETWORK FLOW TRACING WITHIN PACKET PROCESSING PIPELINES ACROSS MULTIPLE NETWORK APPLIANCES

An orchestrator can send trace directives to network appliances that indicate a network flow to trace. The network appliances can include packet processing pipelines that each include numerous processing stages. The network appliances implement network rules for processing network flows by configuring the pipeline's processing stages to execute specific policies for specific network packets in accordance with the network rules. The processing stages can also be configured to produce metadata indicating the policies implemented at each stage to process certain network packets in network flows indicated by trace directives. The metadata can be used to produce a trace report that indicates a network packet of the network flow, a first network rule that was applied to the network packet by one of the first appliance processing stages, and the one of the first appliance processing stages that applied the first network rule to the network packet.

ROUTE EXCHANGE IN MULTI-TENANT CLUSTERED CONTROLLERS

Route exchange in a plurality of network controller appliances on a per-tenant basis is disclosed. In one aspect, a method includes receiving, from a network management system and at a first network controller appliance, a designation of at least two tenants to be hosted on the first network controller appliance, the first network controller appliance being one of a plurality of network controller appliances in an SD-WAN; sending, from the first network controller appliance to other network controller appliances of the plurality of network controller appliances, a tenant list query message to obtain a corresponding tenant list of each of the other network controller appliances; and receiving a corresponding response from each of the other network controller appliances indicating the corresponding tenant list of each of the other network controller appliances, the corresponding response being used to update the tenant list on the first network controller appliance.

HARDWARE-BASED PACKET FLOW PROCESSING

Techniques are disclosed for processing data packets by a hardware-based networking device configured to disaggregate processing of data packets from hosts of a virtualized computing environment. The hardware-based networking device includes a hardware-based component implementing a plurality of behavioral models indicative of packet processing graphs for data flows in the virtualized computing environment. A data packet having a source from or destination to an endpoint in a virtual network of the virtualized computing environment is received. Based on determining that the data packet is a first packet of a data flow to or from the endpoint, one of the behavioral models is mapped to the data flow. The packet is modified in accordance with the mapped behavioral model. A state of the data flow is stored. Subsequent data packets of the data flow are processed based on the stored state.

SYSTEM FOR PERFORMING DYNAMIC MONITORING AND PRIORITIZATION OF DATA PACKETS

Embodiments of the present invention provide a system for dynamically monitoring and filtering data packets associated with accessing one or more entity resources. The system is configured for identifying a data packet in a network comprising at least a first data unit and a second data unit, determining that the first data unit and the second data unit of the data packet are attempting to access an entity resource, determining that first data associated with the first data unit and second data associated with the second data unit cannot access the entity resource at a same instance based on a first signature bit associated with the first data unit and a second signature bit associated with the second data unit, and attenuating the first data unit or the second data unit from the data packet based on the first signature bit and the second signature bit.