In one embodiment, an apparatus includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the apparatus to perform operations including receiving a user credential from a remote access client within a network and communicating the user credential to an authentication, authorization and accounting (AAA) server within the network. The operations also include receiving a user attribute from the AAA server and generating a contextual label based on the user attribute. The contextual label includes routing instructions associated with traffic behavior within the network. The operations further include advertising a control message, which includes the contextual label, to the remote access client.

Some embodiments provide novel methods for performing services for machines operating in one or more datacenters. For instance, for a group of related guest machines (e.g., a group of tenant machines), some embodiments define two different forwarding planes: (1) a guest forwarding plane and (2) a service forwarding plane. The guest forwarding plane connects to the machines in the group and performs L2 and/or L3 forwarding for these machines. The service forwarding plane (1) connects to the service nodes that perform services on data messages sent to and from these machines, and (2) forwards these data messages to the service nodes. In some embodiments, the guest machines do not connect directly with the service forwarding plane. For instance, in some embodiments, each forwarding plane connects to a machine or service node through a port that receives data messages from, or supplies data messages to, the machine or service node. In such embodiments, the service forwarding plane does not have a port that directly receives data messages from, or supplies data messages to, any guest machine. Instead, in some such embodiments, data associated with a guest machine is routed to a port proxy module executing on the same host computer, and this other module has a service plane port. This port proxy module in some embodiments indirectly can connect more than one guest machine on the same host to the service plane (i.e., can serve as the port proxy module for more than one guest machine on the same host).

This relates to message propagation in an opportunistic communication network. Nodes of the network each have a ranking which is compared when the nodes connect, and message is transferred from one node to the other in dependence on the relative values of their respective rankings. The ranking is dependent on a plurality of parameters. One parameter is a social parameter determined by the social contacts of a user associate with a node, for example determined from the contact directory of that person either locally or from a central database such that located on a Face book servicer. Another parameter is the number of physical connections established by a node. The ranking values of connecting nodes is updated when they connect. By combining both parameters, a more efficient forwarding path for messages is obtained.

An apparatus in a first computing device is provided. During operation, the apparatus can present, to a processor of the first computing device, a virtual interface switch (VIS) coupled to an interface port of the processor. The apparatus can present to the processor that a target device, which is reachable via a remote apparatus of a second computing device, is coupled to the VIS. The apparatuses can be coupled via at least a first fabric and a second fabric. A respective fabric may facilitate communication based on a fabric switching protocol. The apparatus can obtain a set of packets, which can be issued from the interface port via the VIS and directed to the target device. The apparatus can then forward, to the remote apparatus, a first subset of the set of packets via the first fabric and a second subset of the set of packets via the second fabric.

Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information.

In one embodiment, a method includes determining, by a first router, service level agreement (SLA) requirements for an application and generating, by the first router, first SLA characteristics for the first router. The first router is in an active mode within a network. The method also includes comparing, by the first router, the first SLA characteristics for the first router to the SLA requirements and determining, by the first router, second SLA characteristics for a second router. The second router is in a standby mode within the network. The method further includes comparing, by the first router, the second SLA characteristics for the second router to the SLA requirements and determining, by the first router, whether to lower a first hop redundancy protocol (FHRP) priority of the first router.

Some embodiments override network or router level path selection with application or server controlled path selection by repurposing the type-of-service (ToS) or differentiated services header field. A mapping table maps different ToS values to different available transit provider paths to a particular destination. A server generating a packet to the destination selects one of the available paths according to any of load balanced, failover, or performance optimization criteria. The server sets the packet header ToS field with the value assigned to the selected path. A router operating in the same network as the server is configured with policy based routing rules that similarly map the ToS values to different transit provider paths to the particular destination network. Upon receiving the server generated packet, the router routes the packet to the destination network through the transit provider path identified in the packet header by the server set ToS value.

Methods, systems, devices, and software are disclosed for providing application levels of service over a network. Embodiments of the invention maintain a list of registered applications (or application providers) that have registered with a network resources provider. Customers of the network resources provider may authenticate some or all of the registered applications, indicating a desire to allow traffic relating to those applications over their access networks. Customers may further set application levels of service with respect to those authenticated applications. Certain embodiments may manage network traffic to accord with the application levels of service.

An approach for cloud provisioning of consumer services based on requested services. The approach uses customer request for services and current network utilization patterns to most efficiently and effectively provision network resources. For example, a network manager establishes one or more terms for a cloud provider based on one or more provider network provisions. The network manager further determines a customer profile subscription based on customer credentials, cloud provider credentials, and a combination thereof. Then, the network manager delivers one or more credentials based on the cloud provider, and generates a routing path to the cloud provider based on the subscription and/or service request.

Disclosed is a system and method of providing a segment routing as a service application. The method includes receiving a configuration of an internet protocol environment. The configuration can be a layer 3 configuration of a single cloud environment or even across multiple cloud environments. The configuration defines routing, forwarding, and paths in the environment between different entities such as virtual machines. The method includes receiving a parameter associated with a workload of a tenant. The parameter can be a service level agreement (i.e., a best bandwidth available), a pathway requirement, a parameter associated with specific workload, and so forth. Based on the configuration and the parameter, the method includes generating tenant-defined layer 3 overlay segment routing rules that define how the workload of the tenant will route data in the internet protocol environment using segment routing.