Patent classifications
H04L45/566
NETWORK MANAGEMENT SERVICES IN A VIRTUAL NETWORK
A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.
METHODS FOR SMART BANDWIDTH AGGREGATION BASED DYNAMIC OVERLAY SELECTION AMONG PREFERRED EXITS IN SD-WAN
The method of some embodiments selects a set of links to forward packets of a data flow from an application running on a machine connected to an SD-WAN that has multiple exits. The method, based on computed sets of attributes for a first set of links and a second set of links, selects between the first set of links and the second set of links. At least the first set of links has multiple links and at least one attribute of the first set of links is an attribute that is computed by aggregating an attribute of each of the links in the first set of links. The method uses the selected set of links to forward the packets of the data flow of the application to an egress managed forwarding element of the SD-WAN.
NETWORK MANAGEMENT SERVICES IN A SECURE ACCESS SERVICE EDGE APPLICATION
A software-defined wide area network (SD-WAN) environment that leverages network virtualization management deployment is provided. Edge security services managed by the network virtualization management deployment are made available in the SD-WAN environment. Cloud gateways forward SD-WAN traffic to managed service nodes to apply security services. Network traffic is encapsulated with corresponding metadata to ensure that services can be performed according to the desired policy. Point-to-point tunnels are established between cloud gateways and the managed service nodes to transport the metadata to the managed service nodes using an overlay logical network. Virtual network identifiers (VNIs) in the metadata are used by the managed service nodes to identify tenants/policies. A managed service node receiving a packet uses provider service routers (T0-SR) and tenant service routers (T1-SRs) based on the VNI to apply the prescribed services for the tenant, and the resulting traffic is returned to the cloud gateway that originated the traffic.
MANAGING PROCESSING QUEUE ALLOCATION BASED ON ADDRESSING ATTRIBUTES OF AN INNER PACKET
Described herein are systems, methods, and software to manage processing queue allocation based on addressing attributes of an inner packet. In one implementation, a first gateway identifies processing queues at a second gateway and assigns a unique flow label to each of the processing queues. The first gateway further receives a packet from a computing node that is directed toward the second gateway. The first gateway hashes addressing information in the packet to select a flow label, encapsulates the packet with the flow label in the outer encapsulation header for the encapsulated packet, and forwards the packet toward the second gateway.
SESSION ESTABLISHMENT METHOD AND NETWORK DEVICE
Embodiments of this application disclose a session establishment method and a network device. One example method includes: a first network device receives a first message from a second network device, where the first message includes configuration information corresponding to a first interface, the second network device is connected to the first network device through the first interface, and the configuration information corresponding to the first interface includes an Internet Protocol (IP) address of the first interface; and the first network device establishes a BGP session with the second network device based on the configuration information corresponding to the first interface.
PACKET HEADER INFORMATION OBTAINING METHOD, PACKET GENERATION METHOD, DEVICE, AND STORAGE MEDIUM
A packet header information obtaining method. The method includes: obtaining, by a communications device, a first packet, where the first packet includes a plurality of extension packet headers; and obtaining an extension header self-describing option from the first packet, where the extension header self-describing option is used to indicate information about the plurality of extension packet headers. Therefore, the communications device obtains, based on the extension header self-describing option in the first packet, a first extension packet header included in the plurality of extension packet headers. Packet header information of the extension packet header in the first packet can be obtained by using the extension header self-describing option, and the first extension packet header that needs to be parsed can be directly located from the first packet by using the obtained packet header information.
IN-SITU FLOW DETECTION METHOD AND ELECTRONIC DEVICE
Embodiments of the present disclosure provide an in-situ flow detection method and an electronic device. The method includes: receiving a first service packet carrying a first packet header, where the first packet header includes at least a first in-situ flow detection option which is added to the first packet header by an ingress node of a first network domain and is for indicating an in-situ flow detection; and when the network device is an ingress node of a second network domain, forwarding a second service packet in the second network domain; where the second service packet is obtained by encapsulating a second packet header in an outer layer of the first service packet, the second packet header includes at least a second in-situ flow detection option.
SYSTEM AND METHOD FOR FORWARDING PACKETS IN A HIERARCHICAL NETWORK ARCHITECTURE USING VARIABLE LENGTH ADDRESSES
This disclosure relates to transmitting data packets from a source to a destination within a communications network. A data packet is received from the source located in a local sub-network of the network. The data packet includes a first network layer protocol header having a source address containing the local sub-network address of the source, a destination address of the destination, a first field indicating a length of the source address and a second field indicating a length of the destination address. The first network layer protocol header is transformed by modifying the source address and the first field indicating the length of the source address, such that the modifying includes appending to the local sub-network address a prefix of the sub-network to make the source address an address of a higher-level network. The data packet is then forwarded toward the destination in the higher-level network.
Inband group-based network policy using SRV6
The present technology pertains to a group-based network policy using Segment Routing over an IPv6 dataplane (SRv6). After a source application sends a packet, an ingress node can receive the packet, and if the source node is capable, it can identify an application policy and apply it. The ingress node indicates that the policy has been applied by including policy bits in the packet encapsulation. When the packet is received by the egress node, it can determine whether the policy was already applied, and if so, the packet is forwarded to the destination application. If the egress node determines that the policy has not been applied, the destination application can apply the policy. Both the ingress node and egress nodes can learn of source application groups, destination application groups, and applicable policies through communication with aspects of the segment routing fabric.
Circuit-Style Network with Co-Routed Bidirectional Network Paths
Disclosed are systems, apparatuses, methods, and computer-readable media to implement a circuit-style network with co-routed bidirectional network paths. A method includes receiving a request for a circuit policy between a source node and a destination node, the circuit policy defining a co-routed bidirectional policy between the source node and the destination node; requesting a path compute service to identify a path between the source node and the destination node that satisfies the circuit policy through a first network; receiving a path identifying a first set of network nodes that satisfy the circuit policy; configuring each node in the first set of network nodes within the first network with the circuit policy; and establishing a connection using the path that satisfies the circuit policy between the source node and the destination node.