Patent classifications
H04L12/4604
SYSTEMS AND METHODS FOR PPV INFORMATION IN ETHERNET, IPV4, IPV6, and MPLS PACKET/FRAME HEADERS
Systems and methods of the present disclosure are directed to a method performed by a receiving node. The method includes receiving a packet/frame comprising Per Packet Value (PPV) information from a transmitting node, wherein the PPV information indicates a level of importance of the packet/frame determined based on a marking policy of the transmitting node, and wherein the packet/frame comprises (a) an Ethernet packet, (b) an IPv4 packet, (c) an IPv6 packet, (d) a Multi-Protocol Label Switching (MPLS) packet, or (e) a multilayer packet descriptive of one or more of (a)-(d). The method includes processing the PPV information in the received packet/frame when the receiving node is configured to handle the PPV information.
Multicast Communication Method and Related Apparatus
A multicast communication method is applied to a software-defined wide area network (SD-WAN). In the multicast communication method, a Bit Index Explicit Replication (BIER) capability is deployed on a site device in the SD-WAN, a site device through which a multicast packet needs to pass is indicated by a Bit Index Explicit Replication IPv6 encapsulation (BIERv6) header in the multicast packet, and a multicast distribution tree does not need to be constructed. In addition, the multicast packet is forwarded through an SD-WAN tunnel between site devices, and an intermediate node does not need to sense a multicast service. In this way, a network device has a small quantity of multicast entries and the multicast entries are converged quickly, ensuring normal running of the multicast service.
Secure network topology
A secure IGP topology or other link state topology can be implemented by a network security unit that runs in a centralized environment on servers separate from a network associated with the IGP topology. The network security unit acquires the topology information, such as by participating in IGP or through border gateway protocol with link state (BGP-LS). The network security unit detects possible network problems, such as indicators of potential network attacks. Once an indicator of a potential network attack is detected, the network security unit identifies the node that is compromised. Once the compromised node is identified, the network security unit can report the node for manual or automated intervention. In some aspects, the network security unit can isolate the compromised node by shutting down links connected to the compromised node.
END-TO-END PATH SELECTION USING DYNAMIC SOFTWARE-DEFINED CLOUD INTERCONNECT (SDCI) TUNNELS
Techniques for utilizing a cloud service to compute an end-to-end SLA-aware path using dynamic software-defined cloud interconnect (SDCI) tunnels between a user device and an access point-of-presence (POP) node and inter-POP tunnels of the SDCI. The cloud service may include a performance aware path instantiation (PAPI) component including a POP database for storing performance metrics associated with the POPs of the SDCI, an enterprise policy database for storing user specific policies, and/or a path computation component. The path computation component may compute the path, based on the user specific policies, performance metrics associated with the POP nodes, and/or real-time contextual data associated with the user device and/or destination device. The path may include a first tunnel between the user device and the most optimal access POP node of the SDCI and a second tunnel between the access POP node, through the internal POP nodes, and to the destination device.
Virtual Private Network VPN Service Optimization Method and Device
A first network device includes a processor and a memory having instructions stored thereon that, when executed by the processor, cause the first network device to: obtain a first virtual private network (VPN) route sent by a second network device. The first VPN route includes first identification information that uniquely identifies a first VPN instance in the second network device. The first network device is also caused to generate a second VPN route according to a second VPN instance accessing a third network device and the first VPN route. The second VPN route carries second identification information and routing information of the first VPN route. The second identification information uniquely identifies the second VPN instance in the third network device. The first identification information is different from the second identification information. The first network device is further caused to send the second VPN route to the third network device.
SYSTEMS AND METHODS FOR USER PLANE PATH SELECTION, RESELECTION, AND NOTIFICATION OF USER PLANE CHANGES
Systems and methods for performing User Plane (UP) path selection or reselection over a communications network with a 3rd party entity, and for notifying network entities of UP changes in a communications network, are disclosed. The method includes: receiving an application program interface based request for UP path selection from the 3rd party entity; performing a validation and authorization procedure with the request; transmitting a UP path selection configuration request to a Control Plane Function that maintains configuration data; obtaining a reference number confirming the UP path selection configuration request; and installing the UP path selection according to the reference number.
Virtual private network VPN service optimization method and device
A first network device includes a processor and a memory having computer readable instructions stored thereon that, when executed by the processor, cause the first network device to obtain a Flow Specification (FlowSpec) rule with redirect indication information. The redirect indication information includes identification information identifying a first virtual private network (VPN) instance configured on a second network device. The indication information also includes instructions for the second network device to redirect data stream matching the FlowSpec rule to the first VPN instance. The first network device is also caused to advertise the FlowSpec rule with the redirect indication information to the second network device.
System and method for dynamic tuning of neighbor aging
One embodiment provides a system and method for managing, at a network node, a data structure indicating neighbor node address information. During operation, the system can determine, based on a media access control (MAC) address or an Internet protocol (IP) address associated with an entry in the data structure, a type of the entry, and set a timeout value for the entry based on the determined type. In response to detecting that an entry corresponding to the MAC address expires in a MAC table maintained by the network node, the system can identify an interface on the network node to which a neighbor associated with the MAC address was previously coupled and transmit a unicast neighbor-probe packet on the identified interface to determine a connection status of the neighbor.
Routing Information Transmission Method and Apparatus, and Data Center Interconnection Network
A first data center interconnection (DCI) device in a first data center receives a first packet from a Border Gateway Protocol Ethernet virtual private network (BGP EVPN) neighbor, where the first packet includes routing information of a first forwarding instance of an access device in the first data center and an export route target of the first forwarding instance. The first DCI device obtains a second forwarding instance that corresponds to the first packet, where an import route target of the second forwarding instance matches the export route target of the first forwarding instance. The first DCI device generates a second packet that includes routing information of the second forwarding instance and an export route target of the second forwarding instance, which includes a DCI interworking route target. The first DCI device sends the second packet to a second DCI device in a second data center.