H04L12/4633

Packet Processing Method, Device, System, and Storage Medium
20230043721 · 2023-02-09

This application provides a packet processing method, a device, a system, and a storage medium. A first network device receives an original packet, generates an IPv6 packet based on the original packet and endpoint group (EPG) information, where the IPv6 packet comprises an IPv6 extension header and the original packet, and the IPv6 extension header comprises the EPG information, and sends the IPv6 packet. A second network device receives the IPv6 packet, obtains the EPG information from the IPv6 extension header, and processes the IPv6 packet according to a group-based policy corresponding to the EPG information.

IN-SITU FLOW DETECTION-BASED PACKET PROCESSING METHOD AND APPARATUS
20230045227 · 2023-02-09

Embodiments of this application describe an in-situ flow detection-based packet processing method. After receiving a first packet encapsulated by using a first bearer protocol, a first node may obtain, based on the first packet, a second packet encapsulated by using a second bearer protocol. A first packet header of the first packet includes first in-situ flow detection information, and a packet header of the second packet also includes the first in-situ flow detection information. It can be learned that, when re-encapsulating the first packet by using the second bearer protocol, the first node does not remove the first in-situ flow detection information, but adds the first in-situ flow detection information to the packet encapsulated by using the second bearer protocol. Therefore, even if the first bearer protocol and the second bearer protocol are deployed in a detection domain, the first in-situ flow detection information is not removed due to re-encapsulation of the packet, and may be transmitted across the entire detection domain.

ORCHESTRATION OF OVERLAY PATHS FOR WIDE AREA NETWORK VIRTUALIZATION

The present application relates to traffic routing for overlay paths in a public cloud network. A path orchestrator receives a configuration of a set of overlay paths for a wide area network virtualization from a client, each overlay path including virtual routing nodes associated with respective geographic regions and at least one policy for a link between the virtual routing nodes. The path orchestrator is configured to instantiate a plurality of virtual routers on computing resources of the public cloud network located within the respective geographic regions based on the configuration, each virtual router configured to route traffic according to the policy for each link associated with the virtual routing node corresponding to the virtual router. The path orchestrator is configured to scale the plurality of virtual routers based on traffic for the client on the set of overlay paths.

METHOD OF SETTING USER-DEFINED VIRTUAL NETWORK

A method of setting a user-defined virtual network is disclosed. A method of setting a virtual network includes configuring a virtual network including a controller, at least one network address translation (NAT) and at least one edge node, checking an operation type of the at least one edge node, setting a tunnel between the at least one edge node based on the operation type, and performing data transmission between the at least one edge node through the set tunnel.

Method, device, and system for obtaining SRv6 tunnel information

A method for obtaining segment routing over Internet Protocol version 6 data plane (SRv6) tunnel information of Internet Protocol version 6 segment routing, including sending, by a first network device, a request packet to a second network device, where the request packet is used to request to detect reachability of an SRv6 tunnel and obtain SRv6 tunnel information of the second network device, and the second network device is a network device on the SRv6 tunnel, receiving, by the first network device, a response packet from the second network device, where the response packet includes the SRv6 tunnel information of the second network device, and obtaining, by the first network device, the SRv6 tunnel information of the second network device based on the response packet.

System and method for content fetching using a selected intermediary device and multiple servers
11558215 · 2023-01-17

A method for fetching content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The tunnel device is selected based on an attribute, such as IP Geolocation. A tunnel bank server stores a list of available tunnels that may be used, associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server and stay connected to it, allowing a communication session to be initiated by the tunnel bank server. Upon receiving a request from a client for content and for specific attribute types and values, a tunnel is selected by the tunnel bank server and is used as a tunnel for retrieving the required content from the web server, using a standard protocol such as SOCKS, WebSocket or HTTP Proxy. The client only communicates with a super proxy server that manages the content fetching scheme.

Network controller subclusters for distributed compute deployments

The disclosure describes examples where a first data center includes a first gateway router, a first set of computing devices, and a second set of computing devices. The first set of computing devices is configured to execute a software defined networking (SDN) controller cluster to facilitate operation of one or more virtual networks within the first data center. The second set of computing devices is configured to execute one or more control nodes to exchange route information, between the first gateway router and a second gateway router of a second data center different than the first data center, for a virtual network between computing devices within the second data center, and to communicate control information for the second data center to the second set of computing devices, wherein the one or more control nodes form a subcluster of the SDN controller cluster.

Method and apparatus for implementing composed virtual private network VPN

This disclosure provides a method and an apparatus for implementing a composed VPN. The method includes: obtaining a business type and a customer site that are input by a user; determining an access point corresponding to the customer site; determining one or more segment VPNs according to the business type and the access point corresponding to the customer site; obtaining a composed VPN according to the one or more segment VPNs; and outputting an access point list and a segment VPN list of the composed VPN to the user. In the solutions provided in this application, a user can learn a correlation between businesses in different domains related to a composed VPN, and can readily estimate a range affected by a business change of the composed VPN.

MESSAGE HANDLING BETWEEN DOMAINS

A method includes receiving, at a home controller of a home domain and from a first device in the home domain, a first message concerning a user device that is anchored to the home domain and that has roamed from the home domain to a visitor domain. The method also includes, in response to determining that the first device is a router, opening a tunnel between the home controller and a visitor controller of the visitor domain and communicating the first message to the user device through the tunnel. The method further includes receiving, at the home controller and from a second device in the home domain, a second message concerning the user device and in response to determining that the second device is not a router, communicating, to the second device, a proxy response to the second message.

Dynamic scheduling for live migration between cloud regions and edge locations

This disclosure describes systems, devices, and techniques for migrating virtualized resources between the main region and edge locations. Live migration enables virtualized resources to remain operational during migration. Edge locations are typically separated from secure data centers via the Internet, a direct connection, or some other intermediate network. Accordingly, to place virtualized resources within an edge location, the virtualized resources must be migrated over a secure communication tunnel that can protect virtualized resource data during transmission over the intermediate network. The secure communication tunnel may have limited data throughput. To efficiently utilize resources of the secure communication tunnel, and to reduce the impact of migrations on virtualized resource operations, virtualized resource migrations may be carefully scheduled in advance. For instance, virtualized resources may be selectively migrated at times-of-day in which they are likely to be relatively idle, or at times when the communication tunnel is predicted to have sufficient bandwidth.