Patent classifications
H04L47/825
PATH SELECTION FOR AN APPLICATION BASED ON A PERFORMANCE SCORE IN A SOFTWARE-DEFINED NETWORK
A method may include receiving a data flow of an application directed to the destination in a software-defined network (SDN). The method may also include identifying a classification of the application. The method may additionally include identifying a set of performance thresholds associated with the classification of the application. The method may also include determining a current performance of the data flow of the application in the SDN. The method may also include generating a performance score for the application based on the set of performance thresholds and the current performance of the data flow of the application in the SDN. The method may further include causing the performance score for the application to be presented via an interface.
SYSTEMS AND METHODS FOR PROVIDING A GLOBAL VIRTUAL NETWORK (GVN)
Systems and methods for managing a global virtual network connection between an endpoint device and an access point server are disclosed. In one embodiment the network system may include an endpoint device, an access point server, and a control server. The endpoint device and the access point server may be connected with a first tunnel. The access point server and the control server may be connected with a second tunnel.
Processing Packets by an Offload Platform Adjunct to a Packet Switching Device
In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router, and augments it, such as, but not limited to, representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and including each of one or more next-hop nodes of the router represented as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing Identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform, rather than processing per its routing information base.
Systems and methods for user plane function (“UPF”) offload at configurable routing fabric
A system described herein may provide for the separation of functions associated with a User Plane Function (“UPF”) in a wireless network (e.g., a Fifth Generation (“5G”) network), such that routing devices associated with the wireless network may perform functionality that would otherwise be performed by virtualized hosts or other configurable resources. For example, routing components which form a backhaul or other portion of the network may process traffic according to a suitable set of policies (e.g., Quality of Service (“QoS”) policies, content filtering policies, queueing policies, and/or other policies) instead of transmitting such traffic to a UPF associated with the network core for processing.
Enforcement of inter-segment traffic policies by network fabric control plane
This disclosure describes techniques to operate a control plane in a network fabric. The techniques include determining a stateless rule corresponding to communication between a first segment of the network fabric and a second segment of the network fabric. The techniques further include configuring the control plane to enforce the stateless rule.
MAPPING VLAN OF CONTAINER NETWORK TO LOGICAL NETWORK IN HYPERVISOR TO SUPPORT FLEXIBLE IPAM AND ROUTING CONTAINER TRAFFIC
Some embodiments of the invention provide a method for processing data messages for routable subnets of a logical network, the logical network implemented by a software-defined network (SDN) and connecting multiple machines. The method receives an inbound data message. The method performs a DNAT (destination network address translation) operation on the received data message to identify a record associated with a destination IP (Internet protocol) address of the data message. From the record, the method identifies a VLAN (virtual local area network) identifier, an LNI (logical network identifier), and a destination host computer IP address for the data message. The method encapsulates the data message with an outer header containing the destination host computer IP address and the VLAN identifier. The method forwards the encapsulated data message to the destination host computer.
System and method for extending cloud services into the customer premise
A cloud extension agent can be provided on a customer premise for interfacing, via an outbound secure connection, with cloud-based services. The cloud extension agent can reach the cloud-based services through existing firewall infrastructure, thereby providing simple, secure deployment. Furthermore, the secure connection can enable substantially real-time communication with a cloud service to provide web-based, substantially real-time control or management of resources on the customer premises via the cloud extension agent.
System and apparatus for enhanced QOS, steering and policy enforcement for HTTPS traffic via intelligent inline path discovery of TLS terminating node
Described embodiments provide systems and apparatuses for enhanced quality of service, steering and policy enforcement for HTTPS traffic via intelligent in-line path discovery of a TLS terminating node. The system may include a first network device having a secure connection traversing through the first network device, and in communication with a second network device. The first network device and the second network device may be intermediary to a client device and a server. The first network device may determine that the second network device terminates the secure connection. The first network device may receive key generation information of the secure connection from the second network device following determining the second network device terminates the secure connection. The first network device may decipher packet(s) of the secure connection destined for the device or the server using the received key generation information, to regulate network traffic of the secure connection at the first network device.
RESOURCE UTILIZATION IN RESOURCE RESERVATION PROTOCOL SPLIT TUNNELS WITH ADAPTIVE SUB-TUNNELING
Management of a plurality of sub-tunnels is disclosed herein. Resource utilization of a plurality of sub-tunnels of a network tunnel implementing a Resource Reservation Protocol is monitored. A resource utilization of a first set of the sub-tunnels exceeding a defined utilization threshold is detected. As a result of the detection, an adjusted resource utilization is determined for a second set of the sub-tunnels. The resource utilization of the second set of sub-tunnels may be less than a defined utilization threshold. The adjusted resource utilization is established for the second set of sub-tunnels for a next measurement interval. The adjusted resource utilization of each sub-tunnel of the second subset of sub-tunnels may be less than a lowest resource utilization among the first set of sub-tunnels.
Using applied-to field to identify connection-tracking records for different interfaces
Some embodiments configure an edge forwarding element to perform service insertion operations to identify stateful services to perform for data messages received for forwarding by the edge forwarding element at multiple virtual interfaces of the edge forwarding element. The service insertion operation, in some embodiments, includes applying a set of service insertion rules. The service insertion rules (1) specify a set of criteria and a corresponding action to take for data messages matching the criteria and (2) are associated with a set of interfaces to which the service insertion rules are applied. In some embodiments, the action is specified using a universally unique identifier (UUID) that is then used as a matching criterion for a subsequent policy lookup that identifies a type of service insertion and a set of next hop data.