Patent classifications
H04L47/825
Tunnel provisioning with link aggregation
A method for processing data packets in a communication network includes establishing a path for a flow of the data packets through the communication network. At a node along the path having a plurality of aggregated ports, a port is selected from among the plurality to serve as part of the path. A label is chosen responsively to the selected port. The label is attached to the data packets in the flow at a point on the path upstream from the node. Upon receiving the data packets at the node, the data packets are switched through the selected port responsively to the label.
Systems and methods for providing a global virtual network (GVN)
Systems and methods for managing a global virtual network connection between an endpoint device and an access point server are disclosed. In one embodiment the network system may include an endpoint device, an access point server, and a control server. The endpoint device and the access point server may be connected with a first tunnel. The access point server and the control server may be connected with a second tunnel.
ESTABLISHING A NETWORK MICRO-TUNNEL WITHIN A NETWORK TUNNEL
A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.
NG-VPLS E-tree signaling using segment routing
A node in a Segment Routing network includes a plurality of ports and a switching fabric between the plurality of ports, wherein, for an Ethernet Tree (E-tree) service, a port is configured to transmit a packet with a plurality of Segment Identifiers (SID) including a first SID, a second SID, and a third SID, wherein the first SID identifies one of multicast, ingress replication for broadcast, and a destination node including any of a node SID and an anycast SID, wherein the second SID identifies a service including the E-tree service, and wherein the third SID identifies a source of the packet. A second port of the node is connected to a customer edge, and wherein the third SID is based on whether the customer edge is a leaf node or a root node in the E-tree service.
Collaborative traffic balancer
This disclosure describes techniques for employing a collaborative traffic balancer in communications among network devices. The techniques include dynamic traffic engineering concepts to improve network communications. The techniques may include causing a headend device to establish a secure communication session between a client device and a server in a resource infrastructure supporting the service. The techniques may include selecting a tunnel for the secure communication session to reach the resource infrastructure. The techniques may further include migrating the secure communication session from a current tunnel to a new tunnel where a degradation in quality of the secure communication session is predicted.
Generating forward and reverse direction connection-tracking records for service paths at a network edge
Some embodiments provide stateful services in a chain of services identified for some data messages. The edge forwarding element receives a data message at a particular interface of the edge forwarding element that is traversing the edge forwarding element in a forward direction between two machines. The edge forwarding element identifies (1) a set of stateful services for the received data message and (2) a next hop associated with the identified set of stateful services in the forward direction and a next hop associated with the identified set of stateful services in the reverse direction. Based on the identified set of services and the next hops for the forward and reverse directions, the edge forwarding element generates and stores first and second connection tracking records for the forward and reverse data message flows, respectively, which are used to forward data messages received subsequently for the flow.
PACKET PROCESSING METHOD, DEVICE, AND SYSTEM
The present disclosure discloses a packet processing method, device, and system. The system includes: a controller, configured to: allocate a service label to a service processing manner of an FEC, establish a mapping relationship between the service label and the service processing manner, send the service label to a source node, and send the mapping relationship to a destination node; the source node, configured to: receive the service label sent by the controller, receive a first packet, insert the service label into the first packet to obtain a second packet, and send the second packet to the destination node; the destination node, configured to: receive the mapping relationship sent by the controller, receive the second packet sent by the source node, and pop the service label from the second packet according to the mapping relationship, to obtain the first packet.
Tunnel-enabled elastic service model
Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify service-node clusters for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters. The service-node clusters can perform the same service or can perform different services in some embodiments. This tunnel-based approach for distributing data messages to service nodes/clusters is advantageous for seamlessly implementing in a datacenter a cloud-based XaaS model (where XaaS stands for X as a service, and X stands for anything), in which any number of services are provided by service providers in the cloud.
Provider edge device and method implemented thereon for ethernet virtual private network
Provided are a provider edge (PE) device and a method for Ethernet virtual private network (EVPN). A first PE device performs label assignment procedure with a second PE device such that the first and second PE devices share an Ethernet segment identifier (ESI)-excluded label and know a correspondence between the ESI-excluded label and a label combination of an ESI label and a VPN label. The first PE device encapsulates a packet of broadcast, unknown unicast or multicast (BUM) traffic, with the ESI-excluded label instead of the label combination. The first PE device sends the encapsulated packet to the second PE device.
Cipher stream based secure packet communications with key stream transmission over diverse paths
Techniques for sending encrypted data include establishing a plurality of different links between a first node and a different second node. The different links are different physical layer links or different virtual private network (VPN) links or some combination. The method also includes encrypting plaintext using a first value for an encryption parameter to produce ciphertext. Further, the method includes sending a first plurality of messages that indicate the ciphertext using at least one link of the plurality of different links. Still further, the method includes sending a different second plurality of messages that indicate the first value for the encryption parameter using at least one different link of the plurality of different links without introducing a random bit error.