H04L47/825

NETWORK CHANNELS PRIMITIVES
20170366509 · 2017-12-21

Network primitives are provided for establishing and maintaining channels and secure channels. In one embodiment, requests to open a new channel are handled only in a listen mode and, after authentication, the channel provides secure communication. In one embodiment, a secure channel is initialized and repaired if broken so that a plurality of threads may share it. In one embodiment, a no-listen mode is applied if the number of new channels handled per time period exceeds a threshold.
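The three mechanisms in this abstract (open requests honoured only in listen mode, a channel usable only after authentication, and a switch to no-listen mode once the per-window count of new channels exceeds a threshold) as an added, illustrative example. This is not the patent's code; the HMAC-based proof, the shared secret, the window/threshold values and the SharedChannel wrapper that re-establishes a broken channel under a lock are all assumptions made for the illustration.

```python
import hashlib
import hmac
import threading
from collections import deque

# Constructed sample shared secret for the illustration (not from the page).
SECRET = b"constructed-shared-secret"


def make_proof(peer: str) -> str:
    """Authentication proof a peer presents with its open request (HMAC over its name)."""
    return hmac.new(SECRET, peer.encode(), hashlib.sha256).hexdigest()


class Channel:
    def __init__(self, peer: str):
        self.peer = peer
        self.authenticated = False
        self.broken = False

    def send(self, data: bytes) -> int:
        # Only an authenticated, intact channel carries traffic.
        if not self.authenticated:
            raise PermissionError("channel not authenticated")
        if self.broken:
            raise ConnectionError("channel broken")
        return len(data)


class ChannelAcceptor:
    """Handles open requests only in listen mode; leaves listen mode while the
    number of new channels handled in the last `window` seconds exceeds `threshold`."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self._handled = deque()  # timestamps of open requests handled in the window

    def mode(self, now: float) -> str:
        while self._handled and now - self._handled[0] >= self.window:
            self._handled.popleft()
        return "listen" if len(self._handled) <= self.threshold else "no-listen"

    def open(self, peer: str, proof: str, now: float):
        """Return an authenticated Channel, or None if refused (not listening, or bad proof)."""
        if self.mode(now) != "listen":
            return None
        self._handled.append(now)  # counts toward the rate even if authentication fails
        if not hmac.compare_digest(make_proof(peer), proof):
            return None  # an unauthenticated channel is never handed out
        ch = Channel(peer)
        ch.authenticated = True
        return ch


class SharedChannel:
    """A channel several threads may use; a broken channel is re-established under a lock."""

    def __init__(self, acceptor: ChannelAcceptor, peer: str, proof: str, clock):
        self._acceptor, self._peer, self._proof, self._clock = acceptor, peer, proof, clock
        self._lock = threading.Lock()
        self._ch = acceptor.open(peer, proof, clock())
        self.repairs = 0

    def break_channel(self) -> None:
        """Simulates a link failure on the underlying channel."""
        if self._ch is not None:
            self._ch.broken = True

    def send(self, data: bytes) -> int:
        with self._lock:
            if self._ch is None or self._ch.broken:
                # Re-open goes through the acceptor, so repairs count against the rate threshold too.
                self._ch = self._acceptor.open(self._peer, self._proof, self._clock())
                if self._ch is None:
                    raise ConnectionError("could not re-establish channel")
                self.repairs += 1
            return self._ch.send(data)
```

Note that a failed authentication still counts toward the window, so a flood of bogus open requests pushes the endpoint into no-listen mode rather than letting it keep doing HMAC work for an attacker.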

Cell Site Gateway
20230198898 · 2023-06-22

A cell site gateway located at a cell site of an access network receives one or more first packets, from a network gateway, via a first interface of the cell site gateway. The cell site gateway receives one or more second packets, from a cellular base station, via a second interface of the cell site gateway. The cell site gateway receives control information, from a control server, via a third interface of the cell site gateway, wherein the control information is for a forwarding layer of the cell site gateway, the control information comprising a first label for removal by the forwarding layer and a second label for attachment by the forwarding layer. The forwarding layer of the cell site gateway removes the first label from the one or more first packets. The forwarding layer of the cell site gateway attaches the second label to the one or more second packets. The forwarding layer of the cell site gateway transmits the one or more second packets to the network gateway.

SYSTEMS AND METHODS FOR SELECTING AN INTERNET PROTOCOL SECURITY TUNNEL DURING AN INTERNET KEY EXCHANGE BASED ON A METRIC

In some implementations, a first endpoint device may assign a first metric to a first Internet Protocol security (IPsec) tunnel and a second metric to a second IPsec tunnel. The first IPsec tunnel may be a first communication channel for transmitting data between the first endpoint device and a second endpoint device, and the second IPsec tunnel may be a second communication channel for transmitting the data between the first endpoint device and the second endpoint device. The first endpoint device may select, based on the first metric and the second metric, the first IPsec tunnel or the second IPsec tunnel as a selected IPsec tunnel for transmitting the data toward the second endpoint device. The first endpoint device may transmit the data toward the second endpoint device via the selected IPsec tunnel.

TUNNEL PROVISIONING WITH LINK AGGREGATION
20220377010 · 2022-11-24

A method for processing data packets in a communication network includes establishing a path for a flow of the data packets through the communication network. At a node along the path having a plurality of aggregated ports, a port is selected from among the plurality to serve as part of the path. A label is chosen responsively to the selected port. The label is attached to the data packets in the flow at a point on the path upstream from the node. Upon receiving the data packets at the node, the data packets are switched through the selected port responsively to the label.
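An added, illustrative example that serves both the cell site gateway abstract above (a forwarding layer that removes one controller-designated label from packets arriving from the network gateway and attaches another to packets arriving from the base station) and this tunnel provisioning abstract (a label chosen per member port of an aggregated link, attached upstream, and used by the node to pick the port). It is not either patent's code. The label stack entry layout is the real MPLS one (RFC 3032: 20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL); the control message format, interface names, counters and the label-to-port allocation rule are assumptions.

```python
import struct

# MPLS label stack entry (RFC 3032): label:20 | TC:3 | S:1 | TTL:8, big-endian.
def pack_lse(label: int, tc: int = 0, bos: int = 1, ttl: int = 64) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF))


def unpack_lse(data: bytes) -> dict:
    (w,) = struct.unpack("!I", data[:4])
    return {"label": w >> 12, "tc": (w >> 9) & 7, "bos": (w >> 8) & 1, "ttl": w & 0xFF}


def push_label(pkt: bytes, label: int, tc: int = 0, bos: int = 1, ttl: int = 64) -> bytes:
    return pack_lse(label, tc, bos, ttl) + pkt


def pop_label(pkt: bytes):
    if len(pkt) < 4:
        raise ValueError("packet too short for a label stack entry")
    return unpack_lse(pkt), pkt[4:]


class CellSiteForwarder:
    """Forwarding layer with if1 (network gateway), if2 (base station) and if3 (control)."""

    def __init__(self):
        self.remove_label = None
        self.attach_label = None
        self.counters = {"popped": 0, "pushed": 0, "dropped": 0}

    def control(self, info: dict) -> None:
        """Hypothetical control message from the control server: {'remove': L1, 'attach': L2}."""
        self.remove_label = info["remove"]
        self.attach_label = info["attach"]

    def from_network_gateway(self, pkt: bytes):
        """if1 -> if2: strip the designated label; anything else is dropped, not forwarded blind."""
        entry, payload = pop_label(pkt)
        if entry["label"] != self.remove_label or entry["ttl"] <= 1:
            self.counters["dropped"] += 1
            return None
        self.counters["popped"] += 1
        return payload

    def from_base_station(self, pkt: bytes):
        """if2 -> if1: attach the designated label as the bottom-of-stack entry."""
        if self.attach_label is None:
            self.counters["dropped"] += 1
            return None
        self.counters["pushed"] += 1
        return push_label(pkt, self.attach_label, bos=1)


def provision_lag(ports, base: int = 16) -> dict:
    """Control plane: choose one label per aggregated member port (labels 0-15 are reserved)."""
    return {base + i: port for i, port in enumerate(ports)}


class LagNode:
    """Node whose aggregated ports are selected by the label the upstream node attached."""

    def __init__(self, port_by_label: dict):
        self.port_by_label = dict(port_by_label)

    def switch(self, pkt: bytes):
        """Return (member port, packet with TTL decremented), or (None, None) to drop."""
        entry, rest = pop_label(pkt)
        port = self.port_by_label.get(entry["label"])
        if port is None or entry["ttl"] <= 1:
            return None, None  # unknown label or expired TTL: drop rather than hash onto any port
        out = push_label(rest, entry["label"], entry["tc"], entry["bos"], entry["ttl"] - 1)
        return port, out
```

Both forwarders drop on an unexpected label instead of falling back to a default port: a packet carrying a label the control plane never assigned is either a provisioning error or an injection attempt, and in neither case should it reach the far side.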

Route Exchange In Multi-Tenant Clustered Controllers

Route exchange in a plurality of network controller appliances on a per-tenant basis is disclosed. In one aspect, a method includes receiving, from a network management system and at a first network controller appliance, a designation of at least two tenants to be hosted on the first network controller appliance, the first network controller appliance being one of a plurality of network controller appliances in a SD-WAN; sending, from the first network controller appliance to other network controller appliances of the plurality of network controller appliances, a tenant list query message to obtain a corresponding tenant list of each of the other network controller appliances; and receiving a corresponding response from each of the other network controller appliances indicating the corresponding tenant list of each of the other network controller appliances, the corresponding response being used to update the tenant list on the first network controller appliance.

Distributed cloud agents for managing cloud services

A first cloud extension agent that facilitates internet-based management of a first set of local computing resources of a network is provided by a remote network management platform. A first connection is established to the first cloud extension agent. A second cloud extension agent that facilitates internet-based management of a second set of local computing resources of a network is provided by the remote network management platform. A second connection is established to the second cloud extension agent. A first set of instructions is provided to the first cloud extension agent via the first connection and a second set of instructions is provided to the second cloud extension agent via the second connection.

Backbone network performance analysis

A backbone service exposes network parameters, such as a minimum available bandwidth, latency, or packet loss, in a tunnel path between any source-destination pairs. The network parameters can be mapped as a function of time so that service teams can schedule when to use the backbone with minimized interruption to other users. The data generated by the backbone service can be transmitted, stored or displayed for informational purposes to provide insights to service teams on how to better leverage the network and create awareness of the current status of the backbone. The backbone service can be extended to provide bandwidth brokerage for controlling traffic distribution in the network. The backbone service can further provide triggered messages that inform service teams about failures in the network that could reduce the available bandwidth. The messages can further target users of affected source-destination pairs.
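An added, illustrative example covering this backbone analysis abstract together with the IPsec tunnel selection abstract above: per-link measurements are composed into path parameters as a function of time (available bandwidth is the minimum over links, latency the sum, loss one minus the product of per-link delivery), each tunnel's path is scored into a single metric, the endpoint selects the tunnel with the lowest metric, and a bandwidth drop on a link triggers a message naming the affected source-destination pairs. This is not either patent's code; the measurements, the two tunnels, the metric weights and the scheduling helper are constructed assumptions.

```python
# Constructed sample measurements: directed link -> {time bucket: (avail_bw_mbps, latency_ms, loss_fraction)}
MEASUREMENTS = {
    ("A", "B"): {0: (1000, 5, 0.000), 1: (400, 5, 0.010)},
    ("B", "C"): {0: (800, 7, 0.001), 1: (800, 7, 0.001)},
    ("A", "D"): {0: (600, 9, 0.002), 1: (600, 9, 0.002)},
    ("D", "C"): {0: (600, 8, 0.000), 1: (600, 8, 0.000)},
}

# Constructed: two IPsec tunnels between endpoints A and C and the backbone paths they ride.
TUNNELS = {"ipsec-1": ["A", "B", "C"], "ipsec-2": ["A", "D", "C"]}


def path_parameters(path, t, measurements=MEASUREMENTS):
    """Compose link measurements for a path at time bucket t: min bandwidth, summed latency, combined loss."""
    bw, latency, delivered = float("inf"), 0.0, 1.0
    for link in zip(path, path[1:]):
        sample = measurements.get(link, {}).get(t)
        if sample is None:
            return None  # a link without a measurement makes the path unusable for scheduling
        b, l, loss = sample
        bw = min(bw, b)
        latency += l
        delivered *= 1.0 - loss
    return {"bandwidth": bw, "latency": latency, "loss": 1.0 - delivered}


def tunnel_metric(params, required_mbps):
    """Lower is better. Weights are an assumption: 1 per ms, 1 per 0.1% loss, 1 per 10 Mbps of shortfall."""
    shortfall = max(0.0, required_mbps - params["bandwidth"])
    return params["latency"] + 1000.0 * params["loss"] + shortfall / 10.0


def select_tunnel(tunnels, t, required_mbps, measurements=MEASUREMENTS):
    """The first endpoint picks the IPsec tunnel with the lowest metric at time t (None if none usable)."""
    scored = {}
    for name, path in tunnels.items():
        p = path_parameters(path, t, measurements)
        if p is not None:
            scored[name] = tunnel_metric(p, required_mbps)
    return min(scored, key=scored.get) if scored else None


def best_window(path, required_mbps, measurements=MEASUREMENTS):
    """Scheduling: the time bucket in which this path carries required_mbps with the best metric."""
    buckets = set()
    for link in zip(path, path[1:]):
        buckets |= set(measurements.get(link, {}))
    scored = {}
    for t in buckets:
        p = path_parameters(path, t, measurements)
        if p is not None:
            scored[t] = tunnel_metric(p, required_mbps)
    return min(scored, key=scored.get) if scored else None


def bandwidth_alerts(t_prev, t, tunnels=TUNNELS, measurements=MEASUREMENTS):
    """Triggered messages: links whose available bandwidth fell, with the tunnels (src-dst pairs) affected."""
    alerts = []
    for link, samples in measurements.items():
        if t_prev in samples and t in samples and samples[t][0] < samples[t_prev][0]:
            affected = [n for n, path in tunnels.items() if link in zip(path, path[1:])]
            alerts.append({"link": link, "from_mbps": samples[t_prev][0],
                           "to_mbps": samples[t][0], "tunnels": affected})
    return alerts
```

With the constructed data, ipsec-1 wins in bucket 0 and ipsec-2 in bucket 1, because the A-B link both loses bandwidth and starts dropping packets; the alert for that link names ipsec-1 as the affected tunnel.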

Processing Packets by an Offload Platform Adjunct to a Packet Switching Device

In one embodiment, an offload platform is a compute platform, adjunct to a router or other packet switching device, that performs packet processing operations including determining an egress forwarding value corresponding to the next-hop node of the packet switching device to which to send an offload-platform processed packet. The offload platform downloads forwarding information from the router and augments it, such as, but not limited to, by representing interfaces of the router as identifiable virtual interface(s) on the offload platform, and by representing each of one or more next-hop nodes of the router as an identifiable virtual adjacency and identifiable tunnel (e.g., identified by the egress forwarding value). In one embodiment, the egress forwarding value is a Multiprotocol Label Switching (MPLS) label or Segment Routing identifier. The router identifies packets of certain packet flows to send to the adjunct offload platform rather than processing them per its routing information base.

Peer-to-Peer Forwarding for Packet-Switched Traffic
20170332423 · 2017-11-16

Establishing peer-to-peer tunnels between clients in a mobility domain. In normal operation, clients attached to a network having access nodes connected to a central controller transfer all traffic through the central controller. This traffic is passed using tunnels between the access node and the central controller. Tunnels may be encrypted, and GRE tunnels may be used. A mobility manager operating in the controller tracks access nodes connected to the controller, and clients connected to those access nodes. When the mobility controller recognizes traffic passing between clients in its mobility domain that is eligible for peer-to-peer forwarding, it instructs the access nodes supporting the clients to establish a peer-to-peer tunnel between the nodes, and direct the client traffic through this peer-to-peer tunnel. The peer-to-peer tunnel may be session based, or may be aged. Eligibility of traffic for peer-to-peer tunnels may be controlled by rules, such as limiting peer-to-peer tunnels by source or destination, by port or protocol, and the like.
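The decision logic described above, as an added example that is not the patent's or any vendor's code: a mobility manager tracks which access node each client is attached to, evaluates rule-based eligibility over source, destination, protocol and port (first match wins, default deny), sets up a peer-to-peer tunnel between the two access nodes when a flow is eligible, and ages idle tunnels out. Client names, access node names, the rule set and the idle timeout are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One eligibility rule; a None field matches anything. First matching rule wins."""
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # source client
    dst: Optional[str] = None       # destination client
    proto: Optional[str] = None     # "tcp" / "udp"
    dport: Optional[int] = None     # destination port

    def matches(self, flow: dict) -> bool:
        return all(want is None or flow.get(key) == want
                   for key, want in (("src", self.src), ("dst", self.dst),
                                     ("proto", self.proto), ("dport", self.dport)))


class MobilityManager:
    """Runs in the controller: knows node<->client attachment and decides on peer-to-peer tunnels."""

    def __init__(self, rules, idle_seconds: float):
        self.rules = list(rules)
        self.idle = idle_seconds
        self.client_node = {}   # client -> access node it is attached to
        self.tunnels = {}       # frozenset({node_a, node_b}) -> time of last use

    def attach(self, client: str, node: str) -> None:
        self.client_node[client] = node

    def detach(self, client: str) -> None:
        self.client_node.pop(client, None)

    def eligible(self, flow: dict) -> bool:
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action == "allow"
        return False  # no rule matched: traffic stays on the controller path

    def on_traffic(self, flow: dict, now: float) -> str:
        """Return 'p2p' when the flow is sent over a peer tunnel, else 'controller'."""
        a = self.client_node.get(flow.get("src"))
        b = self.client_node.get(flow.get("dst"))
        if a is None or b is None or a == b:
            return "controller"  # not both in this mobility domain, or same access node
        if not self.eligible(flow):
            return "controller"
        # Instruct the two access nodes to (re)use a tunnel between them; refresh its age.
        self.tunnels[frozenset((a, b))] = now
        return "p2p"

    def age(self, now: float) -> int:
        """Tear down tunnels idle for at least idle_seconds; return how many were removed."""
        expired = [key for key, last in self.tunnels.items() if now - last >= self.idle]
        for key in expired:
            del self.tunnels[key]
        return len(expired)
```

The default-deny fall-through matters: a client-to-client flow that no rule explicitly allows keeps going through the controller, where the usual inspection and policy enforcement happen, so adding peer-to-peer forwarding does not silently open a bypass around them.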

Systems and Methods for Routing Communications Within Global Payment Networks
20170331724 · 2017-11-16

Exemplary payment networks and methods are provided for facilitating data transfers. One exemplary method includes determining a subset of network routers that offer access to a regional hub based on network address summaries for first and second routers and prioritizing the first router over the second router, based on a specificity value of each of the first and second routers, as defined by the network address summaries. The method also includes checking whether a connection to the first router provides a viable data transfer path to the regional hub and recording the path to the first router in a routing table, when the connection to the first router is viable. Further, the method includes receiving a request to transfer data to the regional hub and transferring the data, via the path recorded in the routing table, to the regional hub.
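The router selection described above, as an added example that is not the patent's code: routers are candidates when one of their advertised network address summaries covers the regional hub, they are prioritized by the specificity (prefix length) of that summary, the most specific candidate is probed for a viable path, and the first viable router is recorded in the routing table and reused for subsequent transfers. The hub address, the summaries and the probe callback are constructed assumptions.

```python
import ipaddress

# Constructed sample: the regional hub's address and each router's advertised summaries.
HUB = ipaddress.ip_address("10.20.30.40")
ROUTER_SUMMARIES = {
    "r1": ["10.0.0.0/8"],
    "r2": ["10.20.0.0/16", "192.168.0.0/16"],
    "r3": ["10.20.30.0/24"],
    "r4": ["172.16.0.0/12"],
}


def specificity(router: str, hub, summaries: dict):
    """Longest prefix among the router's summaries that covers hub; None if none does."""
    lengths = [ipaddress.ip_network(s).prefixlen
               for s in summaries[router] if hub in ipaddress.ip_network(s)]
    return max(lengths) if lengths else None


def candidates(hub, summaries: dict) -> list:
    """Routers offering access to hub, most specific summary first (ties broken by name)."""
    ranked = []
    for router in summaries:
        spec = specificity(router, hub, summaries)
        if spec is not None:
            ranked.append((-spec, router))
    return [router for _, router in sorted(ranked)]


class HubRouter:
    """Picks and records a path to the hub; `probe(router)` is a caller-supplied viability check."""

    def __init__(self, hub, summaries: dict, probe):
        self.hub, self.summaries, self.probe = hub, summaries, probe
        self.routing_table = {}  # hub address -> router to send through

    def resolve(self):
        for router in candidates(self.hub, self.summaries):
            if self.probe(router):  # e.g. a connectivity check toward the hub through this router
                self.routing_table[self.hub] = router
                return router
        return None  # no candidate offered a viable path; nothing is recorded

    def transfer(self, data: bytes):
        """Handle a request to transfer data to the hub via the recorded path."""
        router = self.routing_table.get(self.hub) or self.resolve()
        if router is None:
            raise RuntimeError("no viable path to hub")
        return router, data
```

Ranking by prefix length is the same preference rule as longest-prefix match in ordinary IP forwarding; the difference here is that a candidate is only committed to the routing table after the viability check passes, so a router advertising a very specific summary it cannot actually serve is skipped in favour of the next most specific one.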