H04L47/825

Tunnel processing distribution based on traffic type and learned traffic processing metrics
11245608 · 2022-02-08

In some implementations, a network device may determine throughput rate metrics for a plurality of processing units of the network device that are processing network traffic of a network. The network device may maintain the throughput rate metrics in a status table associated with the plurality of processing units. The network device may receive tunnel traffic associated with a particular tunnel of the network. The network device may determine, based on a characteristic of the tunnel traffic, a potential throughput rate associated with processing the tunnel traffic. The network device may direct the tunnel traffic to a particular processing unit, of the plurality of processing units, based on the potential throughput rate and the throughput rate metrics indicated in the status table.

Multicast data packet processing method and apparatus

This application provides a multicast data packet processing method and a forwarding device. The method implemented by a first forwarding device includes: establishing a segment routing header (SRH)-based tunnel with a third forwarding device, wherein the SRH-based tunnel passes through a second forwarding device that does not support bit index explicit replication (BIER); generating a first multicast data packet based on a multicast data packet from a multicast source and the SRH-based tunnel, wherein the first multicast data packet includes a first packet header, a second packet header, and the multicast data packet from the multicast source, the first packet header includes an SRH header, and a destination address included in the second packet header is an address of the second forwarding device; and sending the first multicast data packet to the second forwarding device through the SRH-based tunnel.

Micro VPN tunneling for mobile platforms
09735943 · 2017-08-15

Methods and systems for providing a virtual private network service on a per mobile application basis are presented. In some embodiments, a mobile device that is connected to a private network may determine that one of its mobile applications is requesting to communicate with a private network. The mobile device may intercept one or more system calls to communicate with the private network issued by the mobile application. The mobile device may generate a communication link to a virtual private network (VPN) server on a port of the mobile device through which to transmit communications from the mobile application to the private network. The mobile device may instruct the VPN server to transmit one or more messages from the mobile application to an access gateway for forwarding to the private network.

Systems and methods for user plane function (“UPF”) offload at configurable routing fabric

A system described herein may provide for the separation of functions associated with a User Plane Function (“UPF”) in a wireless network (e.g., a Fifth Generation (“5G”) network), such that routing devices associated with the wireless network may perform functionality that would otherwise be performed by virtualized hosts or other configurable resources. For example, routing components which form a backhaul or other portion of the network may process traffic according to a suitable set of policies (e.g., Quality of Service (“QoS”) policies, content filtering policies, queueing policies, and/or other policies) instead of transmitting such traffic to a UPF associated with the network core for processing.

Multi-protocol label switching rings
09729455 · 2017-08-08

Techniques are described for specifying and constructing multi-protocol label switching (MPLS) rings. Routers may signal membership within MPLS rings and automatically establish ring-based label switch paths (LSPs) as components of the MPLS rings for packet transport within ring networks. In one example, a router includes a processor configured to establish an MPLS ring having a plurality of ring LSPs. Each of the ring LSPs is configured to transport MPLS packets around the ring network to a different one of the routers operating as an egress router for the respective ring LSP. Moreover, each of the ring LSPs comprises a bidirectional, multipoint-to-point (MP2P) LSP for which any of the routers can operate as an ingress to source packet traffic into the ring LSP for transport to the respective egress router for the ring LSP. Separate protection paths, bypass LSPs, detours or loop-free alternatives need not be signaled.

System and method for extending cloud services into the customer premise

A cloud extension agent can be provided on a customer premise for interfacing, via an outbound secure connection, cloud based services. The cloud extension agent can reach the cloud based services through existing firewall infrastructure, thereby providing simple, secure deployment. Furthermore, the secure connection can enable substantially real-time communication with a cloud service to provide web-based, substantially real time control or management of resources on the customer premises via the cloud extension agent.

Data-plane driven fast protection mechanism for MPLS pseudowire services

In one embodiment, a source transmits one or more data packets to a destination over a primary pseudowire (PW). When a device on the primary PW detects a downstream failure of the primary PW, and in response to receiving one or more data packets from a source from the failed primary PW, the device adds a loopback packet identifier to the one or more received data packets, and returns the one or more data packets with the loopback packet identifier to the source upstream on the primary PW. Accordingly, in response to receiving the data packet returned with a loopback packet identifier from the primary PW (in response to the downstream failure), the source retransmits the one or more data packets to the destination over a backup PW.

Score boosting strategies for capturing domain-specific biases in anomaly detection systems
20170279848 · 2017-09-28

In one embodiment, a device in a network detects an anomaly in the network using an anomaly detector. The anomaly corresponds to an anomalous behavior exhibited by one or more nodes in the network. The device computes an anomaly score for the anomaly that represents a measure of the anomalous behavior. The device adjusts the anomaly score using a boost score. The boost score is generated by a boosting function that accounts for domain-specific biases of the anomaly detector. The device reports the anomaly to a supervisory device based on whether the adjusted anomaly score exceeds a reporting threshold.

Open shortest path first for temporal tunnel services
09819580 · 2017-11-14

A network element (NE) in a network, comprising a memory configured to store time-based traffic engineering (TE) information associated with network resource reservations on a link attached to the NE in a series of time intervals each having a predetermined start time and a predetermined end time, and a processor coupled to the memory and configured to reserve, at a first current time, a network resource for a temporal tunnel service (TTS) on the link to carry traffic during a scheduled time interval subsequent to the first current time, wherein the scheduled time interval comprises a scheduled start time and a scheduled end time, and update, at the first current time, the time-based TE information in the scheduled time interval according to the network resource reserved to produce a first updated TE information in the scheduled time interval.

Apparatus, system, and method for providing node protection across label-switched paths that share labels

The disclosed computer-implemented method may include (1) receiving, at a network node within a network, a packet from another network node within the network, (2) identifying, within the packet, a label stack that includes a plurality of labels that collectively represent at least a portion of a label-switched path within the network, (3) popping, from the label stack, a label that corresponds to a next hop of the network node, (4) determining, based at least in part on the label, that the next hop has experienced a failure that prevents the packet from reaching a destination via the next hop, (5) identifying a backup path that merges with the label-switched path at a next-to-next hop included in the label-switched path, and then (6) forwarding the packet to the next-to-next hop via the backup path. Various other methods, systems, and apparatuses are also disclosed.