Patent classifications
H04L47/825
Tunnel Portals Between Isolated Partitions
This invention presents a method to create tunnel portals for exchange of information between client and server partitions by using protected messages. Tunnel portals replace function call APIs in order to achieve full isolation between client and server portals for security. They are capable of performing efficient multiblock data transfers as well as exchanging commands and responses. Client access to tunnel portals is limited at run time and can be priority-based. Servers can have multiple tunnel portals to access multiple subservers.
Systems and methods for configuring routers and for facilitating communication between routers
Aspects of the subject disclosure may include, for example, storing, in a database, subscriber information associated with a plurality of subscribers of a wireless carrier, the subscriber information comprising first subscriber information associated with a first subscriber of the wireless carrier, the first subscriber information comprising first configuration data for a first router of the first subscriber, the first router being located at a first physical location; wirelessly receiving from a second router of the first subscriber, via a wireless service of the wireless carrier, a first registration request made by the second router, the second router being located at a second physical location; responsive to receiving the first registration request, generating first provisioning information, the first provisioning information being based at least in part upon the first configuration data for the first router that is stored in the database; and wirelessly sending to the second router, via the wireless service of the wireless carrier, the first provisioning information, the first provisioning information enabling the first router and the second router to communicate with one another via the wireless service through a first tunnel mechanism. Other embodiments are disclosed.
Using router as service node through logical service plane
Some embodiments facilitate the provision of a service reachable at a virtual internet protocol (VIP) address. The VIP address is used by clients to access a set of service nodes in the logical network. Facilitating the provision of the service, in some embodiments, includes returning a serviced data message to a load balancer that selected a service node to provide the service for the load balancer to track the state of the connection using the service logical forwarding element. To use the service logical forwarding element, some embodiments configure an egress datapath of the service nodes to intercept the serviced data message before being forwarded to a logical forwarding element in the datapath from the client to the service node, and determine if the serviced data message requires routing by the routing service provided as a service by the edge forwarding element.
MULTI-PERIMETER FIREWALL IN THE CLOUD
Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second firewalls may be in communication with each other and exchange threat information.
CONGESTION DETECTION USING MACHINE LEARNING ON ARBITRARY END-TO-END PATHS
In one embodiment, a device predicts a range of bitrates expected to be required by one or more applications associated with traffic conveyed via a particular path in a network. The device obtains telemetry data indicative of observed bitrates associated with the traffic conveyed via the particular path in the network. The device identifies a presence of congestion along the particular path in the network by comparing the observed bitrates to the range of bitrates expected to be required by the one or more applications. The device causes at least a portion of the traffic to be re-routed from the particular path to a second path in the network when the device identifies the presence of congestion along the particular path.
Method and apparatus for determining identification information about cross-domain path, and storage medium
Provided are a method and apparatus for determining identification information about a cross-domain path, and a storage medium. The method includes: receiving a path computation request from a first child path computation element (PCE), wherein the path computation request carries a compression identifier for identifying compression of path segments and a path set-up type (PST); after identification information about a path from a source node to a destination node is acquired, instructing, according to the compression identifier and the PST, each of sub-PCEs corresponding to the one or more path segments to compress identification information about a respective one of the one or more path segments; and receiving the compressed identification information about each path segment.
Tunneling inter-domain stateless internet protocol multicast packets
A router is configured for deployment in a first domain of a network. The router includes a processor and a transmitter. The processor is configured to access addresses of egress routers for a multicast flow that are partitioned into local addresses of egress routers in the first domain and external addresses of egress routers in a second domain of the network. The processor is also configured to prepend an explicit multicast route (EMR) to a packet in the multicast flow to form a first EMR packet. The EMR includes information representing the external addresses. The transmitter is configured to unicast the first EMR packet to an advertising border router (ABR) that conveys the multicast flow from the first domain to the second domain. In some cases, the router includes a receiver configured to receive another EMR packet from another router in another domain via a tunnel between the routers.
Tunnel establishment method, apparatus, and system
This application describes a tunnel establishment method. The method may include receiving, by a first network device, a first request message sent by a previous-hop network device, where the first request message is used to request to obtain an RSVP-TE label of the first network device, the first network device supports RSVP-TE and SR-TE, and the previous-hop network device supports RSVP-TE. The method may also include, when the first network device determines that at least one network device in downstream network devices of the first network device on a path of a to-be-established tunnel supports SR-TE, establishing an SR-TE tunnel from the first network device to a second network device, and generating a tunnel identifier used to identify the SR-TE tunnel. Furthermore, the method may include sending a first response message to the previous-hop network device, where the first response message includes the tunnel identifier.
Using a flappiness metric to limit traffic disruption in wide area networks
In one embodiment, a device in a network obtains tunnel flappiness metrics associated with a particular tunnel in the network exhibiting flapping. The device makes, based on the tunnel flappiness metrics, a prediction that the particular tunnel is going to flap. The prediction is made using a machine learning model. The device proactively reroutes, based on the prediction, traffic from the particular tunnel onto an alternate tunnel, prior to the particular tunnel flapping. The device evaluates performance of the alternate tunnel, after proactively rerouting the traffic from the particular tunnel onto the alternate tunnel.
Using multiple transport mechanisms to provide services at the edge of a network
Some embodiments provide novel methods for providing different types of services for a logical network associated with an edge forwarding element acting between the logical network and an external network. The edge forwarding element receives data messages for forwarding and performs a service classification operation to select a set of services of a particular type for the data message. The particular type of service is one of multiple types of services that use different transport mechanisms to forward the data to a set of service nodes (e.g., service virtual machines, or service appliances, etc.) that provide the service. The edge forwarding element receives the data message after the selected set of services has been performed and performs a forwarding operation to forward the data message. In some embodiments, the method is also performed by edge forwarding elements that are at the edges of logical network segments within the logical network.