H04L45/033

Distributing service function chain data and service function instance data in a network

In some examples, a computing device comprises a first service function instance to apply a service function and a service function forwarder to: receive a first layer 3 routing protocol route advertisement that includes service function instance data for a second service function instance, the service function instance data indicating a service function type and a service identifier for the service function instance; receive a second layer 3 routing protocol route advertisement that includes service function chain data for a service function chain, the service function chain data indicating a service path identifier and one or more service function items; and send, to the second service function instance and based at least on determining a service function item of the one or more service function items indicates the second service function instance, a packet classified to the service function chain.

Multi-tenant routing gateway for internet-of-things devices
11706286 · 2023-07-18

Novel techniques are described for gateway routing and/or processing of multi-tenant Internet-of-Things (IoT) device data streams. For example, a single IoT routing gateway can be used to route device data streams from IoT devices of multiple customers according to rule-based routing tiers. The routing tiers define routing protocols, including which communication technologies to use for transmission of the device data streams over a cloud network to remote servers. In some cases, the routing tiers further define processing protocols to facilitate rule-based edge processing (and/or remote processing) of some or all device data streams. Some routing tiers can define a primary and one or more secondary solution for routing and/or processing, according to customer-defined rules. In some cases, the routing tiers further enable rule-based control of interconnectivity among IoT devices.

UTILIZING DOMAIN SEGMENT IDENTIFIERS FOR INTER-DOMAIN SHORTEST PATH SEGMENT ROUTING
20230224238 · 2023-07-13

An ingress network device may receive a core domain network segment identifier associated with a core domain network of the multi-domain network. The ingress network device may receive location data of an egress network device associated with a second leaf domain network of the multi-domain network, wherein the location data may include data identifying the core domain network segment identifier, a second leaf domain network segment identifier associated with the second leaf domain network, and an egress network device segment identifier associated with the egress network device. The ingress network device may store the core domain network segment identifier and the location data, and may utilize the core domain segment identifier and the location data to route traffic to the egress network device.

Packet Transmission Method and Apparatus
20230224245 · 2023-07-13

A packet transmission method includes obtaining one or more control items and determining, by a first network device, based on the fact that a device identifier included in a first packet to which each control item belongs is a device identifier of a second network device, a target control item to be sent to the second network device. The first network device sends at least one second packet comprising the target control item to the second network device, where the target control item is located in the at least one second packet, and the second packet includes the device identifier of the second network device.

Automatic configuration and connection of heterogeneous bandwidth managed multicast fabrics

Techniques are described for utilizing Software-Defined Networking (SDN) controllers and network border leaf nodes of respective cloud computing networks to configure a data transmission route for a multicast group. Each border leaf node may maintain a respective external sources database, including a number of records indicating associations between a multicast data source, one or more respective border leaf nodes disposed in the same network as the multicast data source, and network capability information. A border leaf node, disposed in the same network as a multicast data source, may broadcast a local source discovery message to all border leaf nodes in remote networks to which it is communicatively coupled. A border leaf node may also communicate network capability information associated with one or more remote networks to a local SDN controller. The SDN controller may utilize the network capability information to configure a data transmission route to one or more destination nodes.

Packet steering to a host-based firewall in virtualized environments

Techniques are disclosed for redirecting network traffic of a virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; and configure network connectivity to the HBF in accordance with the security policy; and a security controller that manages the HBF, configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.

LIVENESS DETECTION AND ROUTE CONVERGENCE IN SOFTWARE-DEFINED NETWORKING DISTRIBUTED SYSTEM
20230216774 · 2023-07-06

This disclosure describes techniques for improving speed of network convergence after node failure. In one example, a method includes storing, by an SDN controller, an underlay routing table having routes for an underlay network of a data center and an overlay routing table having a set of routes for a virtual network of an overlay network for the data center, wherein the underlay network includes physical network switches, gateway routers, and a set of virtual routers executing on respective compute nodes of the data center; and installing, within the underlay routing table, a route to a destination address assigned to a particular one of the virtual routers as an indicator of a reachability status to the particular virtual router in the underlay network. The SDN controller controls, based on presence or absence of the route within the underlay routing table, advertisement of the routes for the virtual network of the overlay network.

Distribution of multicast information in a routing system

A routing system for distributing multicast routing information for a multicast service includes a plurality of routers including a multicast source router and a plurality of multicast receiver routers, the plurality of routers providing a multicast service, wherein the routers are configured to exchange multicast information associated with the multicast service including identification of multicast sources and the multicast receivers.

Computing segment identifier lists for multipaths in a segment routing-enabled network

Techniques are described for computing lists of segment identifiers (SIDs) that satisfy each path in a multipath solution for a segment routing (SR) policy. In an example, a method includes obtaining, by a computing device, a plurality of paths through a network comprising one or more network nodes, each path of the plurality of paths representing a different sequence of links connecting pairs of the network nodes from a source to a destination; computing, by the computing device, one or more lists of segment identifiers (SIDs) that satisfy each path of the plurality of paths; and programming the network to forward network traffic based at least on the one or more lists of SIDs.

ROUTE ATTRIBUTE UPDATE METHOD, NETWORK DEVICE, AND SYSTEM
20220417153 · 2022-12-29

A method, a network device, and a system for delivering a message used for RPD are disclosed. In the solution provided in this application, a second network device may deliver a message used for route policy distribution (RPD) to a first network device. The message includes a route policy including a match condition field and an action field. When detecting that route information of a border gateway protocol (BGP) route matches a target feature carried in the match condition field, the first network device may automatically update a route attribute of the BGP route based on a route attribute carried in the action field. The first network device may automatically update the route attribute of the BGP route according to the route policy included in the message delivered by the second network device, and operation and maintenance personnel do not need to perform manual configuration.