Patent classifications
H04L45/56
Scalable proxy clusters
The invention enables high availability, high scale, high security and disaster recovery for API computing, including capture of data traffic passing through proxies, routing of communications between clients and servers, and load balancing and/or forwarding functions. The invention inter alia provides (i) a scalable cluster of proxies configured to route communications between clients and servers without any single point of failure, (ii) proxy nodes configured for implementing the scalable cluster, (iii) efficient methods of configuring the proxy cluster, (iv) natural resiliency of clusters and/or proxy nodes within a cluster, (v) methods for scaling clusters, (vi) configurability of clusters to span multiple servers, multiple racks and multiple datacenters, thereby ensuring high availability and disaster recovery, and (vii) switching between proxies or between servers without loss of session.
SDN-Based DDOS Attack Prevention Method, Apparatus, and System
A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, apparatus, and system, in which a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection and carries a destination Internet Protocol (IP) address. The controller collects the statistical data reported by the first packet forwarding device, obtains from that data a statistical value of the global traffic flowing to the destination IP address, and, on determining that the statistical value of the global traffic exceeds a preset threshold, delivers a DDoS prevention policy to a second packet forwarding device. Correspondingly, the second packet forwarding device receives the DDoS prevention policy from the controller and, according to that policy, performs prevention processing on the traffic flowing to the destination IP address.
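The controller/forwarder split described above, as an added illustration that is not code from the patent or any product: several ingress devices each report a per-destination packet rate that is individually unremarkable, the controller sums the latest report from each device into a global value for the destination IP, and only that sum crosses the threshold and triggers a policy on a separate egress device. The class and field names (`Controller`, `ForwardingDevice`, `StatsReport`, `PreventionPolicy`), the instruction format and the sample rates are all assumptions constructed for the example.

```python
"""Added illustration of SDN-controller DDoS detection by global aggregation.
Constructed example; names, message formats and sample numbers are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StatsReport:
    """What a first packet forwarding device reports for one destination IP."""
    switch_id: str
    dst_ip: str
    packets_per_sec: int


@dataclass(frozen=True)
class PreventionPolicy:
    """Policy the controller delivers to a second packet forwarding device."""
    dst_ip: str
    action: str          # "drop" or "rate-limit"
    max_pps: int = 0     # used only by "rate-limit"


class ForwardingDevice:
    """Second packet forwarding device: enforces policies it has received."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.policies: Dict[str, PreventionPolicy] = {}
        self._forwarded: Dict[str, int] = {}

    def install_policy(self, policy: PreventionPolicy) -> None:
        self.policies[policy.dst_ip] = policy

    def process(self, dst_ip: str) -> str:
        """Verdict for one packet to dst_ip: 'forward' or 'drop'."""
        policy = self.policies.get(dst_ip)
        if policy is None:
            return "forward"
        if policy.action == "drop":
            return "drop"
        sent = self._forwarded.get(dst_ip, 0)       # rate-limit: admit up to max_pps
        if sent >= policy.max_pps:
            return "drop"
        self._forwarded[dst_ip] = sent + 1
        return "forward"


class Controller:
    """Instructs collection, keeps the latest counter per device, decides."""

    def __init__(self, threshold_pps: int) -> None:
        self.threshold_pps = threshold_pps
        # Keyed by (device, dst_ip): a newer report replaces the older one, so
        # repeated reports from one device are never summed twice.
        self._latest: Dict[Tuple[str, str], int] = {}

    def collection_instruction(self, dst_ip: str) -> dict:
        """Assumed wire format of the statistics collection instruction."""
        return {"op": "collect-stats", "match": {"ipv4_dst": dst_ip}}

    def ingest(self, report: StatsReport) -> None:
        self._latest[(report.switch_id, report.dst_ip)] = report.packets_per_sec

    def global_traffic(self, dst_ip: str) -> int:
        """Sum of the latest report from every device for this destination."""
        return sum(v for (_, ip), v in self._latest.items() if ip == dst_ip)

    def evaluate(self, dst_ip: str, targets: List[ForwardingDevice]) -> Optional[PreventionPolicy]:
        """Deliver a drop policy to the target devices when the global value exceeds the threshold."""
        if self.global_traffic(dst_ip) <= self.threshold_pps:
            return None
        policy = PreventionPolicy(dst_ip=dst_ip, action="drop")
        for dev in targets:
            dev.install_policy(policy)
        return policy


def run_scenario() -> dict:
    """Constructed scenario: 4000 + 4500 + 3800 pps toward the victim, each below
    the 10000 pps threshold alone, 12300 pps once aggregated at the controller."""
    victim, other = "203.0.113.10", "203.0.113.20"
    ctrl = Controller(threshold_pps=10_000)
    ingress = ["sw-ingress-1", "sw-ingress-2", "sw-ingress-3"]
    egress = ForwardingDevice("sw-egress-1")
    instruction = ctrl.collection_instruction(victim)
    for sid, pps in zip(ingress, (4000, 4500, 3800)):
        ctrl.ingest(StatsReport(sid, victim, pps))
        ctrl.ingest(StatsReport(sid, other, 100))
    installed = ctrl.evaluate(victim, [egress])
    ctrl.evaluate(other, [egress])
    return {
        "instruction": instruction,
        "global_victim_pps": ctrl.global_traffic(victim),
        "policy_installed": installed is not None,
        "victim_verdict": egress.process(victim),
        "other_verdict": egress.process(other),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two practical caveats the abstract does not spell out: the collecting devices should sit where each flow is counted once (ingress), because a destination whose traffic traverses two collecting devices in series would be double-counted and could trip the threshold on legitimate load; and the policy here is keyed only on the destination IP, so a drop policy also discards legitimate traffic to the victim, which is why a rate-limit or per-source refinement is usually preferred once the global signal fires.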
Network monitoring apparatus and method thereof in programmable network virtualization
Disclosed is a computing apparatus implemented with a network hypervisor that provides software defined network (SDN)-based network virtualization. The computing apparatus includes a statistics virtualization module configured to provide individual statistics to each of the created virtual networks, a transmission disaggregation module that includes a physical statistics cache which periodically monitors a plurality of physical switches and stores the collected statistics of the physical switches, and a physical statistics aggregation module configured to respond with the statistics of the plurality of physical switches when a single monitoring request is received.
Method and apparatus for distributed data network traffic optimization
Embodiments disclosed include a method and apparatus for global traffic control and optimization for software-defined networks. In an embodiment, data traffic is optimized by distributing predefined metrics (data traffic information) to all controllers in the network. The predefined metrics are specific to local network switches and controllers, but are distributed to all peers at configurable intervals. “Local” as used herein implies one POP and its associated switch and controller. The method of distribution of local POP metrics is strictly in band using a packet as defined by the protocol used by the data network.
NODE IDENTIFIER TRANSMISSION METHOD, DEVICE, AND SYSTEM
Embodiments of this application relate to the communication field and disclose a method, a device, and a system for transmitting a node identifier, to reduce a limitation on delivery of an SR POLICY route and improve network performance. The method includes: a forwarding device sends a node identifier to a controller; the forwarding device receives a first SR POLICY route from the controller, where a target attribute of the first SR POLICY route is the node identifier; the forwarding device determines that the node identifier matches the target attribute of the first SR POLICY route, and forwards a traffic packet according to the first SR POLICY route.
SYSTEM AND METHOD FOR PROGRAMMING PACKET FORWARDING HARDWARE
A switching system manager programmed to obtain a base lookup data structure comprising nodes that enumerate all prefixes of a first traffic management policy of a first type and all prefixes of a second traffic management policy of a second type; modify the base lookup data structure based on a first set of inheritance rules associated with the first traffic management policy to generate an updated lookup data structure comprising first traffic management policy label allocations; modify the updated lookup data structure based on a second set of inheritance rules associated with the second traffic management policy to generate a combined lookup data structure comprising both the first and the second traffic management policy label allocations; and program packet classification hardware of the switching system so that the switching system processes packets based on the combined lookup data structure.
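A worked illustration of the combined lookup structure, added here and not code from the patent or from any switch vendor: two policies of different types (a QoS policy and an ACL policy, both assumed) each map IPv4 prefixes to labels; the base structure holds one node per prefix that either policy names; each policy's labels are then propagated to the nodes that lack one. The inheritance rule used, "take the nearest labelled ancestor prefix, else the policy's default label", is an assumed simplification of the per-policy inheritance rules the abstract refers to, and the flat longest-prefix-first table stands in for whatever the classification hardware is actually programmed with.

```python
"""Added illustration of a combined prefix lookup structure with per-policy
label inheritance. Constructed example; the inheritance rule, policy contents
and the flat table format are assumptions, not the patent's specifics."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

Net = ipaddress.IPv4Network


class Policy:
    """One traffic management policy: prefix -> label, plus a default label."""

    def __init__(self, name: str, labels: Dict[str, int], default: int = 0) -> None:
        self.name = name
        self.default = default
        self.labels: Dict[Net, int] = {
            ipaddress.ip_network(p, strict=True): lbl for p, lbl in labels.items()
        }


class LookupTree:
    """Base lookup structure: one node per prefix enumerated by any policy."""

    def __init__(self, policies: Sequence[Policy]) -> None:
        self.nodes: Dict[Net, Dict[str, int]] = {}
        for pol in policies:
            for net, lbl in pol.labels.items():
                self.nodes.setdefault(net, {})[pol.name] = lbl
        # Shorter prefixes first, so an ancestor is resolved before its children.
        self.order: List[Net] = sorted(self.nodes, key=lambda n: n.prefixlen)

    def nearest_ancestor(self, net: Net) -> Optional[Net]:
        """Longest enumerated prefix that strictly contains net, if any."""
        ancestors = [c for c in self.nodes if c != net and net.subnet_of(c)]
        return max(ancestors, key=lambda c: c.prefixlen) if ancestors else None

    def apply_inheritance(self, pol: Policy) -> None:
        """Assumed rule: a node without this policy's label inherits the nearest
        labelled ancestor's label, or the policy default at the top."""
        for net in self.order:
            if pol.name in self.nodes[net]:
                continue
            parent = self.nearest_ancestor(net)
            self.nodes[net][pol.name] = (
                self.nodes[parent][pol.name] if parent is not None else pol.default
            )

    def hardware_entries(self, names: Sequence[str]) -> List[Tuple[str, Tuple[int, ...]]]:
        """Flat longest-prefix-first table: one entry per node carrying every
        policy's label, so a single lookup yields all labels at once."""
        return [
            (str(n), tuple(self.nodes[n][k] for k in names))
            for n in sorted(self.nodes, key=lambda n: -n.prefixlen)
        ]


def build_combined(policies: Sequence[Policy]) -> LookupTree:
    tree = LookupTree(policies)
    for pol in policies:            # first rules, then second rules, as in the abstract
        tree.apply_inheritance(pol)
    return tree


def classify(entries: List[Tuple[str, Tuple[int, ...]]], ip: str,
             defaults: Tuple[int, ...]) -> Tuple[int, ...]:
    """First-hit match over the longest-prefix-first table, as a TCAM would do."""
    addr = ipaddress.ip_address(ip)
    for pfx, labels in entries:
        if addr in ipaddress.ip_network(pfx):
            return labels
    return defaults


def demo() -> dict:
    """Constructed policies: QoS labels on 10.0.0.0/8 and 10.1.0.0/16, ACL labels
    on 10.1.2.0/24 and 192.0.2.0/24. Neither policy names all four prefixes."""
    qos = Policy("qos", {"10.0.0.0/8": 1, "10.1.0.0/16": 2}, default=0)
    acl = Policy("acl", {"10.1.2.0/24": 7, "192.0.2.0/24": 5}, default=0)
    tree = build_combined([qos, acl])
    entries = tree.hardware_entries(["qos", "acl"])
    defaults = (qos.default, acl.default)
    return {
        "entries": entries,
        "10.1.2.5": classify(entries, "10.1.2.5", defaults),    # inherits qos 2, own acl 7
        "10.1.9.9": classify(entries, "10.1.9.9", defaults),
        "10.7.0.1": classify(entries, "10.7.0.1", defaults),
        "192.0.2.1": classify(entries, "192.0.2.1", defaults),
        "8.8.8.8": classify(entries, "8.8.8.8", defaults),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point worth checking in any such scheme is the ACL node that inherits a label from another policy: 10.1.2.0/24 is named only by the ACL, yet its entry must carry the QoS label of 10.1.0.0/16 or a packet hitting that entry (the longest match) would silently lose its QoS treatment. Conversely the entry count stays at one per enumerated prefix rather than the cross product of the two policies, which is what keeps the hardware table small.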
Distributed artificial intelligence extension modules for network switches
Distributed machine learning systems and other distributed computing systems are improved by compute logic embedded in extension modules coupled directly to network switches. The compute logic performs collective actions, such as reduction operations, on gradients or other compute data processed by the nodes of the system. The reduction operations may include, for instance, summation, averaging, bitwise operations, and so forth. In this manner, the extension modules may take over some or all of the processing of the distributed system during the collective phase. An inline version of the module sits between a switch and the network. Data units carrying compute data are intercepted and processed using the compute logic, while other data units pass through the module transparently to or from the switch. Multiple modules may be connected to the switch, each coupled to a different group of nodes, and sharing intermediate results. A sidecar version is also described.
ENHANCED END-TO-END SERVICE-BASED ARCHITECTURE
Aspects of the subject disclosure may include, for example, a core network; an access network communicatively coupled with the core network, wherein the access network comprises a plurality of network resources; a network resource abstraction layer, wherein the network resource abstraction layer comprises descriptor objects that define a plurality of universal resource ports, and wherein each universal resource port of the plurality of universal resource ports corresponds to a respective network resource of the plurality of network resources; and a software-defined network configured to leverage the plurality of network resources, via the plurality of universal resource ports, to facilitate end-to-end service composition and delivery. Other embodiments are disclosed.
SOFTWARE-DEFINED SERVICE INSERTION FOR NETWORK FABRICS
This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.
VIRTUAL CIRCUIT-BASED DATA PACKET PROCESSING METHOD AND FORWARDING TABLE ENTRY CONSTRUCTION METHOD
Provided is a virtual circuit-based data packet processing method, which includes that: identification information of a next-hop Provider Edge (PE) node of a routing packet and identification information of an Original PE (OPE) node of the routing packet are determined according to the routing packet corresponding to a Virtual Private Network (VPN) service instance; a context virtual circuit is determined, wherein nodes at both ends of the context virtual circuit are respectively the current PE node and the OPE node; a virtual circuit label of the context virtual circuit is determined; a final data packet to be forwarded is obtained by carrying a VPN label of the routing packet and the virtual circuit label with an initial data packet of the VPN service instance; and the final data packet to be forwarded is forwarded to the next-hop PE node.