Abstract: The present disclosure includes systems and methods for symmetric routing and split-brain handling in high-availability (HA) networks using route priority and route affinity inversion. In one aspect, the method includes receiving, at a controller associated with a communication network, first status information associated with at least one of a first node or a second node. The first node and the second node are used in service of a first VPN. The controller determines, from the first status information, a preference associated with the first node over the second node for servicing traffic of the first VPN, and generates routing information for a third node of the communication network. The routing information specifies that the first node is preferred for serving traffic of the first VPN, and that the second node is available, but less preferred for servicing traffic of the first VPN.

Abstract: Techniques for utilizing a network gateway provisioned in a software-defined network to verify service readiness of one or more security service(s) of a service chain prior to redirecting network traffic along a given data-path to the security service(s). The gateway may be configured to open a specific port on a network device hosting a security service to transmit network policies and/or test network traffic to the security service. The network gateway may host a virtual source and/or a virtual destination and cause the virtual source to send test network traffic through the security service via the port and to the virtual destination. The gateway may then utilize the received test network traffic to determine whether a given security service satisfies a threshold health and/or functionality measurement. Once it is determined that the security service satisfies the thresholds, the gateway may cause network traffic to be redirected to the security service.

Abstract: This disclosure describes techniques and mechanisms for enabling intent-based application traffic steering in a network. The techniques may enable a controller to resolve affinity in data policies with TLOC lists and user intent. The techniques may enable branches to apply local affinity preference orders and data policies when routing traffic. The techniques enable network administrators to create and apply a single data policy across branches of a network, such that regardless of the number of hubs or the number of branches, the techniques described herein create just one data policy (e.g., a centralized data policy), resulting in significant simplification of the network configuration to be created, managed, and/or deployed.

Abstract: Edge router may receive, from a tenant of a multi-tenanted network, a request to access a Secured Internet Gateway (SIG) service associated with a cloud provider. The edge router may access one or more reference tables and add one or more hash entries to the one or more reference tables. The one or more hash entries includes one or more identifiers associated with the request. The edge router may transmit the request to the SIG service. The edge router may receive a response from the SIG service and may transmit the response to the tenant of the multi-tenanted network according to the one or more hash entries of the one or more reference tables.

Abstract: Techniques for automatically orchestrating routes configured to track behind-the-service endpoints executing in association with service endpoint devices in a service chain. A network controller may be utilized to override a tracker IP address for each HA pair in a service, allowing customers to configure the tracker IP address to be provisioned behind a service they wish to track, such that packets containing the tracker IP address will be forced to go through the service itself, allowing the network to gauge a status of the service (e.g., up, down, etc.). The network controller may be configured to automatically orchestrate a route that causes packets addressed to a service endpoint device hosting a service through an outgoing interface of the endpoint device, into the service, and to a behind-the-service IP address. These techniques may be utilized with tunnel connected services and/or services connected over physical interface(s) (e.g., IPv4 and/or IPv6).

Abstract: Techniques are described herein for providing bi-directional path selection based on indicated path preferences in policy data. Such techniques may be performed by a network node and may comprise generating a set of paths to a destination, a first path of the set of paths being labeled as a direct path and a second path of the set of paths being labeled as an indirect path. Such techniques may subsequently comprise receiving a communication from a source and directed to the destination, determining, based on a first indicated path preference for the destination and a second indicated path preference for the source, a path category, selecting a forwarding path as one of the first path or the second path based on the determined path category, and routing the communication to a next hop in the selected forwarding path.

Abstract: Techniques are described for providing service level agreement performance in a link aggregation group computer networking environment. A performance measurement data packet such as a bi-directional forwarding detection (BFD) packet is received. The performance measuring data packet can be considered a parent performance measurement data packet is split into multiple child performance measurement data packets which are each different constituent links of a link aggregation database. The performance of each constituent is tested to determine which constituents satisfy service level agreement parameters. Data packets can then be sent to constituents that meet the data packet's service level agreement performance parameters while still allowing link aggregation grouping.

Abstract: Present disclosure includes determining, at two or more gateway nodes that each communicate with a plurality of branch nodes and a plurality of resources, dynamically a path between each of the plurality of branch nodes and each of the plurality of resources, wherein the path includes one or more virtual routers; generating, at the two or more gateways, dynamically a path length based upon a number of virtual routers each path traverses; automatically translating the path length to an overlay management protocol route preference for each of the plurality of resources.

Abstract: A process can include determining affinity information indicative of route preferences between branch routers and gateway routers. A prefix can be determined for a subnet of branch routers located at a same branch location. An affinity position of a first gateway router can be determined based on affinity information of the branch routers in the subnet. A mapping can be determined between a local preference Border Gateway Protocol (BGP) community attribute and the affinity position of the first gateway router, wherein a mapped local preference BGP community attribute and the affinity position are indicative of a same routing preference. The mapped local preference BGP community attribute can be attached to routes from the first gateway router into a cloud service provider. Affinity-based route preferences are indicated to the cloud service provider by redistributing the routes from the first gateway router with the mapped local preference BGP community attribute attached.

Abstract: A system facilitates communication between branches of an SD-WAN and a service chain element. A hub node receives a data packet of a flow from a source branch over a VPN segment to be transmitted to a destination branch, extracts flow information from the data packet including VPN segment information to be stored in a flow table before transmitting the data packet to the service chain element over a service chain VPN. Upon return of the data packet from the service chain element, the hub node uses packet tuple information to retrieve the flow information with VPN segment information from the flow table. The hub node can then forward the data packet to the destination branch over the VPN segment. The hub node can generate and store an Auto Service Chaining Key that connects bidirectional flows so that the hub node can apply service-chaining to bidirectional traffic.

Abstract: A system facilitates communication between branches of an SD-WAN and a service chain element. A hub node receives a data packet of a flow from a source branch over a VPN segment to be transmitted to a destination branch, extracts flow information from the data packet including VPN segment information to be stored in a flow table before transmitting the data packet to the service chain element over a service chain VPN. Upon return of the data packet from the service chain element, the hub node uses packet tuple information to retrieve the flow information with VPN segment information from the flow table. The hub node can then forward the data packet to the destination branch over the VPN segment. The hub node can generate and store an Auto Service Chaining Key that connects bidirectional flows so that the hub node can apply service-chaining to bidirectional traffic.

Abstract: Disclosed are systems, apparatuses, methods, computer readable medium, and circuits for ordering services in a service chain comprising: receiving, at an edge router, one or more data packets; determining, at the edge router, a sequence order of service chain elements for the one or more data packets based upon an established sequence, the sequence order modifies the established sequence to performing an altering service that alters a payload of the one or more packets prior to one or more remaining services that inspect the one or more packets; transmitting and receiving, by the edge router in the sequence order, the one or more data packets to and from the service chain elements; transmitting, by the edge router, the one more data packets to a destination after a last of the service chain elements has been performed.

Abstract: Techniques for enabling service insertion using dynamic service path selection are described herein. In some aspects, the techniques described herein relate to avoiding a service route that passes through a service router when the second-leg path from the service router to a destination router is unreachable. In some cases, the techniques described herein relate to avoiding a route that includes a service router that does not have a path to a viable target in a core service region.

Abstract: Generally, Software-Defined Wide Area Networks (SD-WAN) generally do not support network segmentation. The concepts disclosed herein connects IPSec SD-WAN fabric to a Virtual Routing and Forwarding (VRF) router and make use of a Software Defined Cloud Interconnect (SDCI) Router to route traffic from IPSec SD-WAN to various cloud services from the SDCI Router in the fabric. The concepts disclosed herein also provides for tunnel multi-plexing that takes incoming and outgoing traffic and maps VPNs to any service VRF associated with the cloud based services.

Abstract: Techniques are described for providing service level agreement performance in a link aggregation group computer networking environment. A performance measurement data packet such as a bi-directional forwarding detection (BFD) packet is received. The performance measuring data packet can be considered a parent performance measurement data packet is split into multiple child performance measurement data packets which are each different constituent links of a link aggregation database. The performance of each constituent is tested to determine which constituents satisfy service level agreement parameters. Data packets can then be sent to constituents that meet the data packet's service level agreement performance parameters while still allowing link aggregation grouping.

Abstract: Techniques are described for detecting a change in Path Maximum Transfer Unit (PMTU) in a network and initiating a PMTU discovery process. A Bidirectional Forwarding Detection (BFD) data packet is generated having enhanced headers configured to record a largest packet sent value and a largest packet received value. The BFD data packet is sent from a first network device (such as a first router) to a second network device (such as a second router). A largest packet sent value and a largest packet received value are each recorded in the BFD data packet. If the largest data packet sent value is larger than the largest data packet received value, then a determination can be made that a path change has resulted in a reduction in PMTU which has resulted in either a data packet being fragmented, a data packet being dropped or both. A PMTU discovery can then be performed.

Abstract: Techniques for enabling service insertion using dynamic service path selection are described herein. In some aspects, the techniques described herein relate to avoiding a service route that passes through a service router when the second-leg path from the service router to a destination router is unreachable. In some cases, the techniques described herein relate to avoiding a route that includes a service router that does not have a path to a viable target in a core service region.

Abstract: The present disclosure is directed to making service-chains routable and intent-based within an enterprise network. In one aspect, a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.

Abstract: One or more aspects of the present disclosure are directed to providing a single hierarchical construct for defining requirements (connectivity parameters) of a service in a service chain. In one aspect, a single construct for identifying a service in a service chain includes a first object identifying at least one path for accessing an instance of the service within a communication network, a second object identifying a respective communication protocol for the at least one path; and a third object identifying at least a transmission specification for the respective communication protocol in the second object, wherein the second object and the third object are embedded within the first object.

Abstract: Techniques for utilizing a network gateway provisioned in a software-defined network to verify service readiness of one or more security service(s) of a service chain prior to redirecting network traffic along a given data-path to the security service(s). The gateway may be configured to open a specific port on a network device hosting a security service to transmit network policies and/or test network traffic to the security service. The network gateway may host a virtual source and/or a virtual destination and cause the virtual source to send test network traffic through the security service via the port and to the virtual destination. The gateway may then utilize the received test network traffic to determine whether a given security service satisfies a threshold health and/or functionality measurement. Once it is determined that the security service satisfies the thresholds, the gateway may cause network traffic to be redirected to the security service.