Abstract: In one aspect, a method useful for implementing high availability (HA) enhancements to a computer network, comprising the steps of: providing a first edge device of a local area network (LAN); providing a second edge device of the LAN; providing a gateway system to the LAN from a wide area network; detecting that an HA cable between the first edge device and the second edge device is disconnected; establishing a network connection between the gateway system and the second edge device; with the gateway system: determining that the first edge device is active and passing network traffic, implementing a network tunneling protocol with second edge device.

Abstract: In one aspect, A computerized method of a gateway distributing routes learned through routing protocols (RP) into a Border Gateway Protocol (BGP) includes the step of providing a first gateway that receives a route over a routing protocol. The method includes the step of with the first gateway, redistributing the route to one or more peer routers as a BGP route based on one or more specified criteria. The method includes the step of setting a gateway precedence based on the redistribution of the route to the one or more peer routers as the BGP route.

Abstract: In one aspect, A computerized method of a gateway distributing routes learned through routing protocols (RP) into a Border Gateway Protocol (BGP) includes the step of providing a first gateway that receives a route over a routing protocol. The method includes the step of with the first gateway, redistributing the route to one or more peer routers as a BGP route based on one or more specified criteria. The method includes the step of setting a gateway precedence based on the redistribution of the route to the one or more peer routers as the BGP route. The method includes the step of, based on the gateway precedence, setting a second gateway to automatically redistribute the route with different priorities to influence steering of traffic to a preferred gateway.

Abstract: In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator.

Abstract: In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

Abstract: Some embodiments provide a method for maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity. This method configures a gateway in the cloud datacenter to establish secure connections with several edge devices at several multi-machine edge nodes (e.g., branch offices, datacenters, etc.) in order to establish the virtual network. The method configures the gateway to assess quality of connection links with different edge devices, and to terminate a secure connection with a particular edge device for a duration of time after the assessed quality of the connection link to the particular edge device is worse than a threshold value. In some embodiments, the gateway is configured to distribute routes to edge devices at the edge nodes, and to forgo distributing any route to the particular edge device along the connection link for the duration of time when the assessed quality of the connection link is worse than (e.g., less than) a threshold value.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an applications The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a databases The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.

Abstract: In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

Abstract: In one aspect, a computerized system useful for implementing a cloud-based multipath routing protocol to an Internet endpoint includes an edge device that provides an entry point into an entity's core network. The entity's core network includes a set of resources to be reliably accessed. The computerized system includes a cloud-edge device instantiated in a public-cloud computing platform. The cloud-edge device joins a same virtual routing and forwarding table as the edge device.

Abstract: In one aspect, a computerized method useful for connecting to a multipath hub in a cluster includes the step of, with a gateway in a same network as the cluster, receiving, from a branch edge, a request to connect to a logical identifier (ID) of the multipath hub. The gateway recognizes a logical ID representing a cluster. The gateway determines a least-loaded edge in the cluster to be the multipath hub. The gateway returns a connectivity information for the multipath hub. The branch edge configures a tunnel to the multipath hub.

Abstract: In one aspect, a computerized method of an application routing service includes the step of using a deep-packet inspection (DPI) technique on a first network flow to identify an application. The method includes the step of storing an Internet-protocol (IP) address and a port number used by the application and an identity of the application in a database. The method includes the step of detecting a second network flow. The method includes the step of identifying the IP address and the port number of the application in the second network flow. The method includes the step of looking up the IP address and the port number in the database. The method includes the step of identifying the application based on the IP address and the port number.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: Some embodiments provide a method for quantifying quality of several service classes provided by a link between first and second forwarding nodes in a wide area network (WAN). At a first forwarding node, the method computes and stores first and second path quality metric (PQM) values based on packets sent from the second forwarding node for the first and second service classes. The different service classes in some embodiments are associated with different quality of service (QoS) guarantees that the WAN offers to the packets. In some embodiments, the computed PQM value for each service class quantifies the QoS provided to packets processed through the service class. In some embodiments, the first forwarding node adjusts the first and second PQM values as it processes more packets associated with the first and second service classes. The first forwarding node also periodically forwards to the second forwarding node the first and second PQM values that it maintains for the first and second service classes.

Abstract: In one aspect, a computerized system useful for implementing a cloud-based multipath routing protocol to an Internet endpoint includes an edge device that provides an entry point into an entity's core network. The entity's core network includes a set of resources to be reliably accessed. The computerized system includes a cloud-edge device instantiated in a public-cloud computing platform. The cloud-edge device joins a same virtual routing and forwarding table as the edge device. The cloud-edge device receives a set of sources and destinations of network traffic that are permitted to access the edge device and the set of resources.

Abstract: In one aspect, a computerized method useful for connecting to a multipath hub in a cluster includes the step of, with a gateway in a same network as the cluster, receiving, from a branch edge, a request to connect to a logical identifier (ID) of the multipath hub. The gateway recognizes a logical ID representing a cluster. The gateway determines a least-loaded edge in the cluster to be the multipath hub. The gateway returns a connectivity information for the multipath hub. The branch edge configures a tunnel to the multipath hub.

Abstract: In one aspect, a computer-networking method useful for implementing dynamic high-availability (HA) mode based on current wide area network (WAN) connectivity, comprising the steps of: providing a first edge device of a local area network (LAN) with the WAN; providing a second edge device of the LAN with the WAN; and synchronizing a state of plurality of links with the WAN that are connected to the first edge device and the second edge device.