Abstract: In an example, a method includes obtaining, for a software-defined wide area network (SD-WAN) system having a plurality of a wide area network (WAN) links for an SD-WAN service, a first service level agreement (SLA) rule that matches a first application, the first SLA rule having a first priority that indicates a priority of the first application; obtaining, for the SD-WAN system, a second SLA rule that matches a second application, the second SLA rule having a second priority that indicates a priority of the second application; assigning, for the SD-WAN system, the first application and the second application to a first WAN link of the plurality of WAN links; and in response to determining that the first WAN link has violated the first SLA rule that matches the first application, assigning, by the SD-WAN system, the second application to a second WAN link of the plurality of WAN links.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: In general, the disclosure describes techniques for evaluating application quality of experience metrics over a software-defined wide area network. For instance, a network device may receive an application data packet of a data flow for an application. In response to receiving the application data packet, the network device may assign the data flow to a first link of a plurality of links and initiate a probing process for the data flow on the first link to determine one or more quality of experience (QoE) metrics for the first link. The network device may, at a later time, detect that the data flow is no longer being received. In response to detecting that the data flow is no longer being received, the network device may cease the probing process for the data flow on the first link.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A network device includes a memory and one or more processors in communication with the memory. The one or more processors are configured to configure a proxy server to forward a request for data from a client device to a data server and to forward, from the data server to the client device, a response message that is responsive to the request for data. The one or more processors are further configured to receive an indication of a set of header fields for the response message that indicates a first time specifying when the data server received the request for data and a second time specifying when the response message was sent by the data server and generate a metric for a performance of the data server based on the first time and the second time.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: In an example, a method includes obtaining, for a software-defined wide area network (SD-WAN) system having a plurality of a wide area network (WAN) links for an SD-WAN service, a first service level agreement (SLA) rule that matches a first application, the first SLA rule having a first priority that indicates a priority of the first application; obtaining, for the SD-WAN system, a second SLA rule that matches a second application, the second SLA rule having a second priority that indicates a priority of the second application; assigning, for the SD-WAN system, the first application and the second application to a first WAN link of the plurality of WAN links; and in response to determining that the first WAN link has violated the first SLA rule that matches the first application, assigning, by the SD-WAN system, the second application to a second WAN link of the plurality of WAN links.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: A network node may receive a packet having an inner internet protocol (IP) header and an outer IP header. The inner IP header may be encrypted. A loose source routing (LSR) field of the outer IP header may identify a recipient address. The network node may determine, based on the recipient address identified in the LSR field, a tunnel endpoint associated with a receiving network node. The network node may update the outer IP header of the packet to obtain an updated packet with an updated outer IP header. A source address of the updated outer IP header may be updated to a tunnel endpoint associated with the network node, and the destination address of the updated outer IP header may be updated to a tunnel endpoint associated with the receiving network node. The network node may route the updated packet according to the updated outer IP header.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: A network device may create an encrypted packet and may duplicate the encrypted packet to create a plurality of encrypted packets that includes a first set of encrypted packets that is associated with a first receiving network device and a second set of encrypted packets that is to be associated with a second receiving network device. The network device may modify the second set of encrypted packets by replacing a first virtual destination address in the second set of the plurality of encrypted packets with a second virtual destination address that identifies a virtual tunnel endpoint of the second receiving network device. The network device may encapsulate and may send, based on the first virtual destination address and the second virtual destination address, individual encapsulated encrypted packets to the first receiving network device or the second receiving network device.

Abstract: A first network device may communicate, in association with a tunnel establishment network protocol, with a second network device to cause a network tunnel between the first network device and the second network device to be established. The first network device may determine, based on communicating with the second network device to cause the network tunnel to be established, that the network tunnel is to support network micro-tunnel functionality within the network tunnel. The first network device may communicate, based on determining that the network tunnel is to support network micro-tunnel functionality, with the second network device to identify a traffic class, of one or more traffic classes, to which network micro-tunnel functionality within the network tunnel is to be applied. The first network device may cause a network micro-tunnel to be established within the network tunnel for traffic associated with the traffic class.

Abstract: A network node may receive a packet having an inner internet protocol (IP) header and an outer IP header. The inner IP header may be encrypted. The network node may generate a copy of the packet to obtain a copied packet. The network node may perform decryption on one of the packet or the copied packet to identify a recipient address of the inner IP header. The network node may update the outer IP header of the other of the packet or the copied packet to obtain an updated packet with an updated outer IP header. A destination address of the updated outer IP header may be updated to a tunnel endpoint of a receiving network node that is associated with the recipient address. The network node may route the updated packet according to the updated outer IP header.

Abstract: A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Abstract: In general, the disclosure describes techniques for assigning traffic originating from an unknown application to a link based on known application quality of experience metrics. For instance, a network device may receive an application data packet of a data flow for an application and determine an application signature of the application data packet. The network device may determine whether the application signature matches an entry in an application signature database, and if the application signature does not match, the network device may identify a class of the application based on one or more characteristics of the application data packet. The network device may then assign the application data packet of the data flow to a first link of a plurality of links based on the class of the application and quality of experience (QoE) metrics for each link.

Abstract: A network node may receive a packet having an inner internet protocol (IP) header and an outer IP header. The inner IP header may be encrypted. A loose source routing (LSR) field of the outer IP header may identify a recipient address. The network node may determine, based on the recipient address identified in the LSR field, a tunnel endpoint associated with a receiving network node. The network node may update the outer IP header of the packet to obtain an updated packet with an updated outer IP header. A source address of the updated outer IP header may be updated to a tunnel endpoint associated with the network node, and the destination address of the updated outer IP header may be updated to a tunnel endpoint associated with the receiving network node. The network node may route the updated packet according to the updated outer IP header.