WO2023204985A1 - Systems and methods for classifying traffic in a hierarchical SD-WAN network - Google Patents

Systems and methods for classifying traffic in a hierarchical SD-WAN network

Info

Publication number
WO2023204985A1
Authority
WO
WIPO (PCT)
Prior art keywords
region
traffic
path
edge router
access
Prior art date
Application number
PCT/US2023/017999
Other languages
English (en)
Inventor
Jigar PAREKH
Mrigendra PATEL
Sanjay Sreenath
Laxmikantha Reddy PONNURU
Satyajit Das
Kaiyuan Xu
Hari Krishna DONTI
Tahir ALI
Hamzah Shuaib KARDAME
Original Assignee
Cisco Technology, Inc.
Priority claimed from US17/815,614 (US20230344775A1)
Application filed by Cisco Technology, Inc.
Publication of WO2023204985A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks

Definitions

  • the present disclosure relates generally to communication networks, and more specifically to systems and methods for classifying traffic in a hierarchical software-defined wide area network (SD-WAN) network.
  • SD-WAN software-defined wide area network
  • a hierarchical SD-WAN solution provides a simple and scalable option by segmenting the network into multiple access regions connected together by a core region.
  • border routers sit at the edge of the access and core regions while edge routers act as sentinels for traffic entering the access regions.
  • the core region typically acts as a transit for traffic between the access regions. Due to the architecture of the hierarchical SD-WAN network, the existing policy constructs have some constraints with capturing the different traffic flows at the border routers and edge routers.
  • FIGURE 1 illustrates a system for classifying traffic in a hierarchical SD-WAN network, in accordance with certain embodiments.
  • FIGURE 2 illustrates different possible traffic flow directions on a border router in a hierarchical SD-WAN environment, in accordance with certain embodiments.
  • FIGURE 3 illustrates different traffic flow directions on an edge router in a hierarchical SD-WAN environment, in accordance with certain embodiments.
  • FIGURE 4 illustrates a method for classifying traffic on a border router based on match conditions, in accordance with certain embodiments.
  • FIGURE 5 illustrates different types of traffic that may be used by the system of FIGURE 1, in accordance with certain embodiments.
  • FIGURE 6 illustrates a method for classifying traffic on an edge router based on match conditions, in accordance with certain embodiments.
  • FIGURE 7 illustrates a method for classifying traffic on an edge router based on action conditions, in accordance with certain embodiments.
  • FIGURE 8 illustrates an example computer system, in accordance with certain embodiments.
  • a network node includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and including instructions that, when executed by the one or more processors, cause the network node to perform operations.
  • the operations include receiving traffic within a hierarchical SD-WAN network.
  • the operations also include determining a destination of the traffic.
  • the destination region may be within the hierarchical SD-WAN network.
  • the operations further include classifying the traffic based on a match condition.
  • the match condition may be associated with two or more destination regions.
  • the network node is a border router.
  • the two or more destination regions may include a core region, an access region, and a service region.
  • the match condition matches the traffic to the core region, the access region, or the service region.
  • the destination of the traffic is determined based on an Internet Protocol (IP) destination address associated with the traffic.
  • IP Internet Protocol
  • the network node is an edge router.
  • the two or more destination regions may include a primary region, a secondary region, and an other region.
  • the match condition matches intra-region traffic to the primary region, matches direct-tunnel, inter-region traffic to the secondary region, and matches multi-hop, inter-region traffic to the other region.
  • the primary region is a first access region that includes the edge router.
  • the secondary region is a region that is shared among the edge router of the primary region and an edge router of the second access region such that the secondary region is different from the first access region and the second access region.
  • the other region is a region that is outside of the primary region and the secondary region.
  • the operations include classifying the traffic based on an action condition.
  • the action condition may be associated with a direct-tunnel path, a multihop path, and an equal-cost multipath (ECMP) path.
  • the action condition matches the traffic to the direct-tunnel path, the multi-hop path, or the ECMP path.
  • the direct-tunnel path is a direct path from a first edge router of a first access region to a second edge router of a second access region.
  • the multi-hop path is a path from the first edge router of the first access region to a first border router bordering the first access region and a core region, from the first border router to a second border router bordering the core region and a second access region, and from the second border router to the second edge router in the second access region.
  • the ECMP path is either the direct-tunnel path or the multi-hop path.
  • a method includes receiving, by a network node, traffic within a hierarchical SD-WAN network.
  • the method also includes determining, by the network node, a destination of the traffic.
  • the destination region is within the hierarchical SD-WAN network.
  • the method further includes classifying, by the network node, the traffic based on a match condition.
  • the match condition is associated with two or more destination regions.
  • one or more computer-readable non-transitory storage media embody instructions that, when executed by a processor, cause the processor to perform operations.
  • the operations include receiving traffic within a hierarchical SD-WAN network.
  • the operations also include determining a destination of the traffic.
  • the destination region may be within the hierarchical SD-WAN network.
  • the operations further include classifying the traffic based on a match condition.
  • the match condition may be associated with two or more destination regions.
  • Technical advantages of certain embodiments of this disclosure may include one or more of the following.
  • traffic flows are simplified by providing the ability to match traffic that is destined within a core region, an access region, or a service network using match conditions.
  • traffic flows are simplified by providing the ability to match traffic that is destined within a primary region, to a secondary region, or outside the primary region using match conditions.
  • traffic flows are simplified by providing the ability to match traffic that is destined to a direct path, a multi-hop path, or a default path using action conditions.
  • direct tunnels can be selected on specific colors when available for specific traffic.
  • a direct path may be selected if available at each priority of color preference.
  • Hierarchical SD-WAN may prevent traffic black holes (routing failure that can occur when a device responsible for one of the hops between the source and destination of a traffic flow is unavailable) caused by policy.
  • Hierarchical SD-WAN may provide end-to-end encryption of inter-region traffic.
  • hierarchical SD-WAN provides flexibility to select the best transport for each region. This flexibility can provide better performance for traffic across geographical regions. Embodiments of this disclosure provide better control over traffic paths between regions.
  • hierarchical SD-WAN allows site-to-site traffic paths between disjoint providers (two providers that cannot provide direct IP routing reachability between them).
  • Tunneling may provide workarounds for networks that use protocols that have limited hop counts (e.g., Routing information Protocol (RIP) version 1, AppleTalk, etc.). Tunneling may be used to connect discontiguous subnetworks.
  • RIP Routing information Protocol
  • the hierarchical SD-WAN network includes independent policy domains with different policies that control traffic entering/ exiting the different regions of the network.
  • MSP managed service provider
  • the policy at border routers controlling how the traffic traverses the core region may be controlled by the service provider and may be very different from the policy that is used to traverse one or more access regions.
  • FIGURE 1 illustrates a system 100 for classifying traffic in a hierarchical SD-WAN network, in accordance with certain embodiments.
  • System 100 or portions thereof may be associated with an entity, which may include any entity, such as a business, company, or enterprise, that classifies traffic in a hierarchical SD-WAN.
  • the entity may be a service provider that classifies traffic in a hierarchical SD-WAN.
  • the components of system 100 may include any suitable combination of hardware, firmware, and software.
  • the components of system 100 may use one or more elements of the computer system of FIGURE 8.
  • system 100 includes a network 110, a service-side network 112, regions 120 (a core region 120a, an access region 120b, and an access region 120c), border routers 130 (a border router 130a, a border router 130b, a border router 130c, and a border router 130d), edge routers 140 (an edge router 140a, an edge router 140b.
  • Network 110 of system 100 is any type of network that facilitates communication between components of system 100.
  • Network 110 may connect one or more components of system 100.
  • One or more portions of network 110 may include an ad-hoc network, the Internet, an intranet, an extranet, a virtual private network (VPN), an Ethernet VPN (EVPN), a local area network (LAN), a wireless LAN (WLAN), a virtual LAN (VLAN), a WAN, a wireless WAN (WWAN), an SD-WAN, a metropolitan area network (MAN), a portion of the Public Switched Telephone Network (PSTN), a cellular telephone network, a Digital Subscriber Line (DSL), a Multiprotocol Label Switching (MPLS) network, a 3G/4G/5G network, a Long Term Evolution (LTE) network, a cloud network, a combination of two or more of these, or other suitable types of networks.
  • Network 110 may include one or more different types of networks.
  • Network 110 may be any communications network, such as a private network, a public network, a connection through the Internet, a mobile network, a WI-FI network, etc.
  • Network 110 may include a core network, an access network of a service provider, an Internet service provider (ISP) network, and the like.
  • An access network is the part of the network that provides a user access to a service.
  • a core network is the part of the network that acts like a backbone to connect the different parts of the access network(s).
  • One or more components of system 100 may communicate over network 110.
  • network 110 is a hierarchical SD-WAN.
  • Network 110 includes service-side network 112.
  • Service-side network 112 is a local network such as a LAN that is distinguishable from the transport side of network 110.
  • Service-side network 112 may include one or more service hosts.
  • Regions 120 represent distinct networks 110.
  • a user defines regions 120 such that different traffic transport services can be used for each region 120.
  • Regions 120 may be associated with different geographical locations and/or data centers.
  • core region 120a may be associated with an enterprise’s main office located in California
  • access region 120b may be associated with the enterprise’s branch office located in Texas
  • access region 120c may be associated with the enterprise’s branch office located in New York.
  • core region 120a may be associated with a data center located in US West
  • access region 120b may be associated with a data center located in US East
  • access region 120c may be associated with a data center located in Canada West.
  • regions 120 may employ different service providers.
  • core region 120a may be associated with a cloud services provider
  • access region 120b may be associated with a West Coast regional service provider
  • access region 120c may be associated with an East Coast regional service provider.
  • core region 120a is used to communicate traffic between distinct geographical regions. Core region 120a may use a premium transport service to provide a required level of performance and/or cost effectiveness for long-distance connectivity.
  • core region 120a is a “middle mile” network, which is the segment of a telecommunications network linking a network operator’s core network to one or more local networks. The “middle mile” network may include the backhaul network to the nearest aggregation point and/or any other parts of network 110 needed to connect the aggregation point to the nearest point of presence on the operator’s core network.
  • access region 120b may use a full mesh topology of SD-WAN tunnels and access region 120c may use a hub-and-spoke topology.
  • Each region 120 (core region 120a, access region 120b, and access region 120c) of system 100 may include one or more nodes.
  • Nodes are connection points within network 110 that receive, create, store and/or send data along a path.
  • Nodes may include one or more redistribution points that recognize, process, and forward data to other nodes of network 110.
  • Nodes may include virtual and/or physical nodes.
  • nodes may include one or more virtual machines, bare metal servers, and the like.
  • nodes may include data communications equipment such as computers, routers, servers, printers, workstations, switches, bridges, modems, hubs, and the like.
  • the nodes of network 110 may include one or more border routers 130, edge routers 140, controllers, etc.
  • Border routers 130 (border router 130a, border router 130b, border router 130c, and border router 130d) of system 100 are specialized routers that reside at a boundary of two or more different types of regions 120.
  • each border router 130 is an SD-WAN router.
  • Border routers 130 may provide inter-region connectivity by connecting access region 120b and access region 120c to a common backbone overlay (core region 120a).
  • border router 130a and border router 130b reside at the boundary of core region 120a and access region 120b
  • border router 130c and border router 130d reside at the boundary of core region 120a and access region 120c.
  • border routers 130 use static and/or dynamic routing to send data to and/or receive data from different regions 120 of system 100.
  • Border routers 130 may include one or more hardware devices, one or more servers that include routing software, and the like.
  • border routers 130 use VPN forwarding tables to route traffic flows between tunnel interfaces 160 that provide connectivity to core region 120a and tunnel interfaces 160 that provide connectivity to access region 120b and access region 120c.
  • Edge routers 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, and edge router 140f) of system 100 are specialized routers that reside at an edge of network 110.
  • edge routers 140 use static and/or dynamic routing to send data to and/or receive data from one or more networks 110 of system 100.
  • Edge routers 140 may include one or more hardware devices, one or more servers that include routing software, and the like.
  • edge router 140a, edge router 140b, and edge router 140c reside in access region 120b
  • edge router 140d, edge router 140e, and edge router 140f reside in access region 120c.
  • border routers 130 and edge routers 140 send data to and/or receive data from other border routers 130 and edge routers 140 via tunnels 150.
  • Tunnels 150 (core tunnels 150a, access tunnels 150b, and access tunnels 150c) of system 100 are links for communicating data between nodes of system 100.
  • the data plane of system 100 is responsible for moving packets from one location to another.
  • Tunnels 150 provide a way to encapsulate arbitrary packets inside a transport protocol. For example, tunnels 150 may encapsulate data packets from one protocol inside a different protocol and transport the data packets unchanged across a foreign network.
  • Tunnels 150 may use one or more of the following protocols: a passenger protocol (i.e., the protocol that is being encapsulated, such as AppleTalk, Connectionless Network Service (CLNS), IP, Internetwork Packet Exchange (IPX), etc.); a carrier protocol (i.e., the protocol that does the encapsulating, such as Generic Routing Encapsulation (GRE), IP-in-IP, Layer Two Tunneling Protocol (L2TP), MPLS, Session Traversal Utilities for NAT (STUN), Data Link Switching (DLSw), etc.); a transport protocol (i.e., the protocol used to carry the encapsulated protocol); etc.
  • the main transport protocol is IP.
  • one or more tunnels 150 are IPSec tunnels.
  • IPSec provides secure tunnels between two peers (e.g., border routers 130 and/or edge routers 140).
  • a user may define which packets are considered sensitive and should be sent through secure IPSec tunnels 150. The user may also define the parameters to protect these packets by specifying characteristics of IPSec tunnels 150.
  • one or more tunnels 150 are GRE tunnels. GRE may handle the transportation of multiprotocol and IP multicast traffic between two sites that only have IP unicast connectivity.
  • one or more tunnels 150 may use IPSec tunnel mode in conjunction with a GRE tunnel.
  • core tunnels 150a are located in core region 120a, access tunnels 150b are located in access region 120b, and access tunnels 150c are located in access region 120c.
  • core region 120a uses a full mesh of core tunnels 150a for the overlay topology.
  • each border router 130 in core region 120a may have core tunnel 150a to each other border router 130 in core region 120a.
  • Core tunnels 150a may provide optimal connectivity for forwarding traffic from one region 120 to another.
  • core tunnels 150a connect border router 130a to border router 130c, connect border router 130a to border router 130d, connect border router 130b to border router 130c, and connect border router 130b to border router 130d.
  • Access tunnels 150b connect border routers 130 and/or edge routers 140 located on a boundary or edge of access region 120b.
  • access tunnels 150b may connect border router 130a to edge router 140a, connect border router 130a to edge router 140b, and connect border router 130a to edge router 140c.
  • access tunnels 150b may connect border router 130b to edge router 140a, connect border router 130b to edge router 140b, and connect border router 130b to edge router 140c.
  • access tunnels 150b may connect edge router 140a to edge router 140b, connect edge router 140a to edge router 140c, and connect edge router 140b to edge router 140c.
  • Access tunnels 150c connect border routers 130 and/or edge routers 140 located on a boundary or edge of access region 120c.
  • access tunnels 150c may connect border router 130c to edge router 140d, connect border router 130c to edge router 140e, and connect border router 130c to edge router 140f.
  • access tunnels 150c may connect border router 130d to edge router 140d, connect border router 130d to edge router 140e, and connect border router 130d to edge router 140f.
  • access tunnels 150c may connect edge router 140d to edge router 140e, connect edge router 140d to edge router 140f, and connect edge router 140e to edge router 140f.
  • Tunnels 150 use tunnel interfaces 160 to connect to border routers 130 and edge routers 140.
  • each tunnel interface 160 of system 100 is associated with a router port.
  • Tunnel interfaces 160 may be virtual (logical) interfaces that are used to communicate traffic along tunnel 150.
  • tunnel interfaces 160 are configured in a transport VPN. In some embodiments, tunnel interfaces 160 come up as soon as they are configured, and they stay up as long as the physical tunnel interface is up.
  • tunnel interfaces 160 are not tied to specific “passenger” or “transport” protocols. Rather, tunnel interfaces 160 may be designed to provide the services necessary to implement any standard point-to-point encapsulation scheme. In certain embodiments, tunnel interfaces 160 have either IPv4 or IPv6 addresses assigned.
  • the router at each end of tunnel 150 may support the IPv4 protocol stack, the IPv6 protocol stack, or both the IPv4 and IPv6 protocol stacks.
  • One or more tunnel interfaces 160 may be configured with a tunnel interface number, an IP address, a defined tunnel destination, and the like.
  • Tunnel interfaces 160 of system 100 may include one or more IPSec tunnel interfaces, GRE tunnel interfaces, and the like.
  • policies such as data policies and application route policies may classify traffic based on numerous match criteria (e.g., source IP address, destination IP address, destination prefix, port number, differentiated services code point (DSCP) field, protocol, etc.).
  • DSCP differentiated services code point
  • these options have constraints when classifying overlay traffic on border routers 130. Since border routers 130 are special devices sitting between two separate regions 120, border routers 130 must handle several different traffic paths.
  • traffic may flow from core region 120a to access region 120b and access region 120c, and from access region 120b and access region 120c to core region 120a.
  • At border routers 130, packets go through two policy enforcement points: (1) from-tunnel; and (2) from-service.
  • the policy enforcement points may need to be distinguished based on traffic coming from core tunnels 150a, access tunnels 150b, and access tunnels 150c.
  • the local transport locator (TLOC) and the remote TLOC are set to have the desired traffic flow based on the available path options.
  • Policy configuration grows over time as the network grows, and its complexity grows with it.
  • Certain embodiments of this disclosure include additional points to enforce actions for traffic entering core region 120a, access region 120b, and access region 120c.
  • Classification engines 170 are components used by border routers 130 and/or edge routers 140 to classify traffic.
  • classification engine 170a is associated with border routers 130 (border router 130a, border router 130b, border router 130c, and border router 130d)
  • classification engine 170b and classification engine 170c are associated with edge routers 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, edge router 140f, edge router 140g).
  • Classification engine 170a associated with border routers 130 uses match conditions 172 to classify traffic into classifications 174.
  • match conditions 172 include one or more match statements that define match conditions 172.
  • match conditions 172 include to-core match condition 172a, to-access match condition 172b, and to-service match condition 172c.
  • Classifications 174 include to-core classification 174a, to-access classification 174b, and to-service classification 174c.
  • Classification engine 170a uses to-core match condition 172a to match traffic to to-core classification 174a, classification engine 170a uses to-access match condition 172b to match traffic to to-access classification 174b, and classification engine 170a uses to- service match condition 172c to match traffic to to-service classification 174c.
  • If classification engine 170a of system 100 determines that incoming traffic on border router 130 (e.g., border router 130a, border router 130b, border router 130c, or border router 130d) is destined for core region 120a based on to-core match condition 172a, classification engine 170a matches the traffic to to-core classification 174a. If classification engine 170a of system 100 determines that incoming traffic on border router 130 (e.g., border router 130a, border router 130b, border router 130c, or border router 130d) is destined for access region 120b based on to-access match condition 172b, classification engine 170a matches the traffic to to-access classification 174b.
  • If classification engine 170a of system 100 determines that incoming traffic on border router 130 (e.g., border router 130a, border router 130b, border router 130c, or border router 130d) is destined for service-side network 112 based on to-service match condition 172c, classification engine 170a matches the traffic to to-service classification 174c.
  • the traffic flow directions associated with match conditions 172 are illustrated in FIGURE 2.
  • Classification engine 170b associated with edge routers 140 uses match conditions 176 to classify traffic into classifications 178.
  • match conditions 176 include one or more match statements that define match conditions 176.
  • match conditions 176 include to-primary match condition 176a, to-secondary region match condition 176b, and to-other match condition 176c.
  • Classifications 178 include to-primary classification 178a, to-secondary classification 178b, and to-other classification 178c.
  • the primary region (e.g., primary region 320a of FIGURE 3) represents the access region (access region 120b or access region 120c) that edge router 140 is part of.
  • the primary region for edge router 140a, edge router 140b, and edge router 140c is access region 120b
  • the primary region for edge router 140d, edge router 140e, and edge router 140f is access region 120c.
  • the secondary region (e.g., secondary region 320b of FIGURE 3) is a region that is shared among edge routers 140 and is different from their respective primary regions. For example, a region having a direct tunnel connecting edge router 140a of access region 120b to edge router 140d of access region 120c is considered a secondary region.
  • the other region (e.g., other region 320c of FIGURE 3) is a region that is outside of the primary region and the secondary region.
  • the other region may be core region 120a.
  • If classification engine 170b of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for a primary region based on to-primary match condition 176a, classification engine 170b matches the traffic to to-primary classification 178a.
  • If classification engine 170b of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for a secondary region based on to-secondary region match condition 176b, classification engine 170b matches the traffic to to-secondary classification 178b. If classification engine 170b of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for the other region based on to-other match condition 176c, classification engine 170b matches the traffic to to-other classification 178c.
  • the traffic flow directions associated with match conditions 176 are illustrated in FIGURE 3.
  • Classification engine 170c associated with edge routers 140 uses action conditions 180 to classify traffic into classifications 182.
  • action conditions 180 include one or more action statements that define action conditions 180.
  • action conditions 180 include to-direct tunnel action condition 180a, to-multi-hop path action condition 180b, and to-default path action condition 180c.
  • Classifications 182 include to-direct tunnel classification 182a, to-multi-hop path classification 182b, and to-default classification 182c.
  • To-direct tunnel classification 182a instructs edge router 140 (edge router 140a, edge router 140b, or edge router 140c) of access region 120b to form a direct session (e.g., a direct Bidirectional Forwarding Detection (BFD) session) with another edge router 140 (edge router 140d, edge router 140e, or edge router 140f) in access region 120c.
  • direct tunnels are selected on specific colors when available for specific traffic. Colors are SD-WAN software constructs that identify transport tunnels. In certain embodiments, colors are statically defined keywords that identify individual transports as either public or private.
  • the colors metro-ethernet, mpls, private1, private2, private3, private4, private5, and private6 may be considered private colors that are intended to be used for private networks or in places with no NAT addressing of the transport IP endpoints.
  • the colors 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, public-internet, red, and silver may be considered public colors that are intended to be used for public networks or in places that use public IP addressing of the transport IP endpoints (either natively or through NAT). Color may dictate the use of either a private IP or a public IP address when communicating through the control or data plane.
  • a direct tunnel may be selected if available at each priority of color preference.
  • To-multi-hop path classification 182b instructs edge router 140 (edge router 140a, edge router 140b, or edge router 140c) of access region 120b to select a path that includes multiple hops.
  • to-multi-hop path classification 182b may instruct edge router 140 to take a hierarchical path (e.g., hierarchical path 560 of FIGURE 5) between edge routers 140 in different regions 120.
  • a hierarchical path is a route that includes multiple hops from access region 120b to access region 120c through core region 120a.
  • To-default classification 182c instructs edge router 140 to select a default path such as a best path or an ECMP path.
  • to-default classification 182c may instruct edge router 140 to select the best path between one or more hierarchical paths and one or more direct paths.
  • When classification engine 170c of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for a direct tunnel (e.g., direct tunnel 550 of FIGURE 5) based on to-direct tunnel action condition 180a, classification engine 170c matches the traffic to to-direct tunnel classification 182a.
  • When classification engine 170c of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for a multi-hop path (e.g., hierarchical path 560 of FIGURE 5) based on to-multi-hop path action condition 180b, classification engine 170c matches the traffic to to-multi-hop path classification 182b.
  • When classification engine 170c of system 100 determines that incoming traffic on edge router 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, or edge router 140f) is destined for a default path (e.g., an ECMP path) based on to-default path action condition 180c, classification engine 170c matches the traffic to to-default classification 182c.
  • the traffic flow directions associated with action conditions 180 are illustrated in FIGURE 3.
  • border routers 130 and/or edge routers 140 apply centralized policies 190 based on destination match criteria.
  • border routers 130 may apply centralized policies 190 based on match conditions 172 (to-core match condition 172a, to-access match condition 172b, and to-service match condition 172c).
  • edge routers 140 may apply centralized policies 190 based on match conditions 176 (to-primary match condition 176a, to-secondary match condition 176b, and to-other match condition 176c).
  • edge routers 140 apply centralized policies 190 based on action criteria.
  • edge routers 140 may apply centralized policies 190 based on action conditions 180 (to-direct tunnel action condition 180a, to-multi-hop path action condition 180b, and to-default path action condition 180c).
  • Policies 190 of system 100 are sets of rules that govern the behaviors of components in network 110.
  • border routers 130 and/or edge routers 140 of network 110 may use one or more policies 190.
  • Policies 190 may be associated with one or more match conditions 172, match conditions 176, action conditions 180, SLAs, QoSs, colors, and the like.
  • Policies 190 may be used to apply appropriate actions for traffic destined to core region 120a, access region 120b, and/or access region 120c.
  • match conditions 172, match conditions 176, and/or action conditions 180 are used with other match conditions 172, match conditions 176, and/or action conditions 180 to create complex policies 190 that influence inter-region and/or intra-region traffic.
  • border router 130a or edge router 140a receives traffic within hierarchical SD-WAN network 110 and determines destination region 120 (e.g., core region 120a, access region 120b, or access region 120c) of the traffic based on an IP destination address associated with the traffic.
  • border router 130a or edge router 140a then classifies the traffic based on match conditions 172, match conditions 176, or action conditions 180.
  • When classification engine 170a determines that destination region 120 is associated with core region 120a, access regions 120b or 120c, or service-side network 112 based on to-core match condition 172a, to-access match condition 172b, or to-service match condition 172c, respectively, classification engine 170a classifies the traffic into to-core classification 174a, to-access classification 174b, or to-service classification 174c, respectively.
  • When classification engine 170b determines that destination region 120 is associated with a primary region, a secondary region, or an other region based on to-primary match condition 176a, to-secondary match condition 176b, or to-other match condition 176c, respectively, classification engine 170b classifies the traffic into to-primary classification 178a, to-secondary classification 178b, or to-other classification 178c, respectively.
  • classification engine 170c determines that destination region 120 is associated with a direct tunnel path, a multi-hop path, or a default (e.g., ECMP) path based on to-direct tunnel action condition 180a, to-multi-hop path action condition 180b, or to-default path action condition 180c, respectively.
  • classification engine 170c classifies the traffic into to-direct tunnel classification 182a, to-multi-hop path classification 182b, or to-default classification 182c, respectively.
  • border routers 130 and edge routers 140 of system 100 have the ability to match and take action on traffic based on various paths, which greatly simplifies the policy language in a hierarchical SD-WAN network.
  • FIGURE 1 illustrates a particular number of networks 110, service-side networks 112, regions 120 (core region 120a, access region 120b, and access region 120c), border routers 130 (border router 130a, border router 130b, border router 130c, and border router 130d), edge routers 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, edge router 140f, and edge router 140g), tunnels 150 (core tunnels 150a, access tunnels 150b, and access tunnels 150c), tunnel interfaces 160, classification engines 170 (classification engine 170a, classification engine 170b, and classification engine 170c), match conditions 172 (to-core match condition 172a, to-access match condition 172b, and to-service match condition 172c), classifications 174 (to-core classification 174a, to-access classification 174b, and to-service classification 174c), match conditions 176 (to-primary match condition 176a, to-secondary match condition 176b, and to-other match condition
  • FIGURE 1 illustrates a particular arrangement of network 110, service-side network 112, regions 120 (core region 120a, access region 120b, and access region 120c), border routers 130 (border router 130a, border router 130b, border router 130c, and border router 130d), edge routers 140 (edge router 140a, edge router 140b, edge router 140c, edge router 140d, edge router 140e, edge router 140f, and edge router 140g), tunnels 150 (core tunnels 150a, access tunnels 150b, and access tunnels 150c), tunnel interfaces 160, classification engines 170 (classification engine 170a, classification engine 170b, and classification engine 170c), match conditions 172 (to-core match condition 172a, to-access match condition 172b, and to-service match condition 172c), classifications 174 (to-core classification 174a, to-access classification 174b, and to-service classification 174c), match conditions 176 (to-primary match condition 176a, to-secondary match condition 176b, and to-other match condition
  • FIGURE 1 describes and illustrates particular components, devices, or systems carrying out particular actions
  • this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 2 illustrates different possible traffic flow directions 200 (traffic flow direction 200a, traffic flow direction 200b, traffic flow direction 200c, traffic flow direction 200d, traffic flow direction 200e, traffic flow direction 200f, and traffic flow direction 200g) on border router 130a of FIGURE 1 in a hierarchical SD-WAN environment, in accordance with certain embodiments.
  • Traffic flow direction 200a includes traffic flowing from service-side network 112 of FIGURE 1 to core region 120a of FIGURE 1.
  • incoming traffic having traffic flow direction 200a is matched with “to-core” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200a with to-core classification 174a based on to-core match condition 172a.
  • Traffic flow direction 200b includes traffic flowing from service-side network 112 of FIGURE 1 to access region 120b of FIGURE 1.
  • incoming traffic having traffic flow direction 200b is matched with “to-access” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200b with to-access classification 174b based on to-access match condition 172b.
  • Traffic flow direction 200c includes traffic flowing from core region 120a of FIGURE 1 back to core region 120a of FIGURE 1.
  • incoming traffic having traffic flow direction 200c is matched with “to-core” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200c with to-core classification 174a based on to-core match condition 172a.
  • Traffic flow direction 200d includes traffic flowing from core region 120a of FIGURE 1 to access region 120b of FIGURE 1.
  • incoming traffic having traffic flow direction 200d is matched with “to-access” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200d with to-access classification 174b based on to-access match condition 172b.
  • Traffic flow direction 200e includes traffic flowing from access region 120b of FIGURE 1 to core region 120a of FIGURE 1.
  • incoming traffic having traffic flow direction 200e is matched with “to-core” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200e with to-core classification 174a based on to-core match condition 172a.
  • Traffic flow direction 200f includes traffic flowing from access region 120b of FIGURE 1 to service-side network 112 of FIGURE 1.
  • incoming traffic having traffic flow direction 200f is matched with “to-service” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200f with to-service classification 174c based on to-service match condition 172c.
  • Traffic flow direction 200g includes traffic flowing from access region 120b of FIGURE 1 back to access region 120b of FIGURE 1. In certain embodiments, incoming traffic having traffic flow direction 200g is matched with “to-access” traffic.
  • classification engine 170a of border router 130a may match incoming traffic having traffic flow direction 200g with to-access classification 174b based on to-access match condition 172b.
  • border router 130a has the ability to match traffic to a core, access, or service path, which greatly simplifies the policy language in a hierarchical SD-WAN network.
  • FIGURE 2 illustrates a particular number of border routers 130 (border router 130a) and traffic flow directions 200 (traffic flow direction 200a, traffic flow direction 200b, traffic flow direction 200c, traffic flow direction 200d, traffic flow direction 200e, traffic flow direction 200f, and traffic flow direction 200g), this disclosure contemplates any suitable number of border routers 130 and flow directions 200.
  • FIGURE 2 illustrates a particular arrangement of border router 130a and traffic flow directions 200 (traffic flow direction 200a, traffic flow direction 200b, traffic flow direction 200c, traffic flow direction 200d, traffic flow direction 200e, traffic flow direction 200f, and traffic flow direction 200g), this disclosure contemplates any suitable arrangement of border router 130a and traffic flow directions 200.
  • FIGURE 2 describes and illustrates particular components, devices, or systems carrying out particular actions, this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 3 illustrates different traffic flow directions 300 (traffic flow direction 300a, traffic flow direction 300b, and traffic flow direction 300c) on edge router 140a of FIGURE 1 in a hierarchical SD-WAN environment, in accordance with certain embodiments.
  • edge router 140a may use the destination IP address of the traffic to determine whether the destination is in the same region (primary region), the destination is reachable over a direct tunnel (secondary-region), or the destination is reachable only by traversing the core region (other regions).
  • the following construct may be used to capture traffic that is destined to different regions as a match condition: match destination-region <primary-region/secondary-region/other-region>.
  • This construct allows traffic to be classified by destination region, which in turn allows different actions such as QoS and SLAs to be applied to these aggregates. Once this traffic is classified, as an action, flows may be sent selectively via a direct tunnel or through a multi-hop path traversing the core. Accordingly, the notion of path-preference is introduced to prefer one of the many paths available, or all of them: path-preference <all-paths/direct-path/multi-hop-path>.
  • Traffic flow direction 300a includes traffic flowing from service-side network 112 of FIGURE 1 to primary region 320a.
  • primary region 320a is access region 120b (the region in which edge router 140a resides).
  • incoming traffic having traffic flow direction 300a is matched with “to-primary region” traffic.
  • classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300a with to-primary classification 178a based on to-primary match condition 176a.
  • Traffic flow direction 300b includes traffic flowing from service-side network 112 of FIGURE 1 to secondary region 320b.
  • the secondary region may be a direct tunnel connecting edge router 140a of access region 120b and edge router 140d of access region 120c.
  • incoming traffic having traffic flow direction 300b is matched with “to-secondary region” traffic.
  • classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300b with to-secondary classification 178b based on to-secondary region match condition 176b.
  • Traffic flow direction 300c includes traffic flowing from service-side network 112 of FIGURE 1 to other region 320c.
  • the other region may be core region 120a.
  • incoming traffic having traffic flow direction 300c is matched with “to-other region” traffic.
  • classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300c with to-other classification 178c based on to-other region match condition 176c.
  • edge router 140a has the ability to match traffic to a primary, secondary, or other region, which greatly simplifies the policy language in a hierarchical SD-WAN network.
  • FIGURE 3 illustrates a particular number of edge routers 140 (edge router 140a) and traffic flow directions 300 (traffic flow direction 300a, traffic flow direction 300b, traffic flow direction 300c), this disclosure contemplates any suitable number of edge routers 140 and traffic flow directions 300.
  • FIGURE 3 illustrates a particular arrangement of edge router 140a and traffic flow directions 300 (traffic flow direction 300a, traffic flow direction 300b, traffic flow direction 300c), this disclosure contemplates any suitable arrangement of edge router 140a and traffic flow directions 300.
  • FIGURE 3 describes and illustrates particular components, devices, or systems carrying out particular actions
  • this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 4 illustrates an example method 400 for classifying traffic on a border router based on match conditions.
  • Method 400 begins at step 410
  • a border router receives traffic flows from tunnels and the service side of the border router.
  • border router 130a may receive traffic flows 200a through 200g from service network 112, core region 120a, and access region 120b of FIGURE 1. These traffic flows egress to either the core network, to access networks, or to the service network. For example, referring to FIGURE 1, these traffic flows may egress to service-side network 112, core region 120a, access region 120b, or access region 120c.
  • method 400 moves from step 420 to step 430.
  • the border router classifies the traffic based on match conditions.
  • classification engine 170a of border router 130a may classify incoming traffic based on match conditions 172 (to-core match condition 172a, to-access match condition 172b, and to-service match condition 172c).
  • the policy construct of method 400 captures traffic that is destined to these various networks as a match condition in policy: match traffic to <access/core/service>.
  • This construct allows the border router to classify traffic going to the core, access, and/or service networks such that separate actions (e.g., Quality of Service (QoS), service level agreement (SLA), etc.) may be applied to each aggregate. While this action has more relevance at the border routers, since the border routers have interfaces to the core, access, and service networks, these match conditions may be applied to the edge routers as well, with traffic to the access and service networks having more relevance there.
  • If, at step 430, the border router determines that the destination region is a core region, method 400 moves to step 440, where the border router classifies the traffic as “to-core” traffic. If, at step 430, the border router determines that the destination region is an access region, method 400 moves to step 450, where the border router classifies the traffic as “to-access” traffic. If, at step 430, the border router determines that the destination region is a service-side network, method 400 moves to step 460, where the border router classifies the traffic as “to-service” traffic. Method 400 then moves from step 440, step 450, and step 460 to step 470, where method 400 ends. As such, method 400 has the ability to match traffic to a core region, an access region, or a service network, which greatly simplifies the policy language in a hierarchical SD-WAN network.
  • this disclosure describes and illustrates particular steps of method 400 of FIGURE 4 as occurring in a particular order, this disclosure contemplates any suitable steps of method 400 of FIGURE 4 occurring in any suitable order.
  • this disclosure describes and illustrates an example method 400 for classifying traffic on a border router based on match conditions including the particular steps of the method of FIGURE 4, this disclosure contemplates any suitable method for classifying traffic on a border router based on match conditions, which may include all, some, or none of the steps of the method of FIGURE 4, where appropriate.
  • FIGURE 4 describes and illustrates particular components, devices, or systems carrying out particular actions, this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 5 illustrates different types of traffic 500 (intra-region traffic 500a, inter-region traffic 500b via a direct tunnel construct, and inter-region traffic 500c via a hierarchical path) that may be used by system 100 of FIGURE 1, in accordance with certain embodiments.
  • different types of traffic 500 include intra-region traffic 500a, inter-region traffic 500b via a direct tunnel 550, and inter-region traffic 500c via a hierarchical path 560.
  • Intra-region traffic 500a of system 100 is traffic that flows within the same region 120.
  • intra-region traffic 500a may flow across access tunnels 150b between edge router 140a and edge router 140b of access region 120b.
  • intra-region traffic 500a may flow across access tunnels 150b between edge router 140b and edge router 140c of access region 120b.
  • intra-region traffic 500a may flow across access tunnels 150c between edge router 140d and edge router 140e of access region 120c.
  • Inter-region traffic 500b is traffic that flows via direct tunnel 550 between edge routers 140 in different regions 120.
  • inter-region traffic 500b may flow across direct tunnel 550 between edge router 140a of access region 120b and edge router 140d of access region 120c.
  • Direct tunnel 550 is any tunnel that forms a direct path from one edge router 140 to another edge router 140.
  • the direct-tunnel feature in hierarchical SD-WAN allows edge router 140 (edge router 140a, edge router 140b, or edge router 140c) of access region 120b to form a direct session (e.g., a direct BFD session) with another edge router 140 (edge router 140d, edge router 140e, or edge router 140f) in access region 120c.
  • Direct tunnel 550 makes edge router 140a part of two different regions at a time: (1) the primary region (access region 120b, which edge router 140a is part of); and (2) the secondary region (a region that is shared among edge router 140a and edge router 140d and is different from their respective primary regions 120).
  • the secondary region is used by both edge router 140a and edge router 140d to form direct tunnel 550 with each other.
  • direct tunnels 550 are selected on specific colors when available for specific traffic. For example, direct tunnel 550 may be selected from all available direct tunnels 550 at each priority of color preference.
  • Inter-region traffic 500c is traffic that flows via a hierarchical path 560 between edge routers 140 in different regions 120.
  • Hierarchical path 560 is a route that includes multiple hops from access region 120b to access region 120c through core region 120a.
  • inter-region traffic 500c flows along hierarchical path 560 from edge router 140a of access region 120b to border router 130a, from border router 130a to border router 130d through core region 120a, and from border router 130d to edge router 140f through access region 120c.
  • FIGURE 5 illustrates a particular number of paths for intra-region traffic 500a, direct tunnels 550 for inter-region traffic 500b, and hierarchical paths 560 for inter-region traffic 500c
  • this disclosure contemplates any suitable number of paths for intra-region traffic 500a, direct tunnels 550 for inter-region traffic 500b, and hierarchical paths 560 for inter-region traffic 500c.
  • FIGURE 5 illustrates a particular arrangement of a path for intra-region traffic 500a, direct tunnel 550 for inter-region traffic 500b, and hierarchical path 560 for inter-region traffic 500c
  • this disclosure contemplates any suitable arrangement of path for intra-region traffic 500a, direct tunnel 550 for inter-region traffic 500b, and hierarchical path 560 for inter-region traffic 500c.
  • FIGURE 5 describes and illustrates particular components, devices, or systems carrying out particular actions, this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 6 illustrates an example method 600 for classifying traffic on an edge router based on match conditions.
  • Method 600 of FIGURE 6 introduces a match option and an action based on path-preference. Traffic is matched based on whether the traffic is destined within a primary region (intra-region traffic), to a secondary region (inter-region traffic via direct tunnel), or outside the primary region (inter-region traffic but not to the secondary region).
  • Method 600 begins at step 610.
  • an edge router receives traffic from the service-side of the edge router.
  • edge router 140a may receive traffic from service-side network 112. These traffic flows egress to either a primary region, a secondary region, or an other region.
  • these traffic flows egress to either primary region 320a, secondary region 320b, or other region 320c.
  • method 600 moves from step 620 to step 630.
  • the edge router classifies the traffic based on match conditions. For example, referring to FIGURE 1, classification engine 170b of edge router 140a may classify incoming traffic based on match conditions 176 (to-primary match condition 176a, to-secondary region match condition 176b, and to-other match condition 176c). In certain embodiments, when traffic arrives at the edge router, the edge router uses the destination IP address to determine if the destination is in the same region (primary region), is reachable over the direct tunnel (secondary region), or is reachable only by traversing the core region (other regions).
  • the policy construct of method 600 captures traffic that is destined to these various networks as a match condition in policy: match traffic to <primary/secondary/other>. This construct allows the edge router to classify traffic going to the primary, secondary, or other networks such that separate actions (e.g., QoS, SLA, etc.) may be applied to each aggregate.
  • If, at step 630, the edge router determines that the destination region is a primary region, method 600 moves to step 640, where the edge router classifies the traffic as “to-primary region” traffic. For example, referring to FIGURES 1 and 3, classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300a with to-primary classification 178a based on to-primary match condition 176a.
  • If, at step 630, the edge router determines that the destination region is a secondary region, method 600 moves to step 650, where the edge router classifies the traffic as “to-secondary region” traffic.
  • classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300b with to-secondary classification 178b based on to-secondary region match condition 176b.
  • If, at step 630, the edge router determines that the destination region is the other region, method 600 moves to step 660, where the edge router classifies the traffic as “to-other region” traffic.
  • classification engine 170b of edge router 140a may match incoming traffic having traffic flow direction 300c with to-other classification 178c based on to-other region match condition 176c.
  • ‘traffic-to’ can be set by the edge router as: (1) ‘primary’, which matches all traffic going towards the primary region; (2) ‘secondary’, which matches all traffic going towards the secondary region; and (3) ‘other’, which matches all the traffic going towards the other region.
  • Method 600 then moves from step 640, step 650, and step 660 to step 670, where method 600 ends.
  • method 600 has the ability to match traffic to a primary region, a secondary region, or an other region, which greatly simplifies the policy language in a hierarchical SD-WAN network.
  • this disclosure describes and illustrates an example method 600 for classifying traffic on an edge router based on match conditions including the particular steps of the method of FIGURE 6, this disclosure contemplates any suitable method for classifying traffic on an edge router based on match conditions, which may include all, some, or none of the steps of the method of FIGURE 6, where appropriate.
  • FIGURE 6 describes and illustrates particular components, devices, or systems carrying out particular actions, this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable actions.
  • FIGURE 7 illustrates an example method 700 for classifying traffic on an edge router based on action conditions, in accordance with certain embodiments.
  • Method 700 of FIGURE 7 introduces an action based on path-preference. Traffic is matched based on whether the traffic is destined for a direct tunnel path, a multi-hop path, or a default (e.g., ECMP) path.
  • the action of path-preference may capture the choice of: (a) direct-path via a direct tunnel; (b) multi-hop-path via the border routers that transit the core region; and (c) all paths ECMP between both the direct and multi-hop paths.
  • Method 700 begins at step 710.
  • an edge router receives traffic from the service-side of the edge router.
  • edge router 140a may receive traffic from service-side network 112. These traffic flows egress to either a primary region, a secondary region, or an other region.
  • these traffic flows egress to either primary region 320a, secondary region 320b, or other region 320c.
  • the edge router classifies the traffic based on action conditions.
  • classification engine 170c of edge router 140c may classify incoming traffic based on action conditions 180 (direct tunnel action condition 180a, multi-hop path action condition 180b, and default path action condition 180c).
  • the policy construct of method 700 captures traffic that is destined to these various paths as a match condition in policy: match traffic to <direct tunnel/multi-hop path/default>.
  • This construct allows the edge router to classify traffic going via direct tunnel, multi-hop path, or default (e.g., ECMP) path such that separate actions (e.g., QoS, SLA, etc.) may be applied to each aggregate.
  • If, at step 730, the edge router determines that the destination path is a direct tunnel path, method 700 moves to step 740, where the edge router classifies the traffic as “to-direct tunnel” traffic.
  • classification engine 170c of edge router 140a may match inter-region traffic 500b via direct tunnel 550 with to-direct tunnel classification 182a based on to-direct tunnel action condition 180a.
  • If, at step 730, the edge router determines that the destination path is a multi-hop path, method 700 moves to step 750, where the edge router classifies the traffic as “multi-hop path” traffic.
  • classification engine 170c of edge router 140a may match inter-region traffic 500c via hierarchical path 560 with to-multi-hop path classification 182b based on to-multi-hop path action condition 180b.
  • At step 760, the edge router classifies the traffic as “default” traffic.
  • classification engine 170c of edge router 140a may match intra-region traffic 500a with to-default classification 182c based on to-default path action condition 180c.
  • ‘traffic-to’ can be set by the edge router as: (1) ‘direct tunnel’, which matches all traffic going via a direct tunnel; (2) ‘multi-hop’, which matches all traffic going via a multi-hop path; and (3) ‘default’, which matches all the traffic going via a default (e.g., ECMP) path.
  • Method 700 then moves from step 740, step 750, and step 760 to step 770, where method 700 ends.
  • method 700 has the ability to match traffic to a direct tunnel, a multi-hop path, or a default path, which greatly simplifies the policy language in a hierarchical SD-WAN network.
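The match construct (match destination-region <primary-region/secondary-region/other-region>), the classification of method 600 and the path-preference action of method 700 can be modelled together. The following is an added illustration in Python, not code from the disclosure or from any Cisco product; the region ids, prefixes, tunnel colors, border router names, the policy, and the fall-back from direct-path to the core path when no direct tunnel exists are all assumptions.

```python
"""Toy model of the edge-router constructs described above (added illustration,
not code from the disclosure): the match condition
match destination-region <primary-region/secondary-region/other-region> and the
action path-preference <all-paths/direct-path/multi-hop-path>.
Region ids, prefixes, colors, router names and the policy are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import zlib

# Color keywords as listed in the disclosure (private: no NAT on the transport;
# public: public or NATed transport addressing).
PRIVATE_COLORS = {"metro-ethernet", "mpls", "private1", "private2", "private3",
                  "private4", "private5", "private6"}
PUBLIC_COLORS = {"3g", "biz-internet", "blue", "bronze", "custom1", "custom2",
                 "custom3", "default", "gold", "green", "lte", "public-internet",
                 "red", "silver"}

@dataclass(frozen=True)
class Path:
    kind: str      # "direct" (direct tunnel 550) or "multi-hop" (hierarchical path 560)
    color: str     # transport color of the first-hop tunnel
    next_hop: str  # peer edge router (direct) or border router (multi-hop)

    def __post_init__(self):
        if self.kind not in ("direct", "multi-hop"):
            raise ValueError(f"unknown path kind {self.kind!r}")
        if self.color not in PRIVATE_COLORS | PUBLIC_COLORS:
            raise ValueError(f"unknown color {self.color!r}")

@dataclass
class EdgeRouter:
    name: str
    primary_region: str
    region_prefixes: dict  # region id -> prefixes in that region (assumed learnt from the controller)
    direct_tunnels: dict   # region id -> direct tunnels into it (each such region is a secondary region)
    border_routers: dict   # color -> border router of the primary region (entry to the core)

    def destination_region(self, dst_ip):
        addr = ip_address(dst_ip)
        for region, prefixes in self.region_prefixes.items():
            if any(addr in ip_network(p) for p in prefixes):
                return region
        return None  # destination not in any known region

    def match_destination_region(self, dst_ip):
        """The match condition: classify by the region the destination IP lives in."""
        region = self.destination_region(dst_ip)
        if region == self.primary_region:
            return "primary-region"    # intra-region traffic 500a
        if region in self.direct_tunnels:
            return "secondary-region"  # reachable over a direct tunnel 550
        return "other-region"          # reachable only by transiting the core region

    def path_preference(self, dst_ip, preference, color_preference, flow_key=()):
        """The action: choose a path for inter-region traffic. Direct tunnels are
        tried in color_preference order, so the direct tunnel at the highest
        color priority that actually exists wins."""
        rank = {c: i for i, c in enumerate(color_preference)}
        by_pref = lambda p: rank.get(p.color, len(rank))  # unranked colors sort last
        region = self.destination_region(dst_ip)
        direct = sorted(self.direct_tunnels.get(region, []), key=by_pref)
        multi_hop = sorted((Path("multi-hop", c, br) for c, br in self.border_routers.items()),
                           key=by_pref)
        if preference == "direct-path":
            # Assumption: if no direct tunnel exists on any color, fall back to the core path.
            candidates = direct[:1] or multi_hop[:1]
        elif preference == "multi-hop-path":
            candidates = multi_hop[:1]
        elif preference == "all-paths":
            candidates = direct + multi_hop  # ECMP across direct and multi-hop paths
        else:
            raise ValueError(f"unknown path-preference {preference!r}")
        if not candidates:
            return None
        # Deterministic ECMP: the same flow key always lands on the same path.
        return candidates[zlib.crc32(repr(flow_key).encode()) % len(candidates)]

def apply_policy(router, policy, dst_ip, color_preference, flow_key=()):
    """Match first, then apply the path-preference action the policy sets for that class."""
    classification = router.match_destination_region(dst_ip)
    if classification == "primary-region":
        return classification, None  # intra-region traffic stays on the region's access tunnels
    preference = policy.get(classification, "all-paths")
    return classification, router.path_preference(dst_ip, preference, color_preference, flow_key)

# Constructed sample: edge router 140a sits in access region 120b, has direct tunnels
# to edge router 140d in access region 120c, and reaches region 120d only via the core.
ROUTER_140A = EdgeRouter(
    name="140a", primary_region="120b",
    region_prefixes={"120b": ["10.20.0.0/16"], "120c": ["10.30.0.0/16"], "120d": ["10.40.0.0/16"]},
    direct_tunnels={"120c": [Path("direct", "biz-internet", "140d"), Path("direct", "mpls", "140d")]},
    border_routers={"mpls": "130a", "biz-internet": "130b"},
)
# Constructed policy: direct tunnel toward the secondary region, core transit for
# other regions, primary-region traffic left on its default intra-region path.
POLICY = {"secondary-region": "direct-path", "other-region": "multi-hop-path"}
```

Calling `apply_policy(ROUTER_140A, POLICY, "10.30.1.1", ["mpls", "biz-internet"])` returns the secondary-region classification together with the mpls direct tunnel to 140d, because mpls is the highest-ranked color at which a direct tunnel exists.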
  • this disclosure describes and illustrates an example method 700 for classifying traffic on an edge router based on action conditions including the particular steps of the method of FIGURE 7, this disclosure contemplates any suitable method for classifying traffic on an edge router based on action conditions, which may include all, some, or none of the steps of the method of FIGURE 7, where appropriate.
  • FIGURE 7 describes and illustrates particular components, devices, or systems carrying out particular actions, this disclosure contemplates any suitable
  • FIGURE 8 illustrates an example computer system 800.
  • one or more computer systems 800 perform one or more steps of one or more methods described or illustrated herein.
  • one or more computer systems 800 provide functionality described or illustrated herein.
  • software running on one or more computer systems 800 performs one or more steps of one or more methods described or illustrated herein or provides functionality described or illustrated herein.
  • Particular embodiments include one or more portions of one or more computer system 800.
  • reference to a computer system may encompass a computing device, and vice versa, where appropriate.
  • reference to a computer system may encompass one or more computer systems, where appropriate.
  • This disclosure contemplates any suitable number of computer systems 800.
  • This disclosure contemplates computer system 800 taking any suitable physical form.
  • Computer system 800 may be an embedded computer system, a system-on-chip (SOC), a single-board computer system (SBC) (such as, for example, a computer-on-module (COM) or system-on-module (SOM)), a desktop computer system, a laptop or notebook computer system, an interactive kiosk, a mainframe, a mesh of computer systems, a mobile telephone, a personal digital assistant (PDA), a server, a tablet computer system, an augmented/virtual reality device, or a combination of two or more of these.
  • Computer system 800 may include one or more computer systems 800; be unitary or distributed; span multiple locations; span multiple machines; span multiple data centers; or reside in a cloud, which may include one or more cloud components in one or more networks.
  • One or more computer systems 800 may perform without substantial spatial or temporal limitation one or more steps of one or more methods described or illustrated herein.
  • One or more computer systems 800 may perform in real time or in batch mode one or more steps of one or more methods described or illustrated herein.
  • One or more computer systems 800 may perform at different times or at different locations one or more steps of one or more methods described or illustrated herein, where appropriate.
  • Computer system 800 includes a processor 802, memory 804, storage 806, an input/output (I/O) interface 808, a communication interface 810, and a bus 812.
  • Although this disclosure describes and illustrates a particular computer system having a particular number of particular components in a particular arrangement, this disclosure contemplates any suitable computer system having any suitable number of any suitable components in any suitable arrangement.
  • processor 802 includes hardware for executing instructions, such as those making up a computer program.
  • processor 802 may retrieve (or fetch) the instructions from an internal register, an internal cache, memory 804, or storage 806; decode and execute them; and then write one or more results to an internal register, an internal cache, memory 804, or storage 806.
  • processor 802 may include one or more internal caches for data, instructions, or addresses. This disclosure contemplates processor 802 including any suitable number of any suitable internal caches, where appropriate.
  • processor 802 may include one or more instruction caches, one or more data caches, and one or more translation lookaside buffers (TLBs).
  • Instructions in the instruction caches may be copies of instructions in memory 804 or storage 806, and the instruction caches may speed up retrieval of those instructions by processor 802.
  • Data in the data caches may be copies of data in memory 804 or storage 806 for instructions executing at processor 802 to operate on; the results of previous instructions executed at processor 802 for access by subsequent instructions executing at processor 802 or for writing to memory 804 or storage 806; or other suitable data.
  • the data caches may speed up read or write operations by processor 802.
  • the TLBs may speed up virtual-address translation for processor 802.
  • Processor 802 may include one or more internal registers for data, instructions, or addresses. This disclosure contemplates processor 802 including any suitable number of any suitable internal registers, where appropriate. Where appropriate, processor 802 may include one or more arithmetic logic units (ALUs); be a multi-core processor; or include one or more processors 802. Although this disclosure describes and illustrates a particular processor, this disclosure contemplates any suitable processor.
  • memory 804 includes main memory for storing instructions for processor 802 to execute or data for processor 802 to operate on.
  • Computer system 800 may load instructions from storage 806 or another source (such as, for example, another computer system 800) to memory 804.
  • Processor 802 may then load the instructions from memory 804 to an internal register or internal cache.
  • processor 802 may retrieve the instructions from the internal register or internal cache and decode them.
  • processor 802 may write one or more results (which may be intermediate or final results) to the internal register or internal cache.
  • Processor 802 may then write one or more of those results to memory 804.
  • processor 802 executes only instructions in one or more internal registers or internal caches or in memory 804 (as opposed to storage 806 or elsewhere) and operates only on data in one or more internal registers or internal caches or in memory 804 (as opposed to storage 806 or elsewhere).
  • One or more memory buses (which may each include an address bus and a data bus) may couple processor 802 to memory 804.
  • Bus 812 may include one or more memory buses, as described below.
  • one or more memory management units reside between processor 802 and memory 804 and facilitate accesses to memory 804 requested by processor 802.
  • memory 804 includes random access memory (RAM). This RAM may be volatile memory, where appropriate.
  • This RAM may be dynamic RAM (DRAM) or static RAM (SRAM). Moreover, where appropriate, this RAM may be single-ported or multi-ported RAM. This disclosure contemplates any suitable RAM.
  • Memory 804 may include one or more memories 804, where appropriate. Although this disclosure describes and illustrates particular memory, this disclosure contemplates any suitable memory.
  • storage 806 includes mass storage for data or instructions.
  • storage 806 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB) drive or a combination of two or more of these.
  • Storage 806 may include removable or non-removable (or fixed) media, where appropriate.
  • Storage 806 may be internal or external to computer system 800, where appropriate.
  • storage 806 is non-volatile, solid-state memory.
  • storage 806 includes read-only memory (ROM).
  • this ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory or a combination of two or more of these.
  • This disclosure contemplates mass storage 806 taking any suitable physical form.
  • Storage 806 may include one or more storage control units facilitating communication between processor 802 and storage 806, where appropriate. Where appropriate, storage 806 may include one or more storages 806. Although this disclosure describes and illustrates particular storage, this disclosure contemplates any suitable storage.
  • I/O interface 808 includes hardware, software, or both, providing one or more interfaces for communication between computer system 800 and one or more I/O devices.
  • Computer system 800 may include one or more of these I/O devices, where appropriate.
  • One or more of these I/O devices may enable communication between a person and computer system 800.
  • an I/O device may include a keyboard, keypad, microphone, monitor, mouse, printer, scanner, speaker, still camera, stylus, tablet, touch screen, trackball, video camera, another suitable I/O device or a combination of two or more of these.
  • An I/O device may include one or more sensors. This disclosure contemplates any suitable I/O devices and any suitable I/O interfaces 808 for them.
  • I/O interface 808 may include one or more device or software drivers enabling processor 802 to drive one or more of these I/O devices.
  • I/O interface 808 may include one or more I/O interfaces 808, where appropriate.
  • Communication interface 810 includes hardware, software, or both providing one or more interfaces for communication (such as, for example, packet-based communication) between computer system 800 and one or more other computer systems 800 or one or more networks.
  • Communication interface 810 may include a network interface controller (NIC) or network adapter for communicating with an Ethernet or other wire-based network or a wireless NIC (WNIC) or wireless adapter for communicating with a wireless network, such as a WI-FI network.
  • computer system 800 may communicate with an ad hoc network, a personal area network (PAN), a LAN, a wide area network (WAN), a metropolitan area network (MAN), or one or more portions of the Internet or a combination of two or more of these.
  • computer system 800 may communicate with a wireless PAN (WPAN) (such as, for example, a BLUETOOTH WPAN), a WI-FI network, a WI-MAX network, a cellular telephone network (such as, for example, a Global System for Mobile Communications (GSM) network), or other suitable wireless network or a combination of two or more of these.
  • Computer system 800 may include any suitable communication interface 810 for any of these networks, where appropriate.
  • Communication interface 810 may include one or more communication interfaces 810, where appropriate.
  • bus 812 includes hardware, software, or both coupling components of computer system 800 to each other.
  • bus 812 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HYPERTRANSPORT (HT) interconnect, an Industry Standard Architecture (ISA) bus, an INFINIBAND interconnect, a low-pin-count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) bus, a serial advanced technology attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or another suitable bus or a combination of two or more of these.
  • Bus 812 may include one or more buses 812, where appropriate.
  • A computer-readable non-transitory storage medium or media may include one or more semiconductor-based or other integrated circuits (ICs) (such as, for example, field-programmable gate arrays (FPGAs) or application-specific ICs (ASICs)), hard disk drives (HDDs), hybrid hard drives (HHDs), optical discs, optical disc drives (ODDs), magneto-optical discs, magneto-optical drives, floppy diskettes, floppy disk drives (FDDs), magnetic tapes, solid-state drives (SSDs), RAM-drives, SECURE DIGITAL cards or drives, any other suitable computer-readable non-transitory storage media, or any suitable combination of two or more of these, where appropriate.
  • Embodiments disclosed herein are only examples, and the scope of this disclosure is not limited to them. Particular embodiments may include all, some, or none of the components, elements, features, functions, operations, or steps of the embodiments disclosed herein.
  • Embodiments disclosed herein include a method, an apparatus, a storage medium, a system and a computer program product, wherein any feature mentioned in one category, e.g., a method, can be applied in another category, e.g., a system, as well.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In one embodiment, a method includes: receiving, by a network node, traffic in a hierarchical software-defined wide area network (SD-WAN); determining, by the network node, a destination of the traffic, the destination region being located in the hierarchical SD-WAN; and classifying, by the network node, the traffic based on a destination match condition, the destination match condition being associated with at least two destination regions.
PCT/US2023/017999 2022-04-20 2023-04-10 Systems and methods for classifying traffic in a hierarchical SD-WAN network WO2023204985A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US202263332828P 2022-04-20 2022-04-20
US63/332,828 2022-04-20
US17/815,614 US20230344775A1 (en) 2022-04-20 2022-07-28 Systems and methods for classifying traffic in a hierarchical sd-wan network
US17/815,614 2022-07-28

Publications (1)

Publication Number Publication Date
WO2023204985A1 true WO2023204985A1 (fr) 2023-10-26

Family

ID=86286578

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2023/017999 WO2023204985A1 (fr) 2022-04-20 2023-04-10 Systems and methods for classifying traffic in a hierarchical SD-WAN network

Country Status (1)

Country Link
WO (1) WO2023204985A1 (fr)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHEN QIAN ET AL: "A scalable and resilient layer-2 network with ethernet compatibility", IEEE /ACM TRANSACTIONS ON NETWORKING, IEEE / ACM, NEW YORK, NY, US, vol. 24, no. 1, 1 February 2016 (2016-02-01), pages 231 - 244, XP058261735, ISSN: 1063-6692, DOI: 10.1109/TNET.2014.2361773 *
LIU RUXIA ET AL: "A QoS Routing Optimization Algorithm Based on Hierarchical Multi-Controller Coordination", 2019 IEEE 4TH ADVANCED INFORMATION TECHNOLOGY, ELECTRONIC AND AUTOMATION CONTROL CONFERENCE (IAEAC), IEEE, vol. 1, 20 December 2019 (2019-12-20), pages 1820 - 1825, XP033715108, DOI: 10.1109/IAEAC47372.2019.8997564 *

Similar Documents

Publication Publication Date Title
CN112262553B (zh) Apparatus and method for tracing packets in the packet processing pipeline of a software-defined network switch
US11863429B2 (en) Network path selection
US7944854B2 (en) IP security within multi-topology routing
US8077721B2 (en) Methods and apparatus providing two stage tunneling
US9538423B2 (en) Routing packet traffic using hierarchical forwarding groups
US8239572B1 (en) Custom routing decisions
US10880121B1 (en) Provisioning QOS behavior on tunnel endpoints
US11716279B2 (en) Systems and methods for determining FHRP switchover
EP3586482B1 (fr) Mechanism for detecting data-plane loops in an OpenFlow network
CN111865658A (zh) vCPE multi-tenant based tenant service identification and mapping method and system
US11424986B2 (en) Method and apparatus for mobile packet core mechanism for GiLAN network slices with segment routing
US11811651B2 (en) Apparatus, system, and method for steering traffic over network slices
US9479435B2 (en) Method and system for supporting transport of data packets in a network
US8553539B2 (en) Method and system for packet traffic congestion management
US8675669B2 (en) Policy homomorphic network extension
US20230344775A1 (en) Systems and methods for classifying traffic in a hierarchical sd-wan network
WO2023204985A1 (fr) Systems and methods for classifying traffic in a hierarchical SD-WAN network
KR102071031B1 (ko) Method and apparatus for providing service chaining in a cloud environment
US11582137B1 (en) Systems and methods for extending application-aware routing to improve site encryption throughput performance
US11489714B2 (en) Method and system for performing network fault analysis
US20230188460A1 (en) Ultimate Regional Fallback Path for Hierarchical SD-WAN
US20210377221A1 (en) Systems and Methods for Costing In Nodes after Policy Plane Convergence
WO2023107827A1 (fr) Ultimate regional fallback path for hierarchical SD-WAN
US11824770B2 (en) Systems and methods for asymmetrical peer forwarding in an SD-WAN environment
US20230108311A1 (en) Fast Convergence in Access Networks

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23721161

Country of ref document: EP

Kind code of ref document: A1