
Bypassing a firewall for authorized flows using software defined networking

Patent number
US10079805B2
Publication date
2018-09-18
Applicant
FUJITSU LIMITED(JP Kawasaki)
Inventors
David D. Jameson; Russell DeMolay
IPC classification
G06F9/00; H04L29/06
Technical field
sdn,firewall,router,may,data,flow,criteria,packet,network,pe
Region: Kawasaki-Shi, Kanagawa

Abstract

Methods and systems for managing authorized data flows using software defined networking include receiving flow criteria sent from a firewall and extracted from a first data packet, determining whether flow criteria of the first data packet matches an entry in a master data flow list, inserting the flow criteria from the first data packet into the master data flow list on a software defined networking controller, and sending the flow criteria of the first data packet to the router. The router may forward a second data packet associated with the data flow toward a destination based on the validation of the first data packet by the firewall. The flow criteria may not match an entry in a router data flow list on the router and may include at least two of: a source IP address, a destination IP address, a destination port, and a protocol of transmission.

Description

SDN controller 206 may determine whether the flow criteria matches an entry in a master data flow list of data flows. SDN controller 206 may also determine whether an entry matching the flow criteria needs to be updated. In one embodiment, the update may be based on the determination that the data flow has been encountered recently, which may use a timeout value to determine whether the data flow has been encountered before the expiration of the timeout. In another embodiment, the update may be based on the determination that the bandwidth of the data flow exceeds a threshold. The threshold may be based on the capability of network 200, which may be defined using any suitable criteria, including but not limited to the proximity of PE router 208 to firewall 212 and client 102-2. In this case, SDN controller 206 may open or establish an additional connection between client 102-1 and client 102-2. The additional connection may bypass or skip at least one network element, such as PE router 208. The connection may be a wavelength-division multiplexing (WDM) connection, which may use fiber-optic communication and may support additional bandwidth requirements.

SDN controller 206 may include logic to determine whether the flow criteria was sent to PE router 208 within a delay or wait period. This delay period may account for the latency associated with the link 220 between SDN controller 206 and PE router 208. The delay period may enable SDN controller 206 to avoid saturation of link 220 before an authorized data flow may be managed with the assistance of PE router 208. The delay period may be less than the timeout associated with the data flow, which may ensure that the entry is not invalidated, deleted, and/or removed before the flow criteria is received and processed by PE router 208.
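The timeout and delay-period bookkeeping described above can be modeled in a few lines. This is an added illustration, not code from the patent: the class and method names, the reading of the delay period as a re-send suppression window, and the router entry aging out after the same timeout are all assumptions, and the sample flow is constructed.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    last_seen: float    # last time the firewall reported this flow
    last_pushed: float  # last time the criteria was sent to the router

class Controller:
    """Toy model of the SDN controller's master data flow list (hypothetical names)."""

    def __init__(self, timeout: float, delay: float):
        # The delay period must be shorter than the flow timeout, so an entry
        # is not removed before the router has processed the criteria.
        if delay >= timeout:
            raise ValueError("delay period must be less than the flow timeout")
        self.timeout, self.delay = timeout, delay
        self.master = {}  # flow criteria -> Entry
        self.router = {}  # stand-in for the router data flow list: criteria -> expiry

    def _push(self, fc, now):
        self.master[fc].last_pushed = now
        self.router[fc] = now + self.timeout  # assumption: router entry ages out too

    def on_firewall_report(self, fc, now):
        """Handle flow criteria the firewall extracted from a validated packet."""
        entry = self.master.get(fc)
        if entry is not None and now - entry.last_seen >= self.timeout:
            del self.master[fc]  # stale entry: treat the flow as new
            entry = None
        if entry is None:
            self.master[fc] = Entry(last_seen=now, last_pushed=now)
            self._push(fc, now)
            return "inserted"
        entry.last_seen = now
        if now - entry.last_pushed < self.delay:
            return "suppressed"  # sent within the delay period: spare the link
        self._push(fc, now)
        return "refreshed"

    def router_bypasses_firewall(self, fc, now):
        """True if the router holds a live entry and forwards directly."""
        expiry = self.router.get(fc)
        return expiry is not None and now < expiry

# Constructed sample flow: (source IP, destination IP, destination port, protocol)
SAMPLE_FLOW = ("192.0.2.10", "198.51.100.20", 443, "tcp")
```

In this model a flow with no live router entry is never forwarded directly, so an expired or unknown flow returns to the firewall for validation.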

Claims

1