
Bypassing a firewall for authorized flows using software defined networking

Patent number
US10079805B2
Publication date
2018-09-18
Applicant
FUJITSU LIMITED (JP Kawasaki)
Inventors
David D. Jameson; Russell DeMolay
IPC classification
G06F9/00; H04L29/06
Technical field
sdn,firewall,router,may,data,flow,criteria,packet,network,pe
Region: Kawasaki-Shi, Kanagawa

Abstract

Methods and systems for managing authorized data flows using software defined networking include receiving flow criteria sent from a firewall and extracted from a first data packet, determining whether flow criteria of the first data packet matches an entry in a master data flow list, inserting the flow criteria from the first data packet into the master data flow list on a software defined networking controller, and sending the flow criteria of the first data packet to the router. The router may forward a second data packet associated with the data flow toward a destination based on the validation of the first data packet by the firewall. The flow criteria may not match an entry in a router data flow list on the router and may include at least two of: a source IP address, a destination IP address, a destination port, and a protocol of transmission.

Description

PE router 208 may also receive the data packet and may determine whether the data packet is unknown or new. This determination may include matching flow criteria from the data packet to an entry in the PE router data flow list. PE router 208 may also send the data packet to an appropriate firewall using a default flow entry list. For instance, firewall 212 may receive the data packet from PE router 208 using link 216. Links 218, 220, and 308 may be implemented using any suitable communication protocol for flow criteria, including but not limited to RESTful protocols, NETCONF, OpenFlow, SNMP, CLI, and TL1. Links 302, 306, 304, and 216 may be implemented using any suitable communication protocol for data packets, including but not limited to an IP link.

SDN controller 206 may be connected to firewall 212, PE router 208, and CE router 210. SDN controller 206 may send the flow criteria associated with a data flow, validated or authorized by firewall 212, to PE router 208 or CE router 210. The CE router may insert the received flow criteria in a router data flow list to forward future data packets from a client directly to a destination within the same domain. For example, client 102-1 may send future data packets associated with a data flow to client 102-2 via CE router 210 while bypassing PE router 206 and/or firewall 212. Accordingly, SDN controller 206 may manage authorized data flows, which may reduce the bandwidth requirements of network 300 and/or reduce the number of network ports on CE router 210, PE router 208, and/or firewall 212.
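The master data flow list and router data flow list described above, modelled as an added Python example that is not taken from the patent. The class names, the wildcard treatment of unset fields, and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class FlowCriteria:
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def __post_init__(self):
        # The abstract requires at least two of the four fields.
        if sum(v is not None for v in asdict(self).values()) < 2:
            raise ValueError("flow criteria need at least two fields")

    def matches(self, pkt: dict) -> bool:
        # Assumption: a field left unset acts as a wildcard.
        return all(v is None or pkt.get(k) == v for k, v in asdict(self).items())

class Router:
    def __init__(self):
        self.flow_list = []  # router data flow list

    def route(self, pkt: dict) -> str:
        # Known flow: forward directly. Unknown: default entry sends it to the firewall.
        return "forward" if any(f.matches(pkt) for f in self.flow_list) else "to_firewall"

class Controller:
    def __init__(self, routers):
        self.master = set()  # master data flow list
        self.routers = routers

    def on_validated(self, criteria: FlowCriteria) -> bool:
        # Criteria arrive from the firewall after it validated a first packet.
        if criteria in self.master:
            return False  # already in the master list, nothing to push
        self.master.add(criteria)
        for r in self.routers:
            r.flow_list.append(criteria)
        return True

def demo(fields):
    pe = Router()
    ctl = Controller([pe])
    # Constructed packets: `first` is the validated one, `other` differs only in port.
    first = {"src_ip": "192.0.2.5", "dst_ip": "198.51.100.9", "dst_port": 443, "protocol": "tcp"}
    other = dict(first, dst_port=22)
    before = pe.route(first)
    ctl.on_validated(FlowCriteria(**{k: first[k] for k in fields}))
    return [before, pe.route(first), pe.route(other)]
```

With all four fields installed, only the validated flow skips the firewall; with only source and destination IP, the port-22 packet is forwarded as well. The criteria pushed to the router should therefore be at least as specific as the firewall rule that approved the first packet.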

Claims

1