公开(公告)号：US12063149B2

公开(公告)日：2024-08-13

申请号：US18353702

申请日：2023-07-17

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G. P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L41/5019 ,  H04L47/10

CPC classification number: H04L41/5019 ,  H04L47/10

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US11617076B2

公开(公告)日：2023-03-28

申请号：US16901248

申请日：2020-06-15

Applicant: Cisco Technology Inc.

Inventor： Jeffrey Napper ,  Alessandro Duminuco ,  Hendrikus G. P. (Peter) Bosch

IPC: H04W12/037 ,  H04W76/12 ,  H04L9/40 ,  H04L9/32 ,  H04W88/18 ,  H04W84/12 ,  H04W88/16

Abstract: The present disclosure is directed to systems and methods for clientless virtual private network (VPN) roaming with 802.1x authentication and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including, receiving, at a local proxy, an 802.1x communication including authentication information from a remote device wirelessly connected to a visited network, wherein the remote device requests access to an enterprise network; authenticating the remote device with the enterprise network using the authentication information; establishing an encrypted tunnel between the visited network and the enterprise network; and transmitting data between the remote device and the enterprise network through the encrypted tunnel.

公开(公告)号：US20200322230A1

公开(公告)日：2020-10-08

申请号：US16782769

申请日：2020-02-05

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G.P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L12/24 ,  H04L12/801

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US09479443B2

公开(公告)日：2016-10-25

申请号：US14285843

申请日：2014-05-23

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus G. P. Bosch ,  Ian McDowell Campbell ,  Humberto J. La Roche ,  James N. Guichard ,  Surendra M. Kumar ,  Paul Quinn ,  Alessandro Duminuco ,  Jeffrey Napper ,  Ravi Shekhar

IPC: H04L12/851 ,  H04L12/801 ,  H04W72/04 ,  H04L12/721 ,  H04W88/16

CPC classification number: H04L47/2408 ,  H04L45/38 ,  H04L47/12 ,  H04L47/14 ,  H04W72/0493 ,  H04W88/16

Abstract: An example method is provided in one example embodiment and may include receiving a packet for a subscriber at a gateway, wherein the gateway includes a local policy anchor for interfacing with one or more policy servers and one or more classifiers for interfacing with one or more service chains, each service chain including one or more services accessible by the gateway; determining a service chain to receive the subscriber's packet; appending the subscriber's packet with a header, wherein the header includes, at least in part, identification information for the subscriber and an Internet Protocol (IP) address for the local policy anchor; and injecting the packet including the header into the service chain determined for the subscriber.

Abstract translation: 在一个示例性实施例中提供了示例性方法，并且可以包括在网关处接收订户的分组，其中所述网关包括用于与一个或多个策略服务器进行接口的本地策略锚点以及用于与一个或多个服务 每个服务链包括由网关可访问的一个或多个服务; 确定服务链以接收订户的分组; 用标题附加订户的分组，其中该报头至少部分地包括用户的标识信息和用于本地策略锚的因特网协议（IP）地址; 以及将包括所述头部的分组注入到为所述用户确定的服务链中。

公开(公告)号：US09413659B2

公开(公告)日：2016-08-09

申请号：US14301767

申请日：2014-06-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Jeffrey Napper

IPC: H04L12/26 ,  H04L12/741 ,  H04L12/801 ,  H04L12/851

CPC classification number: H04L45/745 ,  H04L47/18 ,  H04L47/2441

Abstract: An example method for distributed network address and port translation (NAPT) for migrating flows between service chains in a network environment is provided and includes distributing translation state for a flow traversing the network across a plurality of NAPT service nodes in the network, with packets belonging to the flow being translated according to the translation state, associating the flow with a first service chain at a flow classifier in the network, and updating the association when the flow migrates from the first service chain to a second service chain, with packets belonging to the migrated flow also being translated according to the translation state. The method may be executed at a pool manager in the network. In specific embodiments, the pool manager may include a distributed storage located across the plurality of NAPT service nodes.

Abstract translation: 提供了一种用于在网络环境中的服务链之间迁移流的分布式网络地址和端口转换（NAPT）的示例方法，并且包括：跨越网络中的多个NAPT服务节点的跨流过的流的分发转换状态，分组属于 根据所述翻译状态对所述流进行翻译，将所述流与所述网络中的流分类器处的第一服务链相关联，以及当所述流从所述第一服务链迁移到第二服务链时更新所述关联，其中分组属于 迁移流也根据翻译状态进行翻译。 该方法可以在网络中的池管理器处执行。 在具体实施例中，池管理器可以包括跨越多个NAPT服务节点的分布式存储器。

公开(公告)号：US11743141B2

公开(公告)日：2023-08-29

申请号：US17538983

申请日：2021-11-30

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G. P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L41/5019 ,  H04L47/10

CPC classification number: H04L41/5019 ,  H04L47/10

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US11277337B2

公开(公告)日：2022-03-15

申请号：US16750139

申请日：2020-01-23

Applicant: Cisco Technology Inc.

Inventor： Hendrikus G. P. Bosch ,  Stefan Olofsson ,  Ijsbrand Wijnands ,  Anubhav Gupta ,  Jeffrey Napper ,  Sape Jurriën Mullender

IPC: H04L12/723 ,  H04L12/755 ,  H04L12/717 ,  H04L29/12 ,  H04L29/06 ,  H04L29/08 ,  H04L12/741 ,  H04L12/725 ,  H04L45/50 ,  H04L45/021 ,  H04L67/63 ,  H04L61/4511 ,  H04L45/42

Abstract: In one embodiment, a method includes detecting a request to route traffic to a service associated with an application. The method also includes identifying an application identifier associated with the application and selecting, using the application identifier, a label from a plurality of labels included in a routing table. The label includes one or more routes. The method further includes routing the traffic to the service associated with the application using the label.

公开(公告)号：US20170359265A1

公开(公告)日：2017-12-14

申请号：US15181159

申请日：2016-06-13

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus G. P. Bosch ,  Jeffrey Napper ,  Alessandro Duminuco ,  Humberto J. La Roche ,  Surendra M. Kumar ,  Aeneas Sean Dodd-Noble ,  Anil Kumar Chandrupatla

IPC: H04L12/851 ,  H04L12/713 ,  H04L12/803 ,  H04L29/08 ,  H04L12/801

CPC classification number: H04L47/2441 ,  H04L45/586 ,  H04L47/125 ,  H04L47/14 ,  H04L67/1076 ,  H04L67/2842

Abstract: A method is provided in one example embodiment and includes receiving at a network element a packet associated with a flow and determining whether a flow cache of the network element includes an entry for the flow indicating a classification for the flow. The method further includes, if the network element flow cache does not include an entry for the flow, punting the packet over a default path to a classifying service function, in which the classifying service function classifies the flow and determines a control plane service function for handling the flow, and receiving from the classifying service function a service path identifier (“SPI”) of a service path leading to the determined control plane service function. The flow is subsequently offloaded from the classifying service function to the network element.

公开(公告)号：US20170208000A1

公开(公告)日：2017-07-20

申请号：US14997212

申请日：2016-01-15

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus Bosch ,  Sape Jurriën Mullender ,  Jeffrey Napper ,  Surendra M. Kumar ,  Alessandro Duminuco

IPC: H04L12/721 ,  H04L12/741

CPC classification number: H04L45/38 ,  H04L45/745

Abstract: Particular embodiments described herein provide for a communication system that can be configured for receiving, at a network element, a flow offload decision for a first service node. The flow offload decision can include a portion of a service chain for processing a flow and updating next hop flow based routing information for the flow. A next hop in the flow can insert flow specific route information in its routing tables to bypass a packet forwarder serving the service that offloaded the flow in the reverse direction.

公开(公告)号：US09413655B2

公开(公告)日：2016-08-09

申请号：US14304043

申请日：2014-06-13

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kevin D. Shatzkamer ,  James N. Guichard ,  Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Humberto J. La Roche ,  Jeffrey Napper

IPC: H04L12/741 ,  H04L12/721 ,  H04L12/851 ,  H04L12/725

CPC classification number: H04L45/74 ,  H04L45/306 ,  H04L45/38 ,  H04L47/2441 ,  H04L47/2483

Abstract: A method provided in one embodiment includes receiving a first data packet of a data flow at a first classifier in which the first data packet includes a first identifier. The method further includes determining a second classifier associated with the first identifier in which the second classifier is further associated with at least one service chain of a service chain environment. The method still further includes forwarding the first data packet to the second classifier. The second classifier is configured to receive the first data packet, determine a particular service chain of the at least one service chain to which the first data packet is to be forwarded, and forward the first data packet to the particular service chain.

Abstract translation: 在一个实施例中提供的方法包括在第一分类器处接收数据流的第一数据分组，其中第一数据分组包括第一标识符。 该方法还包括确定与第一标识符相关联的第二分类器，其中第二分类器进一步与服务链环境的至少一个服务链相关联。 该方法还包括将第一数据分组转发到第二分类器。 第二分类器被配置为接收第一数据分组，确定要转发第一数据分组的至少一个服务链的特定服务链，并将第一数据分组转发到特定服务链。