-
Publication number: US12107754B2
Publication date: 2024-10-01
Application number: US17712342
Filing date: 2022-04-04
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Venkatavaradhan Devarajan , Vinayak Joshi
CPC classification number: H04L45/02 , H04L12/4641 , H04L45/04 , H04L63/08 , H04L63/105
Abstract: In an example, a switch may receive an authentication request from a host associated with a first wireless access point (WAP) connected to the switch. The switch acts as a VXLAN Tunnel Endpoint (VTEP) in a Border Gateway Protocol (BGP) Ethernet Virtual Private Network (EVPN) based Virtual Extensible Local Area Network (VXLAN). The switch forwards the authentication request to an authentication server and on successful authentication of the host, may associate a role information with the host based on an authentication response from the authentication server. Further, the switch may create a BGP extended community field carrying the role identifier indicative of network policies to be implemented for the host and attach the BGP extended community field with a route advertisement. The switch then sends the route advertisement to another switch. The another switch is configured as a peer VTEP in the VXLAN. The switch and the another switch are configured in a single Virtual Local Area Network (VLAN).
-
Publication number: US12095656B2
Publication date: 2024-09-17
Application number: US17391836
Filing date: 2021-08-02
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Saumya Dikshit , Vinayak Joshi , Venkatavaradhan Devarajan
IPC: H04L45/28 , H04L12/46 , H04L41/0604 , H04L41/0816 , H04L45/24 , H04L45/74 , H04L101/622
CPC classification number: H04L45/28 , H04L12/4633 , H04L12/4641 , H04L41/0627 , H04L41/0816 , H04L45/245 , H04L45/74 , H04L2101/622
Abstract: In an example, a failure event is detected in a network, where the failure event is indicative of a network outage in a network device or a peer network device of an MC-LAG. The network device and the peer network device may be configured as a first VTEP in an overlay network. It may be determined that reprovisioning of virtual tunnels in the network device is incomplete. State parameters between the network device and the peer network device are synchronized. The set of virtual tunnels in the network device is provisioned based on the state parameters. After completion of provisioning of the virtual tunnels, an IP address of the first VTEP is published to underlay network devices connecting the first VTEP to a second VTEP over an underlay network. Subsequently, communication links between the MC-LAG and a host device are enabled.
-
Publication number: US20240146556A1
Publication date: 2024-05-02
Application number: US18051121
Filing date: 2022-10-31
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Vinayak Joshi , Tathagata Nandy
IPC: H04L12/18 , H04L45/64 , H04L45/7453
CPC classification number: H04L12/18 , H04L45/64 , H04L45/7453
Abstract: In an example, a network switch may receive a join request, for a multicast group indicated by an overlay multicast address, from a remote network switch. The network switch may be coupled to a source host device and the remote network switch may be coupled to a receiver host device of the multicast group. The network switch and the remote network switch may be configured as virtual endpoints in an overlay network deployed over an underlay network. The network switch may map the overlay multicast address to an underlay multicast address and the remote network switch may join the multicast group represented by the underlay multicast address. The network switch may receive multicast traffic for the multicast group from the source host device and encapsulate the multicast traffic with a destination address identical to the underlay multicast address. The network switch may then forward the multicast traffic to the multicast group via the underlay network based on the destination address. The receiver host device may receive the multicast traffic via the remote network switch.
-
Publication number: US20220191120A1
Publication date: 2022-06-16
Application number: US17221813
Filing date: 2021-04-04
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Saumya Dikshit , Vinayak Joshi
IPC: H04L12/26 , H04L12/703 , H04L12/721 , H04L12/707 , H04L12/46
Abstract: An example network orchestrator of a SDN is configured to receive, based on a user input, credentials associated with a traffic flow. Based on the credentials, it is determined whether the traffic flow is received at an ingress overlay network node. Route information and encapsulation information of the traffic flow are extracted from the ingress overlay network node. A first set of underlay network nodes each of which is a potential next hop for the traffic flow is identified. It is determined, based on the encapsulation information, whether the traffic flow is received by one of the first set of underlay network nodes. It is determined whether the traffic flow is received at an egress overlay network node from one of the first. A network trace of the traffic flow is determined based on the determinations of whether the traffic flow is received at the ingress overlay network node, one of the first set of underlay network nodes, and the egress overlay network node. Based on the network trace, a fault in a link between network nodes or in the ingress overlay network node or in the egress overlay network node or in one of the first set of underlay network nodes is detected.
-
Publication number: US12126521B2
Publication date: 2024-10-22
Application number: US17411875
Filing date: 2021-08-25
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila , Venkatavaradhan Devarajan , Vinayak Joshi , Ram Lakhan Patel
CPC classification number: H04L45/16 , H04L12/4633 , H04L45/30 , H04L45/42
Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.
-
Publication number: US20230111305A1
Publication date: 2023-04-13
Application number: US17497209
Filing date: 2021-10-08
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Vinayak Joshi , Venkatavaradhan Devarajan
IPC: H04L12/46 , H04L12/741
Abstract: An apparatus for detecting a loop in a domain comprising a plurality of overlay tunnel fabrics is provided. The apparatus can include an indicator logic block that can insert a predetermined value, which can be unique for the apparatus in the domain, into an egress tunnel header of a packet of a data flow. The header's destination address can correspond to a remote apparatus of an overlay tunnel fabric that includes the apparatus. Tunnel encapsulation can be initiated and terminated within the corresponding overlay tunnel fabric. The indicator logic block can determine, for a respective packet of the data flow from a remote overlay tunnel fabric of the domain, whether the predetermined value is present in an ingress tunnel header. Upon identifying the predetermined value in the ingress tunnel header, a loop logic block of the apparatus can determine that a loop is present in the domain.
-
Publication number: US20230089819A1
Publication date: 2023-03-23
Application number: US17482079
Filing date: 2021-09-22
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila , Ram Lakhan Patel , Vinayak Joshi
IPC: H04L29/06
Abstract: One aspect of the instant application facilitates a source port-based identification of client role. During operation, the system can receive, at a network device, a network packet from a client device coupled to the network device via a port. The system can in response to determining that the port is a trusted port, apply a global trusted port configuration based on a first mapping table. The global trusted port configuration corresponds to a default client role. The system can in response to determining that a per-port configuration exists in a second mapping table and the client device is coupled to the trusted port, identify the per-port configuration that corresponds to a port-based client role to override the global trusted port configuration; and apply, based on the per-port configuration and a third mapping table, a policy to the subsequent network packets received via the port.
-
Publication number: US11502927B2
Publication date: 2022-11-15
Application number: US17221813
Filing date: 2021-04-04
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Saumya Dikshit , Vinayak Joshi
IPC: H04L43/0882 , H04L43/0823 , H04L43/0817 , H04L12/46 , H04L45/00 , H04L45/24 , H04L45/28
Abstract: An example network orchestrator of a SDN is configured to receive, based on a user input, credentials associated with a traffic flow. Based on the credentials, it is determined whether the traffic flow is received at an ingress overlay network node. Route information and encapsulation information of the traffic flow are extracted from the ingress overlay network node. A first set of underlay network nodes each of which is a potential next hop for the traffic flow is identified. It is determined, based on the encapsulation information, whether the traffic flow is received by one of the first set of underlay network nodes. It is determined whether the traffic flow is received at an egress overlay network node from one of the first. A network trace of the traffic flow is determined based on the determinations of whether the traffic flow is received at the ingress overlay network node, one of the first set of underlay network nodes, and the egress overlay network node. Based on the network trace, a fault in a link between network nodes or in the ingress overlay network node or in the egress overlay network node or in one of the first set of underlay network nodes is detected.
-
Publication number: US12107857B2
Publication date: 2024-10-01
Application number: US18103341
Filing date: 2023-01-30
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Vinayak Joshi , Tathagata Nandy
Abstract: A system for enforcement of a set of segmentation policies at a gateway switch of a network is provided. Here, the segmentation policies can indicate which other roles are allowed to communicate with a respective role, which can indicate a set of privileges in the network. During operation, the switch can receive a first message associated with a join request for a multicast group from a host. The switch can also receive a second message comprising data from a source of the multicast group. The first and second messages can indicate first and second roles, respectively, of the host and source. Based on the first and second roles and a corresponding segmentation policy, the system can determine whether the host is allowed to receive the data from the source. If not allowed, the system can prevent the second message from being forwarded to the host from the gateway switch.
-
Publication number: US20240283798A1
Publication date: 2024-08-22
Application number: US18315269
Filing date: 2023-05-10
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Balaji Sankaran , Venkatavaradhan Devarajan , Vinayak Joshi
IPC: H04L9/40
CPC classification number: H04L63/104 , H04L63/102 , H04L63/30
Abstract: Some examples relate to a proxy service on a network device for applying a group based policy (GBP) to network traffic from a client. In an example, a proxy service on a network device is used to intercept a network access request message, pertaining to a client, from an access device. The proxy service forwards the network access request message to an authentication server. The server responds by sending a network access response message to the access device. The proxy service intercepts the network access response message from the authentication server and obtains the role information of the client from the network access response message. In response to receiving network traffic from the client, the proxy service identifies a GBP corresponding to the role information of the client and applies the GBP to the network traffic from the client.