ACCURATE DETECTION OF ROGUE WIRELESS ACCESS POINTS

    Publication number: US20170111360A1

    Publication date: 2017-04-20

    Application number: US14882700

    Application date: 2015-10-14

    CPC classification number: H04W12/12 H04W12/00512 H04W12/10 H04W84/12 H04W88/16

    Abstract: A computer-implemented method is provided for a management entity to detect where a rogue access point is connected to the network infrastructure. The management entity receives from a wireless network controller an indication of an unauthorized frame wirelessly intercepted by an authorized access point. The unauthorized frame carries data between a rogue access point and a wireless client device. The rogue access point is connected to a compromised network element in a managed network at a compromised port of the compromised network element. The management entity extracts a client network address and a gateway network address from the indication of the unauthorized frame. The management entity traces a path through the managed network from a gateway network element associated with the gateway network address to the compromised network element. The management entity determines the compromised port in the compromised network element at which the rogue access point is connected.

    Automatic Discovery and Provisioning of Multi-Chassis Etherchannel Peers

    Type: Invention application

    Status: Under examination (published)

    Publication number: US20160254960A1

    Publication date: 2016-09-01

    Application number: US14632070

    Application date: 2015-02-26

    Abstract: Methods and systems are disclosed which can simplify the configuration of a MCEC in a fabric environment such that it may become automatic. Furthermore, centralized identities (such as a host tracking database and/or a network controller) may be employed to detect the presence of a MCEC. Requiring the creation of direct links between network devices participating in the MCEC may be avoided. Furthermore, logical L2 fabric connectivity (over a L3 fabric underlay) may be utilized to provide dual homing active-active services without additional configuration, as the tracking of peer network devices may be performed in a centralized manner. For example, a host tracking database or a network controller may be employed for peer tracking.

    Accelerating Network Convergence for Layer 3 Roams in a Next Generation Network Closet Campus

    Type: Invention application

    Status: Granted

    Publication number: US20140317249A1

    Publication date: 2014-10-23

    Application number: US13868214

    Application date: 2013-04-23

    CPC classification number: H04L49/65 H04W40/24

    Abstract: Accelerating network convergence may be provided. Consistent with embodiments of the disclosure, a mapping server may be configured to map an interconnection of various network elements comprising at least the following: a wireless host, at least two access switches, a plurality of distribution switches, a core switch, a mobility controller, and a mapping database. The mapping server may then receive an indication from the mobility controller that the wireless host has roamed from a first access switch to a second access switch. In response to the indication, the mapping server may remap the interconnection of network elements in the mapping database to update network routing information associated with the wireless host.

    Directed broadcast in network fabric

    Publication number: US12294512B2

    Publication date: 2025-05-06

    Application number: US17672278

    Application date: 2022-02-15

    Abstract: This technology enables directed broadcasts in network fabrics. A control plane node is configured to resolve directed broadcast addresses by mapping the directed broadcast address to a subnet address. A fabric border node receives a directed broadcast, extracts a destination address, and transmits a request to the control plane node to resolve the destination address. The control plane node retrieves the stored mapping and generates a map reply with a multicast destination. The fabric border node encapsulates and forwards the directed broadcast to fabric edge nodes, which decapsulate the directed broadcast and deliver a data set from the directed broadcast to appropriate end point devices. Each fabric edge node may be enabled to determine if the fabric edge node may be connected to a silent host and, based on that determination, request the fabric border node to be added to the multicast destination to receive the directed broadcast.

    Group based classification and policy enforcement for external network traffic

    Publication number: US12267238B2

    Publication date: 2025-04-01

    Application number: US18198104

    Application date: 2023-05-16

    Abstract: Techniques for group-based classification and policy enforcement at a network fabric edge for traffic that is being sent to external network destinations are disclosed herein. The techniques may include receiving, at a control plane of a network and from an edge node of the network, a request to provide mapping data associated with sending a packet to a destination. Based at least in part on an address prefix value associated with the destination, the control plane may determine that the destination is located in an external network. Additionally, a group identifier that is associated with the destination may be determined. In this way, an indication of the group identifier may be sent to the edge node such that the edge node may determine, based at least in part on the group identifier, a policy decision for routing the packet to the external network.

    Security group resolution at ingress across virtual networks

    Publication number: US12212544B2

    Publication date: 2025-01-28

    Application number: US17526164

    Application date: 2021-11-15

    Abstract: Techniques and architecture are described for providing a service, e.g., a security service such as a firewall, across different virtual networks/VRFs/VPN IDs. The techniques and architecture provide modifications in enterprise computing fabrics by modifying pull-based overlay protocols such as, for example, locator/identifier separation protocol (LISP), border gateway protocol ethernet virtual private network (BGP EVPN), etc. A map request carries additional information to instruct a map-server that even though mapping (destination prefix and firewall service RLOC for the destination) is known within the map-server's own virtual network/VRF for firewall service insertion, the map-server still should do a lookup across virtual networks/VRFs and discover the final destination's DGT (destination group tag) and include that in the map reply.

    GROUP-BASED POLICIES FOR INTER-DOMAIN TRAFFIC

    Publication number: US20250030628A1

    Publication date: 2025-01-23

    Application number: US18905935

    Application date: 2024-10-03

    Abstract: In one embodiment, a method by a first edge router includes receiving a request control message from a second edge router requesting a first identifier of a first group associated with a first host having a first Internet Protocol (IP) address, determining the first identifier of the first group based on the first IP address, sending a response control message to the second edge router including the first identifier of the first group, receiving a data packet destined to the first host from the second edge router, determining that a second group is a source group and the first group is a destination group of the data packet, applying one or more policies associated with a combination of the source group and the destination group to the data packet, and causing the data packet to be routed to the first host within the first site.

    SCALABLE SOURCE SECURITY GROUP TAG (SGT) PROPAGATION OVER THIRD-PARTY WAN NETWORKS

    Publication number: US20240406183A1

    Publication date: 2024-12-05

    Application number: US18223344

    Application date: 2023-07-18

    Abstract: Techniques for propagating security group tag mapping between external interconnected sites that are not capable of carrying the SGT mappings. A system is disclosed that includes operations of subscribing at a first border of a first site, by a control plane, a first SGT mapping associated with a first data packet at the first site for storing the SGT mapping of the first data packet at the control plane. Then, transmitting the first data packet from the first border of the first site to a second border of the second site without attaching the first SGT mapping with the first data packet. Further, in response to a determination by the control plane that the first data packet has lost the associated first SGT mapping at the second border, identifying the SGT mapping with the first data packet at the second border to be re-associated with the first data packet.
