-
Publication No.: US11895081B2
Publication Date: 2024-02-06
Application No.: US17667952
Filing Date: 2022-02-09
Applicant: Cisco Technology, Inc.
Inventor: Victor Manuel Moreno, Sanjay Kumar Hooda
IPC: H04L61/2575, H04L12/46, H04L61/2592, H04L51/04, H04L61/5038, H04L61/2557
CPC classification number: H04L61/2557, H04L12/4633, H04L12/4679, H04L51/04, H04L61/2575, H04L61/2592, H04L61/5038
Abstract: This disclosure describes techniques for implementing network address translation as a distributed service over the nodes of a logical network fabric, such as a software-defined network fabric. A method includes registering, by an edge node of a network, an IP address of a client device. The method further includes forwarding, by the edge node, the registered IP address to a control plane of the network. The method further includes checking, by the control plane, a network address translation policy. The method further includes recording, by the control plane, translations between the registered IP address and an allocated IP address in a translation table, each of the translations being related to the edge node. The method further includes returning, by the control plane, the translations between the registered IP address and the allocated IP address to the edge node.
-
Publication No.: US11888736B2
Publication Date: 2024-01-30
Application No.: US17375748
Filing Date: 2021-07-14
Applicant: Cisco Technology, Inc.
Inventor: Prakash C. Jain, Sanjay Kumar Hooda, Vinay Saini, Victor Manuel Moreno
IPC: H04L45/586, H04L45/02, H04L45/302, H04L45/00, H04L12/46
CPC classification number: H04L45/586, H04L45/04, H04L45/306, H04L45/54, H04L12/4633
Abstract: Techniques are described herein for service chaining in fabric networks such that hardware resources can be preserved without service nodes needing additional capabilities. The techniques may include storing a first configuration associated with a first VRF instance of a service forwarding node that is connected to a first service of a service chain sequence. The first configuration may indicate an identifier and a type associated with a second service of the service chain sequence where traffic is to be sent after the first service. Additionally, the techniques may also include storing a second configuration associated with a second VRF instance of the service forwarding node that is connected to the second service. The second configuration may indicate that the second service is a last service of the service chain sequence. When traffic is received at the service forwarding node, the service forwarding node can determine whether the traffic is pre-service traffic or post-service traffic.
-
Publication No.: US11870641B2
Publication Date: 2024-01-09
Application No.: US18164010
Filing Date: 2023-02-03
Applicant: Cisco Technology, Inc.
Inventor: Oliver James Bull, Rex Emmanuel Fernando, Anand Oswal, Kausik Majumdar, Darren Russell Dukes, Sanjay Kumar Hooda
IPC: H04L43/08, H04L41/0806, H04L41/0893, H04L47/24, H04L47/22, H04L47/20, H04W84/04, H04W88/16
CPC classification number: H04L41/0806, H04L41/0893, H04L43/08, H04L47/20, H04L47/22, H04L47/24, H04W84/042, H04W88/16
Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.
-
Publication No.: US20230179598A1
Publication Date: 2023-06-08
Application No.: US18163351
Filing Date: 2023-02-02
Applicant: Cisco Technology, Inc.
Inventor: Muninder Sambi, Anand Oswal, Sanjay Kumar Hooda
CPC classification number: H04L63/0876, H04L12/4641, H04L63/20
Abstract: Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.
-
Publication No.: US20230179526A1
Publication Date: 2023-06-08
Application No.: US18103147
Filing Date: 2023-01-30
Applicant: Cisco Technology, Inc.
Inventor: Victor Manuel Moreno, Sanjay Kumar Hooda, Anoop Vetteth, Prakash C. Jain
IPC: H04L47/125, H04L12/16, H04L45/00
CPC classification number: H04L47/125, H04L12/16, H04L45/56
Abstract: This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.
-
Publication No.: US11658876B2
Publication Date: 2023-05-23
Application No.: US17377378
Filing Date: 2021-07-16
Applicant: Cisco Technology, Inc.
Inventor: Sanjay Kumar Hooda, Muninder Singh Sambi, Victor Moreno, Prakash C. Jain, Tarunesh Ahuja, Satish Kondalam
IPC: H04L41/0893, H04L12/46, G06F9/455
CPC classification number: H04L41/0893, G06F9/45558, H04L12/4633, H04L12/4641, G06F2009/45587, G06F2009/45595
Abstract: Systems, methods, and computer-readable storage media are provided for provisioning a common subnet across a number of subscribers and their respective virtual networks using dynamically generated network policies that provide isolation between the subscribers. The dynamic generation of the network policies is performed when a host (e.g. client) is detected (via a switch) as the host joins the computing network via virtual networks. This ability to configure a common subnet for all the subscriber virtual networks allows these subscribers to more easily access external shared services coming from a headquarter site while keeping the separation and segmentation of multiple subscriber virtual networks within a single subnet. This allows the Enterprise fabric to be more simple and convenient to deploy without making security compromises.
-
Publication No.: US11652791B2
Publication Date: 2023-05-16
Application No.: US16534783
Filing Date: 2019-08-07
Applicant: Cisco Technology, Inc.
Inventor: Victor Moreno, Sanjay Kumar Hooda, Marc Portoles Comeras
IPC: H04L9/40, H04L45/586, H04L45/745
CPC classification number: H04L63/0236, H04L45/586, H04L45/745, H04L63/029, H04L63/0263, H04L63/0272
Abstract: Systems, methods, and computer-readable media for implementing an extranet policy include receiving a request from a source to perform a lookup for a destination address. A lookup for the destination address is performed in a consolidated routing table, the consolidated routing table including a consolidated mapping of address prefixes associated with two or more virtual networks. If the lookup results in a match for the destination address with a matching address prefix, a matching virtual network associated with the matching address prefix is determined. An access policy for the request corresponding to the matching virtual network is obtained, and based on the access policy the request is allowed to access the destination address in the matching virtual network or disallowed. The consolidated routing table can be implemented in a mapping server using a Locator/ID Separation Protocol (LISP).
-
Publication No.: US11601428B2
Publication Date: 2023-03-07
Application No.: US17118061
Filing Date: 2020-12-10
Applicant: Cisco Technology, Inc.
Inventor: Muninder Sambi, Anand Oswal, Sanjay Kumar Hooda
IPC: H04L12/22, G06F21/71, H04L9/40, H04L12/46, H04L12/813, G06F12/109
Abstract: Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.
-
Publication No.: US20230029882A1
Publication Date: 2023-02-02
Application No.: US17390677
Filing Date: 2021-07-30
Applicant: Cisco Technology, Inc.
Inventor: Sanjay Kumar Hooda, Anoop Vetteth, Himanshu Mehra, Rajeev Kumar
IPC: H04L12/721, H04L12/26
Abstract: Systems, methods, and computer-readable media are provided for performing secure frame encryption as a service. For instance, a network edge device can determine at least a first path and a second path for routing a data packet. The network edge device can obtain a first plurality of values for at least one network metric, wherein the first plurality of values corresponds to the first path and at least a first backup path associated with the first path. The network edge device can obtain a second plurality of values for the at least one network metric, wherein the second plurality of values corresponds to the second path and at least a second backup path associated with the second path. The network edge device can select one of the first path or the second path for routing the data packet based on a comparison of the first plurality of values and the second plurality of values.
-
Publication No.: US11570109B2
Publication Date: 2023-01-31
Application No.: US17242601
Filing Date: 2021-04-28
Applicant: Cisco Technology, Inc.
Inventor: Victor Manuel Moreno, Sanjay Kumar Hooda, Anoop Vetteth, Prakash C. Jain
IPC: H04L1/00, H04L47/125, H04L12/16, H04L45/00
Abstract: This disclosure describes techniques for software-defined service insertion. The techniques include a method of configuring a network for service insertion. The techniques include processing a master policy correlating an endpoint group pair, of source endpoint group and destination endpoint group, to a service graph. The service graph indicates a template service chain, and the template service chain indicates an ordering of a plurality of services. Processing the master policy includes disaggregating the master policy into at least one location specific policy, each of the at least one location specific policy corresponding to a separate location in the network and including traffic steering directives corresponding to a portion of the plurality of services associated with the separate location. The techniques further include causing each of the at least one location specific policy to be stored in association with the separate location to which that location specific policy corresponds.