-
Publication No.: US20220417287A1
Publication date: 2022-12-29
Application No.: US17409179
Application date: 2021-08-23
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila, Tathagata Nandy
IPC: H04L29/06
Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.
-
Publication No.: US20240259346A1
Publication date: 2024-08-01
Application No.: US18161171
Application date: 2023-01-30
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Vinayak Joshi, Venkata Varadhan Devarajan, Rajib Majila, Sathyanarayana Gopal, Hari Anil Kumar
IPC: H04L9/40
CPC classification number: H04L63/0254, H04L63/0245, H04L63/104
Abstract: A system for compacting traffic separation policies in campus networks, the system comprising an access layer switch and a campus border switch. The access layer switch is configured to receive a definition of one or more policies; responsive to receiving a packet, determine whether any of the policies apply to the packet; responsive to determining that none of the policies apply, cause a tag to be inserted into a communication header of the packet and forward the packet; and responsive to determining that one of the policies applies, forward or drop the packet according to the applicable policy and omit the tag. The campus border switch is configured to, responsive to receiving a packet from the access layer switch, determine whether the packet includes the tag, and responsive to determining that the packet includes the tag, apply a traffic separation policy associated with the tag to the packet.
-
Publication No.: US11888901B2
Publication date: 2024-01-30
Application No.: US17409179
Application date: 2021-08-23
Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Inventor: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila, Tathagata Nandy
CPC classification number: H04L63/20, H04L63/0236, H04L63/105
Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.
-
14.
Publication No.: US11671282B2
Publication date: 2023-06-06
Application No.: US17328485
Application date: 2021-05-24
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila
IPC: H04L12/46
CPC classification number: H04L12/4641, H04L12/4633
Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.
-
Publication No.: US20230069306A1
Publication date: 2023-03-02
Application No.: US17411875
Application date: 2021-08-25
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Venkatavaradhan Devarajan, Vinayak Joshi, Ram lakhan Patel
IPC: H04L12/761, H04L12/717, H04L12/725, H04L12/46
Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.
-
16.
Publication No.: US20220376950A1
Publication date: 2022-11-24
Application No.: US17328485
Application date: 2021-05-24
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Vinayak Joshi, Venkatavaradhan Devarajan, Rajib Majila
IPC: H04L12/46
Abstract: A system for dynamically activating a virtual network is provided. During operation, the system can operate a switch as a tunnel endpoint of a tunnel in conjunction with a remote switch. The tunnel can facilitate a virtual private network (VPN) spanning the switch and the remote switch. The system can maintain an inactive state for a virtual local area network (VLAN) and a corresponding tunnel network identifier identifying the VLAN for the tunnel. If a notification indicating the activation of the VLAN at a downstream switch is received by the switch, the system can activate the VLAN at the switch. The system can then activate the tunnel network identifier in a routing process of the VPN, thereby enabling sharing of a media access control (MAC) address associated with the VLAN via the tunnel.