Stacking Metadata Contexts for Service Chains
    21.
    Invention application
    Status: Under examination (published)

    Publication number: US20160006651A1

    Publication date: 2016-01-07

    Application number: US14851236

    Filing date: 2015-09-11

    CPC classification number: H04L45/566 H04L45/306 H04L69/22

    Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a first set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node performs at least one of the service functions in the service path and rewrites the service header with a second set of context headers. The second set of context headers include metadata derived from performing the service function(s) at the network node.

    NETWORK FABRIC OVERLAY
    22.
    Invention application
    Status: In force

    Publication number: US20150124826A1

    Publication date: 2015-05-07

    Application number: US14530550

    Filing date: 2014-10-31

    Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

    Data Plane Learning of Bi-Directional Service Chains
    23.
    Invention application
    Status: In force

    Publication number: US20140334488A1

    Publication date: 2014-11-13

    Application number: US13891245

    Filing date: 2013-05-10

    CPC classification number: H04L45/306 H04L41/0893 H04L47/2441 H04L69/22

    Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.

    DYNAMIC ATTRIBUTE BASED APPLICATION POLICY
    24.
    Invention application
    Status: In force

    Publication number: US20160352576A1

    Publication date: 2016-12-01

    Application number: US14809971

    Filing date: 2015-07-27

    Abstract: Systems, methods, and computer-readable storage media are provided for dynamically setting an end point group for an end point. An endpoint can be assigned a default end point group when added to a network. For example, the default end point group can be a baseline port/security group which is considered an untrusted group. The end point can then be dynamically assigned an end point group based on a set of group selection rules. For example, the group selection rules can identify an end point group based on the MAC address or other attributes. When the end point is added to the network, the MAC address and/or other attributes of the end point can be determined and used to assign an end point group. As another example, an end point group can be assigned based on the amount of traffic or guest operation system.

    Method and Apparatus for Providing Network Security Using Role-Based Access Control
    25.
    Invention application
    Status: Under examination (published)

    Publication number: US20160255087A1

    Publication date: 2016-09-01

    Application number: US14954308

    Filing date: 2015-11-30

    Inventor: Michael R. Smith

    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

    DATA PLANE LEARNING OF BI-DIRECTIONAL SERVICE CHAINS
    26.
    Invention application
    Status: Under examination (published)

    Publication number: US20160099867A1

    Publication date: 2016-04-07

    Application number: US14966737

    Filing date: 2015-12-11

    CPC classification number: H04L45/306 H04L41/0893 H04L47/2441 H04L69/22

    Abstract: Techniques are provided to decouple service chain structure from the underlying network forwarding state and allow for data plane learning of service chain forwarding requirements and any association between services function state requirements and the forward and reverse forwarding paths for a service chain. In a network comprising a plurality of network nodes each configured to apply a service function to traffic that passes through the respective network node, a packet is received at a network node. When the network node determines that the service function it applies is stateful, it updates context information in a network service header of the packet to indicate that the service function applied at the network node is stateful and that traffic for a reverse path matching the classification criteria is to be returned to the network node.

    Stacking metadata contexts for service chains
    27.
    Granted invention patent
    Status: In force

    Publication number: US09178812B2

    Publication date: 2015-11-03

    Application number: US13910179

    Filing date: 2013-06-05

    CPC classification number: H04L45/566 H04L45/306 H04L69/22

    Abstract: Presented herein are techniques useful in a network comprising a plurality of network nodes each configured to apply one or more service functions to traffic that passes through the respective network nodes. A network node receives packets encapsulated in a service header that includes information defining a variable set of context headers stacked into an association of metadata that is relevant to one or more service functions within a service path comprised of one or more network nodes. The network node interprets a forwarding state and a next-hop network node for the service path from the service header, and determines a service action or associated metadata from the set of context headers.

