公开(公告)号：US09461968B2

公开(公告)日：2016-10-04

申请号：US14627223

申请日：2015-02-20

Applicant: Cisco Technology, Inc.

Inventor： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Rajesh Kumar Sethuraghavan

IPC: H04L12/721 ,  H04L29/06 ,  H04L12/931 ,  H04L29/08 ,  G06F21/53

CPC classification number: H04L63/0263 ,  G06F9/45558 ,  G06F2009/45587 ,  G06F2009/45595 ,  H04L29/08927 ,  H04L29/08972 ,  H04L49/356 ,  H04L49/70 ,  H04L63/0218 ,  H04L63/0227

Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

公开(公告)号：US11604658B2

公开(公告)日：2023-03-14

申请号：US17345882

申请日：2021-06-11

Applicant: Cisco Technology, Inc.

Inventor： David W. Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Dileep Kumar Devireddy ,  Ganesh Sadasivan

IPC: G06F15/16 ,  G06F9/4401 ,  H04L67/10 ,  H04L61/103 ,  H04L12/46 ,  G06F9/455 ,  H04L67/1097 ,  H04L9/40 ,  H04L47/70 ,  H04L45/00 ,  H04L101/622

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

公开(公告)号：US10554620B2

公开(公告)日：2020-02-04

申请号：US14749391

申请日：2015-06-24

Applicant: Cisco Technology, Inc.

Inventor： David W. Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Dileep Kumar Devireddy ,  Ganesh Sadasivan

IPC: G06F15/16 ,  H04L29/12 ,  H04L29/08 ,  H04L12/911

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

公开(公告)号：US10462136B2

公开(公告)日：2019-10-29

申请号：US14881649

申请日：2015-10-13

Applicant: Cisco Technology, Inc.

Inventor： Mauricio Arregoces ,  Nagaraj Bagepalli ,  Subramanian Chandrasekaran

IPC: H04L29/06 ,  H04L29/08

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

公开(公告)号：US09965317B2

公开(公告)日：2018-05-08

申请号：US15465654

申请日：2017-03-22

Applicant: Cisco Technology, Inc.

Inventor： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Murali Anantha

IPC: G06F15/16 ,  G06F9/455 ,  H04L12/931 ,  H04L29/08 ,  H04L12/64 ,  H04L12/24

CPC classification number: G06F9/45558 ,  G06F2009/45595 ,  H04L12/6418 ,  H04L41/12 ,  H04L49/70 ,  H04L67/10

Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a first virtual service node in the first virtual network. A second virtual network receives the subscription to the virtual network services and starts a virtual switch that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. The second virtual network starts a second virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

公开(公告)号：US20170012940A1

公开(公告)日：2017-01-12

申请号：US15270476

申请日：2016-09-20

Applicant: Cisco Technology, Inc.

Inventor： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Rajesh Kumar Sethuraghavan

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/0263 ,  G06F9/45558 ,  G06F2009/45587 ,  G06F2009/45595 ,  H04L29/08927 ,  H04L29/08972 ,  H04L49/356 ,  H04L49/70 ,  H04L63/0218 ,  H04L63/0227

Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

Abstract translation: 提供了实现基于区域的防火墙策略的技术。 在虚拟网络设备处，定义和存储表示虚拟防火墙策略的安全管理区域的信息，该虚拟防火墙策略包括与安全区域相关联的应用的一个或多个公共属性。 定义表示安全区域的防火墙规则的信息，并且包括用于匹配与安全区域相关联的应用的通用属性的第一条件以及要对应用流量执行的动作。 接收到与正确配置的虚拟机相关联的与应用程序流量相关联的参数。 确定应用业务参数是否满足防火墙规则的条件，并且响应于确定满足条件，执行动作。

公开(公告)号：US20160352682A1

公开(公告)日：2016-12-01

申请号：US14749391

申请日：2015-06-24

Applicant: Cisco Technology, Inc.

Inventor： David W. Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Dileep Kumar Devireddy ,  Ganesh Sadasivan

IPC: H04L29/12 ,  H04L12/911 ,  H04L29/08

Abstract: Many hybrid cloud topologies require virtual machines in a public cloud to use a router in a private cloud, even when the virtual machine is transmitting to another virtual machine in the public cloud. Routing data through an enterprise router on the private cloud via the internet is generally inefficient. This problem can be overcome by placing a router within the public cloud that mirrors much of the routing functionality of the enterprise router. A switch configured to intercept address resolution protocol (ARP) request for the enterprise router's address and fabricate a response using the MAC address of the router in the public cloud.

Abstract translation: 许多混合云拓扑需要公共云中的虚拟机在私有云中使用路由器，即使虚拟机正在传播到公共云中的另一个虚拟机。 通过互联网在私有云上通过企业路由器路由数据通常效率低下。 通过将路由器放置在公共云中来反映企业路由器的大部分路由功能，可以克服这个问题。 交换机被配置为拦截企业路由器地址的地址解析协议（ARP）请求，并使用公共云中的路由器的MAC地址来制定响应。

公开(公告)号：US20160188359A1

公开(公告)日：2016-06-30

申请号：US15060758

申请日：2016-03-04

Applicant: Cisco Technology, Inc.

Inventor： David Chang ,  Abhijit Patra ,  Nagaraj Bagepalli ,  Murali Anantha

IPC: G06F9/455 ,  H04L12/931 ,  H04L12/24 ,  H04L29/08 ,  H04L12/64

CPC classification number: G06F9/45558 ,  G06F2009/45595 ,  H04L12/6418 ,  H04L41/12 ,  H04L49/70 ,  H04L67/10

Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

Abstract translation: 将分布式虚拟交换机组件的位置感提供到服务提供方案中，以减少在混合云环境中跨网络进行策略评估时观察到的延迟。 第一虚拟网络中的管理应用订阅由第二虚拟网络提供的虚拟网络服务。 将第一消息发送到第二虚拟网络，第一消息包括被配置为启动第二虚拟网络中的虚拟交换机的信息，该第二虚拟网络切换第二虚拟网络中的一个或多个虚拟机的网络流量，所述虚拟机被配置为扩展由 第一个虚拟网络进入第二个虚拟网络。 第二消息被发送到第二虚拟网络，第二消息包括被配置为启动在第二虚拟网络中为一个或多个虚拟机提供网络业务服务的虚拟服务节点的信息。

公开(公告)号：US20160036862A1

公开(公告)日：2016-02-04

申请号：US14745524

申请日：2015-06-22

Applicant: Cisco Technology, Inc.

Inventor： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC: H04L29/06 ,  H04L9/32

CPC classification number: H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also describe.

Abstract translation: 这里描述了高度可扩展的应用网络设备。 根据一个实施例，网络元件包括交换结构，耦合到交换结构的第一服务模块以及通过交换结构耦合到第一服务模块的第二服务模块。 响应于通过第一网络从客户端接收的网络交易的分组来访问具有多个服务器的数据中心的服务器，所述第一服务模块被配置为执行OSI的第一部分（开放系统互连） 在第二服务模块被配置为执行分组上的OSI兼容的网络进程层的第二部分时，分组上的网络进程的兼容层。 第一部分包括不包括在第二部分中的至少一个OSI兼容层。 还描述了其他方法和装置。

公开(公告)号：US09100371B2

公开(公告)日：2015-08-04

申请号：US13859833

申请日：2013-04-10

Applicant: Cisco Technology, Inc.

Inventor： Nagaraj Bagepalli ,  Prashant Gandhi ,  Abhijit Patra ,  Kirti Prabhu ,  Anant Thakar

IPC: H04L29/06

CPC classification number: H04L63/205 ,  H04L9/3242 ,  H04L47/20 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/166 ,  H04L69/16 ,  H04L69/161 ,  H04L69/321 ,  Y10T70/5827

Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.

Abstract translation: 这里描述了高度可扩展的应用网络设备。 根据一个实施例，网络元件包括交换结构，耦合到交换结构的第一服务模块以及通过交换结构耦合到第一服务模块的第二服务模块。 响应于通过第一网络从客户端接收的网络事务的分组来访问具有多个服务器的数据中心的服务器，所述第一服务模块被配置为执行OSI的第一部分（开放系统互连） 在第二服务模块被配置为执行分组上的OSI兼容的网络进程层的第二部分时，分组上的网络进程的兼容层。 第一部分包括不包括在第二部分中的至少一个OSI兼容层。 还描述了其它方法和装置。