-
Publication number: US11463429B2
Publication date: 2022-10-04
Application number: US17070415
Application date: 2020-10-14
Applicant: Cisco Technology, Inc.
Inventor: Syam Sundar Appala , Sanjay Kumar Hooda , Rex E. Fernando , Vikram Pendharkar
Abstract: Network controls for application access secured by transport layer security (TLS) using single sign on (SSO) flow may be provided. An application access request for authenticating a user may be received in response to the user requesting an access to an application. User credentials associated with the user may be validated. In response to validating the user credentials, user attributes associated with the user may be determined. Network controls for a user session associated with the application access request may be determined based on the user attributes. The application access request may be redirected to a plain text user session. The plain text user session may comprise the network controls for the user session.
-
Publication number: US20220116806A1
Publication date: 2022-04-14
Application number: US17556765
Application date: 2021-12-20
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan , Sanjay Kumar Hooda , Venkatesh Ramachandra Gota , Chandramouli Balasubramanian , Anand Oswal
Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.
-
Publication number: US20210385100A1
Publication date: 2021-12-09
Application number: US16897110
Application date: 2020-06-09
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Kedar Sudhir Karmarkar , Shyamsundar N. Maniyar , Sanjay Kumar Hooda
IPC: H04L12/18 , H04L12/741 , H04L12/751 , H04L12/761 , H04L12/46
Abstract: This technology enables directed broadcasts in network fabrics. To enable a directed broadcast, a control plane node is configured to resolve directed broadcast addresses by mapping the directed broadcast address to a subnet address associated with the network fabric. A fabric border node receives a directed broadcast, extracts a destination address associated with the directed broadcast, and transmits a request to the control plane node to resolve the destination address. The control plane node retrieves the stored mapping and generates a map reply to the fabric border node with a multicast destination comprising the network fabric subnet address. The fabric border node encapsulates the directed broadcast with a header comprising the multicast destination and forwards the encapsulated directed broadcast to fabric edge nodes, which decapsulate the directed broadcast and deliver a data set from the directed broadcast to appropriate end point devices.
-
Publication number: US11165702B1
Publication date: 2021-11-02
Application number: US16864442
Application date: 2020-05-01
Applicant: Cisco Technology, Inc.
Inventor: Prakash C. Jain , Sanjay Kumar Hooda , Satish Kondalam , Raja Janardanan , Aaditya Vadnere , Shivangi Sharma
IPC: H04L12/28 , H04L12/747 , H04L12/741 , H04L12/801 , H04L12/715 , H04L12/813 , H04L29/06
Abstract: Systems, methods, and computer-readable media for communicating policy changes in a Locator/ID Separation Protocol (LISP) based network deployment include receiving, at a first routing device, a first notification from a map server, the first notification indicating a change in a policy for LISP based communication between at least a first endpoint device and at least a second endpoint device, the first endpoint device being connected to a network fabric through the first routing device and the second endpoint device being connected to the network fabric through a second routing device. The first routing device forwards a second notification to the second routing device if one or more entries of a first map cache implemented by the first routing device are affected by the policy change, the second notification indicating a set of one or more endpoints connected to the second routing device that are affected by the policy change.
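The two-step notification described in this abstract (map server to first xTR, then first xTR to the second xTR only when its own map cache holds affected entries) can be modelled directly. The following is an added illustrative example, not code from the patent or from Cisco; the group tags, the `MapCacheEntry` shape and the device names are assumptions made here for the illustration, and the endpoint addresses are constructed sample data.

```python
"""Policy-change propagation between LISP xTRs (added illustrative example).

Assumptions (not from the patent text): endpoints carry a group tag, the map
cache stores the tag learned with each remote EID, and a policy change is
expressed as (src_group, dst_group, action).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyChange:
    """First notification from the map server: policy for traffic from
    src_group to dst_group changed to `action` (e.g. "deny")."""
    src_group: str
    dst_group: str
    action: str


@dataclass
class MapCacheEntry:
    rloc: str    # RLOC of the remote xTR the EID sits behind
    group: str   # group tag learned together with the mapping


@dataclass
class RoutingDevice:
    name: str
    rloc: str
    local_endpoints: dict[str, str] = field(default_factory=dict)      # EID -> group
    map_cache: dict[str, MapCacheEntry] = field(default_factory=dict)  # remote EID -> entry

    def attach(self, eid: str, group: str) -> None:
        """Endpoint connects to this xTR."""
        self.local_endpoints[eid] = group

    def cache_mapping(self, eid: str, rloc: str, group: str) -> None:
        """Map-reply learned for a remote EID."""
        self.map_cache[eid] = MapCacheEntry(rloc, group)

    def on_policy_notification(self, change: PolicyChange) -> dict[str, list[str]]:
        """Handle the first notification. Returns the second notifications to
        send, keyed by remote RLOC, each listing the remote EIDs behind that
        RLOC that are affected. An empty dict means no map-cache entry is
        affected, so nothing is forwarded to any peer."""
        # Only relevant if an endpoint in the source group is actually local.
        if change.src_group not in self.local_endpoints.values():
            return {}
        affected: dict[str, list[str]] = {}
        for eid, entry in self.map_cache.items():
            if entry.group == change.dst_group:
                affected.setdefault(entry.rloc, []).append(eid)
        return {rloc: sorted(eids) for rloc, eids in affected.items()}

    def on_peer_notification(self, affected_eids: list[str]) -> list[str]:
        """Second xTR side: keep only the listed EIDs that are really attached
        here, so a peer cannot make this device act on endpoints it does not own."""
        return sorted(e for e in affected_eids if e in self.local_endpoints)


if __name__ == "__main__":
    # Constructed sample topology: xtr_a hosts an employee, xtr_b hosts servers.
    xtr_a = RoutingDevice("xtr-a", "10.0.0.1")
    xtr_b = RoutingDevice("xtr-b", "10.0.0.2")
    xtr_a.attach("192.168.1.10", "employees")
    xtr_b.attach("192.168.2.20", "servers")
    xtr_a.cache_mapping("192.168.2.20", xtr_b.rloc, "servers")
    second = xtr_a.on_policy_notification(PolicyChange("employees", "servers", "deny"))
    print(second)  # {'10.0.0.2': ['192.168.2.20']}
    print(xtr_b.on_peer_notification(second[xtr_b.rloc]))
```

The map-cache check in `on_policy_notification` is what keeps a single policy change from fanning out to every xTR in the fabric: only peers for which the first device actually holds a mapping receive a second notification, and `on_peer_notification` filters that list against the receiver's own endpoints before acting on it.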
-
Publication number: US11070422B2
Publication date: 2021-07-20
Application number: US16571365
Application date: 2019-09-16
Applicant: Cisco Technology, Inc.
Inventor: Oliver James Bull , Rex Emmanuel Fernando , Anand Oswal , Kausik Majumdar , Darren Russell Dukes , Sanjay Kumar Hooda
IPC: H04L12/26 , H04L12/24 , H04L12/851 , H04L12/815 , H04L12/813 , H04W84/04 , H04W88/16
Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.
-
Publication number: US20210218794A1
Publication date: 2021-07-15
Application number: US16737964
Application date: 2020-01-09
Applicant: Cisco Technology, Inc.
Inventor: Prakash Jain , Sanjay Kumar Hooda , Satish Kumar Kondalam
IPC: H04L29/08 , H04L12/721
Abstract: Presented herein are techniques to provide an endpoint in a multi-site Software-defined network (SDN) fabric with an Internet access route that is optimal for the specific site in which the endpoint is located. In particular, a control plane node in a first site of a multi-site SDN fabric registers a border node in the first site as a Default Egress Tunnel Router (ETR) for Internet access or unknown endpoint identifier (EID) of the first site. The first site includes at least one endpoint. The control plane node receives a request for Internet access for the at least one endpoint and provides a dynamically-selected Internet access route via a same or different virtual instance (e.g., Virtual Routing and Forwarding (VRF) function(s), Virtual Private Network(s) (VPNs), Virtual Networks (VNs), etc.) for Internet traffic sent by the at least one endpoint.
-
Publication number: US10999239B2
Publication date: 2021-05-04
Application number: US16715382
Application date: 2019-12-16
Applicant: Cisco Technology, Inc.
Inventor: Jesus Arango , Vina Ermagan , Johnson Leong , Sanjay Kumar Hooda
IPC: H04L12/28 , H04L29/12 , H04L12/713 , H04L12/26
Abstract: A Location/Identifier Separation Protocol (LISP) mapping server, including: a network interface for communicating with a LISP-enabled network; a mapping database; a subscription database; and an overlapping subscription publication engine (OSPE) to: receive a first mapping of a first subnetwork to a first routing locator (RLOC); add the first mapping to the mapping database; receive from a first ingress tunnel router (ITR) a subscription request for an endpoint identifier (EID) within the first subnetwork; add to a first subscription entry for the first subnetwork in the subscription database a subscription for the first ITR; receive a second mapping of a second subnetwork to a second RLOC, wherein the second subnetwork overlaps the first subnetwork; add the second mapping to the mapping database; and copy at least part of the first subscription entry to a second subscription entry for the second subnetwork.
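The overlapping-subscription step in this abstract (a later, overlapping EID-prefix registration inherits the subscribers of the prefix it overlaps, so they learn the new RLOC) is easy to get subtly wrong: copying every subscriber would notify ITRs whose EIDs are not actually answered by the new prefix. The following is an added illustrative example, not the patent's or Cisco's implementation; it assumes one RLOC per prefix and a named-ITR subscription record, both assumptions made here, and uses constructed sample prefixes.

```python
"""Overlapping-subscription publication for a LISP-style map server.

Added illustrative example (not Cisco's code). A subscription records which
ITR asked about which EID. When an overlapping prefix is registered later,
subscribers whose EIDs are now answered by that prefix (longest match) are
copied to its subscription entry and sent a notification.
Assumption: one RLOC per prefix; notifications are stored, not sent.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

Prefix = ipaddress.IPv4Network
Eid = ipaddress.IPv4Address


@dataclass
class MapServer:
    # mapping database: EID-prefix -> RLOC
    mapping_db: dict[Prefix, str] = field(default_factory=dict)
    # subscription database: EID-prefix -> {ITR name -> EIDs it asked about}
    subscription_db: dict[Prefix, dict[str, set[Eid]]] = field(default_factory=dict)
    # map-notify messages emitted: (ITR, prefix, RLOC)
    notifications: list[tuple[str, Prefix, str]] = field(default_factory=list)

    def longest_match(self, eid: Eid) -> Prefix | None:
        """Most specific registered prefix covering eid, or None."""
        covering = [p for p in self.mapping_db if eid in p]
        return max(covering, key=lambda p: p.prefixlen) if covering else None

    def subscribe(self, itr: str, eid_str: str) -> str | None:
        """ITR map-requests eid with the subscribe bit set: record it under the
        prefix that currently answers and return that prefix's RLOC."""
        eid = ipaddress.ip_address(eid_str)
        prefix = self.longest_match(eid)
        if prefix is None:
            return None
        self.subscription_db.setdefault(prefix, {}).setdefault(itr, set()).add(eid)
        return self.mapping_db[prefix]

    def register_mapping(self, prefix_str: str, rloc: str) -> list[str]:
        """Map-register a prefix. Copy over subscribers from overlapping
        entries whose EIDs are now answered by this prefix (the OSPE step),
        then notify everyone subscribed to it. Returns the ITRs notified."""
        prefix = ipaddress.ip_network(prefix_str)
        self.mapping_db[prefix] = rloc
        entry = self.subscription_db.setdefault(prefix, {})
        for other, subs in self.subscription_db.items():
            if other == prefix or not other.overlaps(prefix):
                continue
            for itr, eids in subs.items():
                # Only EIDs whose longest match moved to the new prefix are
                # copied; a less specific overlap changes nobody's answer.
                moved = {e for e in eids if self.longest_match(e) == prefix}
                if moved:
                    entry.setdefault(itr, set()).update(moved)
        notified = sorted(entry)
        for itr in notified:
            self.notifications.append((itr, prefix, rloc))
        return notified


if __name__ == "__main__":
    ms = MapServer()
    ms.register_mapping("10.1.0.0/16", "rloc-A")
    ms.subscribe("itr-1", "10.1.2.3")
    ms.subscribe("itr-2", "10.1.200.9")
    # A more specific /24 arrives: only itr-1's EID moves to it.
    print(ms.register_mapping("10.1.2.0/24", "rloc-B"))  # ['itr-1']
```

The copy step is also why authentication of map-register messages matters in such a deployment: a more specific prefix accepted from an untrusted registrant would be republished to every ITR that had subscribed to an EID inside it, steering their traffic to the new RLOC.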
-
Publication number: US20210075767A1
Publication date: 2021-03-11
Application number: US16561360
Application date: 2019-09-05
Applicant: Cisco Technology, Inc.
Inventor: Prakash C. Jain , Sanjay Kumar Hooda , Satish Kondalam
IPC: H04L29/06 , H04L12/715 , H04L29/12
Abstract: Systems, methods, and computer-readable media for preserving source host context when firewall policies are applied to traffic in an enterprise network fabric. A data packet to a destination host from a source host can be received at a first border node instance in an enterprise network fabric as part of network traffic. The data packet can include a context associated with the source host. Further, the data packet can be sent to a firewall of the enterprise network fabric and can be received at a second border node instance after the firewall applies a firewall policy to the data packet. The data packet can then be selectively encapsulated with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric.
-
Publication number: US10673850B2
Publication date: 2020-06-02
Application number: US15384365
Application date: 2016-12-20
Applicant: Cisco Technology, Inc.
Inventor: Victor Moreno , Sridhar Subramanian , Sanjay Kumar Hooda
Abstract: Systems and methods for network authorization are described herein. An example method can include receiving a user credential from a host device connected to a network, authenticating the user credential, and in response to authenticating the user credential, determining an authorization policy associated with the host device. The method can also include polling a network overlay control plane of the network to obtain a network location information associated with the host device, identifying at least one network device of the network using the network location information, and transmitting the authorization policy to the at least one network device.
-
Publication number: US10652047B2
Publication date: 2020-05-12
Application number: US16010444
Application date: 2018-06-16
Applicant: Cisco Technology, Inc.
Inventor: Prakash Chand Jain , Sanjay Kumar Hooda , Victor M. Moreno , Satish Kumar Kondalam
IPC: H04L12/46 , H04L12/741
Abstract: In one embodiment, a method is performed at a first node. The method may include receiving, at a first node, a request from a source host associated with a network to communicate with a destination host. The first node may determine whether the destination host is associated with the network. If the destination host is not associated with the network, the first node may determine an instance identifier (IID) and a proxy egress tunnel router (PETR) locator address used to communicate with the destination host. The first node may send an indicator to an ingress tunnel router (ITR) to encapsulate a packet with the IID and the PETR locator address before sending the packet from the source host to the destination host.
-