SECURE TRANSMISSION OF A SESSION IDENTIFIER DURING SERVICE AUTHENTICATION
    Invention application (legal status: in force)

    Publication number: US20160294797A1

    Publication date: 2016-10-06

    Application number: US14674938

    Application date: 2015-03-31

    Abstract: In an embodiment a method is performed by a network access device (NAD). The NAD transfers a first HTTPS request from a client computer (UE) to an identity provider computer (IdP). The NAD transfers, from the IdP, a preceding redirected URL in response to the first HTTPS request, to the UE and configured to cause the UE to redirect to said preceding redirected URL. Over a secure network link, the NAD receives a particular request specifying said preceding redirected URL, from the UE. Responsive to receiving the particular request, the NAD generates a response, comprising a subsequent redirected URL and a session identifier, and configured to cause the UE to redirect to the IdP over an HTTPS connection. The NAD transfers said subsequent redirected URL over the secure network link to the UE. The NAD transfers a second HTTPS request, comprising the session identifier, from the UE to the IdP.


    GROUP-BASED POLICIES FOR INTER-DOMAIN TRAFFIC

    Publication number: US20250030628A1

    Publication date: 2025-01-23

    Application number: US18905935

    Application date: 2024-10-03

    Abstract: In one embodiment, a method by a first edge router includes receiving a request control message from a second edge router requesting a first identifier of a first group associated with a first host having a first Internet Protocol (IP) address, determining the first identifier of the first group based on the first IP address, sending a response control message to the second edge router including the first identifier of the first group, receiving a data packet destined to the first host from the second edge router, determining that a second group is a source group and the first group is a destination group of the data packet, applying one or more policies associated with a combination of the source group and the destination group to the data packet, and causing the data packet to be routed to the first host within the first site.

    Policy plane integration across multiple domains

    Publication number: US10826775B1

    Publication date: 2020-11-03

    Application number: US16446338

    Application date: 2019-06-19

    Abstract: Systems, methods, and computer-readable media for providing cross-domain policy enforcement. In some examples, transit VRFs for a destination network domain and a source network domain are created. Route advertisements for nodes coupled to source VRFs in the source network domain are created that include identifications of the source VRFs. The route advertisements can be transmitted from a source transit VRF in the source network domain to a destination transit VRF in the destination network domain. The route advertisements can then be filtered at the destination transit VRF based on a cross-domain policy using the identifications of the source VRFs to export routes to destination VRFs in the destination network domain according to the cross-domain policy.

    Group-based policies for inter-domain traffic

    Publication number: US12184539B2

    Publication date: 2024-12-31

    Application number: US18303493

    Application date: 2023-04-19

    Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

    Group-based policies for inter-domain traffic

    Publication number: US11683262B2

    Publication date: 2023-06-20

    Application number: US16697016

    Application date: 2019-11-26

    CPC classification number: H04L45/302 H04L12/2854 H04L45/74 H04L47/20

    Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

    GROUP-BASED POLICIES FOR INTER-DOMAIN TRAFFIC

    Publication number: US20230261981A1

    Publication date: 2023-08-17

    Application number: US18303493

    Application date: 2023-04-19

    CPC classification number: H04L45/302 H04L12/2854 H04L45/74 H04L47/20

    Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.

    Normalized lookup and forwarding for diverse virtual private networks

    Publication number: US11296985B2

    Publication date: 2022-04-05

    Application number: US16939300

    Application date: 2020-07-27

    Abstract: This technology enables normalized lookup and forwarding for diverse virtual private networks in multi-site network fabric deployments. A source device on a first Layer 2 site transmits a frame to a destination device on the same subnet, but on a second Layer 2 site. The frame is encapsulated and routed to a fabric border node. The fabric border node matches the source subnet to the destination subnet and transmits an address request protocol (“ARP”). In response to not receiving a reply to the ARP, the fabric border node transmits a map request to a Layer 3 transit fabric control plane node. The control plane node extracts a destination identifier from the map request and determines that the destination identifier is a Layer 2 identifier. The control plane node transmits a map reply to the fabric border node, where the frame is re-encapsulated and forwarded to the destination device.

    NORMALIZED LOOKUP AND FORWARDING FOR DIVERSE VIRTUAL PRIVATE NETWORKS

    Publication number: US20220029915A1

    Publication date: 2022-01-27

    Application number: US16939300

    Application date: 2020-07-27

    Abstract: This technology enables normalized lookup and forwarding for diverse virtual private networks in multi-site network fabric deployments. A source device on a first Layer 2 site transmits a frame to a destination device on the same subnet, but on a second Layer 2 site. The frame is encapsulated and routed to a fabric border node. The fabric border node matches the source subnet to the destination subnet and transmits an address request protocol (“ARP”). In response to not receiving a reply to the ARP, the fabric border node transmits a map request to a Layer 3 transit fabric control plane node. The control plane node extracts a destination identifier from the map request and determines that the destination identifier is a Layer 2 identifier. The control plane node transmits a map reply to the fabric border node, where the frame is re-encapsulated and forwarded to the destination device.

    GROUP-BASED POLICIES FOR INTER-DOMAIN TRAFFIC

    Publication number: US20210160175A1

    Publication date: 2021-05-27

    Application number: US16697016

    Application date: 2019-11-26

    Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.
