公开(公告)号：US12063149B2

公开(公告)日：2024-08-13

申请号：US18353702

申请日：2023-07-17

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G. P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L41/5019 ,  H04L47/10

CPC classification number: H04L41/5019 ,  H04L47/10

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US11233743B2

公开(公告)日：2022-01-25

申请号：US16839485

申请日：2020-04-03

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Fabio Maino ,  Bradford Pielech ,  Richard James Smith ,  Mikhail Davidov ,  Lorand Jakab

IPC: H04L12/46 ,  H04L12/851 ,  H04L29/12 ,  H04L29/06

Abstract: The present technology pertains to a system and method for extending enterprise networks' trusted policy frameworks to cloud-native applications. The present technology comprises sending, by an enterprise network controller, a first communication to a service mesh orchestrator for a service mesh, wherein the first communication informs the service mesh orchestrator of traffic segmentation policies to be applied to traffic originating at an enterprise network and of layer 7 extension headers which correspond to the enterprise network traffic segmentation policies.

公开(公告)号：US20200322273A1

公开(公告)日：2020-10-08

申请号：US16839485

申请日：2020-04-03

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Fabio Maino ,  Bradford Pielech ,  Richard James Smith ,  Mikhail Davidov ,  Lorand Jakab

IPC: H04L12/851 ,  H04L29/12 ,  H04L29/06 ,  H04L12/46

Abstract: The present technology pertains to a system and method for extending enterprise networks' trusted policy frameworks to cloud-native applications. The present technology comprises sending, by an enterprise network controller, a first communication to a service mesh orchestrator for a service mesh, wherein the first communication informs the service mesh orchestrator of traffic segmentation policies to be applied to traffic originating at an enterprise network and of layer 7 extension headers which correspond to the enterprise network traffic segmentation policies.

公开(公告)号：US20200322230A1

公开(公告)日：2020-10-08

申请号：US16782769

申请日：2020-02-05

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G.P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L12/24 ,  H04L12/801

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US20170041246A1

公开(公告)日：2017-02-09

申请号：US14816406

申请日：2015-08-03

Applicant: Cisco Technology, Inc.

Inventor： Fabio Maino ,  Vina Ermagan ,  Christopher Spain

IPC: H04L12/911 ,  H04L12/851 ,  H04L12/741

CPC classification number: H04L47/825 ,  H04L45/74 ,  H04L47/24

Abstract: In one embodiment, a first device in a network receives application traffic sent from a source device towards a destination address. The first device sends the application traffic to a traffic identification service. The first device receives an instruction to establish a network tunnel to send the application traffic from the source device towards the destination address. The instruction is based on a classification of the application traffic by the traffic identification service. The first device establishes the network tunnel to send the application traffic from the source device towards the destination address.

Abstract translation: 在一个实施例中，网络中的第一设备接收从源设备发送到目的地地址的应用流量。 第一个设备将应用流量发​​送到流量识别服务。 第一设备接收建立网络隧道的指令，以将来自源设备的应用流量发​​送到目的地址。 该指令基于流量识别服务对应用流量的分类。 第一个设备建立网络隧道，将应用流量从源设备发送到目的地址。

公开(公告)号：US20150063351A1

公开(公告)日：2015-03-05

申请号：US14010707

申请日：2013-08-27

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Victor Moreno ,  Fabio Maino ,  Vina Ermagan

IPC: H04L12/741 ,  H04L12/56

CPC classification number: H04L45/745 ,  H04L45/04 ,  H04L45/741

Abstract: In one embodiment, a method includes receiving a packet at a tunnel end point in a multi-tenant network, the packet comprising a destination, performing a lookup for the destination in a database comprising a mapping of global identifiers to local tenant identifiers for different hosting locations, each of the global identifiers uniquely identifying a tenant across all of the hosting locations, identifying a destination tunnel end point and a local tenant identifier for the destination, and inserting the destination tunnel end point and the local tenant identifier into the packet and forwarding the packet. An apparatus and logic are also disclosed herein.

Abstract translation: 在一个实施例中，一种方法包括在多租户网络中的隧道终点处接收分组，所述分组包括目的地，在数据库中执行目的地的查找，包括全局标识符到不同主机的本地租户标识符的映射 位置，每个全局标识符唯一地标识所有托管位置的租户，标识目的地的目的地隧道终点和本地租户标识符，并将目的地隧道终点和本地租户标识符插入到分组中并转发 包。 本文还公开了一种装置和逻辑。

公开(公告)号：US11863434B2

公开(公告)日：2024-01-02

申请号：US17534101

申请日：2021-11-23

Applicant: Cisco Technology, Inc.

Inventor： Fabio Maino ,  Syed Khalid Raza ,  Alberto Rodriguez Natal ,  Marc Portoles Comeras

IPC: H04L45/302 ,  H04L12/46 ,  H04L47/2441 ,  H04L9/40 ,  H04L45/64 ,  H04L47/20 ,  H04L67/63

CPC classification number: H04L45/306 ,  H04L12/4633 ,  H04L45/64 ,  H04L47/20 ,  H04L47/2441 ,  H04L63/20 ,  H04L67/63

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.

公开(公告)号：US11743141B2

公开(公告)日：2023-08-29

申请号：US17538983

申请日：2021-11-30

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G. P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L41/5019 ,  H04L47/10

CPC classification number: H04L41/5019 ,  H04L47/10

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US11647019B2

公开(公告)日：2023-05-09

申请号：US16654160

申请日：2019-10-16

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Mikhail Davidov ,  Lorand Jakab ,  Richard James Smith ,  Fabio Maino

IPC: H04L9/40 ,  H04L9/32 ,  G06F21/34 ,  G06F21/60

CPC classification number: H04L63/0853 ,  G06F21/34 ,  G06F21/602 ,  H04L9/32 ,  H04L63/0428 ,  H04L63/061 ,  H04L63/10

Abstract: A method includes generating, by an internal segmentation orchestrator, a key to cipher/decipher a cryptographic segmentation tag used by an untrusted device, transmitting the key to an external segmentation orchestrator, transmitting the cryptographic segmentation tag to the external segmentation orchestrator and provisioning a trusted network edge with the key and optionally the cryptographic segmentation tag. The method can also include onboarding, based on the key and the cryptographic segmentation tag, the untrusted device, wherein the untrusted device receives the cryptographic segmentation tag from the external segmentation orchestrator.

公开(公告)号：US11201818B2

公开(公告)日：2021-12-14

申请号：US16783843

申请日：2020-02-06

Applicant: Cisco Technology, Inc.

Inventor： Fabio Maino ,  Syed Khalid Raza ,  Alberto Rodriguez Natal ,  Marc Portoles Comeras

IPC: H04L12/725 ,  H04L29/08 ,  H04L12/46 ,  H04L12/851 ,  H04L29/06 ,  H04L12/715 ,  H04L12/813

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.