Transport control protocol sequence number recovery in stateful devices
    1.
    Granted invention patent
    Status: In force

    Publication number: US09426262B2

    Publication date: 2016-08-23

    Application number: US14246365

    Filing date: 2014-04-07

    CPC classification number: H04L69/40 H04L63/02 H04L69/163

    Abstract: Techniques are presented herein for optimizing network traffic exchanged between devices in a network. A firewall device in a network detects a firewall failure event. In response to detecting the firewall failure event, the firewall device changes from a standby state to an active state in managing a network connection between a source device and a destination device in the network. The firewall device generates a synchronization message and sends the synchronization message to the destination device. The firewall device receives from the destination device a response message that includes synchronization information.

    PORT ADDRESS TRANSLATION SCALABILITY IN STATEFUL NETWORK DEVICE CLUSTERING

    Publication number: US20200296075A1

    Publication date: 2020-09-17

    Application number: US16885620

    Filing date: 2020-05-28

    Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

    Service-function chaining using extended service-function chain proxy for service-function offload

    Publication number: US10462047B2

    Publication date: 2019-10-29

    Application number: US15483534

    Filing date: 2017-04-10

    Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.

    Stateful connection processing in a security device cluster

    Publication number: US09860209B2

    Publication date: 2018-01-02

    Application number: US14709777

    Filing date: 2015-05-12

    CPC classification number: H04L63/0227 H04L47/10 H04L63/0254

    Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

    Service-function chaining using extended service-function chain proxy for service-function offload

    Publication number: US10931571B2

    Publication date: 2021-02-23

    Application number: US16578517

    Filing date: 2019-09-23

    Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.

    Service-function chaining using extended service-function chain proxy for service-function offload

    Publication number: US11570091B2

    Publication date: 2023-01-31

    Application number: US17130865

    Filing date: 2020-12-22

    Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.

    Port address translation scalability in stateful network device clustering

    Publication number: US11159481B2

    Publication date: 2021-10-26

    Application number: US16885620

    Filing date: 2020-05-28

    Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

    High performance for efficient auto-scaling of stateful service

    Publication number: US10938728B2

    Publication date: 2021-03-02

    Application number: US16520408

    Filing date: 2019-07-24

    Abstract: A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.

    MOBILE NETWORK DEVICE MULTI-LINK OPTIMIZATIONS
    10.
    Invention application
    Status: In force

    Publication number: US20150327058A1

    Publication date: 2015-11-12

    Application number: US14801680

    Filing date: 2015-07-16

    Abstract: The disclosed embodiments support mobility internal and external to enterprise networks. Service providers provide mobility by providing Home Agent functionality corresponding to each Enterprise network. In this manner, mobility may be provided to Mobile Nodes both internal and external to their enterprise networks. Moreover, data packets may be transmitted by Mobile Nodes to Correspondent Nodes, whether they are within their enterprise network, the Service Provider network, or the Internet.
