-
Publication number: US20170104850A1
Publication date: 2017-04-13
Application number: US15077052
Application date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J.W. Vliegen
IPC: H04L29/06, H04L12/741, H04L12/28, H04L29/08
CPC classification number: H04L69/22, H04L12/28, H04L12/4633, H04L63/0428, H04L63/162, H04L63/164
Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.
-
Publication number: US09992310B2
Publication date: 2018-06-05
Application number: US15077061
Application date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J. W. Vliegen
CPC classification number: H04L69/22, H04L12/28, H04L12/4633, H04L63/0428, H04L63/162, H04L63/164
Abstract: In an egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.
-
Publication number: US09967372B2
Publication date: 2018-05-08
Application number: US15077052
Application date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J. W. Vliegen
IPC: H04L12/741, H04L29/06, H04L12/28, H04L12/46
CPC classification number: H04L69/22, H04L12/28, H04L12/4633, H04L63/0428, H04L63/162, H04L63/164
Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.
-
Publication number: US20170104851A1
Publication date: 2017-04-13
Application number: US15077061
Application date: 2016-03-22
Applicant: Cisco Technology, Inc.
Inventor: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J.W. Vliegen
IPC: H04L29/06, H04L12/741, H04L12/28, H04L29/08
CPC classification number: H04L69/22, H04L12/28, H04L12/4633, H04L63/0428, H04L63/162, H04L63/164
Abstract: In an egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.