-
Publication number: US20230069306A1
Publication date: 2023-03-02
Application number: US17411875
Filing date: 2021-08-25
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Venkatavaradhan Devarajan, Vinayak Joshi, Ram lakhan Patel
IPC: H04L12/761, H04L12/717, H04L12/725, H04L12/46
Abstract: A system for policy management in a switch is provided. During operation, the system can generate, from a first policy defined for the switch, a second policy. The first policy can indicate whether a type of traffic is allowed from a source role to a destination role via an overlay tunnel. The second policy can indicate a plurality of destination roles that are allowed to receive multi-destination packets of the type of traffic from the source role via the overlay tunnel. Upon identifying a host associated with a role at a port of the switch, the system can determine whether the role belongs to the plurality of destination roles based on the second policy. If the role belongs to the plurality of allowed destination roles, the system can allow the port to forward a multi-destination packet, which is received via the overlay tunnel and associated with the type of traffic.
-
Publication number: US20230089819A1
Publication date: 2023-03-23
Application number: US17482079
Filing date: 2021-09-22
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Ram lakhan Patel, Vinayak Joshi
IPC: H04L29/06
Abstract: One aspect of the instant application facilitates source port-based identification of a client role. During operation, the system can receive, at a network device, a network packet from a client device coupled to the network device via a port. In response to determining that the port is a trusted port, the system can apply a global trusted port configuration based on a first mapping table; the global trusted port configuration corresponds to a default client role. In response to determining that a per-port configuration exists in a second mapping table and that the client device is coupled to the trusted port, the system can identify the per-port configuration that corresponds to a port-based client role, which overrides the global trusted port configuration, and apply, based on the per-port configuration and a third mapping table, a policy to the subsequent network packets received via the port.
-
Publication number: US20230113466A1
Publication date: 2023-04-13
Application number: US17498029
Filing date: 2021-10-11
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Ram lakhan Patel
IPC: H04L12/813
Abstract: A system determines a first set of policies, wherein at least one policy entry for a destination role comprises a source role, a traffic attribute, and an action to be taken for the packet. The system represents the policies as a matrix, wherein a first entry in the matrix indicates the source and destination role, the traffic attribute, and the action of the at least one policy entry. The system replaces, in the first entry, the action with the destination role if the action indicates to allow the packet, and with a null value if the action indicates to deny the packet, to obtain a first data structure with entries indicating, for a respective source role, traffic attributes and corresponding sets of allowed destination roles. The system resolves an overlapping pair comprising a first and a second traffic attribute to obtain a second set of synthesized policies.
-
Publication number: US12126535B2
Publication date: 2024-10-22
Application number: US17498029
Filing date: 2021-10-11
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Ram lakhan Patel
CPC classification number: H04L47/20
Abstract: A system determines a first set of policies, wherein at least one policy entry for a destination role comprises a source role, a traffic attribute, and an action to be taken for the packet. The system represents the policies as a matrix, wherein a first entry in the matrix indicates the source and destination role, the traffic attribute, and the action of the at least one policy entry. The system replaces, in the first entry, the action with the destination role if the action indicates to allow the packet, and with a null value if the action indicates to deny the packet, to obtain a first data structure with entries indicating, for a respective source role, traffic attributes and corresponding sets of allowed destination roles. The system resolves an overlapping pair comprising a first and a second traffic attribute to obtain a second set of synthesized policies.
-
Publication number: US20230093278A1
Publication date: 2023-03-23
Application number: US17483474
Filing date: 2021-09-23
Applicant: Hewlett Packard Enterprise Development LP
Inventor: Rajib Majila, Ram lakhan Patel
IPC: H04L12/741, H04L12/751, H04L12/717, H04L12/46, H04L29/12
Abstract: The system determines a first source MAC associated with a switch. The system updates a MAC address table by mapping the first source MAC to a first tag which indicates a source role corresponding to a network infrastructure. A processor associated with the switch generates a first packet which indicates the first source MAC. The system performs a first search in the MAC address table based on the indicated first source MAC to obtain the first tag, and performs a second search in a policy table based on the first tag for a policy which indicates an action to be applied to the first packet. If the second search is not successful, the system modifies a header of the first packet by adding the first tag. If the second search is successful, the system determines that the indicated action comprises allowing the first packet and transmits the first packet.
-