-
Publication (Announcement) No.: US12069051B2
Publication (Announcement) Date: 2024-08-20
Application No.: US17743758
Filing Date: 2022-05-13
Applicant: Cisco Technology, Inc.
Inventor: Roberto Mitsuo Kobo, Zheng Li, Gopala Krishna Andagunda, Einar Nilsen-Nygaard, Shree Murthy, Parthiv Shah
IPC: H04L29/06, G06F9/455, H04L9/40, H04L61/5014
CPC classification number: H04L63/0876, G06F9/45558, H04L61/5014, H04L63/101, H04L63/20, G06F2009/45587, G06F2009/45595
Abstract: Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a wireless host device in a media access control (MAC)-based authentication network are described. In an example method, a wireless host device is authorized to join a fabric enabled wireless network. A VM executes in bridge mode on the wireless host device. At the fabric edge, a source MAC address of the VM is determined. A session is created between the VM and an authentication server. The VM is authenticated. A policy for the VM is determined. A source internet protocol (IP) address is assigned to the VM to create a MAC-IP binding. A data-plane device in the fabric enabled wireless network is programmed to apply the policy to traffic communicated with the VM. Finally, the data-plane device applies the policy for the VM based at least in part on the MAC-IP binding.
-
Publication (Announcement) No.: US11824753B2
Publication (Announcement) Date: 2023-11-21
Application No.: US17446965
Filing Date: 2021-09-05
Applicant: Cisco Technology, Inc.
Inventor: Rajagopal Venkatraman, Rajeev Kumar, Roberto Mitsuo Kobo, Vikash Agarwal
Abstract: In one embodiment, network node-to-node connectivity verification is performed in a network including data path processing of packets within a packet switching device. In one embodiment, an echo request connectivity test packet, emulating an echo request connectivity test packet received from a first connected network node, is inserted by the packet switching device into its data processing path prior to ingress processing performed for packets received from the first connected network node. A correspondingly received echo reply connectivity test packet is intercepted by the packet switching device during data path egress processing performed for packets to be forwarded to the first connected network node.
-
Publication (Announcement) No.: US20240340283A1
Publication (Announcement) Date: 2024-10-10
Application No.: US18746555
Filing Date: 2024-06-18
Applicant: Cisco Technology, Inc.
Inventor: Roberto Mitsuo Kobo, Zheng Li, Gopala Krishna Andagunda, Einar Nilsen-Nygaard, Shree Murthy, Parthiv Shah
IPC: H04L9/40, G06F9/455, H04L61/5014
CPC classification number: H04L63/0876, G06F9/45558, H04L61/5014, H04L63/101, H04L63/20, G06F2009/45587, G06F2009/45595
Abstract: Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a host device are described. In an example method, a fabric edge device determines a MAC address of the VM executing on the host device. The fabric edge device transmits an access request to create a session for the VM to an authentication server. The fabric edge device receives from the authentication server an indication that the VM is authenticated and a session for the VM has been created. The authentication server determines a policy to apply to packets communicated from the VM and assigns an IP address to the VM to create a MAC-IP binding for the VM. The fabric edge device applies the policy for the VM to packets with a source IP address corresponding to an IP address assigned to the VM.
-
Publication (Announcement) No.: US11223564B2
Publication (Announcement) Date: 2022-01-11
Application No.: US16567324
Filing Date: 2019-09-11
Applicant: Cisco Technology, Inc.
Inventor: Atri Indiresan, Roberto Mitsuo Kobo, Sanjay Kumar Hooda, Anton Smirnov
IPC: H04L12/803, H04L12/931, H04L29/12, H04L12/939
Abstract: In one embodiment, a method comprises receiving traffic to send from a router to a host in the fabric edge network, wherein the fabric edge network comprises a plurality of switches and an inter-switch link (ISL); and sending the traffic from the router to the host via at least one of the switches based on the downlink connectivity of the host. Sending the traffic from the router to the host is performed without sending the traffic through the ISL. Sending the traffic from the router to the host comprises sending the traffic through the ISL when there is a link failure on a path between the router and the host.
-
Publication (Announcement) No.: US20230370453A1
Publication (Announcement) Date: 2023-11-16
Application No.: US17743758
Filing Date: 2022-05-13
Applicant: Cisco Technology, Inc.
Inventor: Roberto Mitsuo Kobo, Zheng Li, Gopala Krishna Andagunda, Einar Nilsen-Nygaard, Shree Murthy, Parthiv Shah
IPC: H04L9/40, H04L61/5014, G06F9/455
CPC classification number: H04L63/0876, H04L63/101, H04L63/20, H04L61/5014, G06F9/45558, G06F2009/45595, G06F2009/45587
Abstract: Techniques for authenticating and enforcing differentiated policies for a virtual machine (VM) executing in bridge mode on a wireless host device in a media access control (MAC)-based authentication network are described. In an example method, a wireless host device is authorized to join a fabric enabled wireless network. A VM executes in bridge mode on the wireless host device. At the fabric edge, a source MAC address of the VM is determined. A session is created between the VM and an authentication server. The VM is authenticated. A policy for the VM is determined. A source internet protocol (IP) address is assigned to the VM to create a MAC-IP binding. A data-plane device in the fabric enabled wireless network is programmed to apply the policy to traffic communicated with the VM. Finally, the data-plane device applies the policy for the VM based at least in part on the MAC-IP binding.
-
Publication (Announcement) No.: US20230308389A1
Publication (Announcement) Date: 2023-09-28
Application No.: US17703965
Filing Date: 2022-03-24
Applicant: Cisco Technology, Inc.
Inventor: Victor Manuel Moreno, Sanjay Kumar Hooda, Roberto Mitsuo Kobo, Balaji Pitta Venkatachalapathy
CPC classification number: H04L45/64, H04L12/4641
Abstract: Methods and devices configure edge nodes of a virtual network overlay to continuously forward data plane traffic flows between client devices of a common subnet while at least some of the edge nodes are being EF-configured. TF-configured edge nodes and EF-configured edge nodes both play roles in unilaterally inducing address discovery by sending to client devices address discovery responses that were not prompted by address discovery requests. TF-configured edge nodes then handle ensuing address discovery requests by proxy, and subsequently handle certain traffic flows according to an EF-compatible forwarding mode, while EF-configured edge nodes continue to forward traffic flows by IP routing normally. This averts a reduction in data plane throughput over the network overlay as a side effect of the heterogeneously configured edge nodes, and averts the possibility of client devices broadcasting address discovery protocol requests as a result of remote client devices being unreachable.
-
Publication (Announcement) No.: US12273254B2
Publication (Announcement) Date: 2025-04-08
Application No.: US18334947
Filing Date: 2023-06-14
Applicant: Cisco Technology, Inc.
Inventor: Rajagopal Venkatraman, Rajeev Kumar, Roberto Mitsuo Kobo, Vikash Agarwal
Abstract: In one embodiment, network node-to-node connectivity verification is performed in a network including data path processing of packets within a packet switching device. In one embodiment, an echo request connectivity test packet, emulating an echo request connectivity test packet received from a first connected network node, is inserted by the packet switching device into its data processing path prior to ingress processing performed for packets received from the first connected network node. A correspondingly received echo reply connectivity test packet is intercepted by the packet switching device during data path egress processing performed for packets to be forwarded to the first connected network node.
-
Publication (Announcement) No.: US11729139B2
Publication (Announcement) Date: 2023-08-15
Application No.: US17381539
Filing Date: 2021-07-21
Applicant: Cisco Technology, Inc.
Inventor: Roberto Mitsuo Kobo, Parthiv Shah, Ramesh Yeevani-Srinivas
IPC: H04L12/741, H04L12/721, H04L29/12, H04L61/5014, G06F9/455, H04L101/622
CPC classification number: H04L61/5014, G06F9/45558, G06F2009/45562, G06F2009/45595, H04L2101/622
Abstract: A system and method for onboarding a virtual machine in a bridge host extension mode are provided. The method includes: creating a virtual machine on a host computing device, wherein the host computing device is associated with a first MAC address and a first IP address; assigning the virtual machine a second MAC address by the host computing device; receiving a first DHCP packet from the virtual machine by the host computing device, wherein the first DHCP packet comprises a first field that includes the second MAC address; replacing the second MAC address in the first field with the first MAC address by the host computing device; adding the second MAC address to a second field of the first DHCP packet by the host computing device; and providing the first DHCP packet to a DHCP server through a network by the host computing device.
-
Publication (Announcement) No.: US20230034148A1
Publication (Announcement) Date: 2023-02-02
Application No.: US17381539
Filing Date: 2021-07-21
Applicant: Cisco Technology, Inc.
Inventor: Roberto Mitsuo Kobo, Parthiv Shah, Ramesh Yeevani-Srinivas
Abstract: A system and method for onboarding a virtual machine in a bridge host extension mode are provided. The method includes: creating a virtual machine on a host computing device, wherein the host computing device is associated with a first MAC address and a first IP address; assigning the virtual machine a second MAC address by the host computing device; receiving a first DHCP packet from the virtual machine by the host computing device, wherein the first DHCP packet comprises a first field that includes the second MAC address; replacing the second MAC address in the first field with the first MAC address by the host computing device; adding the second MAC address to a second field of the first DHCP packet by the host computing device; and providing the first DHCP packet to a DHCP server through a network by the host computing device.
-
Publication (Announcement) No.: US20240396945A1
Publication (Announcement) Date: 2024-11-28
Application No.: US18791151
Filing Date: 2024-07-31
Applicant: Cisco Technology, Inc.
Inventor: Shree Narasimha Murthy, Sanjay Kumar Hooda, Prakash C. Jain, Roberto Mitsuo Kobo, Rajagopal Venkatraman
IPC: H04L9/40, G06F9/455, H04L61/5007, H04L61/5014
Abstract: Techniques are described for analyzing traffic originating from a host device in a wireless network to identify one or more virtual machines (VMs) running on the host device and connected to the network via the host device in bridge mode. When a VM is created in bridge mode behind a host device, the traffic originated by the VM will have the source Media Access Control (MAC) address of the host device. According to techniques described herein, devices and/or components associated with the network may profile the traffic to identify an address of the VM, such as by analyzing dynamic host configuration protocol (DHCP) packets to determine the Internet Protocol (IP) address of the VM. Once the IP address and the MAC address of the VM are known, the components and/or devices may apply security policies to the VM that may be different from the security policies applied to the host device.