-
Publication No.: US12284119B2
Publication Date: 2025-04-22
Application No.: US18129755
Filing Date: 2023-03-31
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells , Kyle Andrew Donald Mestery , Carlos M. Pignataro , Nagendra Kumar Nainar
Abstract: This disclosure describes techniques for performing application-based tagging. An example method includes receiving, at a virtual socket, non-packetized data from an application and generating, by the virtual socket, a label based on the application. One or more data packets are generated by packetizing at least a portion of the non-packetized data. A header field of the one or more data packets includes a tag based on the label.
-
Publication No.: US20250047759A1
Publication Date: 2025-02-06
Application No.: US18924470
Filing Date: 2024-10-23
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L67/561 , H04L9/40 , H04L12/46 , H04L45/00 , H04L45/42 , H04L61/103 , H04L61/4511 , H04L67/02 , H04L67/101 , H04L67/1012 , H04L67/141 , H04L67/562
Abstract: Techniques for leveraging the MASQUE protocol to provide remote clients with full application access to private enterprise resources are described herein. One or more network nodes may be configured to execute a MASQUE proxy service to provide a remote client device with full access to an enterprise/private application resource executing on an application node and hosted in an enterprise/application network, behind the MASQUE proxy service. In some examples, the MASQUE proxy service may execute on a single proxy node hosted at an edge of a cloud network or at an edge of an enterprise network. Additionally, or alternatively, a first instance of the MASQUE proxy service may execute on a first proxy node hosted at an edge of a cloud network (e.g., an ingress proxy node) and a second instance of the MASQUE proxy service may execute on a second proxy node hosted at an edge of the enterprise network.
-
Publication No.: US12184547B2
Publication Date: 2024-12-31
Application No.: US18367941
Filing Date: 2023-09-13
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Christopher Blair Murray , Jon Langemak , Rahim Lalani , Alvin Wong
IPC: H04L45/74 , H04L12/46 , H04L41/0816 , H04L41/0853 , H04L45/00 , H04L45/02 , H04L45/30 , H04L45/42 , H04L45/50 , H04L45/586 , H04L45/741 , H04L45/745 , H04L67/51
Abstract: Techniques for using global virtual network instance (VNI) labels in a multi-domain network to route network data with a multi-tenant network overlay are described herein. A routing device provisioned in a network domain of the multi-domain network may register with a service discovery system of the network domain for use of network configuration data to establish routes through the multi-domain network with network nodes. Each network domain of the multi-domain network may include an application programming interface (API) server for processing API requests to make changes to configurations of a network domain. A border gateway protocol (BGP) large community may be utilized to encode global VNI labels, network addresses, local next hop nodes, and/or additional network information and sent to routing devices provisioned in separate network domains. A service chain may be signaled by global VNI labels to route network traffic through various services prior to reaching a destination endpoint.
-
Publication No.: US20240388533A1
Publication Date: 2024-11-21
Application No.: US18786114
Filing Date: 2024-07-26
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery , Doron Levari
IPC: H04L47/12 , H04L67/141 , H04L67/148
Abstract: Techniques for scaling additional capacity for secure access solutions and other workloads of enterprise edge networks in and out of a cloud-computing network based on demand are described herein. The techniques may include determining that a capacity associated with a secure access node of an enterprise edge network meets or exceeds a threshold capacity. Based at least in part on the capacity meeting or exceeding the threshold capacity, the techniques may include causing a facsimile of the secure access node to be spun up on a cloud-computing network that is remote from the enterprise edge network. In this way, new connection requests received from client devices can be redirected to the facsimile of the secure access node. Additionally, or alternatively, one or more existing connections between client devices and the secure access node may be migrated to the facsimile of the secure access node in the cloud.
-
Publication No.: US20240323129A1
Publication Date: 2024-09-26
Application No.: US18732016
Filing Date: 2024-06-03
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Mark A. Bakke , William Mark Townsley
IPC: H04L47/2441 , H04L9/40 , H04L61/5007
CPC classification number: H04L47/2441 , H04L61/5007 , H04L63/02
Abstract: The present disclosure is directed to network traffic management and load balancing at a cloud-based secure access service accessible to remotely connected user devices. In one example, a cloud-based secure service system includes a network controller configured to receive network traffic from one or more user devices remotely connected to the controller; parse the network traffic into flow data and contextual information associated with the network traffic; determine that the network traffic is to be serviced by a target firewall service at the cloud-based secure service system based on the flow data and the contextual information; and direct the network traffic to the target firewall service to be serviced.
-
Publication No.: US20240323119A1
Publication Date: 2024-09-26
Application No.: US18670439
Filing Date: 2024-05-21
Applicant: Cisco Technology, Inc.
Inventor: Christopher Blair Murray , Jon Langemak , Alvin Wong , Alvaro Cesar Pereira , Kyle Andrew Donald Mestery
IPC: H04L45/74 , H04L12/46 , H04L41/0816 , H04L41/0853 , H04L45/00 , H04L45/02 , H04L45/30 , H04L45/42 , H04L45/50 , H04L45/586 , H04L45/741 , H04L45/745 , H04L67/51
CPC classification number: H04L45/74 , H04L12/4633 , H04L12/4641 , H04L41/0816 , H04L41/0853 , H04L45/02 , H04L45/04 , H04L45/22 , H04L45/30 , H04L45/42 , H04L45/50 , H04L45/586 , H04L45/741 , H04L45/745 , H04L67/51
Abstract: Techniques for using global virtual network instance (VNI) labels in a multi-domain network to route network data with a multi-tenant network overlay are described herein. A routing device provisioned in a network domain of the multi-domain network may register with a service discovery system of the network domain for use of network configuration data to establish routes through the multi-domain network with network nodes. Each network domain of the multi-domain network may include an application programming interface (API) server for processing API requests to make changes to configurations of a network domain. A border gateway protocol (BGP) large community may be utilized to encode global VNI labels, network addresses, local next hop nodes, and/or additional network information and sent to routing devices provisioned in separate network domains. A service chain may be signaled by global VNI labels to route network traffic through various services prior to reaching a destination endpoint.
-
Publication No.: US12052329B2
Publication Date: 2024-07-30
Application No.: US18198124
Filing Date: 2023-05-16
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
CPC classification number: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-plane node. As such, when a packet including the hostname corresponding with the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication No.: US20240243971A1
Publication Date: 2024-07-18
Application No.: US18620459
Filing Date: 2024-03-28
Applicant: Cisco Technology, Inc.
Inventor: Pankaj Chitrigi Ganesh , Kyle Andrew Donald Mestery , Danxiang Li , Rahim Lalani , Andrzej Konrad Kielbasinski
IPC: H04L41/082 , H04L12/46 , H04L45/00 , H04L67/1031 , H04L67/563
CPC classification number: H04L41/082 , H04L12/4675 , H04L45/22 , H04L67/1031 , H04L67/563
Abstract: Techniques for the transparent rolling of nodes in a cloud-delivered headend service without disrupting client traffic or making users aware of the various nodes in the system being rolled are described herein. The techniques may include receiving an indication that a first node of a network is to be rolled. Based at least in part on the indication, new connection requests may not be sent to the first intermediate node. Additionally, a client device having an existing connection through the first node may be identified. In some examples, a request may be sent to the client device to prompt the client device to establish a new connection. After determining that the new connection has been established such that the new connection flows through a second node of the network, the first node may be rolled.
-
Publication No.: US11962506B2
Publication Date: 2024-04-16
Application No.: US17335437
Filing Date: 2021-06-01
Applicant: Cisco Technology, Inc.
IPC: H04L47/125 , H04L47/24
CPC classification number: H04L47/125 , H04L47/24
Abstract: Techniques for dynamically load balancing traffic based on predicted and actual load capacities of data nodes are described herein. The techniques may include determining a predicted capacity of a data node of a network during a period of time. The data node may be associated with a first traffic class. The techniques may also include determining an actual capacity of the data node during the period of time, as well as determining that a difference between the actual capacity and the predicted capacity is greater than a threshold difference. Based at least in part on the difference, a number of data flows sent to the data node may be either increased or decreased. Additionally, or alternatively, a data flow associated with a second traffic class may be redirected to the data node during the period of time to be handled according to the first traffic class.
-
Publication No.: US20240080313A1
Publication Date: 2024-03-07
Application No.: US17902201
Filing Date: 2022-09-02
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L9/40
CPC classification number: H04L63/083 , H04L63/0272 , H04L63/0281
Abstract: Techniques for combining independent sessions between application(s) and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., such as QUIC, etc.), coming from a single device to form a single logical session, where the single logical session could share a single authentication/authorization token are described. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN, sending, to the device, a first authentication request, and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.
-