-
Publication No.: US11968277B2
Publication Date: 2024-04-23
Application No.: US17719921
Filing Date: 2022-04-13
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L67/561 , H04L9/40 , H04L12/46 , H04L45/00 , H04L45/42 , H04L61/103 , H04L61/4511 , H04L67/02 , H04L67/101 , H04L67/1012 , H04L67/141 , H04L67/562
CPC classification number: H04L67/561 , H04L12/4633 , H04L12/4641 , H04L45/42 , H04L45/66 , H04L61/103 , H04L61/4511 , H04L63/0236 , H04L63/0281 , H04L63/029 , H04L63/0435 , H04L67/02 , H04L67/101 , H04L67/1012 , H04L67/141 , H04L67/562
Abstract: Techniques for tunneling Layer 2 Ethernet frames over a connection tunnel using the MASQUE protocol are described herein. The MASQUE protocol may be extended with a new entity, configured to proxy Ethernet frames over a MASQUE proxy connection, and an associated CONNECT method, CONNECT-ETH. Using the extended protocol, an Ethernet over MASQUE (EoMASQUE) tunnel may be established between networks that are remote from one another and connected to the internet. An EoMASQUE tunnel established between separate remote client premises, or between a remote client premises and an enterprise premises, tunnels Ethernet frames between its endpoints. Additionally, a first EoMASQUE tunnel, established between a client router provisioned in a first remote client premises and an EoMASQUE proxy node, and a second EoMASQUE tunnel, established between a second client premises and the same proxy node, may together tunnel Ethernet frames between the first and second client premises.
-
Publication No.: US11924107B2
Publication Date: 2024-03-05
Application No.: US17493398
Filing Date: 2021-10-04
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L47/125 , H04L47/10 , H04L47/2416 , H04L47/52 , H04L47/726
CPC classification number: H04L47/125 , H04L47/2416 , H04L47/29 , H04L47/528 , H04L47/726
Abstract: Techniques for orchestrating workloads, based on policy, to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that the utilization of the network path between a first workload and a second workload is greater than the utilization of the other network paths between the first workload and other workloads. The techniques may also include determining that shortening that network path would optimize communications between the first and second workloads without adversely affecting communications between the first workload and the other workloads. The techniques may then cause a redeployment and/or a network path re-routing that shortens the path between the first and second workloads.
-
Publication No.: US11822443B2
Publication Date: 2023-11-21
Application No.: US17902677
Filing Date: 2022-09-02
Applicant: Cisco Technology, Inc.
Inventor: Pierre Pfister , Ian James Wells , Kyle Andrew Donald Mestery , William Mark Townsley , Yoann Desmouceaux , Guillaume Ruty , Aloys Augustin
IPC: G06F11/20 , G06F9/455 , H04L61/2503 , H04L61/58 , H04L101/00
CPC classification number: G06F11/2033 , G06F9/45558 , H04L61/2503 , G06F2009/45595 , G06F2201/85 , H04L61/58 , H04L2101/00
Abstract: This disclosure describes techniques for providing a distributed, scalable architecture for Network Address Translation (NAT) systems with high availability and mitigations for flow breakage during failover events. The NAT servers may include functionality to serve as fast-path servers and/or slow-path servers. A fast-path server may include a NAT worker that holds a cache of NAT mappings, performs stateful network address translation, and forwards packets with minimal latency. A slow-path server may include a mapping server that creates new NAT mappings, retires old ones, and answers state requests from NAT workers. The NAT system may use virtual mapping servers (VMSs) running on primary physical servers, with state-replicated VMSs on different physical failover servers. Additionally, the NAT servers may implement failover for the dynamically allocated routable address/port pairs assigned to new sessions, by assigning a new outbound address/port pair when a session starts and broadcasting the pairing information.
-
Publication No.: US20230262132A1
Publication Date: 2023-08-17
Application No.: US18124435
Filing Date: 2023-03-21
Applicant: Cisco Technology, Inc.
Inventor: Paul Quinn , Kyle Andrew Donald Mestery
IPC: H04L61/4511 , H04L41/0894 , H04L41/50
CPC classification number: H04L61/4511 , H04L41/0894 , H04L41/5058 , H04L2101/668
Abstract: Techniques for policy-based connection provisioning using Domain Name System (DNS) requests are described herein. The techniques may include receiving policy data associated with one or more headend nodes that manage connections to computing resources. Additionally, the techniques may include receiving a DNS request from a client device to establish a connection between the client device and a first headend node of the one or more headend nodes. The DNS request may include an attribute associated with the client device. A provisioning service may determine that the connection should be established between the client device and the first headend node based at least in part on evaluating the attribute with respect to the policy data. Additionally, the techniques may include sending an internet protocol (IP) address, which is associated with the first headend node, to the client device to facilitate establishment of the connection.
-
Publication No.: US11689642B2
Publication Date: 2023-06-27
Application No.: US17376646
Filing Date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery
IPC: H04L67/63 , H04L67/1001 , H04L45/74 , H04L47/2475
CPC classification number: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may respond with a hostname that the client device is to use when sending data-plane traffic to the data-plane node. As such, when a packet carrying the hostname corresponding to the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication No.: US20230155941A1
Publication Date: 2023-05-18
Application No.: US17529098
Filing Date: 2021-11-17
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla , Kyle Andrew Donald Mestery
IPC: H04L12/803 , H04L12/801 , H04L12/855 , H04L12/26
CPC classification number: H04L47/125 , H04L47/29 , H04L47/2466 , H04L43/0852
Abstract: Techniques for a computing resource network to send a packet through a processing flow (e.g., a service chain) according to an order of the processing workloads (e.g., services) included in that flow, configured as an optimized service chain. In some examples, the computing resource network may include a policy evaluation engine configured to determine the order of routing between the services that yields the lowest expected computational cost, based on the probability that a given packet will be terminated or modified at one of the earlier processing workloads in the chain; a prediction engine configured to determine the order of the processing workloads based on a policy and/or telemetry data associated with those workloads; and/or an intelligent routing engine configured to route a packet between the processing workloads in the flow according to that order.
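An added worked example of the ordering decision the policy evaluation engine above is described as making; this is not code from the patent or from Cisco. It assumes a simple model, stated in the docstring, in which each workload has a fixed per-packet cost and an independent probability of terminating the packet. The workload names and the cost/termination figures are constructed sample telemetry.

```python
"""Service-chain ordering by expected cost (added example; not code from the
patent or from Cisco).

Model assumed for the example: each processing workload i has a fixed
per-packet cost c_i and, independently of the others, terminates the packet
(drops it or otherwise ends the chain) with probability p_i, so that every
workload after it is skipped. The expected cost of running the chain in a
given order is then

    E(order) = sum_i c_i * prod_{j before i} (1 - p_j)

and an adjacent-swap argument shows E is minimised by sorting workloads on
c_i / p_i ascending; workloads that never terminate (p_i = 0) go last.
"""
from itertools import permutations
from typing import Dict, List, Sequence, Tuple

# Constructed sample telemetry: workload -> (cost per packet in microseconds,
# observed fraction of packets the workload terminated). Not real data.
SAMPLE_WORKLOADS: Dict[str, Tuple[float, float]] = {
    "dpi":        (40.0, 0.30),
    "acl":        (2.0,  0.25),
    "ids":        (25.0, 0.05),
    "nat":        (3.0,  0.00),  # pure transform, never terminates
    "rate_limit": (1.0,  0.10),
}


def expected_cost(order: Sequence[str],
                  workloads: Dict[str, Tuple[float, float]] = SAMPLE_WORKLOADS) -> float:
    """Expected per-packet cost of running the chain in the given order."""
    total, survive = 0.0, 1.0
    for name in order:
        cost, p_term = workloads[name]
        total += cost * survive          # paid only if the packet got this far
        survive *= 1.0 - p_term          # probability it continues past here
    return total


def optimal_order(workloads: Dict[str, Tuple[float, float]] = SAMPLE_WORKLOADS) -> List[str]:
    """Order minimising expected_cost under the independence model above."""
    def key(item):
        name, (cost, p_term) = item
        if p_term <= 0.0:
            return (1, cost)             # can never save work: run last
        return (0, cost / p_term)
    return [name for name, _ in sorted(workloads.items(), key=key)]


def brute_force_cost(workloads: Dict[str, Tuple[float, float]] = SAMPLE_WORKLOADS) -> float:
    """Exhaustive check of the sort rule; only feasible for small chains."""
    return min(expected_cost(order, workloads) for order in permutations(workloads))


if __name__ == "__main__":
    naive = list(SAMPLE_WORKLOADS)
    best = optimal_order()
    print(f"as configured {naive}: {expected_cost(naive):.2f} us")
    print(f"optimised     {best}: {expected_cost(best):.2f} us")
```

With the sample figures the chain as configured costs about 56.5 us per packet in expectation and the sorted chain about 42.9 us, because the cheap, frequently terminating ACL and rate limiter run before the expensive DPI and IDS stages. Real telemetry rarely satisfies the independence assumption exactly (a packet the ACL drops is often one DPI would also have dropped), which is why the abstract pairs the policy engine with a prediction engine fed by observed data rather than fixed probabilities.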
-
Publication No.: US20230153161A1
Publication Date: 2023-05-18
Application No.: US17529978
Filing Date: 2021-11-18
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Ian James Wells
CPC classification number: G06F9/505 , G06F9/4818
Abstract: Techniques are described for using observability to allocate and deploy workloads for execution by computing resources in a cloud network. The workloads may be allocated and deployed to the computing resources based on metrics. The workloads may be deployed to the computing resources, based on the computing resources providing a number of types of observability that matches the number of metrics. The workloads may be deployed to the computing resources, further based on each of the computing resources matching a corresponding one of the metrics. Deployment of the workloads may be further based on availability of the computing resources. The workloads may be redeployed to other computing resources that provide different types of observability associated with the metrics, in comparison to the initial computing resources. The workloads may be allocated and deployed based on intent based descriptions indicating characteristics utilized to determine types of metrics for providing observability.
-
Publication No.: US11646969B2
Publication Date: 2023-05-09
Application No.: US17388754
Filing Date: 2021-07-29
Applicant: Cisco Technology, Inc.
Inventor: Ian James Wells , Kyle Andrew Donald Mestery , Carlos M. Pignataro , Nagendra Kumar Nainar
CPC classification number: H04L47/24 , H04L45/507
Abstract: This disclosure describes techniques for performing application-based tagging. An example method is performed by a virtual socket of a device. The method includes receiving non-packetized data from an application, generating a label based on the application, and providing the non-packetized data and the label to a kernel of the device.
-
Publication No.: US11625230B2
Publication Date: 2023-04-11
Application No.: US17028715
Filing Date: 2020-09-22
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Ian James Wells , Grzegorz Boguslaw Duraj
Abstract: This disclosure describes techniques and mechanisms for using a domain-specific language (DSL) to express and compile serverless network functions, and for optimizing the deployment location of those serverless network functions on network devices. In some examples, the serverless network functions may be expressed entirely in the DSL (e.g., via a text-based editor, a graphics-based editor, etc.), where the DSL is a computer language specialized to a particular domain, such as the network function domain. In additional examples, the serverless network functions may be expressed and compiled using a DSL in combination with a general-purpose language (GPL). Once a serverless network function has been expressed and/or compiled, the techniques of this disclosure further include determining an optimized network component on which the serverless network function is to execute, and deploying the serverless network function to that network component.
-
Publication No.: US20230097734A1
Publication Date: 2023-03-30
Application No.: US17491163
Filing Date: 2021-09-30
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery , Rahim Lalani , Scott Roy Fluhrer
IPC: H04L29/06
Abstract: A system and computer-implemented method for routing an encrypted packet through a cloud enforcement network based on a metadata tag. The cloud enforcement network applies policy and routing attributes, or tags, outside of the encrypted packet payload, so that the inner packet need not first be decrypted. Traffic prioritization, data protection, and per-application policies are achieved by using such metadata tags for inter-node routing, without deep packet inspection (DPI) or decryption. Furthermore, the metadata itself can be signed or encrypted, depending on the provenance of the data. By applying the metadata tags outside the encrypted packet, the payload need not be decrypted while the packet is in transit for end-to-end policy and routing decisions to be expressed.
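An added example of the routing-on-a-signed-tag idea in the abstract above; this is not code from the patent or from Cisco, and the wire format, the shared HMAC key, the policy table and the sample packets are all assumptions made for the example. It shows an enforcement node choosing a next hop and queue class from an authenticated tag in front of an opaque ciphertext, and dropping packets whose tag was altered or re-attached to a different payload.

```python
"""Route an encrypted packet on a signed metadata tag without decrypting it
(added example; not code from the patent or from Cisco).

Everything about the wire format is an assumption made for this example:

    packet = 2-byte tag length | tag bytes | 32-byte HMAC-SHA256 | ciphertext

The tag is "key=value" pairs joined by ';'. The HMAC is keyed with a secret
shared by the enforcement nodes and covers the tag bytes plus a SHA-256 digest
of the ciphertext, so a tag can neither be altered in transit nor moved onto a
different packet. The ciphertext is opaque to the nodes; here a constructed
byte string stands in for an encrypted inner packet. Routing and queueing
decisions read only the verified tag.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

MAC_LEN = 32
TAG_KEY = b"shared-enforcement-node-key"   # assumption: provisioned out of band

# Assumed policy table: application tag -> (next hop, queue class).
POLICY: Dict[str, Tuple[str, str]] = {
    "voice":   ("node-edge-2", "expedited"),
    "backup":  ("node-bulk-1", "best-effort"),
    "finance": ("node-dlp-1",  "inspect"),
}
DEFAULT_ROUTE = ("node-edge-1", "best-effort")
DROP = ("drop", "unauthenticated-tag")


def _mac(tag_bytes: bytes, ciphertext: bytes, key: bytes) -> bytes:
    # Binding the ciphertext digest into the MAC stops tag transplantation.
    bound = tag_bytes + hashlib.sha256(ciphertext).digest()
    return hmac.new(key, bound, hashlib.sha256).digest()


def build_packet(tag: Dict[str, str], ciphertext: bytes, key: bytes = TAG_KEY) -> bytes:
    """Attach a signed tag in front of an already-encrypted payload."""
    tag_bytes = ";".join(f"{k}={v}" for k, v in sorted(tag.items())).encode("utf-8")
    return struct.pack("!H", len(tag_bytes)) + tag_bytes + _mac(tag_bytes, ciphertext, key) + ciphertext


def parse_packet(packet: bytes, key: bytes = TAG_KEY) -> Optional[Tuple[Dict[str, str], bytes]]:
    """Return (tag, ciphertext) if the tag authenticates, otherwise None."""
    if len(packet) < 2:
        return None
    (tag_len,) = struct.unpack("!H", packet[:2])
    mac_start = 2 + tag_len
    if len(packet) < mac_start + MAC_LEN:
        return None
    tag_bytes = packet[2:mac_start]
    mac = packet[mac_start:mac_start + MAC_LEN]
    ciphertext = packet[mac_start + MAC_LEN:]
    # Verify before parsing: nothing in an unauthenticated tag is trusted.
    if not hmac.compare_digest(mac, _mac(tag_bytes, ciphertext, key)):
        return None
    try:
        text = tag_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return None
    tag: Dict[str, str] = {}
    for item in filter(None, text.split(";")):
        k, _, v = item.partition("=")
        tag[k] = v
    return tag, ciphertext


def route(packet: bytes, key: bytes = TAG_KEY) -> Tuple[str, str]:
    """Next hop and queue class chosen from the tag alone; the ciphertext is never decrypted."""
    parsed = parse_packet(packet, key)
    if parsed is None:
        return DROP
    tag, _ciphertext = parsed
    return POLICY.get(tag.get("app", ""), DEFAULT_ROUTE)


if __name__ == "__main__":
    inner = os.urandom(48)                          # stands in for an encrypted inner packet
    pkt = build_packet({"app": "voice", "tenant": "acme"}, inner)
    print("genuine:", route(pkt))
    forged = bytearray(pkt)
    forged[2 + len("app=")] ^= 0x01                 # flip one bit of the tag value
    print("tampered tag:", route(bytes(forged)))
```

Two design points carry over to any real deployment of this pattern. First, the node must verify the tag before it parses or acts on it, so a forged "app=voice" cannot buy expedited treatment; a symmetric HMAC works when every enforcement node is trusted with the key, while a signature (the abstract's "signed" case) is the choice when the tagging party and the routing nodes are different trust domains. Second, the tag must be bound to the specific ciphertext it accompanies, otherwise an attacker can lift a legitimately signed high-priority tag from one packet and attach it to arbitrary traffic.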