公开(公告)号：US20200322262A1

公开(公告)日：2020-10-08

申请号：US16783843

申请日：2020-02-06

Applicant: Cisco Technology, Inc.

Inventor： Fabio Maino ,  Syed Khalid Raza ,  Alberto Rodriguez Natal ,  Marc Portoles Comeras

IPC: H04L12/725 ,  H04L29/06 ,  H04L29/08 ,  H04L12/46 ,  H04L12/851 ,  H04L12/813 ,  H04L12/715

Abstract: Disclosed are systems and methods for providing policy selection in a software defined network. An example method includes registering, by an enterprise controller on an enterprise domain, in a shared mapping system on a service provider domain, one or more entries specifying one or more services for one or more classes of traffic to yield registered entries, reading, by a service provider controller, from the shared mapping system, the registered entries, posting, by the service provider controller, the one or more entries to one or more routing tables at a software-defined wide area network of the service provider domain and receiving a request, by a mobile node on the enterprise domain, of a specific service for a particular class of packets according to a classification of the particular class of packets based on a particular label defined in the registered entries for the specific service.

公开(公告)号：US20200059457A1

公开(公告)日：2020-02-20

申请号：US16104456

申请日：2018-08-17

Applicant: Cisco Technology, Inc.

Inventor： Syed Khalid Raza ,  Mosaddaq Hussain Turabi ,  Fabio Rodolfo Maino ,  Vina Ermagan ,  Atri Indiresan

IPC: H04L29/06 ,  H04L12/28 ,  H04L12/46

Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.

公开(公告)号：USRE50105E1

公开(公告)日：2024-08-27

申请号：US17677280

申请日：2022-02-22

Applicant: Cisco Technology, Inc.

Inventor： Atif Khan ,  Syed Khalid Raza ,  Nehal Bhau ,  Himanshu H. Shah

IPC: H04L29/06 ,  H04L9/40 ,  H04L12/701 ,  H04L12/715 ,  H04L12/751 ,  H04L45/00 ,  H04L45/02 ,  H04L45/64 ,  H04L12/28

CPC classification number: H04L63/0209 ,  H04L45/00 ,  H04L45/02 ,  H04L45/64 ,  H04L63/0272 ,  H04L63/205 ,  H04L12/2854 ,  H04L63/166

Abstract: A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes is shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.

公开(公告)号：US11516004B2

公开(公告)日：2022-11-29

申请号：US17162473

申请日：2021-01-29

Applicant: Cisco Technology, Inc.

Inventor： Syed Khalid Raza ,  Praveen Raju Kariyanahalli ,  Rameshbabu Prabagaran ,  Amir Khan

IPC: H04L9/08 ,  H04L9/40

Abstract: A method for securing communications for a given network topology is provided. The method comprises generating by a node N(i) of the network, security parameters for the node N(i); transmitting by the node N(i), said security parameters to a controller for the network; maintaining by the controller said security parameters for the node N(i); receiving by the controller a request from a node N(j) for the security parameters for the node N(i); retrieving by the controller the security parameters for the node N(i); and transmitting by the controller said security parameters to the node N(j).

公开(公告)号：US11088992B2

公开(公告)日：2021-08-10

申请号：US16536756

申请日：2019-08-09

Applicant: Cisco Technology, Inc.

Inventor： Lars Olof Stefan Olofsson ,  Atif Khan ,  Syed Khalid Raza ,  Himanshu H. Shah ,  Amir Khan ,  Nehal Bhau

IPC: H04L29/06 ,  H04L12/46 ,  H04L29/08 ,  H04L9/08 ,  H04L12/715

Abstract: A method for operating a network is provided. The method comprises segmenting the network into a plurality of virtual private networks, wherein each virtual private network runs on an underlying physical network; and wherein each virtual private network represents a particular context; and configuring at least some nodes within the network to send and receive traffic based on context.

公开(公告)号：US10944733B2

公开(公告)日：2021-03-09

申请号：US16021281

申请日：2018-06-28

Applicant: Cisco Technology, Inc.

Inventor： Syed Khalid Raza ,  Mosaddaq Hussain Turabi ,  Lars Olaf Stefan Olofsson ,  Atif Khan ,  Praveen Raju Kariyanahalli

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.

公开(公告)号：US10904240B2

公开(公告)日：2021-01-26

申请号：US16705652

申请日：2019-12-06

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Jeffrey Napper ,  David Delano Ward ,  Syed Khalid Raza ,  Sape Jurrien Mullender

IPC: H04L29/06 ,  H04L12/725 ,  H04L12/721

Abstract: Disclosed are concepts for provided for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method also can include storing proof-of-transit data in the traffic flow for tracking an actual path from the application to the service and determining whether the data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting access to the user for the service. When the actual path differs from the mandated path, the method includes denying access to the user.

公开(公告)号：US10277558B2

公开(公告)日：2019-04-30

申请号：US15677001

申请日：2017-08-14

Applicant: Cisco Technology, Inc.

Inventor： Atif Khan ,  Syed Khalid Raza ,  Nehal Bhau ,  Himanshu H. Shah

IPC: H04L29/06 ,  H04L12/751 ,  H04L12/715 ,  H04L12/701 ,  H04L12/28

Abstract: A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers based on an underlying transport network, wherein said establishing comprises running an overlay management protocol to exchange information within the overlay domain; in accordance with the overlay management protocol defining service routes that exist exclusively within the overlay domain wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers; wherein the said routing is through the underlying transport network in a manner in which said overlay routes is shared with the overlay edge routers but not with the underlying transport network via the overlay management protocol.

公开(公告)号：US20160261485A1

公开(公告)日：2016-09-08

申请号：US15156215

申请日：2016-05-16

Applicant: Cisco Technology, Inc.

Inventor： Yi Yang ,  Alvaro E. Retana ,  James L. Ng ,  Abhay Roy ,  Alfred C. Lindem ,  Sina Mirtorabi ,  Timothy M. Gage ,  Syed Khalid Raza

IPC: H04L12/755 ,  H04L12/801 ,  H04L12/751 ,  H04L12/773

CPC classification number: H04L45/021 ,  H04L45/02 ,  H04L45/025 ,  H04L45/54 ,  H04L45/60 ,  H04L47/10 ,  H04L63/0407

Abstract: In one embodiment, a first router determines whether an interface coupling the first router to one or more second routers is transit-only. When the interface is transit-only, the first router generates an Open Shortest Path First (OSPF) Link State Advertisement (LSA) that includes an address for the interface and a designated network mask. The designated network mask operates as a transit-only identification that indicates the address should not be installed in a Routing Information Base (RIB) upon receipt of the OSPF LSA at the one or more second routers. When the network is not transit-only, the first router generates an OSPF LSA that includes the address for the interface but does not include the designated network mask, to permit installation of the address in a RIB upon receipt of the OSPF LSA at the one or more second routers.

Abstract translation: 在一个实施例中，第一路由器确定将第一路由器耦合到一个或多个第二路由器的接口是否只是转接。 当接口只有传输时，第一个路由器生成包含接口地址和指定网络掩码的开放最短路径优先（OSPF）链路状态通告（LSA）。 指定的网络掩码作为仅传输标识操作，其指示在一个或多个第二路由器上接收到OSPF LSA时，该地址不应安装在路由信息库（RIB）中。 当网络不传输时，第一个路由器生成包含接口地址但不包括指定网络掩码的OSPF LSA，以便在接收到OSPF LSA时在一个RIB中安装该地址 或更多的第二路由器。

公开(公告)号：US11496294B2

公开(公告)日：2022-11-08

申请号：US16988439

申请日：2020-08-07

Applicant: Cisco Technology, Inc.

Inventor： Syed Khalid Raza ,  Praveen Raju Kariyanahalli ,  Rameshbabu Prabagaran ,  Amir Khan

IPC: H04L9/08 ,  H04L9/40

Abstract: A method for securing communications for a given network topology is provided. The method comprises generating by a node N(i) of the network, security parameters for the node N(i); transmitting by the node N(i), said security parameters to a controller for the network; maintaining by the controller said security parameters for the node N(i); receiving by the controller a request from a node N(j) for the security parameters for the node N(i); retrieving by the controller the security parameters for the node N(i); and transmitting by the controller said security parameters to the node N(j).