    INTER-DOMAIN NETWORK TENANT IDENTIFIER
    Invention application; status: granted (in force)

    Publication number: US20150063351A1

    Publication date: 2015-03-05

    Application number: US14010707

    Application date: 2013-08-27

    CPC classification number: H04L45/745 H04L45/04 H04L45/741

    Abstract: In one embodiment, a method includes receiving a packet at a tunnel end point in a multi-tenant network, the packet comprising a destination, performing a lookup for the destination in a database comprising a mapping of global identifiers to local tenant identifiers for different hosting locations, each of the global identifiers uniquely identifying a tenant across all of the hosting locations, identifying a destination tunnel end point and a local tenant identifier for the destination, and inserting the destination tunnel end point and the local tenant identifier into the packet and forwarding the packet. An apparatus and logic are also disclosed herein.

    On-demand security association management

    Publication number: US11363073B2

    Publication date: 2022-06-14

    Application number: US17034100

    Application date: 2020-09-28

    Abstract: An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network element associated with the destination endpoint and a security association. The ingress network element encrypts the data for the destination endpoint with the security association according to a cryptographic policy based on the source endpoint, the destination endpoint, and the availability of cryptographic resources on the network. The ingress network element provides the encrypted data to the egress network element.

    ON-DEMAND SECURITY ASSOCIATION MANAGEMENT

    Publication number: US20210014285A1

    Publication date: 2021-01-14

    Application number: US17034100

    Application date: 2020-09-28

    Abstract: An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network element associated with the destination endpoint and a security association. The ingress network element encrypts the data for the destination endpoint with the security association according to a cryptographic policy based on the source endpoint, the destination endpoint, and the availability of cryptographic resources on the network. The ingress network element provides the encrypted data to the egress network element.

    Systems and methods for virtual prefix aggregation in on-demand overlay networks

    Publication number: US10826827B1

    Publication date: 2020-11-03

    Application number: US16514223

    Application date: 2019-07-17

    Abstract: In one embodiment, a router includes processors and computer-readable non-transitory storage media coupled to the processors including instructions executable by the processors. The router may store at least one virtual prefix and an associated aggregation threshold. The router may register, with a mapping database of an overlay network, ownership of individual prefixes served by the router. The router may determine an amount of prefixes served by the router that are within an address space of the virtual prefix. The router may register, based on a determination that the amount of prefixes satisfies the aggregation threshold, ownership of the virtual prefix with the mapping database of the overlay network. The registration of the virtual prefix may cause ownership of one or more of the registered individual prefixes served by the router that are within the address space of the virtual prefix to be deregistered.

    ENTERPRISE NETWORK FABRIC EXTENSION ACROSS MOBILE NETWORKS

    Publication number: US20200344662A1

    Publication date: 2020-10-29

    Application number: US16395817

    Application date: 2019-04-26

    Abstract: In one illustrative example, network fabric policy data associated with an application, subscriber, and/or device may be received. Mobile network policy data that corresponds to the received network fabric policy data may be selected, based on stored policy mappings between a set of network fabric policy profiles of a fabric network and a set of mobile network policy profiles of a mobile network. A bearer or Quality of Service (QoS) flow of the mobile network may be established in satisfaction of the selected mobile network policy data. In addition, a packet filter of a traffic flow template (TFT) or a packet detection rule (PDR) may be generated and applied in order to direct IP traffic flows associated with the application to the established bearer or QoS flow for communication in the mobile network.

    SECURE WAN PATH SELECTION AT CAMPUS FABRIC EDGE

    Publication number: US20200059457A1

    Publication date: 2020-02-20

    Application number: US16104456

    Application date: 2018-08-17

    Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.

    DYNAMIC VPN POLICY MODEL WITH ENCRYPTION AND TRAFFIC ENGINEERING RESOLUTION
    Invention application; status: under examination, published

    Publication number: US20170054758A1

    Publication date: 2017-02-23

    Application number: US15058447

    Application date: 2016-03-02

    Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between connection sites of the VPN based on the high-level network policies. The high-level network policies are translated into low-level device configuration information represented in a network overlay and used for configuring a network underlay that provides the connection sites to the VPN. The network underlay is configured with the device configuration information so that the network underlay implements the VPN in accordance with the high-level policies. It is determined whether the network underlay is operating to direct traffic flows between the connection sites in compliance with the high-level network policies. If it is determined that the network underlay is not operating in compliance, the network underlay is reconfigured with new low-level device configuration information so that the network underlay operates in compliance.

    SYSTEMS, METHODS, AND DEVICES FOR SMART MAPPING AND VPN POLICY ENFORCEMENT
    Invention application; status: under examination, published

    Publication number: US20170026417A1

    Publication date: 2017-01-26

    Application number: US15217154

    Application date: 2016-07-22

    Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router, implementing a high-level policy that has been dynamically resolved into a state of the mapping database.

    Architecture for agentless service insertion
    Invention grant; status: granted (in force)

    Publication number: US09178828B2

    Publication date: 2015-11-03

    Application number: US13872008

    Application date: 2013-04-26

    CPC classification number: H04L47/2425 G06F9/45533 G06F2009/45562

    Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function, to which the service node is connected, with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path, the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged with the policy identifier associated with the data traffic.
