-
Publication No.: US20250030737A1
Publication Date: 2025-01-23
Application No.: US18224220
Filing Date: 2023-07-20
Applicant: Cisco Technology, Inc.
Inventor: Srilatha Tangirala, Venkatesh Nataraj, Ambika Basappa Chandrappa, Kartik Katti, Sasi Veera, Balaji Sundararajan
IPC: H04L9/40
Abstract: Techniques for automatically integrating SD-WAN constructs to security policies are described. The techniques may include defining, by a security cloud provider, a security policy for an entity, the entity represented by a VPN security policy label and the security policy absent source and destination CIDR IP addresses. The security cloud provider notifies an SD-WAN controller of the security policy. The SD-WAN controller maps the VPN security policy label to an IP address pool and a VPN ID. The SD-WAN controller generates an enhanced security policy by automatically adding source and destination CIDR IP addresses to the security policy. The SD-WAN controller deploys the enhanced security policy to an SD-WAN branch router and generates a VPN segment between the SD-WAN branch router and the security cloud provider to establish a common secure internet gateway tunnel for the IP address pool.
-
Publication No.: US12132660B2
Publication Date: 2024-10-29
Application No.: US17718775
Filing Date: 2022-04-12
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Srilatha Tangirala, Ajeet Pal Singh Gill, Vivek Agarwal, Nithin Bangalore Raju
Abstract: According to certain embodiments, a method by a network device includes receiving a handshake message for a traffic flow from a Software-Defined Wide-Area Network (SDWAN) and determining, from a traffic policy, whether the traffic flow should be symmetrical. In response to determining from the traffic policy that the traffic flow should be symmetrical, the method further includes performing a flow lookup on the traffic flow to determine if the network device originated the traffic flow. In response to determining that the network device did not originate the traffic flow, the method further includes determining a second network device that originated the traffic flow and sending the handshake message for the traffic flow to the second network device in order to maintain symmetry for the traffic flow.
-
Publication No.: US12127020B2
Publication Date: 2024-10-22
Application No.: US18524474
Filing Date: 2023-11-30
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Sanjay Kumar Hooda, Venkatesh Ramachandra Gota, Chandramouli Balasubramanian, Anand Oswal
CPC classification number: H04W24/08, H04W28/0221, H04W28/0284, H04W28/0289, H04W28/24, H04W36/22, H04W48/06
Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.
-
Publication No.: US20240333689A1
Publication Date: 2024-10-03
Application No.: US18128824
Filing Date: 2023-03-30
Applicant: Cisco Technology, Inc.
Inventor: Pritam Baruah, Balaji Sundararajan, Nithin Bangalore Raju, Srilatha Tangirala, Ramakumara Kariyappa
IPC: H04L9/40
CPC classification number: H04L63/0281, H04L63/0236, H04L63/20
Abstract: Techniques for utilizing a network gateway provisioned in a software-defined network to verify service readiness of one or more security service(s) of a service chain prior to redirecting network traffic along a given data-path to the security service(s). The gateway may be configured to open a specific port on a network device hosting a security service to transmit network policies and/or test network traffic to the security service. The network gateway may host a virtual source and/or a virtual destination and cause the virtual source to send test network traffic through the security service via the port and to the virtual destination. The gateway may then utilize the received test network traffic to determine whether a given security service satisfies a threshold health and/or functionality measurement. Once it is determined that the security service satisfies the thresholds, the gateway may cause network traffic to be redirected to the security service.
-
Publication No.: US12095652B1
Publication Date: 2024-09-17
Application No.: US18328566
Filing Date: 2023-06-02
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Satish Kumar Mahadevan, Ramakumara Kariyappa, Ganesh Devendrachar, Arul Murugan Manickam, Samir D Thoria, Pritam Baruah, Deepa Rajendra Sangolli, Avinash Shah
IPC: H04L45/17, H04L43/0817, H04L45/24
CPC classification number: H04L45/17, H04L43/0817, H04L45/24
Abstract: Techniques are described for suppressing data plane traffic using a service monitoring policy for data plane control. If a service provided to a router becomes nonfunctional, preventing the router from being able to forward traffic to a next-hop device, data plane traffic from client devices on the data plane that requires the use of the nonfunctioning service is suppressed. Additionally, new communication pathways to the router that will use the nonfunctioning service are prevented from being established. Traffic is redirected to another router with a functioning service. Thus, traffic that may normally be directed to the router with the nonfunctioning service and not able to be forwarded (e.g., blackholing of data) can be forwarded to the other router.
-
Publication No.: US20240267325A1
Publication Date: 2024-08-08
Application No.: US18604972
Filing Date: 2024-03-14
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Ramakumara Kariyappa, Nithin Bangalore Raju, Bhairav Dutia, Vivek Agarwal, Satish Mahadevan, Ankur Bhargava
IPC: H04L45/586, H04L45/748, H04L61/5061
CPC classification number: H04L45/586, H04L45/748, H04L61/5061
Abstract: Symmetric networking techniques disclosed herein can be applied by gateway routers in cloud networks. The techniques can ensure that both outbound traffic received at a cloud from a branch device and return traffic directed from the cloud back to the branch device are processed by a same gateway router. The gateway router can use network address translation to insert IP addresses from an inside pool and an outside pool assigned to the router.
-
Publication No.: US20240259305A1
Publication Date: 2024-08-01
Application No.: US18632852
Filing Date: 2024-04-11
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Khalil A. Jabr, Anand Oswal, Vivek Agarwal, Chandramouli Balasubramanian
CPC classification number: H04L45/64, H04L12/4641, H04L45/04, H04L45/50, H04L47/2441, H04L63/162
Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.
-
Publication No.: US20240205243A1
Publication Date: 2024-06-20
Application No.: US18591090
Filing Date: 2024-02-29
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal
CPC classification number: H04L63/1416, G06F9/45558, H04L43/08, H04L47/20, H04L49/25, H04L63/20, G06F2009/45587, G06F2009/45595
Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
-
Publication No.: US20240106855A1
Publication Date: 2024-03-28
Application No.: US18106891
Filing Date: 2023-02-07
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Vivek Agarwal, Vishnuprasad Raghavan, Kannan Kumar, Chandra Balaji Rajaram
IPC: H04L9/40
CPC classification number: H04L63/1466, H04L63/0227
Abstract: This disclosure describes techniques and mechanisms for improving security within SDWAN fabric and utilizing telemetry data from non-enterprise providers to remediate compromised SDWAN site(s) and/or user(s). The techniques may implement an integration of non-enterprise application(s) and API(s) with an enterprise network, thereby enabling the enterprise network to identify compromised endpoint(s), identify user(s), group(s), site(s) that are impacted, and take a corrective action (by the enterprise network and/or the non-enterprise application(s) or API(s)) on the enterprise fabric.
-
Publication No.: US11924046B1
Publication Date: 2024-03-05
Application No.: US18075276
Filing Date: 2022-12-05
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Bhairav Dutia, Ankur Bhargava, Satish Mahadevan, Srinivas Yalamanchanli, Ziad Sarieddine, Nikolai Pitaev
IPC: H04L41/12, H04L41/0894, H04L67/52
CPC classification number: H04L41/12, H04L41/0894, H04L67/52
Abstract: This disclosure describes techniques and mechanisms for a central management plane to automatically create and assign system identifiers to network devices, thereby creating a global network hierarchy within a network. The techniques enable a system identifier to be automatically generated and assigned, as well as configuration and network policies to be automatically generated based on the system identifier. Accordingly, the techniques enable automation of regional connectivity and policy application, a simplified manner of troubleshooting/debugging any connectivity issues, and a simplified, aggregated view of statistics and analytics related to problems at site, sub-region, and region levels.
-