DYNAMIC DEVICE ISOLATION IN A NETWORK
    51.
    Invention patent application

    Publication (announcement) number: US20180255092A1

    Publication (announcement) date: 2018-09-06

    Application number: US15446707

    Application date: 2017-03-01

    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

    VIRTUAL ACCESS POINT (VAP) FORMATION
    52.
    Invention patent application

    Publication (announcement) number: US20180124688A1

    Publication (announcement) date: 2018-05-03

    Application number: US15491203

    Application date: 2017-04-19

    CPC classification number: H04W48/14 H04L1/18 H04W24/02 H04W88/08

    Abstract: In one embodiment, a supervisory device in a network receives, from a plurality of access points (APs) in the network, data regarding a network availability request broadcast by a node seeking to access the network and received by the APs in the plurality. The supervisory device uniquely associates the node with a virtual access point (VAP) for the node and forms a VAP mapping between the VAP for the node and a set of the APs in the plurality selected based on the received data regarding the network availability request. One of the APs in the mapping is designated as a primary access point for the node. The supervisory device instructs the primary AP to send a network availability response to the node that includes information for the VAP. The node uses the information for the VAP to access the network via the set of APs in the VAP mapping.

    PROTECTING ADDRESS RESOLUTION PROTOCOL NEIGHBOR DISCOVERY CACHE AGAINST DENIAL OF SERVICE ATTACKS
    54.
    Invention patent application
    Status: pending, published

    Publication (announcement) number: US20150195304A1

    Publication (announcement) date: 2015-07-09

    Application number: US14666717

    Application date: 2015-03-24

    Abstract: In one embodiment, a device (e.g., switch or registry) maintains a binding table for all internet protocol (IP) addresses in a particular subnet associated with the device, and in response to receiving a neighbor solicitation (NS) lookup message from a router for a particular address, determines whether the particular address is within the binding table. When the particular address is not within the binding table, the device causes the router to not store the particular address in a neighbor discovery (ND) cache at the router (e.g., by responding to clear the cache, or ignoring to prevent state from being created). In another embodiment, the ND-requesting router ensures that the particular address is not kept in an ND cache at the router in response to the device indicating that the particular address is not within its binding table (e.g., an explicit response to clear, or absence of instruction to store state).


    THROTTLING AND LIMITING THE SCOPE OF NEIGHBOR SOLICITATION (NS) TRAFFIC
    55.
    Invention patent application
    Status: granted (in force)

    Publication (announcement) number: US20140282864A1

    Publication (announcement) date: 2014-09-18

    Application number: US13795993

    Application date: 2013-03-12

    CPC classification number: H04L63/1458 H04W12/12

    Abstract: In one embodiment, a switch in a computer network may receive a neighbor solicitation (NS) message for a target node for which no neighbor authentication (NA) reply has been received at the switch. The switch may then determine whether to forward the NS message to only non-constrained links of the switch, or to both non-constrained links and constrained links of the switch. The determining may be configured to intermittently result in forwarding the NS message for the target node to both the non-constrained links and the constrained links. The switch may then forward the NS message according to the determination.


    IPV6/IPV4 RESOLUTION-LESS FORWARDING UP TO A DESTINATION
    56.
    Invention patent application
    Status: granted (in force)

    Publication (announcement) number: US20140269717A1

    Publication (announcement) date: 2014-09-18

    Application number: US13839259

    Application date: 2013-03-15

    Abstract: In one embodiment, a switch in a computer network intercepts a packet to a destination target, the packet having a solicited node multicast address of the target as a destination media access control (MAC) address of the packet. As such, the switch may determine whether the solicited node multicast address is a hit or miss within a switch hardware table of the switch, and in response to a hit, re-writes the destination MAC address with a known value of the destination target from the table, and unicasts the packet to the destination target. In one or more additional embodiments, in response to a miss, and in response to a single-switch architecture, the switch drops the packet, while in response to a miss, and in response to a multi-switch architecture, the switch may compute a repository switch for the solicited multicast destination, and unicasts the packet to the computed repository switch.


    Determining session duration for device authentication

    Publication (announcement) number: US12231417B2

    Publication (announcement) date: 2025-02-18

    Application number: US18120889

    Application date: 2023-03-13

    Abstract: Techniques for adjusting a duration of an authenticated user device session. A baseline session duration is determined for a session for which a user account is authorized in response to a request for authentication. A first session is established on behalf of a user device associated with the user account based at least in part on the user account performing a first authentication. A posture associated with the user device is determined. The baseline duration is then adjusted to a dynamic duration based at least in part upon the posture associated with the user device. Based at least in part on the dynamic duration, the user can be required to re-authenticate.

    Observing virtual connectivity reactivity upon mobility events

    Publication (announcement) number: US12213052B2

    Publication (announcement) date: 2025-01-28

    Application number: US17750229

    Application date: 2022-05-20

    Abstract: In one embodiment, an illustrative method herein may comprise: receiving, at a first edge device, a direct indication from a second edge device that a mobile device has moved from the first to the second edge device; determining, based on the direct indication, a first time at which the mobile device attached to the second edge device; receiving a network routing update message indicative of a routing update for the mobile device having moved to the second edge device; determining, based on the network routing update message, a second time at which convergence completed at the first edge device; and calculating a convergence time for the mobile device to be detected as having moved to the second edge device based on a difference between the first time and the second time.

    OBFUSCATING SERVER-SIDE ADDRESSES
    59.
    Invention patent application

    Publication (announcement) number: US20240406144A1

    Publication (announcement) date: 2024-12-05

    Application number: US18205464

    Application date: 2023-06-02

    Abstract: Techniques for using Locator ID Separation Protocol (LISP), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to obfuscate server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns an endpoint identifier (EID) that is mapped to the client device and at least one routing locator (RLOC) of the endpoint device. In this way, IP addresses of servers are obfuscated by a network mapping of EIDs and RLOCs. The client device may then communicate data packets to the server using the EID as the destination address, and a virtual network service that works in conjunction with DNS can encapsulate the data packet with the RLOC using LISP and forward the data packet onto the server.

    Virtual server address selection
    60.
    Granted invention patent

    Publication (announcement) number: US12155622B1

    Publication (announcement) date: 2024-11-26

    Application number: US18237590

    Application date: 2023-08-24

    Abstract: Techniques for varying locations of virtual networks associated with endpoints using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS). Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. The VIP address may be selected based on a number of factors (e.g., power usage, privacy requirements, virtual distances, etc.). In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses that can be periodically rotated and/or load balanced. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.
