Dynamic Target State Translations
    Type: Invention application

    Publication (announcement) number: US20250158877A1

    Publication (announcement) date: 2025-05-15

    Application number: US18508130

    Application date: 2023-11-13

    Abstract: Devices, systems, methods, and processes for converting target state data are described herein. Network devices are configured with a variety of settings that can be adjusted based on the desired network deployment. These changes can be made by a network engineer, user, or the like. However, the specific commands to adjust the settings are highly technical and difficult for a user to understand. Thus, the user is presented with an abstract representation of the network that they can understand and adjust to a desired deployment configuration. This abstract network configuration is packaged as element target state data, which is then transmitted and converted to network target state data that is used internally within a controller to route to a network device. The network target state data is converted to material target state data, which can be processed by the network devices to apply the desired settings within the device.

    Workload migration for multipath routed network sessions

    Publication (announcement) number: US12255831B2

    Publication (announcement) date: 2025-03-18

    Application number: US17866932

    Application date: 2022-07-18

    Abstract: Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.

    Creating Network-Based Consent Contracts

    Publication (announcement) number: US20250047684A1

    Publication (announcement) date: 2025-02-06

    Application number: US18924631

    Application date: 2024-10-23

    Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.

    DETERMINING SECURITY ACTIONS AT POLICY-ENFORCEMENT POINTS USING METADATA REPRESENTING A SECURITY CHAIN FOR A DATA FLOW

    Publication (announcement) number: US20250039135A1

    Publication (announcement) date: 2025-01-30

    Application number: US18779939

    Application date: 2024-07-22

    Abstract: A system and method are provided that use metadata encoded in a data flow to determine security actions to perform at a policy-enforcement point based on the security-chain context for the data flow that is provided by the metadata (e.g., the security-chain context can include which security operations have been performed upstream on which data packets). The policy-enforcement point receives the data flow and the metadata, including attestations of the security operations that have previously (e.g., upstream) been applied to the data flow. Based on the attested security operations, the policy-enforcement point selects which security actions to apply next to the data flow, e.g., apply additional security operations, allow the data flow into a workload or trust zone, drop the workload, or perform dynamic load balancing.

    QUIC and anycast proxy resiliency
    Type: Granted invention patent

    Publication (announcement) number: US12149596B2

    Publication (announcement) date: 2024-11-19

    Application number: US18542094

    Application date: 2023-12-15

    Abstract: Techniques for managing migrations of QUIC connection session(s) across proxy nodes, data centers, and/or private application nodes are described herein. A global key-value datastore, accessible by proxy nodes and/or application nodes, may store mappings between a first QUIC connection, associated with a proxy node and a client device, on the frontend of the proxy node and a second QUIC connection, associated with the proxy node and an application node, on the backend of the proxy node. With the global key-value datastore being accessible by the proxy nodes, when a proxy node receives a QUIC packet on the front end or the back end, the proxy node may determine where to map this connection to on the opposite end. Additionally, with the global key-value datastore being accessible to the application nodes, when an application node receives a QUIC packet, the application node may determine the client device associated with the connection.

    Network Address Translation (NAT)-based Traffic Steering

    Publication (announcement) number: US20240364628A1

    Publication (announcement) date: 2024-10-31

    Application number: US18769185

    Application date: 2024-07-10

    CPC classification number: H04L45/74 H04L69/165

    Abstract: Techniques for NAT-based steering of traffic in cloud-based networks. The techniques may include establishing, by a frontend node of a network, a connection with a client device. The frontend node may receive, via the connection, a packet including an indication of an identity of a service hosted on a backend node of the network. Based at least in part on the indication, the frontend node may establish a second connection with the backend node. Additionally, the frontend node may store a mapping indicating that packets received from the client device are to be sent to the backend node. The techniques may also include receiving another packet at the frontend node or another frontend node of the network. Based at least in part on the mapping, the frontend node or other frontend node may alter one or more network addresses of the other packet and forward it to the backend node.

    Dynamic proxy placement for policy-based routing

    Publication (announcement) number: US12107937B2

    Publication (announcement) date: 2024-10-01

    Application number: US17679499

    Application date: 2022-02-24

    Abstract: Techniques for operationalizing workloads at edge network nodes, while maintaining centralized intent and policy controls. The techniques may include storing, in a cloud-computing network, a workload image that includes a function capability. The techniques may also include receiving, at the cloud-computing network, a networking policy associated with an enterprise network. Based at least in part on the networking policy, a determination may be made at the cloud-computing network that the function capability is to be operationalized on an edge device of the enterprise network. The techniques may also include sending the workload image to the edge device to be installed on the edge device to operationalize the function capability. In some examples, the function capability may be a security function capability (e.g., proxy, firewall, etc.), a routing function capability (e.g., network address translation, load balancing, etc.), or any other function capability.

    CLOUD-NATIVE WORKLOAD OPTIMIZATION
    Type: Invention publication

    Publication (announcement) number: US20240137320A1

    Publication (announcement) date: 2024-04-25

    Application number: US18544079

    Application date: 2023-12-18

    Abstract: Techniques for orchestrating workloads based on policy to operate in optimal host and/or network proximity in cloud-native environments are described herein. The techniques may include receiving flow data associated with network paths between workloads hosted by a cloud-based network. Based at least in part on the flow data, the techniques may include determining that a utilization of a network path between a first workload and a second workload is greater than a relative utilization of other network paths between the first workload and other workloads. The techniques may also include determining that reducing the network path would optimize communications between the first workload and the second workload without adversely affecting communications between the first workload and the other workloads. The techniques may also include causing at least one of a redeployment or a network path re-routing to reduce the networking proximity between the first workload and the second workload.
