-
1.
Publication (Announcement) No.: US11165828B2
Publication (Announcement) Date: 2021-11-02
Application No.: US16289647
Application Date: 2019-02-28
Applicant: Cisco Technology, Inc.
Inventor: Rajagopalan Janakiraman, Ronak K. Desai, Sivakumar Ganapathy, Mohammed Javed Asghar, Azeem Suleman, Patel Amitkumar Valjibhai
Abstract: Systems, methods, and computer-readable media for policy splitting in multi-cloud fabrics. In some examples, a method can include discovering a path from a first endpoint in a first cloud to a second endpoint in a second cloud; determining runtime policy table capacities associated with nodes in the path; determining policy distribution and enforcement for traffic from the first endpoint to the second endpoint based on the runtime policy table capacities; based on the policy distribution and enforcement, installing a set of policies for traffic from the first endpoint to the second endpoint across a set of nodes in the path; and applying the set of policies to traffic from the first endpoint in the first cloud to the second endpoint in the second cloud.
-
2.
Publication (Announcement) No.: US11057350B2
Publication (Announcement) Date: 2021-07-06
Application No.: US16426336
Application Date: 2019-05-30
Applicant: Cisco Technology, Inc.
Inventor: Rajagopalan Janakiraman, Sivakumar Ganapathy, Azeem Suleman, Mohammed Javed Asghar, Patel Amitkumar Valjibhai, Ronak K. Desai
IPC: H04L29/06, H04L12/721, H04L12/46, H04L29/08, H04L29/12
Abstract: Technologies for extending a subnet across on-premises and cloud-based deployments are provided. An example method may include creating a VPC in a cloud for hosting an endpoint being moved from an on-premises site. For the endpoint to retain its IP address, a subnet range assigned to the VPC, based on the smallest subnet mask allowed by the cloud, is selected to include the IP address of the endpoint. The IP addresses from the assigned subnet range corresponding to on-premises endpoints are configured as secondary IP addresses on a Layer 2 (L2) proxy router instantiated in the VPC. The L2 proxy router establishes a tunnel to a cloud overlay router and directs traffic destined to on-premises endpoints with IP addresses in the VPC subnet range over that tunnel for outbound transmission. The cloud overlay router updates the secondary IP addresses on the L2 proxy router based on reachability information for the on-premises site.
-
3.
Publication (Announcement) No.: US20200280587A1
Publication (Announcement) Date: 2020-09-03
Application No.: US16289647
Application Date: 2019-02-28
Applicant: Cisco Technology, Inc.
Inventor: Rajagopalan Janakiraman, Ronak K. Desai, Sivakumar Ganapathy, Mohammed Javed Asghar, Azeem Suleman, Patel Amitkumar Valjibhai
Abstract: Systems, methods, and computer-readable media for policy splitting in multi-cloud fabrics. In some examples, a method can include discovering a path from a first endpoint in a first cloud to a second endpoint in a second cloud; determining runtime policy table capacities associated with nodes in the path; determining policy distribution and enforcement for traffic from the first endpoint to the second endpoint based on the runtime policy table capacities; based on the policy distribution and enforcement, installing a set of policies for traffic from the first endpoint to the second endpoint across a set of nodes in the path; and applying the set of policies to traffic from the first endpoint in the first cloud to the second endpoint in the second cloud.
-
4.
Publication (Announcement) No.: US11368484B1
Publication (Announcement) Date: 2022-06-21
Application No.: US16396096
Application Date: 2019-04-26
Applicant: Cisco Technology, Inc.
Inventor: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
IPC: H04L101/622, G06F9/455, H04L61/103, H04L9/40
Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
-
5.
Publication (Announcement) No.: US11336515B1
Publication (Announcement) Date: 2022-05-17
Application No.: US17179692
Application Date: 2021-02-19
Applicant: Cisco Technology, Inc.
Inventor: Munish Mehta, Sundeep Kumar Singh, Shyam N. Kapadia, Mohammed Javed Asghar, Lukas Krattiger
IPC: H04L41/0806, H04L61/2596, H04L69/22, H04L12/46
Abstract: Presented herein are systems and methods to enable simultaneous interoperability with policy-aware and policy-unaware data center sites. A multi-site orchestrator (MSO) device can be configured to obtain configuration information for each of a plurality of different data center sites. The data center sites may include one or more on-premises sites and one or more off-premises sites, each of which may include one or more policy-aware sites and/or one or more policy-unaware sites. The MSO can selectively use namespace translations to create a unified fabric across the different data center sites, enabling one or more hosts and/or applications at a first of the data center sites to communicate with one or more hosts and/or applications at a second of the data center sites, regardless of the sites' respective configurations.
-
6.
Publication (Announcement) No.: US20220263865A1
Publication (Announcement) Date: 2022-08-18
Application No.: US17736748
Application Date: 2022-05-04
Applicant: Cisco Technology, Inc.
Inventor: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
IPC: H04L9/40, G06F9/455, H04L61/103, H04L101/622
Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
-
7.
Publication (Announcement) No.: US20200382471A1
Publication (Announcement) Date: 2020-12-03
Application No.: US16426336
Application Date: 2019-05-30
Applicant: Cisco Technology, Inc.
Inventor: Rajagopalan Janakiraman, Sivakumar Ganapathy, Azeem Suleman, Mohammed Javed Asghar, Patel Amitkumar Valjibhai, Ronak K. Desai
IPC: H04L29/06, H04L12/721, H04L29/12, H04L29/08, H04L12/46
Abstract: Technologies for extending a subnet across on-premises and cloud-based deployments are provided. An example method may include creating a VPC in a cloud for hosting an endpoint being moved from an on-premises site. For the endpoint to retain its IP address, a subnet range assigned to the VPC, based on the smallest subnet mask allowed by the cloud, is selected to include the IP address of the endpoint. The IP addresses from the assigned subnet range corresponding to on-premises endpoints are configured as secondary IP addresses on a Layer 2 (L2) proxy router instantiated in the VPC. The L2 proxy router establishes a tunnel to a cloud overlay router and directs traffic destined to on-premises endpoints with IP addresses in the VPC subnet range over that tunnel for outbound transmission. The cloud overlay router updates the secondary IP addresses on the L2 proxy router based on reachability information for the on-premises site.
-
8.
Publication (Announcement) No.: US11757935B2
Publication (Announcement) Date: 2023-09-12
Application No.: US17736748
Application Date: 2022-05-04
Applicant: Cisco Technology, Inc.
Inventor: Govind Prasad Sharma, Eshwar Rao Yedavalli, Mohammed Javed Asghar, Ashwath Kumar Chandrasekaran, Swapnil Mankar, Umamaheswararao Karyampudi
IPC: H04L9/40, G06F9/455, H04L61/103, H04L101/622
CPC classification number: H04L63/1483, G06F9/45558, H04L61/103, H04L63/10, G06F2009/4557, G06F2009/45595, H04L2101/622
Abstract: Methods to secure against IP address thefts by rogue devices in a virtualized datacenter are provided. Rogue devices are detected and distinguished from a migration of an endpoint in a virtualized datacenter. A first hop network element in one or more network fabrics intercepts a request that includes an identity of an endpoint and performs a local lookup for the endpoint entity identifier. Based on the lookup not finding the endpoint entity identifier, the first hop network element broadcasts a message such as a remote media access address (MAC) query to other network elements in the one or more network fabrics. Based on the received response, which may include an IP address associated with the MAC address, the first hop network element performs a theft validation process to determine whether the request originated from a migrated endpoint or a rogue device.
-
9.
Publication (Announcement) No.: US20210234898A1
Publication (Announcement) Date: 2021-07-29
Application No.: US16750841
Application Date: 2020-01-23
Applicant: Cisco Technology, Inc.
Inventor: Ronak K. Desai, Rajagopalan Janakiraman, Mohammed Javed Asghar, Azeem Suleman, Patel Amitkumar Valjibhai, Sanjay Kumar Hooda, Victor Manuel Moreno
IPC: H04L29/06, H04L12/813, H04L12/947, H04L29/12
Abstract: The present technology pertains to a system, method, and non-transitory computer-readable medium for orchestrating policies across multiple networking domains. The technology can receive, at a provider domain from a consumer domain, a data request; receive, at the provider domain from the consumer domain, at least one access policy for the consumer domain; translate, at the provider domain, the at least one access policy for the consumer domain into at least one translated access policy understood by the provider domain; apply, at the provider domain, the at least one translated access policy understood by the provider domain to the data request; and send, at the provider domain to the consumer domain, a response to the data request.