公开(公告)号：US20200344662A1

公开(公告)日：2020-10-29

申请号：US16395817

申请日：2019-04-26

Applicant: Cisco Technology, Inc.

Inventor： Fabio R. Maino ,  Vina Ermagan ,  Marc Portoles Comeras ,  John Martin Graybeal ,  Alberto Rodriguez Natal

IPC: H04W40/02 ,  H04W76/12 ,  H04L12/26

Abstract: In one illustrative example, network fabric policy data associated with an application, subscriber, and/or device may be received. Mobile network policy data that corresponds to the received network fabric policy data may be selected, based on stored policy mappings between a set of network fabric policy profiles of a fabric network and a set of mobile network policy profiles of a mobile network. A bearer or Quality of Service (QoS) flow of the mobile network may be established in satisfaction of the selected mobile network policy data. In addition, a packet filter of a traffic flow template (TFT) or a packet detection rule (PDR) may be generated and applied in order to direct IP traffic flows associated with the application to the established bearer or QoS flow for communication in the mobile network.

公开(公告)号：US20170054758A1

公开(公告)日：2017-02-23

申请号：US15058447

申请日：2016-03-02

Applicant: Cisco Technology, Inc.

Inventor： Fabio R. Maino ,  Horia Miclea ,  John Evans ,  Brian Eliot Weis ,  Vina Ermagan

IPC: H04L29/06

CPC classification number: H04L47/781 ,  H04L41/0823 ,  H04L41/5025 ,  H04L43/0882 ,  H04L45/64

Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between connection sites of the VPN based on the high-level network policies. The high-level network policies are translated into low-level device configuration information represented in a network overlay and used for configuring a network underlay that provides the connections sites to the VPN. The network underlay is configured with the device configuration information so that the network underlay implements the VPN in accordance with the high-level policies. It is determined whether the network underlay is operating to direct traffic flows between the connection sites in compliance with the high-level network policies. If it is determined that the network underlay is not operating in compliance, the network underlay is reconfigured with new low-level device configuration information so that the network underlay operates in compliance.

Abstract translation: 收到代表虚拟专用网（VPN）作为高级策略模型的高级网络策略。 VPN是基于高级网络策略在VPN的连接站点之间提供安全连接。 高级网络策略被转换为在网络覆盖中表示的低级设备配置信息，并用于配置向VPN提供连接站点的网络底层。 网络底层配置了设备配置信息，使得网络底层根据高级策略实现VPN。 确定网络底层是否正在操作以在连接站点之间引导符合高级网络策略的业务流。 如果确定网络底层不符合操作，则使用新的低级设备配置信息来重新配置网络底层，使得网络底层符合操作。

公开(公告)号：US20170026417A1

公开(公告)日：2017-01-26

申请号：US15217154

申请日：2016-07-22

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Vina Ermagan ,  Fabio R. Maino ,  Florin T. Coras ,  Marius Horia Miclea ,  John William Evans ,  Paul Quinn ,  Darrel Jay Lewis ,  Brian E. Weis

IPC: H04L29/06 ,  H04L12/741 ,  H04L29/12 ,  H04L12/46

CPC classification number: H04L63/20 ,  H04L12/4633 ,  H04L12/4641 ,  H04L45/54 ,  H04L45/64 ,  H04L45/74 ,  H04L61/251 ,  H04L63/0272 ,  H04L63/029 ,  H04L63/0428 ,  H04L63/06 ,  H04L69/03

Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router implementing an high level policy that has been dynamically resolved into a state of the mapping database.

Abstract translation: 实施例的方面涉及通过北向接口将端点标识符（EID）和路由定位器（RLOC）之间的映射直接编程到映射系统的映射数据库中的系统，方法和计算机程序产品; 从与第一虚拟网络相关联的第一隧道路由器接收对第二虚拟网络的映射请求，所述第一路由器符合定位符/ ID分离协议，所述映射请求包括包含源标识符和目的地的EID元组 标识符 至少部分地基于来自映射数据库的EID元组的目的地标识符来识别RLOC; 并将RLOC发送到实现已经被动态地解析成映射数据库的状态的高级策略的第一隧道路由器。

公开(公告)号：US09178828B2

公开(公告)日：2015-11-03

申请号：US13872008

申请日：2013-04-26

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Surendra M. Kumar ,  Dileep K. Devireddy ,  Nagaraj A. Bagepalli ,  Abhijit Patra ,  Vina Ermagan ,  Fabio R. Maino ,  Victor Manuel Moreno ,  Paul Quinn

IPC: G06F9/455 ,  H04L12/851

CPC classification number: H04L47/2425 ,  G06F9/45533 ,  G06F2009/45562

Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.

Abstract translation: 在一个示例中提供了在网络环境中的服务插入的示例方法，并且包括通过标记服务节点与其连接的虚拟交换机功能的一个或多个接口端口与一个或多个策略标识符来配置服务节点。 当在虚拟覆盖路径上接收到与策略标识符相关联的数据流量时，虚拟交换机功能可以终止虚拟覆盖路径，并将原始数据流直接引导到标记为与数据相关联的策略标识符的服务节点的接口端口 交通。

公开(公告)号：US20150101029A1

公开(公告)日：2015-04-09

申请号：US14570902

申请日：2014-12-15

Applicant: Cisco Technology, Inc.

Inventor： Fabio R. Maino ,  Marco Di Benedetto ,  Claudio Desanti

IPC: H04L29/06

CPC classification number: H04L63/123 ,  H04L9/0838 ,  H04L9/3239 ,  H04L63/12

Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.

Abstract translation: 提供了用于改进光纤通道网络中的基于节点和基于消息的安全性的方法和装置。 可以将实体认证和密钥交换服务的实体包括在用于将光纤信道网络实体引入光纤信道结构的现有初始化消息中，或者通过已经初始化的通信信道交换的特定消息。 可以使用认证和密钥交换服务来激活每消息认证和加密机制。 在光纤通道网络实体之间通过的消息可以使用在认证序列期间提供的信息进行加密和认证。 可以实现诸如每消息认证，机密性，完整性保护和反重放保护等安全服务。

公开(公告)号：US20150029987A1

公开(公告)日：2015-01-29

申请号：US14485050

申请日：2014-09-12

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Sateesh K. Addepalli ,  Lillian Lei Dai ,  Flavio Bonomi ,  Xiaoqing Zhu ,  Fabio R. Maino ,  Pere Monclus ,  Rong Pan ,  Preethi Natarajan ,  Vina Ermagan ,  Alexander Loukissas

IPC: H04W72/04 ,  H04W12/06 ,  H04W40/20 ,  H04W48/02 ,  H04W48/18 ,  H04W28/02

CPC classification number: H04W4/046 ,  B60R16/023 ,  B60W50/10 ,  G06F3/017 ,  G06F3/167 ,  G06F9/542 ,  G06F21/45 ,  H04L1/008 ,  H04L29/06578 ,  H04L43/0811 ,  H04L43/0858 ,  H04L43/0876 ,  H04L45/12 ,  H04L51/02 ,  H04L61/2592 ,  H04L63/08 ,  H04L63/107 ,  H04L67/12 ,  H04L67/32 ,  H04L69/18 ,  H04Q9/00 ,  H04W4/00 ,  H04W4/10 ,  H04W8/06 ,  H04W8/08 ,  H04W8/26 ,  H04W12/02 ,  H04W12/04 ,  H04W12/06 ,  H04W12/08 ,  H04W28/0215 ,  H04W28/06 ,  H04W36/0009 ,  H04W36/08 ,  H04W40/02 ,  H04W40/20 ,  H04W48/02 ,  H04W48/06 ,  H04W48/16 ,  H04W48/18 ,  H04W52/12 ,  H04W52/143 ,  H04W52/225 ,  H04W52/241 ,  H04W52/346 ,  H04W72/0406 ,  H04W72/042 ,  H04W72/0493 ,  H04W76/45 ,  H04W80/02 ,  H04W84/005 ,  H04W84/12 ,  H04W92/18 ,  Y02A30/60

Abstract: A method in one embodiment includes intercepting a message in an on-board unit (OBU) of a vehicular network environment between a source and a receiver in the vehicular network environment, verifying the message is sent from the source, verifying the message is not altered, evaluating a set of source flow control policies associated with the source, and blocking the message if the set of source flow control policies indicate the message is not permitted. In specific embodiments, the message is not permitted if a level of access assigned to the source in the set of source flow control policies does not match a level of access tagged on the message. In further embodiments, the method includes evaluating a set of receiver flow control policies associated with the receiver, and blocking the message if the set of receiver flow control policies indicates the message is not permitted.

Abstract translation: 在一个实施例中的方法包括拦截车辆网络环境中的源和接收机之间的车载网络环境的车载单元（OBU）中的消息，验证该消息是从源发送的，验证该消息没有被改变 ，评估与源相关联的一组源流控制策略，以及如果源流控制策略集指示不允许该消息，则阻塞该消息。 在具体实施例中，如果分配给源流控制策略集中的源的访问级别与消息上标记的访问级别不匹配，则不允许该消息。 在另外的实施例中，该方法包括评估与接收器相关联的一组接收器流控制策略，以及如果该组接收器流控制策略指示该消息不被允许，则阻塞该消息。

公开(公告)号：US20140321459A1

公开(公告)日：2014-10-30

申请号：US13872008

申请日：2013-04-26

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Surendra M. Kumar ,  Dileep K. Devireddy ,  Nagaraj A. Bagepalli ,  Abhijit Patra ,  Vina Ermagan ,  Fabio R. Maino ,  Victor Manuel Moreno ,  Paul Quinn

IPC: H04L12/851

CPC classification number: H04L47/2425 ,  G06F9/45533 ,  G06F2009/45562

Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.

Abstract translation: 在一个示例中提供了在网络环境中的服务插入的示例方法，并且包括通过标记服务节点与其连接的虚拟交换机功能的一个或多个接口端口与一个或多个策略标识符来配置服务节点。 当在虚拟覆盖路径上接收到与策略标识符相关联的数据流量时，虚拟交换机功能可以终止虚拟覆盖路径，并将原始数据流直接引导到标记为与数据相关联的策略标识符的服务节点的接口端口 交通。