-
Publication No.: US12199868B2
Publication date: 2025-01-14
Application No.: US17804333
Application date: 2022-05-27
Applicant: Cisco Technology, Inc.
Inventor: Samir Thoria, Ram Dular Singh, Laxmikantha Reddy Ponnuru
Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.
-
Publication No.: US12184539B2
Publication date: 2024-12-31
Application No.: US18303493
Application date: 2023-04-19
Applicant: Cisco Technology, Inc.
Inventor: Anubhav Gupta, Rex Fernando, Sanjay Kumar Hooda, Syam Sundar Appala, Samir Thoria
IPC: H04L45/302, H04L12/28, H04L45/74, H04L47/20
Abstract: In one embodiment, a method by an edge router configured to operate at a first site of a software-defined wide-area network includes receiving a data packet from a first host located in the first site, where the data packet is destined to a second host located in a second site, determining that an identifier of a second group to which the second host belongs is not available at the edge router, sending a request for an identifier of the second group to a network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.
-
Publication No.: US20240022548A1
Publication date: 2024-01-18
Application No.: US17812901
Application date: 2022-07-15
Applicant: Cisco Technology, Inc.
Inventor: Ali Sajassi, Pradeep Kumar Kathail, Samir Thoria
CPC classification number: H04L63/0435, H04L63/029, H04L45/22
Abstract: A system and method for adaptive encryption for SD-WAN includes identifying an encrypted conversational flow and determining whether a duration of the encrypted conversational flow exceeds a threshold. The method also includes selecting a header-less tunnel for the encrypted conversational flow when the duration is more than the threshold. The method further includes transmitting the encrypted conversational flow to an egress router over the selected header-less tunnel.
-
Publication No.: US20230388233A1
Publication date: 2023-11-30
Application No.: US17804333
Application date: 2022-05-27
Applicant: Cisco Technology, Inc.
Inventor: Samir Thoria, Ram Dular Singh, Laxmikantha Reddy Ponnuru
CPC classification number: H04L45/76, H04L45/64, H04L45/50, H04L63/0485
Abstract: According to some embodiments, a method is performed by a software defined wide area network (SD-WAN) edge router in a hierarchical SD-WAN network comprising a plurality of edge routers and a plurality of border routers. The method comprises: originating a SD-WAN system route for advertising reachability to the edge router, the system route comprising an encryption key associated with the edge router; and transmitting the system route to one or more SD-WAN border routers. The method may further comprise: receiving a packet destined for the edge router from one of the one or more SD-WAN border routers, wherein the packet is at least partially encrypted with the encryption key associated with the edge router; and decrypting the received packet.
-
Publication No.: US20230283589A1
Publication date: 2023-09-07
Application No.: US18172225
Application date: 2023-02-21
Applicant: Cisco Technology, Inc.
Inventor: Ali Sajassi, Samir Thoria, Lukas Krattiger, Manoj Kumar Pandey
IPC: H04L61/5053, H04L9/40, H04L61/5014
CPC classification number: H04L61/5053, H04L63/101, H04L63/0236, H04L61/5014, H04L2101/622
Abstract: Systems and techniques are provided for synchronizing DHCP snoop information. In some examples, a method can include, performing, by a first PE device from a plurality of PE devices, DHCP snooping of a first plurality of DHCP messages between a DHCP client and a DHCP server, wherein the plurality of PE devices is part of an ethernet segment for multihoming the DHCP client. In some aspects, the method includes determining, based on snooping the first plurality of DHCP messages, an association between an IP address corresponding to the DHCP client and a MAC address corresponding to the DHCP client. In some examples, the method includes sending, by the first PE device to at least one other PE device from the plurality of PE devices, a first route advertisement that includes the association between the IP address corresponding to the DHCP client and the MAC address corresponding to the DHCP client.
-
Publication No.: US11683262B2
Publication date: 2023-06-20
Application No.: US16697016
Application date: 2019-11-26
Applicant: Cisco Technology, Inc.
Inventor: Anubhav Gupta, Rex Fernando, Sanjay Kumar Hooda, Syam Sundar Appala, Samir Thoria
IPC: H04L45/302, H04L12/28, H04L45/74, H04L47/20
CPC classification number: H04L45/302, H04L12/2854, H04L45/74, H04L47/20
Abstract: In one embodiment, a method includes receiving a data packet from a first host located in the first site, where the data packet may be destined to a second host located in a second site that may be different from the first site, determining that an identifier of a second group to which the second host belongs is not available at the first network apparatus, sending a request for an identifier of the second group to a second network apparatus, where the request may comprise an address of the second host, receiving a response comprising the identifier of the second group from the second network apparatus, determining that the second group is a destination group, applying one or more policies associated with the destination group to the data packet, and causing the data packet to be routed to the second host.
-
Publication No.: US20230188607A1
Publication date: 2023-06-15
Application No.: US17709877
Application date: 2022-03-31
Applicant: Cisco Technology, Inc.
Inventor: Srilatha Tangirala, Rahul Hardikar, Sheikh Qumruzzaman, Ravi Kiran Chintallapudi, Samir Thoria, Ajeet Pal Singh Gill, Vivek Agarwal
IPC: H04L67/141, H04L9/40
CPC classification number: H04L67/141, H04L63/0428, H04L45/76
Abstract: In one embodiment, a method includes onboarding, by an edge router, a first tenant from a network management system and determining, by the edge router, a mapping of a tenant identifier associated with the first tenant to a controller identifier associated with a controller. The method also includes reserving, by the edge router, a port number in a kernel for the first tenant and inserting, by the edge router, the tenant identifier into a first control packet. The method further includes communicating, by the edge router, the first control packet to the controller via an encrypted control connection during a first peering session. The first peering session shares the encrypted control connection with a second peering session.
-
Publication No.: US20230052974A1
Publication date: 2023-02-16
Application No.: US17586204
Application date: 2022-01-27
Applicant: Cisco Technology, Inc.
Inventor: Samir Thoria, Vivek Agarwal, Satish Kumar Mahadevan, Laxmikantha Reddy Ponnuru, Jean-Marc Barozet, Hamzah Kardame
Abstract: According to some embodiments, a software defined wide area network (SD-WAN) includes a first region and a second region. The first region includes multiple first routing controllers and multiple first SD-WAN edge routers. The second region includes multiple second routing controllers and multiple second SD-WAN edge routers. Each first SD-WAN edge router of the first region is configured to establish Overlay Management Protocol (OMP) peering connections with the plurality of first routing controllers of the first region but to avoid establishing OMP peering connections with the plurality of second routing controllers of the second region. Each second SD-WAN edge router of the second region is configured to establish OMP peering connections with the plurality of second routing controllers of the second region but to avoid establishing OMP peering connections with the plurality of first routing controllers of the first region.
-
Publication No.: US20210211404A1
Publication date: 2021-07-08
Application No.: US16737607
Application date: 2020-01-08
Applicant: Cisco Technology, Inc.
Inventor: Manoj Pandey, Samir Thoria, Ali Sajassi
Abstract: This disclosure describes methods of operating a leaf node device, such as a switch device, connected to a switch fabric of a network. The leaf node device receives, from another leaf node device via the switch fabric, an indication of a secure route to a host device. In response to receiving the indication of the secure route, the leaf node device creates or updates a routing entry for the host device in a routing information base of the leaf node device and creates or updates an entry for the host device in a Dynamic Host Configuration Protocol (DHCP) snoop database of the leaf node device. The leaf node may thereby communicate with the host device that is attached to the leaf node device as a result of moving from the other leaf node device.
-
Publication No.: US20200322268A1
Publication date: 2020-10-08
Application No.: US16375810
Application date: 2019-04-04
Applicant: Cisco Technology, Inc.
Inventor: Samir Thoria, Ali Sajassi, Lukas Krattiger
IPC: H04L12/723, H04L12/715, H04L12/721, H04L12/46, H04L12/66
Abstract: A system and method are disclosed for enabling interoperability between asymmetric and symmetric Integrated Routing and Bridging (IRB) modes. A system is configured to receive a route advertisement, examine the label fields of the route advertisement, and determine whether Layer 2 or Layer 3 information is conveyed. The system is further configured to build a route advertisement to advertise to a second device based on whether Layer 2 or Layer 3 information is conveyed in the first route advertisement.