Traffic distribution over multiple paths in a network while maintaining flow affinity
US-9716592-B1 · Jul 25, 2017 · US
US10419496B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10419496-B2 |
| Application number | US-201615186304-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 17, 2016 |
| Priority date | Jun 17, 2016 |
| Publication date | Sep 17, 2019 |
| Grant date | Sep 17, 2019 |
Official abstract text for this publication.
Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.
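The following is an added example, not code from the patent. It shows why the hash must be symmetric when the service node is a stateful device such as a firewall: a direction-sensitive hash sends the two halves of a conversation to different nodes. The hash construction (sorting the address pair, then SHA-256), the node names and the sample flows are assumptions; the patent does not name a specific hash function.

```python
import hashlib
import ipaddress

# Hypothetical node names; the patent only says "service node" (e.g. a firewall).
SERVICE_NODES = ["fw-1", "fw-2", "fw-3", "fw-4"]


def _fields(sip, dip, proto):
    """Pack the header fields fed to the hash; the protocol value is optional."""
    s = ipaddress.ip_address(sip).packed
    d = ipaddress.ip_address(dip).packed
    p = b"" if proto is None else bytes([proto])
    return s, d, p


def symmetric_hash(sip, dip, proto=None):
    """Direction-independent: the two addresses are put in canonical order first."""
    s, d, p = _fields(sip, dip, proto)
    lo, hi = sorted((s, d))
    return int.from_bytes(hashlib.sha256(lo + hi + p).digest()[:4], "big")


def directional_hash(sip, dip, proto=None):
    """Contrast case: hashes fields in packet order, so A->B and B->A differ."""
    s, d, p = _fields(sip, dip, proto)
    return int.from_bytes(hashlib.sha256(s + d + p).digest()[:4], "big")


def pick_node(hash_value, nodes=SERVICE_NODES):
    return nodes[hash_value % len(nodes)]


def split_flows(flows, hash_fn):
    """Return flows whose forward and reverse packets reach different nodes."""
    split = []
    for sip, dip, proto in flows:
        fwd = pick_node(hash_fn(sip, dip, proto))  # ingress policy, first leaf
        rev = pick_node(hash_fn(dip, sip, proto))  # ingress policy, second leaf
        if fwd != rev:
            split.append((sip, dip, proto))
    return split


# Constructed sample flows (TCP, protocol 6) between two made-up subnets.
FLOWS = [(f"10.0.0.{i}", f"192.168.1.{i}", 6) for i in range(1, 65)]

if __name__ == "__main__":
    for fn in (symmetric_hash, directional_hash):
        print(fn.__name__, "split flows:", len(split_flows(FLOWS, fn)))
```

A non-empty result from `split_flows` for a given hash means a stateful service node would see only one direction of those flows.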
Opening claim text (preview).
The invention claimed is:

1. A method for managing traffic through a switch fabric having a border defined at least by a plurality of leaf nodes connected by at least one spine node, the plurality of leaf nodes including at least first and second leaf nodes, the method comprising: receiving, by the first leaf node connected to a first endpoint, a first data packet transmitted by the first endpoint to a second endpoint connected to the second leaf node; enforcing, at entry of the first data packet into the switch fabric at the first leaf node, an ingress data policy to the first data packet by applying a symmetrical hashing algorithm to at least a portion of the first data packet, resulting in a hash value of the first data packet; routing the first data packet to a first service node based on the hash value of the first data packet; receiving, by the second leaf node, a second data packet transmitted by the second endpoint to the first endpoint; enforcing, at entry of the second data packet into the switch fabric at the second leaf node, an ingress data policy to the second data packet by applying the symmetrical hashing algorithm to at least a portion of the second data packet, resulting in a hash value of the second data packet; and routing the second data packet to the first service node based on the hash value of the first data packet; wherein, due to the symmetrical nature of the symmetrical hashing algorithm, data between the first and second endpoints are sent to the first service node regardless of the direction in which the data was sent.

2. The method of claim 1, further comprising: in response to determining that the second endpoint has moved from the second leaf node to a third node of the switch fabric, dynamically reconfiguring the first leaf node to stop enforcing the ingress data policy to data packets transmitted from the first endpoint to the second endpoint.

3. The method of claim 2, further comprising: after dynamically reconfiguring the first leaf node to stop enforcing the ingress data policy, receiving a second data packet transmitted by the first endpoint to the second endpoint; and transmitting the second data packet to the third leaf node, wherein the third leaf node enforces an egress data policy by applying the hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the second data packet, resulting in a hash value of the second data packet, wherein the third leaf node routes the second data packet to the first service node based on the hash value of the second data packet.

4. The method of claim 1, wherein the first service node is a firewall.

5. The method of claim 1, wherein the first service node routes the first data packet to the second leaf node to be delivered to the second endpoint.

6. The method of claim 1, wherein a protocol value of the first data packet is also applied to the hashing algorithm to result in the hash value of the first data packet.

7. A system comprising: a switch fabric having a border defined at least by a plurality of leaf nodes connected by at least one spine node, the plurality of leaf nodes including at least first and second leaf nodes; a memory storing instructions that, when executed by any of the leaf nodes, cause the leaf nodes to: receive by the first leaf node a first data packet transmitted by a first endpoint to a second endpoint connected to the second leaf node; enforce, at entry of the first data packet into the switch fabric at the first leaf node, an ingress data policy to the first data packet by applying a symmetrical hashing algorithm to at least a portion of the first data packet, resulting in a hash value of the first data packet; route the first data packet to a first service node based on the hash value of the first data packet; receive, by the second leaf node, a second data packet transmitted by the second endpoint to the first endpoint; enforce, at entry of the second data packet into the switch fabric at the second leaf node, an ingress data policy to the second data packet by applying the symmetrical hashing algorithm to at least a portion of the second data packet, resulting in a hash value of the second data packet; and route the second data packet to the first service node based on the hash value of the first data packet; wherein due to the symmetrical nature of the symmetrical hashing algorithm data between the first and second endpoints are sent to the first service node regardless of the direction in which the data was sent.

8. The system of claim 7, wherein the instructions further cause the first leaf node to: in response to determining that the second endpoint has moved from the second leaf node to a third leaf node, dynamically reconfigure the first leaf node to stop enforcing the ingress data policy to data packets transmitted from the first endpoint to the second endpoint.

9. The system of claim 8, wherein the instructions further cause the first leaf node to: after dynamically reconfiguring the first leaf node to stop enforcing the ingress data policy, receive a second data packet transmitted by the first endpoint to the second endpoint; and transmit the second data packet to the third leaf node, wherein the third leaf node enforces an egress data policy by applying the hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the second data packet, resulting in a hash value of the second data packet, wherein the third leaf node routes the second data packet to the first service node based on the hash value of the second data packet.

10. The system of claim 7, wherein the first service node is a firewall.

11. The system of claim 7, wherein the first service node routes the first data packet to the second leaf node to be delivered to the second endpoint.

12. The system of claim 7, wherein a protocol value of the first data packet is also applied to the hashing algorithm to result in the hash value of the first data packet.

13. A non-transitory computer-readable medium storing instructions that, when executed by a switch fabric having a border defined at least by a plurality of leaf nodes connected by at least one spine node, the plurality of leaf nodes including at least first and second leaf nodes, cause the switch fabric to: receive by the first leaf node a first data packet transmitted by a first endpoint to a second endpoint connected to the second leaf node; enforce, at entry of the first data packet into the switch fabric at the first leaf node, an ingress data policy to the first data packet by applying a symmetrical hashing algorithm to at least a portion of the first data packet, resulting in a hash value of the first data packet; route the first data packet to a first service node based on the hash value of the first data packet; receive, by the second leaf node, a second data packet transmitted by the second endpoint to the first endpoint; enforce, at entry of the second data packet into the switch fabric at the second leaf node, an ingress data policy to the second data packet by applying the symmetrical hashing algorithm to at least a portion of the second data packet, resulting in a hash value of the second data packet; and route the second data packet to the first service node based on the hash value of the first data packet; wherein due to the symmetrical nature of the symmetrical hashing algorithm data between the first and second endpoints are sent to the first service node regardless of the direction in which the data was sent.

14. The non-transitory computer-readable med
using hashing · CPC title
Electricity · mapped topic
Session initiation protocol [SIP] · CPC title