US 11,757,777 B2
Assigning security group tag for infrastructure traffic and preserving security group tag in snooped packets in dynamic segmentation
Rajib Majila, Bangalore (IN); and Ram Lakhan Patel, Bangalore (IN)
Assigned to Hewlett Packard Enterprise Development LP, Spring, TX (US)
Filed by Hewlett Packard Enterprise Development LP, Houston, TX (US)
Filed on Sep. 23, 2021, as Appl. No. 17/483,474.
Prior Publication US 2023/0093278 A1, Mar. 23, 2023
Int. Cl. H04L 45/745 (2022.01); H04L 45/02 (2022.01); H04L 12/46 (2006.01); H04L 45/42 (2022.01); H04L 101/622 (2022.01)
CPC H04L 45/745 (2013.01) [H04L 12/4641 (2013.01); H04L 45/02 (2013.01); H04L 45/42 (2013.01); H04L 2101/622 (2022.05)] 17 Claims
1. A computer-implemented method, comprising:
determining a first source media access control address (MAC) associated with a switch;
updating a MAC address table by mapping the first source MAC to a first tag which indicates a source role corresponding to a network infrastructure associated with the switch;
generating, by a processor associated with the switch, a first packet which indicates the first source MAC;
performing a first search in the MAC address table based on the indicated first source MAC to obtain the first tag;
performing a second search in a policy table based on the first tag for a group-based policy which indicates an action to be applied to the first packet;
responsive to determining that the second search is not successful, modifying a header of the first packet by adding the first tag to the header;
responsive to determining that the second search is successful, determining that the indicated action to be applied comprises allowing the first packet;
transmitting the first packet;
determining a second packet to be inspected by the processor;
receiving, by the processor, the second packet;
determining that the second packet is received over a virtual extensible local area network (VXLAN);
retrieving, from a header of the second packet, a second tag which indicates a source role corresponding to a sender of the second packet;
decapsulating the second packet to obtain an Ethernet header;
obtaining, from the Ethernet header, a second source MAC associated with the sender of the second packet; and
responsive to determining that the second source MAC is present in a cache:
    determining a cached tag associated with the second source MAC in the cache;
    determining that the cached tag does not match the second tag;
    updating the cache by mapping the second source MAC to the second tag;
    updating the MAC address table by mapping the second source MAC to the second tag; and
    transmitting the second packet to a control plane daemon for processing.
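The two halves of claim 1 (tagging the switch's own infrastructure traffic, then refreshing the tag of a snooped VXLAN sender) as an added Python model; this is not code from the patent or from HPE. The names INFRA_TAG, Packet and Switch, the tag values, and the behaviour for a policy that is not "allow" and for a sender not yet in the cache are assumptions, since the claim does not specify them.

```python
from dataclasses import dataclass, field
from typing import Optional

INFRA_TAG = 100  # constructed tag value for the "network infrastructure" source role

@dataclass
class Packet:
    src_mac: str
    header: dict = field(default_factory=dict)   # tags inserted into the packet header
    over_vxlan: bool = False
    vxlan_tag: Optional[int] = None              # tag carried in the VXLAN header

class Switch:
    def __init__(self, switch_mac: str, policy_table: dict):
        self.switch_mac = switch_mac
        self.mac_table = {switch_mac: INFRA_TAG}  # MAC -> tag (source role); switch MAC -> infra
        self.policy_table = policy_table          # tag -> action, e.g. {INFRA_TAG: "allow"}
        self.cache = {}                           # MAC -> tag learned from snooped traffic
        self.control_plane = []                   # packets handed to the control plane daemon

    def send_infra_packet(self) -> tuple:
        """Switch-generated packet: first search in MAC table, second in policy table."""
        pkt = Packet(src_mac=self.switch_mac)
        tag = self.mac_table[pkt.src_mac]          # first search: MAC -> tag
        action = self.policy_table.get(tag)        # second search: tag -> group policy
        if action is None:
            pkt.header["sgt"] = tag                # no policy found: add the tag to the header
            return pkt, "transmitted"
        # Policy found: the claim covers the "allow" outcome; dropping anything else is an assumption.
        return (pkt, "transmitted") if action == "allow" else (None, "dropped")

    def snoop(self, pkt: Packet) -> str:
        """Inspect a received packet and keep cache and MAC table in sync with the sender's tag."""
        if not pkt.over_vxlan:
            return "ignored"                       # the claim applies to VXLAN-received packets
        tag = pkt.vxlan_tag                        # second tag, from the encapsulation header
        src = pkt.src_mac                          # second source MAC, from the inner Ethernet header
        if src not in self.cache:
            self.cache[src] = tag                  # assumption: learn a sender not yet cached
            return "learned"
        if self.cache[src] == tag:
            return "unchanged"                     # cached tag matches; nothing to do
        self.cache[src] = tag                      # tag changed: refresh the cache ...
        self.mac_table[src] = tag                  # ... and the MAC address table
        self.control_plane.append(pkt)             # then hand the packet to the daemon
        return "updated"
```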