Scalable distribution of identity information in overlay networks with identity-based policies
Assignee
Palo Alto Networks, Inc.
Inventors
Bala Gautama, Arivu Mani Ramasamy, Venkata Sarat Kumar Vajrapu, Arun Kumar Palani, Anil Kumar Reddy Sirigiri, Nagaraj A. Bagepalli
Abstract
A network controller in an overlay network maintains collective sets of identity-based policies and identity mappings for onboarded users of the network for informed distribution to network elements across the network. As new users are onboarded, the controller identifies a site of the network at which the user was onboarded and determines identity mappings of the user and applicable policies for distribution to a network element at the identified site. The controller assigns index values to each identity and communicates the indices to network elements with the corresponding identity mappings and policies. The network elements encapsulate cross-site traffic with the index values corresponding to senders so recipient network elements can obtain the index value from encapsulation header formats, query the controller for the corresponding identity mappings, and apply policies to the traffic that are determined to be pertinent based on the sender's identity mappings obtained from the controller.
Filing Date
2024-11-20
Application No.
18954065
Claims
20