Configuration of rules in a network visibility system

US 10,129,088 B2
Filed: 10/30/2015
Issued: 11/13/2018
Est. Priority Date: 06/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of configuring rules in a network visibility system, said method comprising:

maintaining, at a network device, a default rules table, which specifies a default allocation of IP addresses to output ports;

receiving, at the network device, control information containing, for a tunnel, an endpoint IP address of a control session and an endpoint IP address of a data session;

determining, at the network device, whether the endpoint IP address of said control session and the endpoint IP address of said data session in said default rules table are allocated to a same output port of the network device; and

if the endpoint IP address of said control session and the endpoint IP address of said data session are not allocated to the same output port of the network device, configuring, at the network device, a dynamic rule in a dynamic rules table to force packets of both said control session and said data session to be forwarded to the same output port of the network device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the present disclosure enable a router controller to maintain a default rules table indicating allocation of IP addresses (of GTP packets) to respective output ports. In an embodiment, the router controller receives information indicating the respective tunnel endpoint IP addresses of a control session and a data session of a user. The router controller is configured to determine whether such IP addresses of the control session and the data session(s) are allocated to the same output port. If the IP addresses of the control session and the data session are not allocated to the same output port, router controller is configured to generate a dynamic rule to force packets of both the control session and the data session to the same output port.

Citations

20 Claims

1. A method of configuring rules in a network visibility system, said method comprising:
- maintaining, at a network device, a default rules table, which specifies a default allocation of IP addresses to output ports;
  
  receiving, at the network device, control information containing, for a tunnel, an endpoint IP address of a control session and an endpoint IP address of a data session;
  
  determining, at the network device, whether the endpoint IP address of said control session and the endpoint IP address of said data session in said default rules table are allocated to a same output port of the network device; and
  
  if the endpoint IP address of said control session and the endpoint IP address of said data session are not allocated to the same output port of the network device, configuring, at the network device, a dynamic rule in a dynamic rules table to force packets of both said control session and said data session to be forwarded to the same output port of the network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said determining further comprises:
    - examining said default rules table to identify output ports allocated to said endpoint IP address of said control session and said endpoint IP address of said data session; and
      
      comparing said output ports identified by said examining.
  - 3. The method of claim 2, wherein a first IP address of a tunnel endpoint of said control session is received before a second IP address of a tunnel end point of said data session.
  - 4. The method of claim 3, wherein said control session and said data session are created on a 4G/LTE network, wherein said 4G/LTE network contains a Mobility Management Entity (MME), a Serving Gateway (SGW) and an eNodeB,wherein said control session is established between said MME and a first interface of said SGW, wherein said data session is established between said eNodeB and a second interface of said SGW, wherein said data session terminates at a second tunnel endpoint having second TEID (tunnel endpoint identifier) at said second interface,wherein said first IP address is at said first interface and said second IP address is at said second interface,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.
  - 5. The method of claim 4, wherein a second set of packets destined to said second interface based on said second IP address, but with TEID not equaling said second TEID, are forwarded to said to second output port by operation of said default rules table.
  - 6. The method of claim 3, wherein said control session and said data session are created on a 3G network, wherein said 3G network contains a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) in a path from a user equipment to Internet, said GGSN containing a first interface and a second interface communicatively coupled to said SGSN, said first interface and said second interface being respectively assigned said first IP address and said second IP address,wherein said control session is established to terminate at said first IP address,wherein said data session is established to terminate with a second TEID at said second IP address,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.
  - 7. The method of claim 6, wherein a second set of packets destined to said second interface based on said second IP address, but with TEID not equaling said second TEID, are forwarded to said to second output port by operation of said default rules table.

8. A non-transitory machine readable medium storing one or more sequences of instructions for enabling a network visibility system to configure rules, wherein execution of said one or more instructions by one or more processors contained in said network visibility system enables said network visibility system to perform the actions of:
- maintaining, at a network device, a default rules table, which specifies the default allocation of IP addresses to output ports;
  
  receiving, at the network device, control information containing, for a tunnel, an endpoint IP address of a control session and an endpoint IP address of a data session;
  
  determining, at the network device, whether the endpoint IP address of said control session and the endpoint IP address of said data session in said default rules table are allocated to a same output port of the network device; and
  
  if the endpoint IP address of said control session and the endpoint IP address of said data session are not allocated to the same output port of the network device, configuring, at the network device, a dynamic rule in a dynamic rules table to force packets of both said control session and said data session to be forwarded to the same output port of the network device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine readable medium of claim 8, wherein said determiningfurther comprises:
    - examining said default rules table to identify output ports allocated to said endpoint IP address of said control session and said endpoint IP address of said data session; and
      
      comparing said output ports identified by said examining.
  - 10. The non-transitory machine readable medium of claim 9, wherein a first IP address of a tunnel endpoint of said control session is received before a second IP address of a tunnel end point of said data session.
  - 11. The non-transitory machine readable medium of claim 10, wherein said control session and said data session are created on a 4G/LTE network, wherein said 4G/LTE network contains a Mobility Management Entity (MME), a Serving Gateway (SGW) and an eNodeB,wherein said control session is established between said MME and a first interface of said SGW, wherein said data session is established between said eNodeB and a second interface of said SGW, wherein said data session terminates at a second tunnel endpoint having second TEID (tunnel endpoint identifier) at said second interface,wherein said first IP address is at said first interface and said second IP address is at said second interface,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.
  - 12. The non-transitory machine readable medium of claim 11, wherein a second set of packets destined to said second interface based on said second IP address, but with TEID not equaling said second TEID, are forwarded to said to second output port by operation of said default rules table.
  - 13. The non-transitory machine readable medium of claim 10, wherein said control session and said data session are created on a 3G network, wherein said 3G network contains a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) in a path from a user equipment to Internet, said GGSN containing a first interface and a second interface communicatively coupled to said SGSN, said first interface and said second interface beingrespectively assigned said first IP address and said second IP address,wherein said control session is established to terminate at said first IP address,wherein said data session is established to terminate with a second TEID at said second IP address,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.
  - 14. The non-transitory machine readable medium of claim 13, wherein a second set of packets destined to said second interface based on said second IP address, but with TEID not equaling said second TEID, are forwarded to said to second output port by operation of said default rules table.

15. A network visibility system comprising:
- a network device with a processing block and a memory,said memory to store instructions which when retrieved and executed by said processing block causes said network visibility system to perform the actions of;
  
  maintaining a default rules table, which specifies the default allocation of IP addresses to output ports;
  
  receiving control information containing, for a tunnel, an endpoint IP address of a control session and an endpoint IP address of a data session;
  
  determining whether the endpoint IP address of said control session and the endpoint IP address of said data session in said default rules table are allocated to a same output port of the network device; and
  
  if the endpoint IP address of said control session and the endpoint IP address of said data session are not allocated to the same output port of the network device, configuring, at the network device, a dynamic rule in a dynamic rules table to force packets of both said control session and said data session to be forwarded to the same output port of the network device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network visibility system of claim 15, wherein said determining further comprises:
    - examining said default rules table to identify output ports allocated to said endpoint IP address of said control session and said endpoint IP address of said data session; and
      
      comparing said output ports identified by said examining.
  - 17. The network visibility system of claim 16, wherein a first IP address of a tunnel endpoint of said control session is received before a second IP address of a tunnel end point of said data session.
  - 18. The network visibility system of claim 17, wherein said control session and said data session are created on a 4G/LTE network, wherein said 4G/LTE network contains a Mobility Management Entity (MME), a Serving Gateway (SGW) and an eNodeB,wherein said control session is established between said MME and a first interface of said SGW, wherein said data session is established between said eNodeB and a second interface of said SGW, wherein said data session terminates at a second tunnel endpoint having second TEID (tunnel endpoint identifier) at said second interface,wherein said first IP address is at said first interface and said second IP address is at said second interface,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.
  - 19. The network visibility system of claim 18, wherein a second set of packets destined to said second interface based on said second IP address, but with TEID not equaling said second TEID, are forwarded to said to second output port by operation of said default rules table.
  - 20. The network visibility system of claim 17, wherein said control session and said data session are created on a 3G network, wherein said 3G network contains a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) in a path from a user equipment to Internet, said GGSN containing a first interface and a second interface communicatively coupled to said SGSN, said first interface and said second interface being respectively assigned said first IP address and said second IP address,wherein said control session is established to terminate at said first IP address,wherein said data session is established to terminate with a second TEID at said second IP address,wherein said default table maps said first IP address to a first output port and said second IP address to a second output port,wherein said dynamic rule operates to force packets of said second IP address and said second TEID to said first output port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Extreme Networks, Inc.
Inventors
Sharma, Shailender, Varimalla, Rakesh
Primary Examiner(s)
Morlan, Robert M
Assistant Examiner(s)
Kaur, Pamit

Application Number

US14/927,482
Publication Number

US 20160373304A1
Time in Patent Office

1,110 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/342   between virtual entities, e...

H04L 43/00   Arrangements for monitoring...

H04L 43/12   Network monitoring probes

H04L 43/20   the monitoring system or th...

H04L 45/745   Address table lookup; Addre...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04W 24/08   Testing, supervising or mon...

Configuration of rules in a network visibility system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Configuration of rules in a network visibility system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links