Switch for local area network

US 20040028047A1
Filed: 05/22/2003
Published: 02/12/2004
Est. Priority Date: 05/22/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for processing data packets in a computer network, the data packets including information from one or more of Layers 2 through 7 of the OSI Model, comprising:

configuring a packet filter engine to process data packets at wire-speed based on one or more user defined packet policies, each user defined packet policy specifying information for one or more of Layers 4 through 7;

receiving a data packet, the received data packet having a sequence of bytes;

examining the data packet;

determining if there is a match between the data packet and one or more of the packet policies, each packet policy having on or more policy action fields;

if no matching packet policy is found, routing the data packet;

if a matching packet policy is found, processing the data packet based on the policy action fields of the matching policy.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implement techniques for processing data packets in a computer network. A packet filter engine is configured to process data packets at wire-speed based on or more user defined packet policies. A received data packet is examined to determine if there is a match between the data packet and one or more packet policies. If no matching packet policies are found, the packet is routed. If a matching packet policy is found, the data packet is processed based on the policy action fields of the matching policy.

141 Citations

39 Claims

1. A method for processing data packets in a computer network, the data packets including information from one or more of Layers 2 through 7 of the OSI Model, comprising:
- configuring a packet filter engine to process data packets at wire-speed based on one or more user defined packet policies, each user defined packet policy specifying information for one or more of Layers 4 through 7;
  
  receiving a data packet, the received data packet having a sequence of bytes;
  
  examining the data packet;
  
  determining if there is a match between the data packet and one or more of the packet policies, each packet policy having on or more policy action fields;
  
  if no matching packet policy is found, routing the data packet;
  
  if a matching packet policy is found, processing the data packet based on the policy action fields of the matching policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein configuring the packet filter engine includes:
    - receiving a user request for a packet policy; and
      
      transmitting the requested packet policy to the packet filter engine as one of the one or more user defined packet policies.
  - 3. The method of claim 1, wherein each user defined packet policy specifies a policy byte pattern and determining if there is a match includes:
    - determining if the sequence of bytes in the received packet matches the policy byte pattern.
  - 4. The method of claim 1, wherein routing the packet includes:
    - routing the packet using a Layer 2-3 switch.
  - 5. The method of claim 1, wherein the policy action field specifies an action to be performed on the received data packet and processing the packet includes:
    - performing the specified action in the policy action field.
  - 6. The method of claim 1, wherein processing the packet includes:
    - blocking the packet, based on the policy action field of the matching policy;
      
      forwarding the data packet to one or more switch applications; and
      
      processing the data packet using a switch application of the one or more switch applications.
  - 7. The method of claim 6, wherein the switch applications include:
    - an application for performing network address translation.
  - 8. The method of claim 6, wherein the switch applications include:
    - an application for detecting attempted network security attacks.
  - 9. The method of claim 1, wherein the packet policies include:
    - predefined packet policies.
  - 10. The method of claim 1, wherein the packet policies include:
    - expert policies specified by the user.
  - 11. The method of claim 1, further comprising:
    - receiving a user request to disable a deactivated packet policy of the one or more user defined packet policies; and
      
      configuring the packet filter engine to disable the deactivated packet policy.
  - 12. The method of claim 1, further comprising:
    - specifying for one or more of the packet policies, at least one of a start time and an end time;
      
      obtaining a current time; and
      
      if a start time and an end time are specified, determining if there is a match includes determining if there is a match when the current time is within a duration starting at the start time and ending at the end time.
  - 13. The method of claim 12, wherein:
    - if the end time is not specified, determining if there is a match includes determining if there is a match when the current time is greater than the start time.
  - 14. The method of claim 12, wherein:
    - if the start time is not specified, determining if there is a match includes determining if there is a match when the current time is less than the end time.

15. A computer implemented method, comprising:
- receiving a request at a first network switch to transfer switch data from the first network switch to a second network switch, the switch data being operable to control operation of the first network switch and the second network switch; and
  
  transferring the switch data from the first network switch to the second network switch.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the switch data includes:
    - configuration data operable to configure the first network switch and the second network switch.
  - 17. The method of claim 15, wherein the switch data includes:
    - firmware operable to control the operation of the first network switch and the second network switch.

18. A computer program product tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing equipment to:
- configure a packet filter engine to process data packets at wire-speed based on one or more user defined packet policies, each user defined packet policy specifying information for one or more of Layers 4 through 7;
  
  receive a data packet, the received data packet having a sequence of bytes;
  
  examine the data packet;
  
  determine if there is a match between the data packet and one or more of the packet policies, each packet policy having on or more policy action fields;
  
  if no matching packet policy is found, route the data packet;
  
  if a matching packet policy is found, process the data packet based on the policy action fields of the matching policy.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 19. The computer program product of claim 18, wherein the instructions for configuring the packet filter engine cause the data processing equipment to:
    - receive a user request for a packet policy; and
      
      transmit the requested packet policy to the packet filter engine as one of the one or more user defined packet policies.
  - 20. The computer program product of claim 18, wherein each user defined packet policy specifies a policy byte pattern and the instructions for determining if there is a match cause the data processing equipment to:
    - determine if the sequence of bytes in the received packet matches the policy byte pattern.
  - 21. The computer program product of claim 18, wherein the instructions for routing the packet cause the data processing equipment to:
    - route the packet using a Layer 2-3 switch.
  - 22. The computer program product of claim 18, wherein the policy action field specifies an action to be performed on the received data packet and the instructions for processing the packet cause the data processing equipment to:
    - perform the specified action in the policy action field.
  - 23. The computer program product claim 18, wherein the instructions for processing the packet cause the data processing equipment to:
    - block the packet, based on the policy action field of the matching policy;
      
      forward the data packet to one or more switch applications; and
      
      process the data packet using a switch application of the one or more switch applications.
  - 24. The computer program product of claim 23, wherein the switch applications include:
    - an application to perform network address translation.
  - 25. The computer program product of claim 23, wherein the switch applications include:
    - an application to detect attempted network security attacks.
  - 26. The computer program product of claim 18, wherein the packet policies include:
    - predefined packet policies.
  - 27. The computer program product of claim 18, wherein the packet policies include:
    - expert policies specified by the user.
  - 28. The computer program product of claim 18, further comprising instructions operable to cause the data processing equipment to:
    - receive a user request to disable a deactivated packet policy of the one or more user defined packet policies; and
      
      configure the packet filter engine to disable the deactivated packet policy.
  - 29. The computer program product of claim 18, further comprising instructions operable to cause the data processing equipment to:
    - specify for one or more of the packet policies, at least one of a start time and an end time;
      
      obtain a current time; and
      
      if a start time and an end time are specified, the instructions for determining if there is a match cause the data processing equipment to determine if there is a match when the current time is within a duration starting at the start time and ending at the end time.
  - 30. The computer program product of claim 29, wherein:
    - if the end time is not specified, the instructions for determining if there is a match cause the data processing equipment to determine if there is a match when the current time is greater than the start time.
  - 31. The computer program product of claim 29, wherein:
    - if the start time is not specified, the instructions for determining if there is a match cause the data processing equipment to determine if there is a match when the current time is less than the end time.

32. A computer program product tangibly embodied in an information carrier, the computer program product comprising instructions operable to cause data processing equipment to:
- receive a request at a first network switch to transfer switch data from the first network switch to a second network switch, the switch data being operable to control operation of the first network switch and the second network switch; and
  
  transfer the switch data from the first network switch to the second network switch.
- View Dependent Claims (33, 34)
- - 33. The computer program product of claim 32, wherein the switch data includes:
    - configuration data operable to configure the first network switch and the second network switch.
  - 34. The computer program product of claim 32, wherein the switch data includes:
    - firmware operable to control the operation of the first network switch and the second network switch.

35. An apparatus for processing data packets, comprising:
- a packet policy repository containing one or more requested packet policies, each requested packet policy having a policy byte pattern and one or more policy action fields;
  
  a time triggered action unit operable to specify at least one of a start time and an end time associated with a requested packet policy of the one or more requested packet policies, generate a start time trigger event if the start time is specified, generate an end time trigger event if the end time is specified;
  
  a packet filter engine that applies one or more activated packet policies for each received packet, the packet filter engine operating at wire-speed, the packet filter engine being operable to detect received packets matching an activated packet policy of the one or more activated packet policies, and process the packet according to the policy action fields of the matching packet policy; and
  
  a packet policy manager, the packet policy manager detecting the start time trigger event and adding the associated requested packet policy to the one or more activated packet policies applied by the packet filter engine, the packet policy manager detecting the end time trigger event and deleting the associated requested packet policy from the one or more activated packet policies applied by the packet filter engine.
- View Dependent Claims (36)
- - 36. The apparatus of claim 35, wherein:
    - the packet policy manager is operable by the user to specify one or more user defined packet policies, the user defined packet policies being stored as requested packet policies in the packet policy repository.

37. An apparatus for processing data packets, comprising:
- a plurality of network switches, each network switch including a central management unit, the central management unit including a central management client and a central management server;
  
  a first network switch being operable to transfer data from the first network switch to a second network switch;
  
  a third network switch being operable to receive requests from the user for a transfer of switch data from the first network switch to the second network switch, the third network switch configuring the first network switch and the second network switch to complete the transfer of data requested by the user, the switch data being operable to control the operation of the first network switch and the second network switch.
- View Dependent Claims (38, 39)
- - 38. The apparatus of claim 37, wherein the switch data includes:
    - configuration data being operable to configure the first device and the second device.
  - 39. The apparatus of claim 37, wherein the switch data includes:
    - firmware operable to control the operation of the first network switch and the second network switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Procera Networks, Inc. (Sandvine Corp.)
Original Assignee
Procera Networks, Inc. (Sandvine Corp.)
Inventors
Hou, Sean, Yung Ching, Daniel Yin, Andrews, Keith M., Ge, William R., Hansen, Magnus B., Claudatos, Christopher H.

Application Number

US10/445,293
Publication Number

US 20040028047A1
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 49/355   Application aware switches,...

H04L 49/602   Multilayer or multiprotocol...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

Switch for local area network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

141 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Switch for local area network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links