Policy-based processing of packets
Abstract
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.
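To make the abstract's flow concrete, here is an added Python model of it (not code from the patent or its assignee): authentication binds a non-address group identifier to the ingress port, the destination field is mapped to a second group identifier by longest-prefix match, and the policy is keyed only by the pair of group identifiers, so it is unaffected when the user's own address changes. The group names, prefixes, port-keyed session table and the dict standing in for the 802.1x server are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data, not from the patent. The authentication server's
# reply is stubbed as a dict: user -> non-network-address group identifier.
AUTH_SERVER = {"alice": "eng", "bob": "contractor"}
# Constructed: destination prefixes tagged with a group identifier. Addresses
# appear only here; the policy below is written purely in group identifiers.
DEST_GROUPS = [
    (ipaddress.ip_network("10.1.0.0/16"), "build-servers"),
    (ipaddress.ip_network("10.1.5.0/24"), "source-repo"),
    (ipaddress.ip_network("10.2.0.0/16"), "hr-servers"),
]
POLICY = {  # (user group, destination group) -> action; anything else is denied
    ("eng", "build-servers"): "permit",
    ("eng", "source-repo"): "permit",
    ("contractor", "build-servers"): "permit",
    ("contractor", "source-repo"): "deny",
}

# src is carried but never consulted; dst is the "second field" of the claims.
Packet = namedtuple("Packet", "src dst")

class Switch:
    def __init__(self, policy, dest_groups, default="deny"):
        self.policy, self.dest_groups, self.default = policy, dest_groups, default
        self.sessions = {}  # ingress port -> user group, bound at authentication

    def authenticate(self, port, user):
        """Stand-in for the 802.1x exchange: bind the server's group id to the port."""
        group = AUTH_SERVER.get(user)
        if group is None:
            self.sessions.pop(port, None)  # failed auth clears any stale binding
            return False
        self.sessions[port] = group
        return True

    def destination_group(self, dst):
        """Longest-prefix match of the destination field to a group identifier."""
        addr = ipaddress.ip_address(dst)
        hits = [(n.prefixlen, g) for n, g in self.dest_groups if addr in n]
        return max(hits)[1] if hits else None

    def process(self, port, pkt):
        """Tag the packet with the port's user group, then look up the policy."""
        user_group, dst_group = self.sessions.get(port), self.destination_group(pkt.dst)
        if user_group is None or dst_group is None:
            return self.default  # unauthenticated port or untagged destination: fail closed
        return self.policy.get((user_group, dst_group), self.default)
```

A packet from an unauthenticated port, to a destination with no group tag, or for a group pair the policy does not list all fall through to the default deny.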
26 Claims

1. A method for processing packets performed by a packet switching device, the method comprising:
- authenticating a user;
- receiving a non-network address user group identifier corresponding to said authenticated user;
- receiving one or more policies associated with the non-network address user group identifier;
- receiving a packet and associating the non-network address user group identifier with said received packet, the received packet including a source address and a second field;
- identifying a second non-network address group identifier based on the second field; and
- performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address group identifier to identify a packet processing action to be performed on said received packet.
Dependent claims: 2, 3, 4, 5, 6.

7. A method for processing packets based on a policy identifying a non-network address first group identifier corresponding to a first group and a non-network address second group identifier corresponding to a second group, the first group including a first user and a second user, and the second group including a first server, the method comprising:
- a first packet switching device receiving the policy;
- a second packet switching device receiving the policy;
- the first packet switching device receiving a first plurality of packets from the first user and processing the first plurality of packets based on the policy to control access to the first server; and
- the second packet switching device receiving a second plurality of packets from the second user and processing the second plurality of packets based on the policy to control access to the first server.
Dependent claims: 8, 9, 10, 11.

12. A method for processing packets based on a policy identifying a non-network address first group identifier corresponding to a first group and a non-network address second group identifier corresponding to a second group, the first group including a first user and a second user, and the second group including a first server and a second server, the method comprising:
- a first packet switching device receiving the policy;
- a second packet switching device receiving the policy;
- the first packet switching device receiving a first plurality of packets from the first user and processing the first plurality of packets based on the policy to control access to the first server; and
- the second packet switching device receiving a second plurality of packets from the second user and processing the second plurality of packets based on the policy to control access to the second server.
Dependent claims: 13, 14, 15, 16.

17. A method for processing packets by a packet switching device, the method comprising:
- authenticating a user using the 802.1x protocol with a server and, in response, receiving a non-network address user group identifier corresponding to said authenticated user from the server; and
- for each particular packet of a plurality of packets received from the user: performing a lookup based on a non-source address field of the particular packet to identify a second non-network address identifier, and performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address identifier to identify a packet processing action to be performed on said particular packet.
Dependent claims: 18, 19, 20.

21. An apparatus for processing a packet, the apparatus comprising:
- input interface circuitry configured to receive the packet, the packet including a source address field and a second field;
- a source user group association mechanism configured to associate a non-network address user source group identifier with the packet;
- a group lookup mechanism configured to identify a second non-network address group identifier based on the second field; and
- a policy lookup mechanism configured to perform a lookup operation on a policy based on the non-network address user group identifier and the second non-network address identifier to identify a packet processing action to be performed on said particular packet.
Dependent claims: 22, 23.

24. An apparatus for processing packets, the apparatus comprising:
- means for authenticating a user;
- means for receiving a non-network address user group identifier corresponding to said authenticated user;
- means for receiving one or more policies associated with the non-network address user group identifier;
- means for receiving a packet and associating the non-network address user group identifier with said received packet, the received packet including a source address and a second field;
- means for identifying a second non-network address group identifier based on the second field; and
- means for performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address group identifier to identify a packet processing action to be performed on said received packet.
Dependent claims: 25, 26.