Policy-based processing of packets

US 20060233173A1
Filed: 05/05/2005
Published: 10/19/2006
Est. Priority Date: 04/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets performed by a packet switching device, the method comprising:

authenticating a user;

receiving a non-network address user group identifier corresponding to said authenticated user;

receiving one or more policies associated with the non-network address user group identifier;

receiving a packet and associating the non-network address user group identifier with said received packet, the received packet including a source address and a second field;

identifying a second non-network address group identifier based on the second field; and

performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address group identifier to identify a packet processing action to be performed on said received packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

48 Citations

View as Search Results

26 Claims

1. A method for processing packets performed by a packet switching device, the method comprising:
- authenticating a user;
  
  receiving a non-network address user group identifier corresponding to said authenticated user;
  
  receiving one or more policies associated with the non-network address user group identifier;
  
  receiving a packet and associating the non-network address user group identifier with said received packet, the received packet including a source address and a second field;
  
  identifying a second non-network address group identifier based on the second field; and
  
  performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address group identifier to identify a packet processing action to be performed on said received packet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the second field includes a destination address.
  - 3. The method of claim 2, wherein the destination address corresponds to a server.
  - 4. The method of claim 1, wherein said one or more policies do not include any network addresses.
  - 5. The method of claim 1, wherein said one or more policies are received from a policy server located remotely from the packet switching device.
  - 6. The method of claim 1, comprising:
    - in response to identifying that the packet switching device does not have a policy corresponding to the non-network address user group identifier, requesting at least one policy from a policy server prior to said receiving said one or more policies.

7. A method for processing packets based on a policy identifying a non-network address first group identifier corresponding to a first group and a non-network address second group identifier corresponding to a second group, the first group including a first user and a second user, and the second group including a first server;
- the method comprising;
  
  a first packet switching device receiving the policy;
  
  a second packet switching device receiving the policy;
  
  the first packet switching device receiving a first plurality of packets from the first user and processing the first plurality of packets based on the policy to control access to the first server; and
  
  the second packet switching device receiving a second plurality of packets from the second user and processing the second plurality of packets based on the policy to control access to the first server.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, wherein the policy does not specify the first user nor the second user.
  - 9. The method of claim 8, wherein the policy does not specify the first server.
  - 10. The method of claim 7, wherein said processing the first plurality of packets based on the policy includes performing a lookup operation on the policy based on the first group identifier and the second group identifier.
  - 11. The method of claim 7, wherein said processing the second plurality of packets based on the policy includes performing a lookup operation on the policy based on the first group identifier and the second group identifier.

12. A method for processing packets based on a policy identifying a non-network address first group identifier corresponding to a first group and a non-network address second group identifier corresponding to a second group, the first group including a first user and a second user, and the second group including a first server and a second server;
- the method comprising;
  
  a first packet switching device receiving the policy;
  
  a second packet switching device receiving the policy;
  
  the first packet switching device receiving a first plurality of packets from the first user and processing the first plurality of packets based on the policy to control access to the first server; and
  
  the second packet switching device receiving a second plurality of packets from the second user and processing the second plurality of packets based on the policy to control access to the second server.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the policy does not specify the first user nor the second user.
  - 14. The method of claim 13, wherein the policy does not specify the first server nor the second server.
  - 15. The method of claim 12, wherein said processing the first plurality of packets based on the policy includes performing a lookup operation on the policy based on the first group identifier and the second group identifier.
  - 16. The method of claim 12, wherein said processing the second plurality of packets based on the policy includes performing a lookup operation on the policy based on the first group identifier and the second group identifier.

17. A method for processing packets by a packet switching device, the method comprising:
- authenticating a user using 802.1x protocol with a server and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the server; and
  
  for each particular packet of a plurality of packets received from the user;
  
  performing a lookup based on a non-source address field of the plurality packet to identify a second non-network address identifier, and performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address identifier to identify a packet processing action to be performed on said particular packet.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the policy is propagated to a plurality of packet switching devices;
    - and wherein the non-network address user group identifier is associated with a plurality of users.
  - 19. The method of claim 17, wherein the policy is programmed into one or more associative memories, and said lookup on the policy includes performing a lookup operation on said one or more associative memories.
  - 20. The method of claim 17, wherein said one or more associative memories includes at least one ternary content-addressable memory.

21. An apparatus for processing a packet, the apparatus comprising:
- input interface circuitry configured to receive the packet, the packet including a source address field and a second field;
  
  a source user group association mechanism configured to associate a non-network address user source group identifier with the packet;
  
  a group lookup mechanism configured to identify a second non-network address group identifier based on the second field; and
  
  a policy lookup mechanism configured to perform a lookup operation on a policy based on the non-network address user group identifier and the second non-network address identifier to identify a packet processing action to be performed on said particular packet.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21, wherein the policy lookup mechanism includes an associative memory programmed with the policy.
  - 23. The apparatus of claim 21, wherein the group lookup mechanism includes a second associative memory programmed with an association between the second field and the second non-network address group identifier.

24. An apparatus for processing packets, the apparatus comprising:
- means for authenticating a user;
  
  means for receiving a non-network address user group identifier corresponding to said authenticated user;
  
  means for receiving one or more policies associated with the non-network address user group identifier;
  
  means for receiving a packet and associating the non-network address user group identifier with said received packet, the received packet including a source address and a second field;
  
  means for identifying a second non-network address group identifier based on the second field; and
  
  means for performing a lookup operation on a policy based on the non-network address user group identifier and the second non-network address group identifier to identify a packet processing action to be performed on said received packet.
- View Dependent Claims (25, 26)
- - 25. The apparatus of claim 24, wherein said one or more policies are received from a policy server located remotely from the apparatus.
  - 26. The apparatus of claim 24, including means for requesting at least one policy from a policy server prior to said receiving said one or more policies in response to identifying that the packet switching device does not have a policy corresponding to the non-network address user group identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ponnapalli, Ramesh V.N, Devireddy, Dileep Kumar, Pullela, Venkateshwar Rao, Kenghe, Ambarish, Gurajapu, Suresh

Granted Patent

US 7,724,728 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4641 Virtual LANs, VLANs, e.g. v...

Policy-based processing of packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based processing of packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links