Virtual private data network session count limitation

US 7,493,395 B2
Filed: 09/01/2004
Issued: 02/17/2009
Est. Priority Date: 05/06/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, said method comprising:

maintaining a central database including group identifications, corresponding maximum numbers VPN sessions for each group, and corresonding network-wide VPN session counts for each group;

responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the central database to determine if the user'"'"'s VPN session would exceed by a predetermined number said corresponding maximum number of VPN sessions associated with said particular group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data communications network with a plurality of PoPs maintains a local database associated with each PoP and a central database somewhere on the data communications network. The local database contains a group identification such as a domain identification corresponding to a group of users, a maximum number of VPN sessions to provide the group of users at the PoP and a dynamic VPN session count corresponding to active VPN sessions currently provided to the group of users at the PoP. The central database contains a maximum number of VPN sessions to provide the group of users over the entire data communications network and a dynamic network-wide VPN session count corresponding to active VPN sessions currently provided to the group of users on the entire data communications network. Actions are taken when the group attempts to exceed either the local maximum number of sessions or the network-wide maximum number of sessions by more than a predetermined number. The actions may include assessing extra charges, denying access, and sending warning messages to appropriate recipients.

Citations

30 Claims

1. A method for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, said method comprising:
- maintaining a central database including group identifications, corresponding maximum numbers VPN sessions for each group, and corresonding network-wide VPN session counts for each group;
  
  responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the central database to determine if the user'"'"'s VPN session would exceed by a predetermined number said corresponding maximum number of VPN sessions associated with said particular group.

2. A local database checker associated with a particular PoP of a data communications network, the local database checker comprising:
- a network inter-face for interfacing with the data communications network; and
  
  at least one computing device coupled to the network interface and configured to, in response to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group, check a local database associated with the PoP to determine if the user'"'"'s VPN session would exceed by a predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP, the local database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP.
- View Dependent Claims (3, 4, 5)
- - 3. The local database checker according to claim 2 wherein the local database checker is operatively coupled to a VPN session rejecter configured to reject the user'"'"'s attempt to initiate a VPN session if the user'"'"'s log in would exceed by a first predetermined number the corresponding maximum number of VPN session associated with the particular group at the PoP.
  - 4. The local database checker according to claim 3 wherein the local database checker is operatively coupled to:
    - a session allower configured to allow the user'"'"'s attempt to initiate a VPN session if it is not rejected; and
      
      a VPN session count incrementer associated with the local database and the user'"'"'s group and responsive to allowing the user'"'"'s VPN session.
  - 5. The local database checker according to claim 4 wherein the local database checker is operatively coupled to:
    - a VPN start event publisher configured to publish VPN start events corresponding to a user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session; and
      
      a data communication network current VPN session count incrementer associated with the local database and the user'"'"'s group and responsive to allowing the user'"'"'s VPN session.

6. A VPN session limiter associated with a particular PoP of a data communications network, the VPN session limiter comprising:
- a network interface for interfacing with the data communications network; and
  
  at least one computing device coupled to the network interface and configured to, in response to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group;
  
  check a local database to determine if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP; and
  
  check the local database to determine if the user'"'"'s VPN session would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network, the local database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP.
- View Dependent Claims (7, 8, 9)
- - 7. The VPN session limiter according to claim 6 wherein the VPN session limiter is further configured to reject the user'"'"'s attempt to initiate a VPN session if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP or would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network.
  - 8. A VPN session limiter according to claim 7 wherein the VPN session limiter is further configured to:
    - allow the user'"'"'s VPN session if it is not rejected;
      
      increment a VPN session count associated the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session;
      
      publish a VPN start event corresponding to the user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session; and
      
      increment a data communications network current VPN session count at each subscribing PoP in response to the publishing of the VPN start event.
  - 9. The VPN session limiter of claim 8 wherein the VPN session limiter is further configured to:
    - decrement a VPN session count associated with the user'"'"'s group at the local database in response to a user'"'"'s VPN session termination;
      
      publish a VPN stop event corresponding to the user'"'"'s group to other subscribing PoPs in response to a user'"'"'s VPN session; and
      
      decrement a data communications network current VPN session count at each subscribing PoP in response to the publishing of the VPN stop event.

10. A network node associated with a particular PoP of a data communications network, the network node comprising:
- a VPN start event publisher configured to publish VPN start events corresponding to a user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session; and
  
  a data communications network current VPN session count incrementer associated with a local database and the user'"'"'s group and responsive to the user'"'"'s VPN session being allowed, the local database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP.

11. A network node associated with a particular PoP of a data communications network, the network node comprising:
- a VPN start event publisher configured to publish VPN start events corresponding to a user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session;
  
  a data communications network current VPN session count incrementer associated with a local database and the user'"'"'s group and responsive to allowing the user'"'"'s VPN session, the local database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP;
  
  a VPN session count decrementer associated with the local database and a user'"'"'s group and responsive to terminating the user'"'"'s VPN session;
  
  a VPN stop event publisher configured to publish VPN stop events corresponding to a user'"'"'s group to other subscribing PoPs in response to terminating the user'"'"'s VPN session; and
  
  a data communications network current VPN session count decrementer associated with the local database and the user'"'"'s group and responsive to terminating the user'"'"'s VPN session.

12. An apparatus for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, the apparatus comprising:
- means for maintaining a central database including group identifications, corresponding network-wide maximum numbers of VPN sessions for each group, and corresponding current network wide VPN session counts for each group;
  
  means for maintaining a local database associated with a particular PoP of the data communications network, the database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP;
  
  means for responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the central database to determine if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding network-wide maximum number of VPN sessions associated with the particular group;
  
  means for rejecting the user'"'"'s attempt to initiate a VPN session if the user'"'"'s log in would exceed by the first predetermined number the corresponding network-wide maximum number of VPN sessions associated with the particular group;
  
  means for responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the local database to determine if the user'"'"'s VPN session would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP; and
  
  means for rejecting the user'"'"'s attempt to initiate a VPN session if the user'"'"'s VPN session would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus according to claim 12, wherein the first predetermined number is zero.
  - 14. The apparatus according to claim 12, wherein the second predetermined number is zero.
  - 15. The apparatus according to claim 14, wherein the first predetermined number is zero.
  - 16. The apparatus according to claim 12, further comprising:
    - means for allowing the user'"'"'s attempt to initiate a VPN session if it would not exceed any maximum number of VPN sessions associated with the user'"'"'s group;
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session; and
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the central database in response to allowing the user'"'"'s VPN session.
  - 17. The apparatus according to claim 12, further comprising:
    - means for allowing the user'"'"'s attempt to initiate a VPN session if it would not exceed any maximum number of VPN sessions associated with the user'"'"'s group;
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session; and
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the central database in response to allowing the user'"'"'s VPN session.

18. An apparatus for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, the apparatus comprising:
- means for maintaining a local database associated with a particular PoP of the data communications network, the database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, corresponding current VPN session counts for each group at the PoP, corresponding maximum numbers of VPN sessions for each group on the data communications network, and corresponding current network-wide VPN session counts for each group on the data communications network; and
  
  means for responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the local database to determine if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP and checking the local database to determine if the user'"'"'s VPN session would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network.
- View Dependent Claims (19, 20, 21)
- - 19. The apparatus according to claim 18, further comprising:
    - means for rejecting the user'"'"'s attempt to initiate a VPN session if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP or would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network.
  - 20. The apparatus according to claim 19, further comprising:
    - means for allowing the user'"'"'s VPN session if it is not rejected;
      
      means for incrementing a VPN session count associated the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session;
      
      means for first publishing a VPN start event corresponding to the user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session; and
      
      means for incrementing a data communications network current VPN session count at each subscribing PoP in response to the first publishing.
  - 21. The apparatus according to claim 20, further comprising:
    - means for decrementing a VPN session count associated with the user'"'"'s group at the local database in response to a user'"'"'s VPN session termination;
      
      means for second publishing a VPN stop event corresponding to the user'"'"'s group to other subscribing PoPs in response to a user'"'"'s VPN session; and
      
      means for decrementing a data communications network current VPN session count at each subscribing PoP in response to the second publishing.

22. An apparatus for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, the apparatus comprising:
- means for maintaining a local database associated with a particular PoP of the data communications network, the database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, corresponding current VPN session counts for each group at the PoP, corresponding maximum numbers of VPN sessions for each group on the data communications network, and corresponding current network-wide VPN session counts for each group on the data communications network;
  
  means for responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the local database to determine if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP and checking the local database to determine if the user'"'"'s VPN session would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network;
  
  means for rejecting the user'"'"'s attempt to initiate a VPN session if the user'"'"'s VPN session would exceed by a first predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP or would exceed by a second predetermined number the corresponding maximum number of VPN sessions associated with the particular group on the data communications network;
  
  means for allowing the user'"'"'s VPN session if it is not rejected;
  
  means for incrementing a VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session;
  
  publishing a VPN start event corresponding to the user'"'"'s group to other subscribing PoPs in response to allowing the user'"'"'s VPN session; and
  
  means for incrementing a data communications network current VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session.
- View Dependent Claims (23, 24, 25)
- - 23. The apparatus according to claim 22, further comprising:
    - means for receiving a VPN start event publication corresponding to the user'"'"'s group from one of the other subscribing PoPs in response to the allowance of a VPN session by one of the subscribing PoPs; and
      
      means for incrementing the data communications network current VPN session count associated with the user'"'"'s group at the local database in response to the receiving.
  - 24. The apparatus according to claim 22, further comprising:
    - means for decrementing the VPN session count associated with the user'"'"'s group at the local database in response to terminating the user'"'"'s VPN session; and
      
      means for publishing a VPN stop event corresponding to the user'"'"'s group to other subscribing PoPs in response to terminating the user'"'"'s VPN session.
  - 25. The apparatus according to claim 22, further comprising:
    - means for receiving a VPN stop event publication corresponding to the user'"'"'s group from one of the other subscribing PoPs in response to the termination of a VPN session at one of the subscribing PoPs; and
      
      means for decrementing the data communications network current VPN session count associated with the user'"'"'s group at the local database in response to the receiving.

26. An apparatus for limiting the number of VPN sessions raised by users belonging to a particular group in a data communications network to a predetermined number, the apparatus comprising:
- means for maintaining a local database associated with a particular PoP of the data communications network, the database being part of a set of distributed databases and including group identifications, corresponding maximum numbers of VPN sessions for each group at the PoP, and corresponding current VPN session counts for each group at the PoP; and
  
  means for responding to a user'"'"'s attempt to initiate a VPN session on the data communications network as a member of a particular group by checking the local database to determine if the user'"'"'s VPN session would exceed by a predetermined number the corresponding maximum number of VPN sessions associated with the particular group at the PoP.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The apparatus according to claim 26, further comprising:
    - means for rejecting the user'"'"'s attempt to initiate a VPN session if the user'"'"'s VPN session would exceed by a predetermined number the corresponding maximum number of VPN sessions associated with the particular group.
  - 28. The apparatus according to claim 27, wherein the predetermined number is zero.
  - 29. The apparatus according to claim 26, further comprising:
    - means for allowing the user'"'"'s attempt to initiate a VPN session if it would not exceed any maximum number of VPN sessions associated with the user'"'"'s group; and
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN session.
  - 30. The apparatus according to claim 27, further comprising:
    - means for allowing the user'"'"'s attempt to initiate a VPN session if it would not exceed any maximum number of VPN sessions associated with the user'"'"'s group; and
      
      means for incrementing a VPN session count associated with the user'"'"'s group at the local database in response to allowing the user'"'"'s VPN sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Yager, Charles Troper, Alesso, Craig Michael, Sitaraman, Aravind
Primary Examiner(s)
SALAD, ABDULLAHI ELMI

Application Number

US10/933,101
Publication Number

US 20050044237A1
Time in Patent Office

1,630 Days
Field of Search

709223-229
US Class Current

709/225
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4679   Arrangements for the regist...

H04L 67/14   Session management for real...

H04L 67/535   Tracking the activity of th...

H04L 69/329   in the application layer [O...

Virtual private data network session count limitation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private data network session count limitation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links