Access control listing mechanism for routers
Abstract
A method and apparatus are provided for maintaining access control lists (ACLs) within TCAM on a line card in a data packet router, the rules being applied to incoming data packets. Each interface may be associated with multiple ACLs, and multiple interfaces may be associated with single shared ACLs. The shared ACLs include rules applicable to more than one interface. Other ACLs are specific to a particular interface. When searching for a rule to apply to an incoming data packet, the filter searches both the specific ACL and the shared ACLs associated with the interface over which the data packet arrived. Using the shared ACLs, duplication of common rules is reduced, thereby reducing the total number of rules stored on the line card and saving memory storage space. The invention is also applicable to sets of rules other than ACLs.
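The abstract describes a lookup that binds each interface to an interface-specific ACL plus a shared ACL, matches the packet key against both, and stores the shared rules once so the TCAM holds fewer entries. The model below is an added illustration of that scheme, not the patent's own implementation or any vendor's code. It assumes a key layout (src, dst, protocol, destination port), a precedence (the interface-specific ACL is searched before the shared ACL and the first hit ends the search), and an implicit deny when nothing matches; the claims leave all three open. The ACL names, interface names and rules are constructed sample data.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple

# Assumed key layout (not specified by the patent): src(32) | dst(32) | proto(8) | dport(16)
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT, DPORT_SHIFT = 56, 24, 16, 0


class Rule(NamedTuple):
    value: int   # bits that must equal the key wherever mask is set
    mask: int    # set bits are compared, clear bits are "don't care" (the ternary part)
    action: str  # "permit" or "deny"
    text: str    # readable form for logs


def packet_key(src: str, dst: str, proto: int, dport: int) -> int:
    """Pack the header fields the line card extracts into the single lookup key."""
    return ((int(ip_address(src)) << SRC_SHIFT) | (int(ip_address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | (dport << DPORT_SHIFT))


def rule(action: str, src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0",
         proto: Optional[int] = None, dport: Optional[int] = None) -> Rule:
    """Compile a CIDR/proto/port rule into one TCAM-style (value, mask) entry.
    A /0 prefix or a None field leaves its mask bits clear, i.e. matches anything."""
    value = mask = 0
    for cidr, shift in ((src, SRC_SHIFT), (dst, DST_SHIFT)):
        net = ip_network(cidr)
        value |= int(net.network_address) << shift
        mask |= int(net.netmask) << shift
    if proto is not None:
        value |= proto << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    if dport is not None:
        value |= dport << DPORT_SHIFT
        mask |= 0xFFFF << DPORT_SHIFT
    return Rule(value, mask, action, f"{action} {src} -> {dst} proto={proto} dport={dport}")


def search_acl(acl: list, key: int) -> Optional[Tuple[int, Rule]]:
    """TCAM semantics: the first entry (lowest index = highest priority) whose
    masked bits equal the key wins; later matching entries are never reached."""
    for index, r in enumerate(acl):
        if key & r.mask == r.value:
            return index, r
    return None


def lookup(bindings: dict, acls: dict, iface: str, key: int) -> Tuple[str, Optional[str], Optional[int]]:
    """Search every ACL bound to the ingress interface. Assumed precedence: ACLs are
    consulted in binding order (interface-specific ACL first, then the shared ACL)
    and the first hit ends the search. With no hit anywhere, assume implicit deny."""
    for acl_name in bindings[iface]:
        hit = search_acl(acls[acl_name], key)
        if hit is not None:
            return hit[1].action, acl_name, hit[0]
    return "deny", None, None


def tcam_entries(bindings: dict, acls: dict) -> Tuple[int, int]:
    """(entries used when each bound ACL is stored once,
        entries needed if every interface carried its own private copy)."""
    bound = {name for names in bindings.values() for name in names}
    shared_once = sum(len(acls[name]) for name in bound)
    per_interface_copies = sum(len(acls[name]) for names in bindings.values() for name in names)
    return shared_once, per_interface_copies


# Constructed sample rule base: one shared ACL for two interfaces plus one specific ACL each.
ACLS = {
    "SHARED-INFRA": [
        rule("deny", src="10.0.0.0/8", dst="192.0.2.0/24"),  # internal ranges may not reach the DMZ
        rule("deny", proto=6, dport=23),                     # no telnet anywhere
        rule("permit", proto=6, dport=443),                  # HTTPS allowed everywhere
    ],
    "GE0-ONLY": [rule("permit", src="198.51.100.0/24", proto=17, dport=53)],
    "GE1-ONLY": [rule("deny", src="203.0.113.0/24")],
}
BINDINGS = {"ge0": ["GE0-ONLY", "SHARED-INFRA"], "ge1": ["GE1-ONLY", "SHARED-INFRA"]}


if __name__ == "__main__":
    for iface, pkt in (("ge0", ("198.51.100.7", "192.0.2.9", 17, 53)),
                       ("ge1", ("203.0.113.5", "192.0.2.1", 6, 443)),
                       ("ge0", ("203.0.113.5", "192.0.2.1", 6, 443))):
        print(iface, pkt, "->", lookup(BINDINGS, ACLS, iface, packet_key(*pkt)))
    print("TCAM entries (shared once / duplicated per interface):", tcam_entries(BINDINGS, ACLS))
```

With the sample data the shared ACL costs 3 entries once instead of 3 per interface, so two interfaces need 5 entries rather than 8, which is the saving the abstract claims. The security-relevant detail the abstract does not settle is precedence: the same HTTPS packet from 203.0.113.5 is denied on ge1 (its specific ACL is consulted first) but permitted on ge0 by the shared ACL. If a hardware implementation searched the shared ACL first, or merged both ACLs into one priority space, a shared permit could shadow an interface-specific deny, so whichever ordering the line card applies when both ACLs match must be fixed, documented and tested.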
Claims (21)

1. A method of determining rules to be applied to a data packet arriving at a first interface within a data packet router, comprising the steps of:
- associating at least two sets of rules with the first interface, at least one of the sets of rules being a shared set of rules also associated with a second interface, wherein Ternary Content Addressable Memory (TCAM) storage space is saved by storing the shared set of rules in a first Access Control List (ACL);
- storing a set of rules specific to only the first interface in a second ACL;
- determining a key of the data packet;
- searching both the first ACL and the second ACL to determine at least one rule matching the key; and
- applying an action associated with the key-matching rule to the data packet.
(Dependent claims 2, 3, 4, 5, 6, 7)

8. A method of providing security in a data packet router at which a data packet arrives at a first interface, comprising the steps of:
- associating at least two sets of rules with the first interface, at least one of the sets of rules being a shared set of rules also associated with a second interface, each rule in the at least two sets of rules having an associated action, wherein Ternary Content Addressable Memory (TCAM) storage space is saved by storing the shared set of rules in a first Access Control List (ACL);
- storing a set of rules specific to only the first interface in a second ACL;
- determining a key of the data packet;
- searching both the first ACL and the second ACL for at least one rule matching the key; and
- when at least one rule matching the key is found, applying the action associated with the key-matching rule to the data packet.
(Dependent claims 9, 10, 11, 12, 13, 14)

15. A line card comprising:
- a first interface;
- a second interface;
- a first set of rules specific to only the first interface;
- a second set of rules shared by the first interface and the second interface;
- wherein Ternary Content Addressable Memory (TCAM) storage space is saved by storing the second set of rules in a first Access Control List (ACL) and by storing the first set of rules in a second ACL;
- means for searching both the first ACL and the second ACL to determine at least one rule applicable to individual data packets arriving at the first interface; and
- applying an action associated with the at least one rule to the data packets.
(Dependent claims 16, 17, 18, 19, 20)

21. A computer-readable medium including instructions for providing security in a data packet router at which a data packet arrives at a first interface, comprising:
- instructions for associating at least two sets of rules with the first interface, at least one of the sets of rules being a shared set of rules also associated with a second interface, each rule in the at least two sets of rules having an associated action, wherein Ternary Content Addressable Memory (TCAM) storage space is saved by storing the shared set of rules in a first Access Control List (ACL) and by storing a set of rules specific to the first interface in a second ACL;
- instructions for determining a key of the data packet;
- instructions for searching both the first ACL and the second ACL for at least one rule matching the key; and
- instructions for applying the action associated with each of the at least one rule to the data packet, when at least one rule matching the key is found.
Specification