Methods and apparatus for providing multiple policies for a virtual private network

US 7,613,826 B2
Filed: 02/09/2006
Issued: 11/03/2009
Est. Priority Date: 02/09/2006
Status: Active Grant

First Claim

Patent Images

1. In a device, in a network, a method of providing policies to a first and second traffic partition in the network, the method comprising:

providing a request for a first and second policy from a policy server;

receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device and the first policy defining a first encryption key and first address range within the network;

receiving the second policy from the policy server, the second policy indicating processing to be applied to the second traffic partition passing through the device and the second policy defining a second address range within the network;

configuring, for the first traffic partition within the device, the first policy within a first routing structure associated with the first traffic partition with the first address range;

configuring, for the second traffic partition within the device, the second policy within a second routing structure associated with the second traffic partition with the second address range, the second address range overlapping the first address range;

routing a first stream of traffic for the first routing structure in accordance with the first policy for the first routing structure; and

routing a second stream of traffic for the second routing structure in accordance with the second policy for the second routing structure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides a request for a policy from a policy server, and receives the policy from the policy server. The policy indicates processing to be applied to a traffic partition passing through the device. The system configures the policy within a routing structure associated with the traffic partition for the policy in the device, and routes a stream of traffic for the routing structure in accordance with the policy for that routing structure.

72 Citations

View as Search Results

18 Claims

1. In a device, in a network, a method of providing policies to a first and second traffic partition in the network, the method comprising:
- providing a request for a first and second policy from a policy server;
  
  receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device and the first policy defining a first encryption key and first address range within the network;
  
  receiving the second policy from the policy server, the second policy indicating processing to be applied to the second traffic partition passing through the device and the second policy defining a second address range within the network;
  
  configuring, for the first traffic partition within the device, the first policy within a first routing structure associated with the first traffic partition with the first address range;
  
  configuring, for the second traffic partition within the device, the second policy within a second routing structure associated with the second traffic partition with the second address range, the second address range overlapping the first address range;
  
  routing a first stream of traffic for the first routing structure in accordance with the first policy for the first routing structure; and
  
  routing a second stream of traffic for the second routing structure in accordance with the second policy for the second routing structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein providing a request for the first and second policy from a policy server comprises:
    - notifying the policy server of the presence of the device; and
      
      notifying the policy server that the device is active.
  - 3. The method of claim 2 wherein notifying the policy server that the device is active comprises:
    - receiving an authentication message from the policy server; and
      
      responding to the authentication message from the policy server.
  - 4. The method of claim 1 wherein the policy server is a plurality of policy servers and wherein receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device comprises:
    - receiving the first policy from at least one policy server of the plurality of policy servers.
  - 5. The method of claim 4 wherein the first policy is a plurality of policies and wherein receiving the first policy from at least one policy server of the plurality of policy servers comprises:
    - receiving at least one policy from the plurality of policies, the at least one policy received from at least one policy server of the plurality of policy servers.
  - 6. The method of claim 5 wherein receiving at least one policy from the plurality of policies, the at least one policy received from at least one policy server of the plurality of policy servers comprises:
    - providing an identity of the device onto the network to allow the plurality of policy servers to receive the identity of the device to determine whether the plurality of policy servers have at least one policy from the plurality of policies for that device; and
      
      in response, providing the at least one policy for that device to the device, when the identity of the device is associated with the at least one policy from the plurality of policies.
  - 7. The method of claim 1 wherein the first traffic partition is a plurality of traffic partitions and wherein receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device comprises:
    - receiving a policy dedicated to the plurality of traffic partitions.
  - 8. The method of claim 1 wherein routing a stream of traffic for the first routing structure in accordance with the policy for that routing structure comprises:
    - applying the first policy to the stream of traffic passing through the first traffic partition on the device in the network; and
      
      processing the stream of traffic for the first routing structure within at least one constraint defined by the first policy.

9. In a router, in a network, a method of providing a policy to a traffic partition that is a virtual private network, the policy defining security processing for the virtual private network on the network, the method comprising:
- providing a request for the policy from a policy server dedicated to providing security processing for the virtual private network;
  
  Wherein, receiving the policy from the policy server, the policy indicating processing to be applied to the traffic partition passing through the router comprises;
  
  receiving the policy from the dedicated policy server, the policy indicating security processing to be applied to the virtual private network passing through the router;
  
  wherein configuring the policy within a routing structure associated with the traffic partition for the policy in the router comprises;
  
  configuring the policy within a virtual routing and forwarding instance associated with the virtual private network passing through the router; and
  
  wherein routing a stream of traffic for the routing structure in accordance with the policy for that routing structure comprises;
  
  routing a stream of traffic for the virtual routing and forwarding instance in accordance with the security processing for that virtual routing and forwarding instance.

10. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a policy providing application that when executed on the processor provides policies to a first and second traffic partition on the computerized device by performing the operations of;
  
  providing a request for a first and second policy from a policy server;
  
  receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device and the first policy defining a first encryption key and first address range within the network;
  
  receiving the second policy from the policy server, the second policy indicating processing to be applied to the second traffic partition passing through the device and the second policy defining a second address range within the network;
  
  configuring, for the first traffic partition within the device, the first policy within a first routing structure associated with the first traffic partition with the first address range;
  
  configuring, for the second traffic partition within the device, the second policy within a second routing structure associated with the second traffic partition with the second address range, the second address range overlapping the first address range;
  
  routing a first stream of traffic for the first routing structure in accordance with the first policy for the first routing structure; and
  
  routing a second stream of traffic for the second routing structure in accordance with the second policy for the second routing structure.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computerized device of claim 10 wherein when the computerized device performs the operation of providing a request for the first and second policy from a policy server, the computerized device performs the operations of:
    - notifying the policy server of the presence of the device; and
      
      notifying the policy server that the device is active.
  - 12. The computerized device of claim 11 wherein when the computerized device performs the operation of notifying the policy server that the device is active, the computerized device performs the operations of:
    - receiving an authentication message from the policy server; and
      
      responding to the authentication message from the policy server.
  - 13. The computerized device of claim 10 wherein the policy server is a plurality of policy servers and wherein when the computerized device performs the operation of receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device, the computerized device performs the operation of:
    - receiving the first policy from at least one policy server of the plurality of policy servers.
  - 14. The computerized device of claim 13 wherein the first policy is a plurality of policies and wherein when the computerized device performs the operation of receiving the first policy from at least one policy server of the plurality of policy servers, the computerized device performs the operation of:
    - receiving at least one policy from the plurality of policies, the at least one policy received from at least one policy server of the plurality of policy servers.
  - 15. The computerized device of claim 14 wherein when the computerized device performs the operation of receiving at least one policy from the plurality of policies, the at least one policy received from at least one policy server of the plurality of policy servers, the computerized device performs the operations of:
    - providing an identity of the device onto the network to allow the plurality of policy servers to receive the identity of the device to determine whether the plurality of policy servers have at least one policy from the plurality of policies for that device; and
      
      in response, providing the last least one policy for that device to the device, when the identity of the device is associated with the at least one policy from the plurality of policies.
  - 16. The computerized device of claim 10 wherein the first traffic partition is a plurality of traffic partitions and wherein when the computerized device performs the operation of receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device, the computerized device performs the operation of:
    - receiving a policy dedicated to the plurality of traffic partitions.

17. A router, in a network, wherein a policy to a traffic partition is a virtual private network, the policy defining security processing for the virtual private network on the network, the router configured to perform the operations of:
- providing a request for a policy from a policy server dedicated to providing security processing for the virtual private network in the network, the virtual private network passing through the router;
  
  wherein when the router performs an operation of receiving the policy from the policy server, the policy indicating processing to be applied to the traffic partition passing through the router, the router performs the operation of;
  
  receiving the policy from the dedicated policy server, the policy indicating security processing to be applied to the virtual private network passing through the router; and
  
  wherein when the router performs the operation of configuring the policy within a routing structure associated with the traffic partition for the policy in the router, the router performs the operation of;
  
  configuring the policy within a virtual routing and forwarding instance associated with the virtual private network passing through the router; and
  
  wherein when the router performs the operation of routing a stream of traffic for the routing structure in accordance with the policy for that routing structure, the router performs the operation of;
  
  routing a steam of traffic for the virtual routing and forwarding instance in accordance with the security processing for that virtual routing and forwarding instance.

18. A computer readable medium encoded with computer programming logic that when executed on a process in a computerized device produces a policy providing process that provides policies by causing the computerized device to perform the operations of:
- providing a request for a first and second policy from a policy server;
  
  receiving the first policy from the policy server, the first policy indicating processing to be applied to the first traffic partition passing through the device and the first policy defining a first encryption key and first address range within the network;
  
  receiving the second policy from the policy server, the second policy indicating processing to be applied to the second traffic partition passing through the device and the second policy defining a second encryption key and second address range within the network;
  
  configuring, for the first traffic partition within the device, the first policy within a first routing structure associated with the first traffic partition with the first address range;
  
  configuring, for the second traffic partition within the device, the second policy within a second routing structure associated with the second traffic partition with the second address range, the second address range overlapping the first address range;
  
  routing a first stream of traffic for the first routing structure in accordance with the first policy for the first routing structure; and
  
  routing a second stream of traffic for the second routing structure in accordance with the second policy for the second routing structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Khalid, Mohamed, Guichard, James N., Wainner, W. Scott, Weis, Brian E.
Primary Examiner(s)
Meky; Moustafa M

Application Number

US11/350,991
Publication Number

US 20070186009A1
Time in Patent Office

1,363 Days
Field of Search

709200-203, 709217-227, 709/238, 713/153, 713/154
US Class Current

709/238
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/00   Routing or path finding of ...

H04L 45/42   Centralised routing

H04L 45/586   of virtual routers

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/20   Traffic policing

H04L 63/0272   Virtual private networks

Methods and apparatus for providing multiple policies for a virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for providing multiple policies for a virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links