Policy-based processing of packets

US 7,724,728 B2
Filed: 05/05/2005
Issued: 05/25/2010
Est. Priority Date: 04/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets performed by a packet switching device, the method comprising:

authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies, with said operations of authenticating the user and configuring the packet switching device including;

using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;

associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and

querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and

subsequent to said operations of authenticating the user and configuring the packet switching device, for each particular packet of the plurality of packets;

receiving said particular packet, with said particular packet including the source address and a second field;

associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;

identifying a second non-network address group identifier based on the second field of said received particular packet;

performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and

processing, by the packet switching device, said received particular packet based on the packet processing action said identified.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.

41 Citations

View as Search Results

11 Claims

1. A method for processing packets performed by a packet switching device, the method comprising:
- authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies, with said operations of authenticating the user and configuring the packet switching device including;
  
  using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;
  
  associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and
  
  querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and
  
  subsequent to said operations of authenticating the user and configuring the packet switching device, for each particular packet of the plurality of packets;
  
  receiving said particular packet, with said particular packet including the source address and a second field;
  
  associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;
  
  identifying a second non-network address group identifier based on the second field of said received particular packet;
  
  performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and
  
  processing, by the packet switching device, said received particular packet based on the packet processing action said identified.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the second field includes a destination address.
  - 3. The method of claim 2, wherein the destination address corresponds to a server.
  - 4. The method of claim 1, wherein said one or more policies do not include any network addresses.
  - 5. The method of claim 1, wherein said one or more policies are received from the policy server located remotely from the packet switching device.
  - 6. The method of claim 1, wherein the user is assigned an Internet Protocol address for use in sending packets subsequent to said receipt of the non-network address user group identifier corresponding to said authenticated user.
  - 7. The method of claim 1, wherein the said one or more policies are defined to the policy server in at least one access control list (ACL).

8. A packet switching device, comprising:
- means for authenticating a user and configuring the packet switching device to process a plurality of packets from the user using one or more policies configured to perform operations including;
  
  using an authentication server to determine that the user is authorized, and in response, receiving a non-network address user group identifier corresponding to said authenticated user from the authentication server;
  
  associating a source address of the user with said received non-network address user group identifier for use in identifying the non-network address user group identifier, by the packet switching device, for packets received from the user; and
  
  querying a policy server based on said received non-network address user group identifier, and in response, receiving said one or more policies associated with the non-network address user group identifier for use in determining how the packet switching device should process packets from the user; and
  
  means for receiving and processing each particular packet of the plurality of packets configured to perform particular operations subsequent to said means for authenticating a user and configuring the packet switching device said authenticating the user and configuring the packet switching device, with said particular operations including;
  
  receiving said particular packet, with said particular packet including the source address and a second field;
  
  associating the non-network address user group identifier with said received particular packet based on the source address of said particular packet;
  
  identifying a second non-network address group identifier based on the second field of said received particular packet;
  
  performing a lookup operation, based on the non-network address user group identifier and the second non-network address group identifier without the source address nor the second field, on said received one or more policies to identify a packet processing action to be performed on said received particular packet; and
  
  processing, by the packet switching device, said received particular packet based on the packet processing action said identified.
- View Dependent Claims (9, 10, 11)
- - 9. The packet switching device of claim 8, wherein the policy server is located remotely from the packet switching device.
  - 10. The packet switching device of claim 8, wherein the user is assigned an Internet Protocol address for use in sending packets subsequent to said receipt of the non-network address user group identifier corresponding to said authenticated user.
  - 11. The packet switching device of claim 8, wherein the said one or more policies are defined to the policy server in at least one access control list (ACL).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ponnapalli, Ramesh V N, Kenghe, Ambarish, Devireddy, Dileep Kumar, Pullela, Venkateshwar Rao, Gurajapu, Suresh
Primary Examiner(s)
Vu; Huy D
Assistant Examiner(s)
RENNER, BRANDON M

Application Number

US11/122,612
Publication Number

US 20060233173A1
Time in Patent Office

1,846 Days
Field of Search

370352-356, 370/395.2, 370/395.21, 370/395.3, 370/395.42
US Class Current

370/352
CPC Class Codes

H04L 12/4641 Virtual LANs, VLANs, e.g. v...

Policy-based processing of packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Policy-based processing of packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others