Method and system for policy-based forwarding

US 7,792,113 B1
Filed: 10/21/2002
Issued: 09/07/2010
Est. Priority Date: 10/21/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, using a processor of a network device, if a packet is subject to a policy, whereinsaid packet is identified by analyzing, using said processor, said packet using a filtering rule, andsaid analyzing comprisesdetermining, using said processor, whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in a forwarding table, anddetermining, using said processor, whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address; and

forwarding said packet, wherein said forwarding said packet comprisesif said packet is subject to said policy,forwarding said packet to a policy-based forwarding engine of said network device, andperforming said forwarding said packet based on said policy usingsaid policy-based forwarding engine, whereinsaid performing said forwarding comprises rewriting said destination address based on an adjacency table, andif said packet is not subject to said policy,determining if said packet is subject to a forwarding rule, andif said packet is subject to said forwarding rule,forwarding said packet to a forwarding engine of said network device, andperforming said forwarding based on said forwarding rule using said forwarding engine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a network is disclosed. The method includes identifying a packet as being subject to a policy and forwarding said packet based on said policy, if said packet is subject to said policy.

184 Citations

57 Claims

1. A method comprising:
- determining, using a processor of a network device, if a packet is subject to a policy, whereinsaid packet is identified by analyzing, using said processor, said packet using a filtering rule, andsaid analyzing comprisesdetermining, using said processor, whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in a forwarding table, anddetermining, using said processor, whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address; and
  
  forwarding said packet, wherein said forwarding said packet comprisesif said packet is subject to said policy,forwarding said packet to a policy-based forwarding engine of said network device, andperforming said forwarding said packet based on said policy usingsaid policy-based forwarding engine, whereinsaid performing said forwarding comprises rewriting said destination address based on an adjacency table, andif said packet is not subject to said policy,determining if said packet is subject to a forwarding rule, andif said packet is subject to said forwarding rule,forwarding said packet to a forwarding engine of said network device, andperforming said forwarding based on said forwarding rule using said forwarding engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, whereinsaid filtering rule is based on a plurality of a destination media access control address, a source media access control address, a destination internet protocol address, a source internet protocol address, an Open System Interconnection (OSI) layer 4 protocol type, an OSI layer 5 protocol type, and an OSI layer 7 protocol type.
  - 3. The method of claim 1, further comprising:
    - determining if a portion of information in said packet is to be re-written.
  - 4. The method of claim 3, whereinsaid portion of said packet is at least some of protocol information of said packet.
  - 5. The method of claim 3, wherein said forwarding said packet based on said policy comprises:
    - redirecting said packet to a physical port, if said portion of information in said packet is not to be re-written; and
      
      re-writing said portion of said information in said packet, if said portion of information in said packet is to be re-written.
  - 6. The method of claim 5, whereinsaid portion of said packet is at least a portion of protocol information of said packet.
  - 7. The method of claim 1, wherein said identifying comprises:
    - searching in a forwarding table for a first destination address matching a destination address in said packet; and
      
      if said first destination address matching said destination address in said packet is found, determining if said first destination address matches a policy-based forwarding engine address of said policy-based forwarding engine.
  - 8. The method of claim 7, wherein said identifying further comprises:
    - if said first destination address matches said policy-based forwarding engine address, determining if a second destination address matches a destination address in said access control list entry in said access control list table.
  - 9. The method of claim 7, wherein said identifying further comprises:
    - if said first destination address matches said policy-based forwarding engine address, determining if a source address matches a source address in an access control list entry in access control list table.
  - 10. The method of claim 7, wherein said identifying further comprises:
    - if said first destination address matches said policy-based forwarding engine address, determining if a port address matches a port address in an access control list entry in access control list table.
  - 11. The method of claim 7, wherein said determining generates forwarding information, and further comprising:
    - accessing said adjacency table using said forwarding information to determine an outgoing interface, if said first destination address matches said policy-based forwarding engine address.
  - 12. The method of claim 11, further comprising:
    - using said forwarding information to access an adjacency table in order to determine an outgoing interface.
  - 13. The method of claim 12, wherein said forwarding comprises:
    - sending said packet to said outgoing interface.

14. A network element comprising:
- a policy-based forwarding engine, wherein;
  
  said policy-based forwarding engine is configured to implement policy-based forwarding, andsaid policy-based forwarding engine is configured to rewrite a destination address of a packet based on an adjacency table; and
  
  a forwarding engine, whereinsaid forwarding engine and said policy-based forwarding engine are coupled to receive a packet,said forwarding engine comprises a forwarding table,said forwarding table is configured to store a first destination address in an access control list associated with a virtual local area network,said forwarding engine is configured to determine if said packet is subject to a policy,said forwarding engine is configured to identify said packet by analyzing said packet using a filtering rule,said forwarding engine is configured to analyze said packet by determining whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in said forwarding table, andsaid forwarding engine is configured to analyze said packet by determining whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address,said forwarding engine is configured to, if said packet is not subject to said policy, determine if said packet is subject to a forwarding rule, andsaid first destination address is a destination address of a policy-based forwarding engine.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus of claim 14, whereinsaid first destination address is used for comparison with a destination address of said packet.
  - 16. The apparatus of claim 14, wherein said forwarding engine further comprises:
    - said access control list, wherein said access control list is configured to store a second destination address for comparison with a second destination address of said packet.
  - 17. The apparatus of claim 14, wherein said forwarding engine further comprises:
    - an access control list, wherein said access control list is configured to store a source address for comparison with a source address of said packet.
  - 18. The apparatus of claim 14, wherein said forwarding engine further comprises:
    - an access control list, wherein said access control list is configured to store a port address for comparison with a port address of said packet.
  - 19. The apparatus of claim 15, wherein said forwarding engine further comprises:
    - said adjacency table, wherein said adjacency table is configured to allow a determination to be made as to which one of a plurality of outgoing interfaces said packet should be sent.

20. A network element comprising:
- a processor;
  
  a forwarding engine, coupled to said processor;
  
  a policy-based forwarding engine, coupled to said processor;
  
  a computer readable storage medium coupled to said processor; and
  
  computer code, encoded in said computer readable storage medium, for operating a network and configured to cause said processor todetermine if a packet is subject to a policy, whereinsaid packet is identified by analyzing said packet using a filtering rule,said analyzing comprisesdetermining whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in a forwarding table, anddetermining whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address; and
  
  forward said packet, wherein said forwarding said packet comprisesif said packet is subject to said policy,forwarding said packet to said policy-based forwarding engine, andcausing said policy-based forwarding engine to perform said forwarding said packet based on said policy, wherein
  
  said causing said forwarding comprises rewriting said destination address based on an adjacency table, andif said packet is not subject to said policy,determining if said packet is subject to a forwarding rule, and
  
  if said packet is subject to said forwarding rule,
  
  forwarding said packet to said forwarding engine, and
  
  causing said forwarding engine to perform said forwarding based on said forwarding rule.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 21. The network element of claim 20, whereinsaid filtering rule is based on a plurality of a destination media access control address, a source media access control address, a destination internet protocol address, a source internet protocol address, an Open System Interconnection (OSI) layer 4 protocol type, an OSI layer 5 protocol type, and an OSI layer 7 protocol type.
  - 22. The network element of claim 20, wherein said computer code is further configured to cause said processor to:
    - determine if a portion of information in said packet is to be re-written.
  - 23. The network element of claim 22, whereinsaid portion of said packet is at least a portion of protocol information of said packet.
  - 24. The network element of claim 20, wherein said computer code configured to cause said processor to forward said packet based on said policy is further configured to cause said processor to:
    - redirect said packet to a physical port, if said portion of information in said packet is not to be re-written; and
      
      re-write said portion of said information in said packet, if said portion of information in said packet is to be re-written.
  - 25. The network element of claim 24, whereinsaid portion of said packet is at least some of protocol information of said packet.
  - 26. The network element of claim 20, wherein said computer code configured to cause said processor to identify is further configured to cause said processor to:
    - search in a forwarding table for a first destination address matching a destination address in said packet; and
      
      determine if said first destination address matches a policy-based forwarding engine address of said policy-based forwarding engine, if said first destination address matching said destination address in said packet is found.
  - 27. The network element of claim 26, wherein said computer code configured to cause said processor to identify is further configured to cause said processor to:
    - determine if a second destination address matches a destination address in said access control list entry in said access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 28. The network element of claim 26, wherein said computer code configured to cause said processor to identify is further configured to cause said processor to:
    - determine if a source address matches a source address in an access control list entry in an access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 29. The network element of claim 26, wherein said computer code configured to cause said processor to identify is further configured to cause said processor to:
    - determine if a port address matches a port address in an access control list entry in an access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 30. The network element of claim 26, whereinsaid computer code configured to cause said processor to determine is further configured to cause said processor to generate forwarding information, andsaid computer code is further configured to cause said processor to access said adjacency table using said forwarding information to determine an outgoing interface, if said first destination address matches said policy-based forwarding engine address.
  - 31. The network element of claim 30, wherein said computer code is further configured to cause said processor to:
    - use said forwarding information to access an adjacency table in order to determine an outgoing interface.
  - 32. The network element of claim 31, wherein said computer code configured to cause said processor to forward is further configured to cause said processor to:
    - send said packet to said outgoing interface.

33. A non-transitory computer-readable storage medium, storing a computer program product comprising:
- a first set of instructions, executable on a computer system, configured to determine if a packet is subject to a policy, whereinsaid packet is identified by analyzing said packet using a filtering rule, said analyzing comprisesdetermining whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in a forwarding table, anddetermining whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address; and
  
  a second set of instructions, executable on said computer system, configured to forward said packet, wherein said second set of instructions is further configured toif said packet is subject to said policy,forward said packet to a policy-based forwarding engine, andcause said policy-based forwarding engine to perform said forwarding said packet based on said policy, whereinsaid performing said forwarding comprises rewriting said destination address based on an adjacency table, andif said packet is not subject to said policy,determine if said packet is subject to a forwarding rule, andif said packet is subject to said forwarding rule,forward said packet to a forwarding engine, andcause said forwarding engine to perform said forwarding based on said forwarding rule.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 34. The non-transitory computer-readable storage medium of claim 33, said computer program product further comprising:
    - a fourth set of instructions, executable on said computer system, configured to determine if a portion of information in said packet is to be re-written.
  - 35. The non-transitory computer-readable storage medium of claim 34, wherein said portion of said packet is at least a portion of protocol information of said packet.
  - 36. The non-transitory computer-readable storage medium of claim 33, wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to redirect said packet to a physical port, if said portion of information in said packet is not to be re-written; and
      
      a second subset of instructions, executable on said computer system, configured to re-write said portion of said information in said packet, if said portion of information in said packet is to be re-written.
  - 37. The non-transitory computer-readable storage medium of claim 36, whereinsaid portion of said packet is at least some of protocol information of said packet.
  - 38. The non-transitory computer-readable storage medium of claim 33, wherein said first set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to search in a forwarding table for a first destination address matching a destination address in said packet; and
      
      a second subset of instructions, executable on said computer system, configured to determine if said first destination address matches a policy-based forwarding engine address of said policy-based forwarding engine, if said first destination address matching said destination address in said packet is found.
  - 39. The non-transitory computer-readable storage medium of claim 38, wherein said first set of instructions further comprises:
    - a third subset of instructions, executable on said computer system, configured to determine if a second destination address matches a destination address in said access control list entry in said access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 40. The non-transitory computer-readable storage medium of claim 38, wherein said first set of instructions further comprises:
    - a third subset of instructions, executable on said computer system, configured to determine if a source address matches a source address in said access control list entry in said access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 41. The non-transitory computer-readable storage medium of claim 38, wherein said first set of instructions further comprises:
    - a third subset of instructions, executable on said computer system, configured to determine if a port address matches a port address in said access control list entry in said access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 42. The non-transitory computer-readable storage medium of claim 38, wherein said third subset of instructions comprises a first subset of instructions, executable on said computer system, configured to generate forwarding information, and further comprising:
    - a fourth set of instructions, executable on said computer system, configured to access said adjacency table using said forwarding information to determine an outgoing interface, if said first destination address matches said policy-based forwarding engine address.
  - 43. The non-transitory computer-readable storage medium of claim 42, further comprising:
    - a fifth set of instructions, executable on said computer system, configured to use said forwarding information to access said adjacency table in order to determine an outgoing interface.
  - 44. The non-transitory computer-readable storage medium of claim 43, wherein said second set of instructions further comprises:
    - a first subset of instructions, executable on said computer system, configured to send said packet to said outgoing interface.

45. An apparatus for operating a network comprising:
- a forwarding engine;
  
  a policy-based forwarding engine;
  
  means for determining if a packet is subject to a policy, whereinsaid means for determining comprisesa means for analyzing said packet using a filtering rule,a means for determining whether a destination address of said packet is intended for forwarding across a boundary of a virtual local area network by looking up said destination address of said packet in a forwarding table, anda means for determining whether said packet matches an entry in an access control list table associated with said virtual local area network using said destination address; and
  
  means for forwarding said packet, wherein said means for forwarding said packet comprisesif said packet is subject to said policy,means for forwarding said packet to said policy-based forwarding engine, andmeans for causing said policy-based forwarding engine to perform said forwarding said packet based on said policy, wherein said means for performing said forwarding comprises means for rewriting said destination address based on an adjacency table, andif said packet is not subject to said policy,means for determining if said packet is subject to a forwarding rule, andif said packet is subject to a forwarding rule,means for forwarding said packet to said forwarding engine, andmeans for causing said forwarding engine to perform said forwarding based on said forwarding rule.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 46. The apparatus of claim 45, whereinmeans for analyzing said packet comprises said filtering rules, andsaid filtering rule is based on a plurality of a destination media access control address, a source media access control address, a destination internet protocol address, a source internet protocol address, an Open System Interconnection (OSI) layer 4 protocol type, an OSI layer 5 protocol type, and an OSI layer 7 protocol type.
  - 47. The apparatus of claim 45, further comprising:
    - means for determining if a portion of information in said packet is to be re-written.
  - 48. The apparatus of claim 47, whereinsaid portion of said packet is at least a portion of protocol information of said packet.
  - 49. The apparatus of claim 47, wherein said means for forwarding said packet based on said policy comprises:
    - means for redirecting said packet to a physical port, if said portion of information in said packet is not to be re-written; and
      
      means for re-writing said portion of said information in said packet, if said portion of information in said packet is to be re-written.
  - 50. The apparatus of claim 49, whereinsaid portion of said packet is at least some of protocol information of said packet.
  - 51. The apparatus of claim 45, wherein said means for identifying comprises:
    - means for searching in a forwarding table for a first destination address matching a destination address in said packet; and
      
      means for determining if said first destination address matches a policy-based forwarding engine address of said policy-based forwarding engine, if said first destination address matching said destination address in said packet is found.
  - 52. The apparatus of claim 51, wherein said means for identifying further comprises:
    - means for determining if a second destination address matches a destination address in an access control list entry in an access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 53. The apparatus of claim 51, wherein said means for identifying further comprises:
    - means for determining if a source address matches a source address in an access control list entry in an access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 54. The apparatus of claim 51, wherein said means for identifying further comprises:
    - means for determining if a port address matches a port address in said access control list entry in said access control list table, if said first destination address matches said policy-based forwarding engine address.
  - 55. The apparatus of claim 51, wherein said means for determining generates forwarding information, and further comprising:
    - means for accessing said adjacency table using said forwarding information to determine an outgoing interface, if said first destination address matches said policy-based forwarding engine address.
  - 56. The apparatus of claim 55, further comprising:
    - means for using said forwarding information to access an adjacency table in order to determine an outgoing interface.
  - 57. The apparatus of claim 56, wherein said means for forwarding comprises:
    - means for sending said packet to said outgoing interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Portolani, Maurizio, Pullela, Venkateshwar R., Chen, Justin Q., Benea, Robert C., Foschiano, Marco E.
Primary Examiner(s)
Harper; Kevin C

Application Number

US10/274,608
Time in Patent Office

2,878 Days
Field of Search

370/392
US Class Current

370/392
CPC Class Codes

H04L 12/4675 Dynamic sharing of VLAN inf...

Method and system for policy-based forwarding

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

184 Citations

57 Claims

Specification

Use Cases

Quick Links

Others

Method and system for policy-based forwarding

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

57 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others