L2/L3 multi-mode switch including policy processing

US 8,594,085 B2
Filed: 04/11/2007
Issued: 11/26/2013
Est. Priority Date: 04/11/2007
Status: Active Grant

First Claim

Patent Images

1. A method for forwarding data packets in a computer network, the method comprising:

receiving, by a processor, a data packet;

examining the data packet using the processor to classify the data packet including classifying the data packet as a L2 or L3 packet;

performing zone determination on the classified data packet including determining only a destination zone, but not a source zone, associated with the classified data packet, wherein the destination zone is associated with at least one policy rule, and wherein a policy includes one or more policy rules that are indexed by the destination zone;

determining one or more policies based on the zone determination;

processing the classified data packet in accordance with the one or more determined policies including;

performing content based pattern matching on the classified data packet in accordance with signature data including determining one or more content based policies associated with matched packets; and

forwarding the classified data packets to an intended destination if the determined policies permit based on the destination zone and content based pattern matching.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information.

47 Citations

View as Search Results

12 Claims

1. A method for forwarding data packets in a computer network, the method comprising:
- receiving, by a processor, a data packet;
  
  examining the data packet using the processor to classify the data packet including classifying the data packet as a L2 or L3 packet;
  
  performing zone determination on the classified data packet including determining only a destination zone, but not a source zone, associated with the classified data packet, wherein the destination zone is associated with at least one policy rule, and wherein a policy includes one or more policy rules that are indexed by the destination zone;
  
  determining one or more policies based on the zone determination;
  
  processing the classified data packet in accordance with the one or more determined policies including;
  
  performing content based pattern matching on the classified data packet in accordance with signature data including determining one or more content based policies associated with matched packets; and
  
  forwarding the classified data packets to an intended destination if the determined policies permit based on the destination zone and content based pattern matching.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein processing the classified data packet includes processing the classified data packet in accordance with header data.
  - 3. The method of claim 1, wherein processing the classified data packet includes processing the classified data packet based on the content.
  - 4. The method of claim 1, wherein processing the classified data packet includes performing content based protocol decoding on the classified data packet.
  - 5. The method of claim 1, wherein processing the classified data packet includes performing content based object extraction on the classified data packet.
  - 6. The method of claim 1, wherein processing the classified data packet is selected from a group consisting of logging, storing, allowing the packet to pass, setting an alarm, blocking, or dropping the classified data packet.
  - 7. The method of claim 1, wherein determining the one or more policies based on the zone determination includes determining the one or more policies based on the destination zone without regard for the source zone.

8. A device comprising:
- a multi-mode switch for classifying received data packets as L2 or L3 packets;
  
  a zone processing module to perform zone determination that includes only a destination zone, but not a source zone, associated with the classified received data packets, wherein the destination zone is associated with at least one policy rule;
  
  an L2 forwarding table for determining a L2 forwarding definition;
  
  an L3 routing table for determining a L3 routing definition;
  
  a policy engine for determining one or more policies associated with the classified received data packets based on the zone determination, the policy engine including a policy set indexed by only the destination zone and excluding the source zone;
  
  a processing engine for processing the classified received data packets in accordance with any associated policies including;
  
  performing content based pattern matching on the classified received data packets in accordance with signature data including determining one or more content based policies associated with matched packets; and
  
  forwarding data packets in accordance with any determined policies, the L2 forwarding definition and the L3 routing definition; and
  
  a session engine for determining a session associated with a packet flow of the classified received data packets based on the destination zone.
- View Dependent Claims (9)
- - 9. The device of claim 8 further comprising a plurality of ingress ports, egress ports and a switch fabric.

10. A method comprising:
- receiving, by a processor, a data packet;
  
  examining the data packet using the processor to determine if the data packet is a layer 2 or layer 3 data packet for forwarding purposes;
  
  performing zone determination on the examined data packet including;
  
  determining a destination zone associated with the examined data packet; and
  
  determining a security policy for the examined data packet based only on the destination zone and without regard for a source zone associate with the data packet, wherein the destination zone is associated with at least one policy rule, and wherein a policy includes one or more policy rules that are indexed by the destination zone;
  
  starting a session based on the destination zone and the determined security policy;
  
  performing content based pattern matching on the examined data packet including determining one or more content based policies associated with matched packets; and
  
  forwarding the data packets in accordance with any determined policies.
- View Dependent Claims (11)
- - 11. The method of claim 10 further comprising processing subsequent packets in accordance with any determined policies, session information associated with the session, L2 forwarding definition and L3 routing definition.

12. A method for forwarding data packets in a computer network comprising:
- receiving, by a processor, a data packet;
  
  examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet;
  
  performing zone determination on the classified data packet including determining only a destination zone associated with the classified data packet;
  
  determining one or more policies associated with the determined destination zone associated with at least one policy rule without referencing any other zone associated with the classified data packet, and wherein each of the one or more policies includes one or more policy rules that are indexed by the determined destination zone;
  
  processing the classified data packet in accordance with the one or more determined policies including;
  
  performing content based pattern matching on the classified data packets including determining one or more content based policies associated with matched packets; and
  
  forwarding the data packets to an intended destination if the one or more determined policies permit based on the destination zone and content based pattern matching.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Mao, Yuming, Xu, Haoying, Green, Arnit
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Hsiung, Hai-Chang

Application Number

US11/734,198
Publication Number

US 20080253366A1
Time in Patent Office

2,421 Days
Field of Search

370/389
US Class Current

370/389
CPC Class Codes

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/308   Route determination based o...

H04L 45/54   Organization of routing tables

H04L 45/56   Routing software

H04L 45/60   Router architectures

H04L 45/66   Layer 2 routing, e.g. in Et...

H04L 45/745   Address table lookup; Addre...

H04L 69/22   Parsing or analysis of headers

L2/L3 multi-mode switch including policy processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

L2/L3 multi-mode switch including policy processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others