Domain isolation through virtual network machines
0 Assignments
0 Petitions
Abstract
A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains.
77 Citations
26 Claims
1. A method performed by a single network device communicatively coupled with a plurality of end stations, comprising:

authenticating, using an authentication, authorization and accounting (AAA) protocol, a plurality of users based upon a plurality of records, wherein the plurality of users utilize the plurality of end stations, wherein each of the plurality of records comprises information indicating which of a plurality of virtual routers the respective end station is to be currently coupled to, wherein the single network device comprises the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks; and

communicatively coupling, within the single network device, different ones of the plurality of end stations with different ones of the virtual routers based on the information obtained using the AAA protocol during said authenticating.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A single network device, comprising:

a set of one or more processors;

communications hardware to transmit and receive packets to and from a plurality of end stations; and

a non-transitory computer-readable medium having stored therein a set of instructions that, when executed by the set of processors, cause the single network device to, create a plurality of virtual routers that will share a set of physical resources of the single network device, wherein each of the plurality of virtual routers is to belong to a different one of a plurality of virtual private networks, authenticate, using an authentication, authorization and accounting (AAA) protocol, users based upon a plurality of records, wherein the plurality of users utilize the plurality of end stations communicatively coupled with the single network device, wherein each of the plurality of records is to comprise information to indicate which of the plurality of virtual routers the respective end station is to be coupled to, and communicatively couple, within the single network device, different ones of the plurality of end stations with different ones of the virtual routers based on the information that is to be obtained using the AAA protocol during said authenticating.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A network, comprising:

an Authentication, Authorization, and Accounting (AAA) server that stores a plurality of records, wherein each of the plurality of records is to comprise information to indicate which of a plurality of virtual routers a respective end station of a plurality of end stations is to be coupled to; and

a single network device coupled to the AAA server, wherein the single network device includes, a set of one or more processors, communications hardware that transmits and receives packets to and from the plurality of end stations, and a non-transitory computer-readable medium having stored therein a set of instructions, that, when executed by the set of processors, cause the single network device to, create the plurality of virtual routers that will share a set of physical resources of the single network device, wherein each of the plurality of virtual routers is to belong to a different one of a plurality of virtual private networks, authenticate, using an authentication, authorization and accounting (AAA) protocol and the AAA server, the plurality of users based upon the plurality of records, wherein the plurality of users utilize the plurality of end stations communicatively coupled with the single network device, and communicatively couple, within the single network device, different ones of the plurality of end stations with different ones of the virtual routers based on the information that is to be obtained using the AAA protocol during said authenticating.

Dependent claims: 16, 17, 18, 19, 20
21. A method performed by a single network device communicatively coupled with a plurality of end stations, wherein the single network device comprises a plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks, the method comprising:

responsive to an initial communication with an end station of a user, authenticating the user with an Authentication, Authorization, and Accounting (AAA) server to determine information identifying a virtual router of the plurality of virtual routers that the end station of the user is to be coupled to, wherein said authenticating utilizes a Remote Authentication Dial-In User Service (RADIUS) protocol; and

communicatively coupling, within the single network device through a binding data structure, the end station of the user with the virtual router of the plurality of virtual routers based on said determined information.
22. A single network device to implement a plurality of virtual routers that share a set of physical resources of the single network device, wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks, the single network device comprising:

a set of one or more processors;

communications hardware to transmit and receive packets to and from a plurality of end stations; and

a non-transitory computer-readable medium having stored therein a set of instructions that, when executed by the set of processors, cause the single network device to, responsive to an initial communication with an end station of the plurality of end stations that is to be utilized by a user, authenticate the user with an Authentication, Authorization, and Accounting (AAA) server to determine information that identifies a virtual router of a plurality of virtual routers that the end station of the user is to be coupled to, wherein said authentication is to utilize a Remote Authentication Dial-In User Service (RADIUS) protocol, and communicatively couple, within the single network device through a binding data structure, the end station of the user with the identified virtual router of the plurality of virtual routers based on said determined information.
23. A network, comprising:

an Authentication, Authorization, and Accounting (AAA) server that stores a plurality of records, wherein each of the plurality of records comprises information to indicate which virtual router of a plurality of virtual routers a respective end station of a plurality of end stations is to be coupled to; and

a single network device coupled to the AAA server, wherein the single network device implements the plurality of virtual routers that share a set of physical resources of the single network device, wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks, wherein the single network device includes, a set of one or more processors, communications hardware that transmits and receives packets to and from the plurality of end stations, and a non-transitory computer-readable medium having stored therein a set of instructions that, when executed by the set of processors, cause the single network device to, responsive to an initial communication with an end station of the plurality of end stations that is to be utilized by a user, authenticate the user with the AAA server to determine information that identifies a virtual router of the plurality of virtual routers that the end station of the user is to be coupled to, wherein said authentication is to utilize a Remote Authentication Dial-In User Service (RADIUS) protocol, and communicatively couple, within the single network device through a binding data structure, the end station of the user with the identified virtual router of the plurality of virtual routers based on said determined information.
24. A method performed by a single network device configured to be communicatively coupled with a plurality of end stations, comprising:

receiving authentication and authorization information of a user from an Authentication, Authorization, and Accounting (AAA) server wherein the user utilizes an end station, wherein the authentication and authorization information indicates which of a plurality of virtual routers the end station is to be coupled to, wherein the single network device includes the plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks.
25. A method performed by a single network device configurable to be communicatively coupled with a plurality of end stations, wherein the single network device includes a plurality of virtual routers that share a set of physical resources of the single network device, and wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks, the method comprising:

responsive to an initial communication with an end station of a user, receiving authentication and authorization information about the user from an Authentication, Authorization, and Accounting (AAA) server, the authentication and authorization information for identifying a virtual router of the plurality of virtual routers that the end station of the user is to be coupled to, wherein said AAA server utilizes a Remote Authentication Dial-In User Service (RADIUS) protocol; and

communicatively coupling, within the single network device through a binding data structure, the end station of the user with the virtual router of the plurality of virtual routers based on said authentication and authorization information.
26. A single network device to implement a plurality of virtual routers that share a set of physical resources of the single network device, wherein each of the plurality of virtual routers belongs to a different one of a plurality of virtual private networks, the single network device comprising:

a set of one or more processors;

communications hardware to transmit and receive packets to and from a plurality of end stations; and

a non-transitory computer-readable medium having stored therein a set of instructions that, when executed by the set of processors, cause the single network device to, responsive to an initial communication with an end station of the plurality of end stations that is to be utilized by a user, receive authentication and authorization information about the user from an Authentication, Authorization, and Accounting (AAA) server that identifies a virtual router of the plurality of virtual routers that the end station of the user is to be coupled to, wherein said AAA server utilizes a Remote Authentication Dial-In User Service (RADIUS) protocol, and communicatively couple, within the single network device through a binding data structure, the end station of the user with the identified virtual router of the plurality of virtual routers based on said authentication and authorization information.
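The mechanism that runs through the abstract and claims 1, 8, 15 and 21 to 26 is a single device that hosts several virtual routers, asks an AAA server on an end station's first contact which virtual router that user belongs to, and records the answer in a binding data structure that every later forwarding decision consults. The Python simulation below is an added illustration written for this page; it is not code from the patent or its assignee. RADIUS is reduced to an in-process Access-Request/Access-Accept exchange carrying a constructed `Virtual-Router` attribute, with an HMAC tag standing in for the shared-secret authenticator (a simplification, not the real RADIUS scheme); the ingress port is the key of the binding table; both VPNs are deliberately given the same private prefix so that isolation is visible in the route lookup rather than assumed. All names, users, prefixes and next hops are constructed.

```python
"""Constructed simulation of AAA-driven binding of end stations to virtual routers."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def reply_tag(secret: bytes, reply: dict, nas_id: str) -> str:
    """Integrity tag over an Access-Accept. Stands in for RADIUS's shared-secret
    authenticator; simplified, not the real RADIUS construction."""
    body = "|".join(f"{k}={reply[k]}" for k in sorted(reply) if k != "Message-Authenticator")
    return hmac.new(secret, (body + "|" + nas_id).encode(), hashlib.sha256).hexdigest()


@dataclass
class AAARecord:
    password_hash: str      # constructed: sha256 of the password
    virtual_router: str     # which virtual router the user's end station is coupled to


class AAAServer:
    """Stores per-user records and answers the device's Access-Request."""

    def __init__(self, shared_secret: bytes, records: dict[str, AAARecord]):
        self.shared_secret = shared_secret
        self.records = records

    def access_request(self, username: str, password: str, nas_id: str) -> dict:
        rec = self.records.get(username)
        if rec is None:
            return {"code": "Access-Reject"}
        given = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(given, rec.password_hash):
            return {"code": "Access-Reject"}
        reply = {"code": "Access-Accept", "User-Name": username,
                 "Virtual-Router": rec.virtual_router}   # constructed attribute
        reply["Message-Authenticator"] = reply_tag(self.shared_secret, reply, nas_id)
        return reply


@dataclass
class VirtualRouter:
    name: str
    vpn: str
    routes: list            # (ip_network, next_hop) pairs; private to this VPN


class NetworkDevice:
    """One device hosting several virtual routers; the binding table couples each
    authenticated end station (keyed by ingress port) to exactly one of them."""

    def __init__(self, nas_id: str, shared_secret: bytes, aaa: AAAServer, routers):
        self.nas_id = nas_id
        self.shared_secret = shared_secret
        self.aaa = aaa
        self.routers = {r.name: r for r in routers}
        self.bindings: dict[str, str] = {}   # port -> virtual router name

    def initial_communication(self, port: str, username: str, password: str) -> bool:
        """Authenticate on first contact and bind the port to the virtual router
        named in the AAA reply. Any failure leaves the port unbound."""
        reply = self.aaa.access_request(username, password, self.nas_id)
        if reply.get("code") != "Access-Accept":
            return False
        expected = reply_tag(self.shared_secret, reply, self.nas_id)
        if not hmac.compare_digest(expected, reply.get("Message-Authenticator", "")):
            return False          # reply was not produced with our shared secret
        vr_name = reply["Virtual-Router"]
        if vr_name not in self.routers:
            return False          # AAA names a router this device does not host
        self.bindings[port] = vr_name
        return True

    def forward(self, port: str, dst_ip: str):
        """Longest-prefix lookup of dst_ip in the table of the bound VR only.
        Returns (vpn, next_hop), or None when the packet is dropped."""
        vr_name = self.bindings.get(port)
        if vr_name is None:
            return None           # unauthenticated port: no VR, nothing forwarded
        vr = self.routers[vr_name]
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, next_hop in vr.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return (vr.vpn, best[1]) if best else None


def _pw(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def build_demo() -> NetworkDevice:
    """Constructed topology: two VPNs that reuse the same private address range."""
    secret = b"constructed-shared-secret"
    aaa = AAAServer(secret, {"alice": AAARecord(_pw("alice-pw"), "vr-red"),
                             "bob": AAARecord(_pw("bob-pw"), "vr-blue")})
    net = ipaddress.ip_network
    routers = [VirtualRouter("vr-red", "red", [(net("10.1.0.0/16"), "red-pe1")]),
               VirtualRouter("vr-blue", "blue", [(net("10.1.0.0/16"), "blue-pe1")])]
    return NetworkDevice("nas-1", secret, aaa, routers)


if __name__ == "__main__":
    dev = build_demo()
    print(dev.initial_communication("port1", "alice", "alice-pw"))   # True
    print(dev.initial_communication("port2", "bob", "bob-pw"))       # True
    print(dev.initial_communication("port3", "bob", "wrong"))        # False
    print(dev.forward("port1", "10.1.2.3"))    # ('red', 'red-pe1')
    print(dev.forward("port2", "10.1.2.3"))    # ('blue', 'blue-pe1')
    print(dev.forward("port3", "10.1.2.3"))    # None
```

Two design points are worth noticing. The same destination 10.1.2.3 resolves to different next hops for alice and bob because the lookup only ever sees the table of the virtual router the port was bound to, which is what the claims mean by the domains being virtually isolated while sharing one set of physical resources. And the binding is the only path into a virtual router: a port whose authentication failed, whose reply failed the integrity check, or whose reply named an unknown router never gets an entry, so its traffic is dropped rather than falling into some default domain.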
Specification