Methods and apparatus for enforcing a common user policy within a network

US 9,374,835 B2
Filed: 08/07/2014
Issued: 06/21/2016
Est. Priority Date: 10/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving at a core network node configured to be operatively coupled to a plurality of wired network nodes, and at a first time, a first data packet to be sent to a wired device operatively coupled to a wired network node from the plurality of wired network nodes;

receiving, at the core network node and at a second time, a second data packet to be sent to a wireless device operatively coupled to a wireless network node from the plurality of wireless network nodes;

applying a common down-link policy to the first data packet and the second data packet based on an identifier of a user associated with both the wireless device and the wired device;

sending a common up-link policy to the wired network node without sending the common down-link policy to the wired network node such that (1) the wired network node applies the common up-link policy to a third data packet received from the wired device based on the identifier of the user, and (2) the wired network node does not apply the down-link policy to data packets to be sent to the wired device; and

sending the common up-link policy to the wireless network node without sending the common down-link policy to the wireless network node such that (1) the wireless network node applies the common up-link policy to a fourth data packet received from the wireless device based on the identifier of the user, and (2) the wireless network node does not apply the down-link policy to data packets to be sent to the wireless device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, an apparatus includes a core network node configured to be operatively coupled to a set of wired network nodes and a set of wireless network nodes. The core network node is configured to receive, at a first time, a first data packet to be sent to a wired device operatively coupled to a wired network node from the set of wired network nodes. The core network node is configured to also receive, at a second time, a second data packet to be sent to a wireless device operatively coupled to a wireless network node from the set of wireless network nodes. The core network node is configured to apply a common policy to the first data packet and the second data packet based on an identifier of a user associated with both the wireless device and the wired device.

43 Citations

View as Search Results

18 Claims

1. A method, comprising:
- receiving at a core network node configured to be operatively coupled to a plurality of wired network nodes, and at a first time, a first data packet to be sent to a wired device operatively coupled to a wired network node from the plurality of wired network nodes;
  
  receiving, at the core network node and at a second time, a second data packet to be sent to a wireless device operatively coupled to a wireless network node from the plurality of wireless network nodes;
  
  applying a common down-link policy to the first data packet and the second data packet based on an identifier of a user associated with both the wireless device and the wired device;
  
  sending a common up-link policy to the wired network node without sending the common down-link policy to the wired network node such that (1) the wired network node applies the common up-link policy to a third data packet received from the wired device based on the identifier of the user, and (2) the wired network node does not apply the down-link policy to data packets to be sent to the wired device; and
  
  sending the common up-link policy to the wireless network node without sending the common down-link policy to the wireless network node such that (1) the wireless network node applies the common up-link policy to a fourth data packet received from the wireless device based on the identifier of the user, and (2) the wireless network node does not apply the down-link policy to data packets to be sent to the wireless device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the sending the common up-link policy to the wired network node includes sending the common up-link policy to the wired network node prior to the first time, the method further comprising:
    - sending, during a timer period that includes the second time, an instruction to remove the common up-link policy from the wired network node.
  - 3. The method of claim 1, wherein the sending the up-link policy to the wireless network node includes sending the common up-link policy to the wireless network node in response to the user connecting to the wireless network node using the wireless device, the method further comprising:
    - sending an instruction to remove the common up-link policy from the wireless network node in response to the wireless device disconnecting from the wireless network node.
  - 4. The method of claim 1, wherein the wireless device and the wired device are a single device.
  - 5. The method of claim 1, wherein the wireless device and the wired device are distinct devices.
  - 6. The method of claim 1, further comprising:
    - sending, in response to the receiving the first data packet, the first data packet to the wired network node via a multiprotocol label switching (MPLS) tunnel through an aggregation network node from the plurality of wired network nodes such that the aggregation network node does not store the common down-link policy or the common up-link policy.
  - 7. The method of claim 1, further comprising:
    - associating, using a policy database, the common down-link policy and the common up-link policy with the identifier of the user, the policy database including at least one of an allow list or a deny list associated with access control policies for the user.

8. A non-transitory processor-readable medium storing code representing instructions to cause a processor to:
- receive, during a first time period, a first data packet to be sent to a wired device, the wired device being operatively coupled to a first wired network node from a plurality of wired network nodes during the first time period, the code to cause the processor to receive the first data packet includes code to cause the processor to receive the first data packet via a multiprotocol label switching (MPLS) tunnel or a layer-3 protocol tunnel through an aggregation network node to which the first wired network node is operatively coupled;
  
  apply a policy to the first data packet based on a user identifier being associated with the wired device during the first time period, the policy not being stored at the aggregation network node;
  
  restrict the first data packet from being sent to the wired device based on (1) the policy being applied to the first data packet, and (2) the policy being applied to the first wired network node;
  
  receive, during a second time period, a second data packet to be sent to the wired device, the wired device being operatively coupled to a second wired network node from the plurality of wired network nodes during the second time period;
  
  apply the policy to the second data packet based on the user identifier being associated with the wired device during the second time period, andallow the second data packet to be sent to the wired device based on (1) the policy being applied to the second data packet, and (2) the policy being applied to the second wired network node.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory processor-readable medium of claim 8, further comprising code representing instructions to cause the processor to:
    - retrieve the policy from a policy database that associates the policy with the user identifier.
  - 10. The non-transitory processor-readable medium of claim 8, further comprising code representing instructions to cause the processor to:
    - send an up-link policy to the first wired network node without sending a down-link policy to the first wired network node such that (1) the first wired network node applies the up-link policy to a third data packet received from the wired device based on the user identifier being associated with the wired device during the first time period, and (2) the first wired network node does not apply the down-link policy to data packets to be sent to the wired device; and
      
      send the up-link policy to a wireless network node from a plurality of wireless network nodes without sending the down-link policy to the wireless network node such that (1) the wireless network node applies the up-link policy to a fourth data packet received from a wireless device based on the user identifier being associated with the wireless device during the second time period, and (2) the wireless network node does not apply the down-link policy to data packets to be sent to the wireless device, the wireless device being operatively coupled to the wireless network node.
  - 11. The non-transitory processor-readable medium of claim 8, further comprising code representing instructions to cause the processor to:
    - send, to the first wired network node during the first time period, an up-link policy such that the first wired network node stores and applies the up-link policy; and
      
      send, to the first wired network node after the first time period, an instruction to remove the up-link policy from a database at the first wired network node.
  - 12. The non-transitory processor-readable medium of claim 10, wherein the wireless device and the wired device are a single device.
  - 13. The non-transitory processor-readable medium of claim 10, wherein the wireless device and the wired device are distinct devices.

14. A system, comprising:
- a wired network node configured to receive, from a core network node via a tunnel through an aggregation network node to which the wired network node is operatively coupled, an up-link policy associated with a user such that the up-link policy is not stored at the aggregation network node, the wired network node configured to receive the up-link policy based on the user being associated with a wired device operatively coupled to the wired network node when the user is associated with the wired device, the wired network node configured to apply the up-link policy to a first data packet received from the wired device prior to sending the first data packet to the core network node the tunnel being a multiprotocol label switching MPLS tunnel or a layer-3 protocol tunnel; and
  
  the up-link policy being applied, at a wireless network node based on the user being associated with a wireless device operatively coupled to the wireless network node, to a second data packet received from the wireless device prior to sending the second data packet to the core network node.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the wired network node is configured to remove the up-link policy from a policy database at the wired network node a predetermined amount of time after at least one of the user is disassociated with the wired device or the wired device is decoupled from the wired network node, the policy database including at least one of an allow list or a deny list associated with access control policies for the user.
  - 16. The system of claim 14, wherein the wired network node includes a policy database that associates the up-link policy with an identifier of the wired device when the user is associated with the wired device, the policy database including at least one of an allow list or a deny list associated with access control policies for the user.
  - 17. The system of claim 14, wherein the wired network node is configured to receive a third data packet from the core network node subsequent the core network node applying a down-link policy associated with the user to the third data packet when the user is associated with the wired device.
  - 18. The system of claim 14, wherein the wired network node is configured to send an initiation signal to the core network node prior to receiving the up-link policy from the core network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Mallya, Raghavendra, Murphy, James, Choudhury, Abhijit, Pogde, Pranay, Nanda, Phalguni, Boddu, Jayabharat, Sindhu, Pradeep
Primary Examiner(s)
Mered, Habte
Assistant Examiner(s)
COX, BRIAN P

Application Number

US14/454,193
Publication Number

US 20140348111A1
Time in Patent Office

684 Days
Field of Search

370/328
US Class Current

1/1
CPC Class Codes

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

H04W 12/08   Access security

H04W 74/002   Transmission of channel acc...

H04W 80/04   Network layer protocols, e....

Methods and apparatus for enforcing a common user policy within a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for enforcing a common user policy within a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links