Performing logical segmentation based on remote device attributes

US 9,906,561 B2
Filed: 11/01/2015
Issued: 02/27/2018
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network, the program comprising sets of instructions for:

receiving a first data message sent by a first remote device through a first tunnel that connects the mobile-device to the network;

identifying a first set of remote device management (RDM) attributes associated with the first data message, wherein the mobile-device supplies at least a subset of the first remote device management (RDM) attribute set in a header of the first tunnel;

based on the first RDM attribute set, associating the first data message with a first logical network; and

forwarding the first data message to a destination within the network along a second tunnel, and inserting a first logical network identifier (LNI) for the first logical network in a header of the second tunnel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

68 Citations

View as Search Results

21 Claims

1. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network, the program comprising sets of instructions for:
- receiving a first data message sent by a first remote device through a first tunnel that connects the mobile-device to the network;
  
  identifying a first set of remote device management (RDM) attributes associated with the first data message, wherein the mobile-device supplies at least a subset of the first remote device management (RDM) attribute set in a header of the first tunnel;
  
  based on the first RDM attribute set, associating the first data message with a first logical network; and
  
  forwarding the first data message to a destination within the network along a second tunnel, and inserting a first logical network identifier (LNI) for the first logical network in a header of the second tunnel.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The non-transitory machine readable medium of claim 1, wherein the LNI is a logical layer 2 network identifier.
  - 3. The non-transitory machine readable medium of claim 1, wherein the LNI is a VXLAN network identifier.
  - 4. The non-transitory machine readable medium of claim 1, wherein the LNI is a logical layer 3 network identifier.
  - 5. The non-transitory machine readable medium of claim 1, wherein the first data message is part of a first data message flow, the program further comprising sets of instructions for:
    - receiving a second data message from the first remote device, said second data message part of a second data message flow from the first remote device;
      
      identifying a second RDM attribute associated with the received second data message;
      
      based on the second RDM attribute set, associating the second data message with a second logical network of the first tenant; and
      
      forwarding the data message to the message'"'"'s destination within the network along a second tunnel, and inserting a second LNI for the second logical network in a header of the second tunnel.

6. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network, the program comprising sets of instructions for:
- receiving a first data message sent by a first remote device through a first tunnel that connects the mobile-device to the network;
  
  identifying a first set of remote device management (RDM) attributes associated with the first data message, said identifying comprising receiving at least a subset of the first RDM attribute set from an RDM server that is used to authenticate a request from the remote device to establish a VPN session through the first tunnel;
  
  based on the first RDM attribute set, associating the first data message with a first logical network; and
  
  forwarding the first data message to a destination within the network along a second tunnel, and inserting a first logical network identifier (LNI) for the first logical network in a header of the ssecond tunnel.
- View Dependent Claims (7, 8, 9)
- - 7. The non-transitory machine readable medium of claim 6, wherein the set of instructions for identifying the RDM attribute set further comprises a set of instructions for retrieving from a header of the first tunnel another subset of the RDM attribute set that is supplied by the remote device.
  - 8. The non-transitory machine readable medium of claim 6, wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset as part of an authentication approval from the RDM server.
  - 9. The non-transitory machine readable medium of claim 6, wherein the program further comprises a set of instructions for receiving an authentication approval from the RDM server, wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset in a communication from the RDM server that is separate from the authentication approval.

10. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network, the program comprising sets of instructions for:
- receiving a first data message sent by a first remote device;
  
  identifying a first set of remote device management (RDM) attributes associated with the first data message;
  
  based on the first RDM attribute set, associating the first data message with a first logical network, said associating comprising using the identified first RDM attribute set to identify a first logical segmentation (LS) rule that identifies a first logical network identifier (LNI) for data messages associated with the identified first RDM set, the first LS rule stored in a rule storage that stores a plurality of logical segmentation rules, and at least two logical segmentation rules specifying two different LNIs for two different RDM attribute sets; and
  
  forwarding the first data message to a destination within the network along a first tunnel, and inserting a second logical network identifier (LNI) for the first logical network in a header of the first tunnel.
- View Dependent Claims (11)
- - 11. The non-transitory machine readable medium of claim 10, wherein the LNI is a logical layer 2 network identifier, a VXLAN network identifier, or a logical layer 3 network identifier.

12. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network within a multi-tenant datacenter, the program comprising sets of instructions for:
- receiving a first data message sent by a first remote device that is associated with a first tenant;
  
  receiving a second data message sent by a second remote device that is associated with the first tenant;
  
  identifying a first RDM (remote device management) attribute set and a second RDM attribute set associated with the received first and second data messages, respectively;
  
  based on the first RDM attribute set, associating the first data message with a first logical network of the first tenant, and based on the second RDM attribute set, associating the second data message with a second logical network of the first tenant; and
  
  forwarding (i) the first data message to a destination within the network along a first tunnel and inserting a first logical network identifier (LNI) for the first logical network in a header of the first tunnel and (ii) the second data message to a destination within the network along a second tunnel; and
  
  inserting a second LNI for the second logical network in a header of the second tunnel.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory machine readable medium of claim 12, wherein the first logical network is for a first set of users of the first tenant, and the second logical network is for a second set of users of the first tenant.
  - 14. The non-transitory machine readable medium of claim 12, wherein the first logical network is for a first set of devices of the first tenant, and the second logical network is for a second set of devices of the first tenant.
  - 15. The non-transitory machine readable medium of claim 12, wherein the first and second tunnels are the same tunnel.
  - 16. The non-transitory machine readable medium of claim 12, wherein the first and second tunnels are different tunnels.
  - 17. The non-transitory machine readable medium of claim 12, wherein the first or second LNI is a logical layer 2 network identifier, a VXLAN network identifier, or a logical layer 3 network identifier.

18. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network within a multi-tenant datacenter, the program comprising sets of instructions for:
- receiving a first data message sent by a first remote device that is associated with a first tenant;
  
  receiving a second data message sent by a second remote device that is associated with a second tenant;
  
  identifying a first RDM attribute set and a second RDM attribute set associated with the received first and second data messages, respectively;
  
  based on the first RDM attribute set, associating the first data message with a first logical network associated with the first tenant, and based on the second RDM attribute set, associating the second data message with a second logical network associated with the second tenant; and
  
  forwarding (i) the first data message to a destination within the network along a first tunnel and inserting a first logical network identifier (LNI) for the first logical network in a header of the first tunnel and (ii) the second data message to a destination within the network along a second tunnel and inserting a second LNI for the second logical network in a header of the second tunnel.
- View Dependent Claims (19, 20, 21)
- - 19. The non-transitory machine readable medium of claim 18, wherein the first and second logical networks are overlay logical networks that are established by tunnels connecting a plurality of shared managed forwarding elements.
  - 20. The non-transitory machine readable medium of claim 19, wherein the plurality of shared managed forwarding elements communicatively connect computation nodes that execute on a plurality of shared computers.
  - 21. The non-transitory machine readable medium of claim 18, wherein the first or second LNI is a logical layer 2 network identifier, a VXLAN network identifier, or a logical layer 3 network identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Jain, Jayant, Sengupta, Anirban, Nimmagadda, Srinivas, Tiagi, Alok S., Kumar, Kausum
Primary Examiner(s)
McNally, Michael S

Application Number

US14/929,403
Publication Number

US 20170063822A1
Time in Patent Office

849 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/5045   Making service definitions ...

H04L 61/256   NAT traversal

H04L 61/2571   for identification, e.g. fo...

H04L 61/2585   through application level g...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/1004   Server selection for load b...

H04L 67/1097   for distributed storage of ...

H04L 69/22   Parsing or analysis of headers

H04W 12/08   Access security

H04W 76/12   Setup of transport tunnels

Performing logical segmentation based on remote device attributes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Performing logical segmentation based on remote device attributes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others