Method for performing tree based ACL lookups
First Claim
Patent Images
1. A method for performing a lookup of a packet against an access control list, comprising:
- receiving an access control list including a set of filtering rules;
identifying a decision point to partition the access control list into two or more complementary sets, wherein the decision point is identified such that the access control list is partitioned into nearly even groups, and wherein the decision point is identified to reduce the number of replicated filtering rules and minimizing memory utilization;
forming a tree for each complementary set, wherein the tree has one or more end nodes including a subset of filtering rules, and an internal decision node representing the decision point; and
traversing the two or more trees when a packet arrives and comparing header information from the packet against each of the two or more trees and determining a match, wherein the decision point in the internal decision nodes is used to guide the packet down the trees to an end node that includes at least one filtering rule that is included in the set of filtering rules.
2 Assignments
0 Petitions
Accused Products
Abstract
A method for performing a lookup of a packet against an access control list. In one example, the method includes receiving an access control list, partioning said list into two or more complementary sets, and for each set, forming a tree having one or more end nodes including filtering rules, and internal nodes representing decision points, thereby forming at least two trees. In one example, when a packet arrives, the two or more trees are traversed using the packet header information, wherein the decision points in the internal nodes are used to guide the packet selection down the trees to an end node.
228 Citations
16 Claims
-
1. A method for performing a lookup of a packet against an access control list, comprising:
-
receiving an access control list including a set of filtering rules; identifying a decision point to partition the access control list into two or more complementary sets, wherein the decision point is identified such that the access control list is partitioned into nearly even groups, and wherein the decision point is identified to reduce the number of replicated filtering rules and minimizing memory utilization; forming a tree for each complementary set, wherein the tree has one or more end nodes including a subset of filtering rules, and an internal decision node representing the decision point; and traversing the two or more trees when a packet arrives and comparing header information from the packet against each of the two or more trees and determining a match, wherein the decision point in the internal decision nodes is used to guide the packet down the trees to an end node that includes at least one filtering rule that is included in the set of filtering rules. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A network device comprising:
-
at least one processor; a memory in communication with the at least one processor, the memory including logic encoded in one or more tangible media for execution and when executed operable to; receive an access control list including a set of filtering rules; identify a decision point to partition the access control list into two or more complementary sets, wherein the decision point is identified such that the access control list is partitioned into nearly even groups, and wherein the decision point is identified to reduce the number of replicated filtering rules and minimizing memory utilization; form a tree for each complementary set, wherein the tree has one or more end nodes including a subset of filtering rules, and an internal decision node representing the decision point; and traverse the two or more trees when a packet arrives and comparing header information from the packet against each of the two or more trees and determining a match, wherein the decision point in the internal decision nodes is used to guide the packet down the trees to an end node that includes at least one filtering rule that is included in the set of filtering rules. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. Logic encoded in one or more tangible media for execution and when executed operable to:
-
receive an access control list including a set of filtering rules; identify a decision point to partition the access control list into two or more complementary sets, wherein the decision point is identified such that the access control list is partitioned into nearly even groups, and wherein the decision point is identified to reduce the number of replicated filtering rules and minimizing memory utilization; form a tree for each complementary set, wherein the tree has one or more end nodes including a subset of filtering rules, and an internal decision node representing the decision point; and traverse the two or more trees when a packet arrives and comparing header information from the packet against each of the two or more trees and determining a match, wherein the decision point in the internal decision nodes are used to guide the packet down the trees to an end node that includes at least one filtering rule that is included in the set of filtering rules.
-
Specification