L2/L3 multi-mode switch including policy processing

摘要

Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information.

主权项

1. A method for forwarding data packets in a computer network, the method comprising:
receiving a data packet; examining the data packet using a processor to classify the data packet including classifying the data packet as a layer 2 (L2) or layer 3 (L3) packet; performing a zone determination on the classified data packet including determining only a destination zone, but not a source zone, associated with the classified data packet, wherein the destination zone is associated with at least one policy rule, and wherein a policy includes one or more policy rules that are indexed by the destination zone; determining one or more policies based on the zone determination; processing the classified data packet in accordance with the one or more determined policies including:
performing content based pattern matching on the classified data packet in accordance with both content and header data including determining one or more content based policies associated with matched packets; andforwarding the classified data packets to an intended destination if the determined policies permit based on the destination zone and content based pattern matching.