GB2363284A - Two-stage deployment of policy to a communications network element - Google Patents

Publication number
GB2363284A
Authority
GB
United Kingdom
Prior art keywords
policy
target
providing
electronic device
configuration
Legal status
Granted
Application number
GB0100126A
Other versions
GB0100126D0 (en)
GB2363284B (en)
Inventor
Jason D Goldman
Bogunia E Pawlak
Robert C Vacante
Evelyn L Williams
Current Assignee
HP Inc
Original Assignee
Hewlett Packard Co
Application filed by Hewlett Packard Co
Publication of GB0100126D0
Publication of GB2363284A
Application granted
Publication of GB2363284B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q3/00 Selecting arrangements
    • H04Q3/0016 Arrangements providing connection between exchanges
    • H04Q3/0062 Provisions for network management
    • H04Q3/0083 Network planning or design; Modelling of planned or existing networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

As used herein, a "policy" means the combination of one or more rules assigned to a network element or elements. A policy typically contains one or more rules defining the conditions for provision or denial of bandwidth or priority. It is known that a network element may be programmed with a policy which is rejected due to inconsistencies in the policy or the condition of the network. To overcome this problem, an extra deployment stage is used wherein policies can be created, tested, changed or deleted prior to their transfer to the network elements. The extra deployment stage permits these functions to be performed at a single location.

Description

STAGED DEPLOYMENT OF POLICY IN POLICY-BASED NETWORK MANAGEMENT SYSTEMS

Hewlett-Packard Docket No. 10992788

FIELD OF THE INVENTION
The present invention relates generally to networks, more particularly to network management, and even more particularly to policy-based network management.
BACKGROUND OF THE INVENTION
The purpose of policy-based network management is to coordinate device management across an entity's network to enforce policies relating to Service Level Agreements (SLAs). SLAs are agreements made between network users and the network provider. Policy is a method of translating those agreements into actions designed to provide the type and level of service agreed upon. The policies describe sets of rules, where a rule specifies a set of conditions and an action to take when the conditions are satisfied. The actions described within a policy's rules generally relate to Quality of Service (QoS) capabilities, e.g. bandwidth allocated or priority assigned to the traffic. By using policy-based network management, a structural format is provided wherein network administrators can avoid the tedious process of individually configuring multiple network devices, e.g., routers and traffic shapers, each of which has its own particular syntax and mapping of QoS actions to device resources. For example, an Access Control List (ACL) maintains a list of network resources which could, among other things, define permissible actions of a port on a router under specified conditions.
As used herein, a policy means the combination of one or more rules assigned to a network component or components. Thus any given component has only one policy assigned to it, but it may be composed of a number of rules each having their own conditions and resulting actions.
In general, the network administrator uses SLAs to author a set of policies of varying types, determines what enforcement points in the network should enforce these policies, and then deploys the policies to the enforcement points. The enforcement points are the components of the networks that are the targets of the policy.
Deploying policy involves moving the policy onto the target or target configuration agent, translating the policy into target-specific configuration, and loading this configuration. The notion of a two stage commitment has been discussed within two industry standard setting groups, the Distributed Management Task Force Service Level Agreement (DMTF SLA) working group and the Internet Engineering Task Force (IETF) Policy Framework working group. This is the idea that one can load the policy data onto several targets, the first commitment stage, and then trigger or activate all of the targets to reconfigure themselves at the same time, the second commitment stage. This idea allows the network administrator to coordinate changes to a number of targets and avoid the problems of different targets having conflicting configuration because policy on one of them may not have been updated while it had been on another target. DMTF is an industry organization involved in the development, adoption, and unification of management standards and initiatives for desktop, enterprise and Internet environments. The IETF (Internet Engineering Task Force) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture, as well as the smooth operation of the Internet.
While policy commitment in two stages solves the timing issue with respect to policy deployment, other problems remain. In particular, policies may have been programmed into the target which are rejected due to inconsistencies in the policy and other reasons which could be for example associated with the condition of the network. Note that in two stage commitment, actual activation occurs after the target is programmed and may fail.
Thus, there is a need for another step in the policy deployment process within which policies can be created, tested, changed, and deleted prior to their transfer to the policy configuration agents of the targets to which it is intended that they will eventually be deployed. In addition, it is desirable that this step permit these functions to be performed at a single location for multiple policies and their associated targets.
SUMMARY OF THE INVENTION
The present patent document relates to a novel method for deployment of policy to a target connected to a network for the purpose of controlling the actions of that target based upon certain predefined conditions. In representative embodiments, methods are disclosed for creating another step in the policy deployment process within which policies can be created, tested, changed, and deleted prior to their transfer to the policy configuration agents of the targets to which it is intended that they will eventually be deployed.
Electronic systems, such as networks, that comprise resources or processes can control the interaction of such items by means of Quality of Service (QoS) mechanisms. These mechanisms can be controlled at a higher level of abstraction using rules, which relate an action, i.e., controlling the QoS mechanism, to a set of conditions describing when to apply the rule. The combination of one or more rules for a given device is referred to herein as a policy. The controlled items could be for example processes, functions, abstract objects, or physical electronic devices such as computers, printers, etc. Thus, policy refers to the description of behaviors or actions that are desired for the item to which the policy applies. In network systems, policies are typically associated with items that affect the flow of data on that network. In order to affect that network traffic flow, policies are directed toward or targeted at managed or controlled entities.
As referred to herein, a target is a process or resource that is being managed using policy. The managed item itself may be able to recognize and conform to the policy directly, or may be managed by a proxy which recognizes policy information and converts it to configuration information that the managed entity can recognize and conform to.
Using the concept of targets, a particular capability or rule can be isolated to a single manageable element which has that capability or functions according to the rules of the policy. In this way the administrator can more readily deal with the manner in which network traffic is to be treated at specific points in the network.
The concept of policy deployment is extended to have two steps: policy assignment and policy commitment. Commitment occurs only after the policy is resident on the target device. In two stage commitment, a first stage comprises the programming of the policy into the target or onto a policy configuration agent, while a second stage comprises the activation of the policy on the target. Prior to activation the policy resides on the target or on the policy configuration agent but is not active in the operation of the target. Following activation, any previous policy is replaced by the activated policy. In one stage commitment, activation of the policy occurs concurrent with the programming of the policy on the target.
While the commitment step may or may not have two stages, as described above, adding an assignment step addresses a different set of concerns. Providing an assignment stage allows users to make an association between a policy and the policy enforcement point, or target, without affecting or committing to changing the active policy on that target. Note that two stage deployment is independent of supporting a two step commitment process.
This association grants two main benefits: (1) users are provided with a forgiving model for changing policy on the target and (2) the policy-based network management system can allow target specific operations on a policy without changing the target's configuration. The first point is that users can safely stage a policy change for the target since the target's configuration is not changed until the user is certain of the change and commits the assigned policy. Users can plan for policy changes that may occur in the future without locking in those changes. They can also see a policy change on one target in the context of other policy changes on other targets before actually changing their network's behavior with respect to Quality of Service (QoS) policy. This process could also integrate with the user's change management process, e.g., review and approve policy changes before committing them. The second benefit mentioned above is that there are target-specific operations that users might want to perform on a particular policy/target pair. One clear example is to validate the policy for a particular target. This validation step is important because a target may support a given policy type and yet not support all possible condition types for that policy type or the given policy may conflict with other existing target configuration information. If users can validate the policy for the intended target before committing the policy, they can avoid problems like leaving the target incorrectly configured or un-configured with respect to QoS. Another example of a target-specific operation would be policy simulation.
The policy-based network management system supports a number of operations related to the two stage deployment mechanism comprising the following: (1) assignment of policy to targets on a per target basis which creates and stores the assignment relationship, (2) display of assigned policy, (3) tests and simulation of assigned policy, (4) clearing of assigned policy, (5) identify to which targets a given policy is assigned, and (6) commit an assigned policy to the target.
Primary advantages of the embodiment as described in the present patent document over prior methods for deploying policy is the ability to overcome the problem that policies may be programmed into the target which may be subsequently rejected due to policy inconsistencies and other reasons and the ability to perform target specific operations such as testing and simulation of policy prior to commitment.
Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings provide visual representations which will be used to more fully describe the invention and can be used by those skilled in the art to better understand it and its inherent advantages. In these drawings, like reference numerals identify corresponding elements and:
Figure 1 is a drawing showing a policy related to a target as described in various representative embodiments of the present patent document.
Figure 2A is a drawing of the target connected to a network as described in various representative embodiments of the present patent document.
Figure 2B is a drawing of another target connected to the network as described in various representative embodiments of the present patent document.
Figure 3 is a drawing of policy deployment to the target as described in various representative embodiments of the present patent document.
Figure 4A is a drawing of a system for policy management by a server program for the target as described in various representative embodiments of the present patent document.
Figure 4B is a drawing of another system for policy management by the server program for the target as described in various representative embodiments of the present patent document.
Figure 5A is a flow chart of policy deployment to the target with one stage policy commitment as described in various representative embodiments of the present patent document.
Figure 5B is another flow chart of policy deployment to the target with one stage policy commitment as described in various representative embodiments of the present patent document.
Figure 6A is a flow chart of policy deployment to the target with two stage policy commitment as described in various representative embodiments of the present patent document.
Figure 6B is another flow chart of policy deployment to the target with two stage policy commitment as described in various representative embodiments of the present patent document.
Figure 7 is a drawing of a block diagram of operations that can be performed on the assigned policy.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
1. Introduction
As shown in the drawings for purposes of illustration, the present patent document relates to a novel method for deployment of policy to a target connected to a network for the purpose of controlling the actions of that target based upon certain predefined conditions. In representative embodiments, the present patent document discloses methods for creating another step in the policy deployment process within which policies can be created, tested, changed, and deleted prior to their transfer to the policy agents of the targets to which it is intended that they will eventually be deployed. In the following detailed description and in the several figures of the drawings, like elements are identified with like reference numerals.
2. Policies
Electronic systems, such as networks, that comprise resources or processes can control the interaction of such items by means of Quality of Service (QoS) mechanisms. These mechanisms can be controlled at a higher level of abstraction using rules, which relate an action, i.e., controlling the QoS mechanism, to a set of conditions describing when to apply the rule. The combination of one or more rules for a given device is referred to herein as a policy. The controlled items could be for example processes, functions, abstract objects, or physical electronic devices such as computers, printers, etc. Thus, policy refers to the description of behaviors or actions that are desired for the item to which the policy applies. In network systems, policies are typically associated with items that affect the flow of data on that network. In order to affect that network traffic flow, policies are directed toward or targeted at managed or controlled entities. An example of a policy could be "assign priority 5 to traffic from the user whose name is user_one".
3. Targets
Figure 1 is a drawing showing a policy 120 related to a target 110 as described in various representative embodiments of the present patent document. As referred to herein, the target 110 is a process or resource that is being managed using policy 120. The managed item itself may be able to recognize and conform to the policy 120, or may be managed by a proxy which recognizes policy 120 information and converts it to configuration information that the managed entity can recognize and conform to.
Modern network devices are typically managed as a unit, i.e., the various features of the device are all managed together. For example, a router has multiple interfaces, with each interface representing a connection to one or more networks. The router's function is to route traffic between these networks. Further, each interface can have multiple capabilities, each of which can affect the traffic in different ways. These mechanisms can each be configured separately. But, in modern network devices all of these different aspects of a single device are typically managed together, usually presenting a difficult to understand interface to the administrator of the network. As a result, the management of even a single device can become a daunting task. In representative embodiments, the present patent document discloses techniques by which policy 120 can be deployed in order to manage separate aspects of specified devices, i.e., targets 110.
Figure 2A is a drawing of the target 110 connected to a network 220 as described in various representative embodiments of the present patent document. In the example of Figure 2A, the target 110 is a controllable entity of an electronic device 230 which is connected to the network 220. Using the concept of the target 110, a particular capability or rule can be isolated to a single manageable element which has that capability or functions according to the rules of the policy. In this way the administrator can more readily deal with the manner in which network traffic is to be treated at specific points in the network.
In the above example, the router could be the electronic device 230 and could also be the target 110. Alternatively, any interface of the electronic device 230, which in this example is any interface of the router, could be the target 110. In another example, the target 110 on the router could also be the priority queuing of messages on a specific individual interface, since it is at this point that the network traffic is actually affected.
Figure 2B is a drawing of another target 110 connected to the network 220 as described in various representative embodiments of the present patent document. In the example of Figure 2B, the target 110 is a controllable entity of a software process 240 which is connected to the network 220. Again using the concept of the target 110, a particular capability can be isolated to a single manageable function within the software process 240 which has the specified capability or functions according to the rules of the policy.
Breaking such capabilities into separate conceptual targets 110 of policy 120, as in the example of the interfaces of the router, enables the same description of behavior to be applied to many different devices which, in a high-level abstraction, provide similar capabilities. In addition, with the appropriate abstractions, devices from different vendors, and indeed different types of devices, e.g., routers, switches, and traffic shapers can be managed with identical policies 120. Traffic shapers are a class of devices that regulate or shape the flow of network traffic based on a histogram of such traffic.
Thus, the concept of targets 110 can be abstracted down to a discrete function of the smallest manageable item on the single electronic device 230 or system, thereby providing the capability for efficient, simplified, large-scale management of the network 220 with policies 120.
4. Target Deployment
Figure 3 is a drawing of policy deployment 300 to the target 110 as described in various representative embodiments of the present patent document. The concept of policy deployment 300 is extended to have two steps: policy assignment 310 and policy commitment 320. Commitment 320 occurs only after the policy is resident on the target device. In two stage commitment, a first stage 330 comprises the programming of the policy into the target 110, while a second stage 340 comprises the activation of the policy 120 on the target 110. Prior to activation the policy 120 resides on the target 110 but is not active in the operation of the target 110. Following activation, any previous policy is replaced by the activated policy 120. In one stage commitment, activation of the policy 120 occurs concurrent with the programming of the policy 120 on the target 110.
While the commitment step 320 may or may not have two stages 330, 340, as described above, adding assignment step 310 addresses a different set of concerns. Providing assignment stage 310 allows users to make an association between a policy and the policy enforcement point 110, or target 110, without affecting or committing to changing the active policy on that target 110.
This association grants two main benefits: (1) users are provided with a forgiving model for changing policy 120 on the target 110 and (2) the policy-based network management system can allow target 110 specific operations on a policy without changing the target's 110 configuration. The first point is that users can safely stage policy 120 change for the target 110 since the target's 110 configuration is not changed until the user is certain of the change and commits the assigned policy. Users can plan for policy 120 changes that may occur in the future without locking in those changes. They can also see policy 120 change on one target 110 in the context of other policy 120 changes on other targets 110 before actually changing their network's 220 behavior with respect to Quality of Service (QoS) policy. This process could also integrate with the user's change management process, e.g., review and approve policy 120 changes before committing them. The second benefit mentioned above is that there are target-specific operations that users might want to perform on a particular policy/target pair. One clear example is to validate the policy 120 for a particular target 110. This validation step is important because the target 110 may support a given policy 120 type and yet not support all possible condition types for that policy 120 type or the given policy 120 may conflict with other existing target 110 configuration information. If users can validate the policy for the intended target 110 before committing the policy 120, they can avoid problems like leaving the target 110 incorrectly configured or un-configured with respect to QoS. Another example of a target-specific operation would be to simulate network 220 operation with given policies 120 implemented on targets 110 attached to the network 220.
As can be observed in Figure 3, two stage deployment is independent of supporting a two step commitment process. In fact the two ideas can coexist well together. In two stage commitment, the new policy is moved onto the target 110 and translated into configuration changes. Once a policy is in the first stage 330 of a two stage commitment, it is effectively locked into the target 110, merely awaiting the trigger signal to make the configuration change. The assignment step 310 of two stage deployment 300 is much more fluid and versatile. It has the advantage that it is visible to the user and can allow target-specific operations to be performed on the policy prior to commitment 320.
Note that the policy-based network management system tracks objects corresponding to policies and targets 110. Relationships between these objects are also maintained: for a given target 110, the system tracks what policy 120 is assigned and what policy 120 is committed. This is tracked by target 110 since the target 110 can have at most one policy 120 of a given policy type assigned and one committed. A given policy 120, on the other hand, may be assigned to Target 1 and deployed on Target 2.
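A minimal model of the assignment and commitment relationships just described, added here as an illustration and not taken from the patent. The class names, the `priority` policy type, the target names and the condition types are constructed, and keeping the assignment in place after a commit is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    conditions: dict  # condition type -> value, e.g. {"user": "user_one"}
    action: str       # e.g. "priority 5"


@dataclass
class Policy:
    name: str
    ptype: str        # policy type (constructed name)
    rules: list


@dataclass
class Target:
    name: str
    supported: dict   # policy type -> set of condition types the target handles
    assigned: dict = field(default_factory=dict)   # ptype -> staged Policy
    committed: dict = field(default_factory=dict)  # ptype -> active Policy


class ValidationError(Exception):
    pass


class PolicyServer:
    """Tracks, per target, at most one assigned and one committed policy per type."""

    def __init__(self, targets):
        self.targets = {t.name: t for t in targets}

    def assign(self, policy, target_name):
        # Staging only: the committed (active) policy is not touched.
        t = self.targets[target_name]
        if policy.ptype not in t.supported:
            raise ValidationError(f"{target_name} does not support type {policy.ptype}")
        t.assigned[policy.ptype] = policy  # replaces an earlier assignment of this type

    def display(self, target_name):
        t = self.targets[target_name]
        def label(p):
            return p.name if p else None
        return {pt: {"assigned": label(t.assigned.get(pt)),
                     "committed": label(t.committed.get(pt))}
                for pt in sorted(set(t.assigned) | set(t.committed))}

    def validate(self, target_name, ptype):
        # A target may support the policy type yet not every condition type in it.
        t = self.targets[target_name]
        policy = t.assigned.get(ptype)
        if policy is None:
            return [f"no {ptype} policy assigned"]
        problems = []
        for i, rule in enumerate(policy.rules):
            for ctype in sorted(set(rule.conditions) - t.supported[ptype]):
                problems.append(f"rule {i}: condition type '{ctype}' unsupported")
        return problems

    def clear(self, target_name, ptype):
        self.targets[target_name].assigned.pop(ptype, None)

    def targets_for(self, policy_name):
        return sorted(t.name for t in self.targets.values()
                      if any(p.name == policy_name for p in t.assigned.values()))

    def commit(self, target_name, ptype):
        # Commit is gated on validation, so a rejected policy never becomes active.
        problems = self.validate(target_name, ptype)
        if problems:
            raise ValidationError("; ".join(problems))
        t = self.targets[target_name]
        t.committed[ptype] = t.assigned[ptype]  # assumption: assignment is kept


def demo():
    # Constructed sample data.
    old = Policy("bronze", "priority", [Rule({"src_ip": "10.0.0.0/8"}, "priority 1")])
    gold = Policy("gold", "priority", [Rule({"user": "user_one"}, "priority 5")])
    router = Target("router1/if0", {"priority": {"user", "src_ip"}},
                    committed={"priority": old})
    shaper = Target("shaper1", {"priority": {"src_ip"}}, committed={"priority": old})
    srv = PolicyServer([router, shaper])
    srv.assign(gold, "router1/if0")
    srv.assign(gold, "shaper1")
    staged = srv.display("shaper1")  # assignment visible, active policy unchanged
    report = {n: srv.validate(n, "priority") for n in srv.targets}
    outcome = {}
    for n in srv.targets_for("gold"):
        try:
            srv.commit(n, "priority")
            outcome[n] = "committed"
        except ValidationError as exc:
            outcome[n] = f"rejected: {exc}"
    srv.clear("shaper1", "priority")
    return srv, staged, report, outcome


if __name__ == "__main__":
    print(demo()[1:])
```

The shaper accepts the policy type but not the `user` condition, so validation catches the mismatch while the policy is only assigned and the target keeps its earlier committed policy.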
Figure 4A is a drawing of a system 400 for policy 120 management by a server program 410 for the target 110 as described in various representative embodiments of the present patent document. A console 430 connected to the server program 410 provides the user interface to enable the assignment of policy 120 to the appropriate targets 110 prior to commitment. The policy 120 is typically stored in a memory 445 located on a computer program storage medium 447 connected to the server program 410, all of which could be located on a computer 405.
Figure 4B is a drawing of another system 402 for policy 120 management by the server program 410 for the target 110 as described in various representative embodiments of the present patent document. In figure 4B, the server program 410 transfers policy 120 to a policy configuration agent 450 which in turn installs the policy 120 onto the target 110. The policy configuration agent 450 translates the policy 120 as received from the server program 410 into policy 120 configuration specific to the target 110. The policy configuration agent 450 is typically a software program operating on a computer on the network 220.
Figure 5A is a flow chart of policy deployment 300 to the target 110 with one stage of policy commitment 320 as described in various representative embodiments of the present patent document. In a manner similar to that of figure 3, in block 510 the server program 410 assigns policy 120 to the target 110. Block 510 then transfers control to block 520.
In block 520 the server program 410 activates policy 120 on the target 110. Activation is effected by the reconfiguration of the target 110 to reflect the policy 120. Reconfiguration could be effected by first clearing the old policy and then rewriting the new policy 120 into the target. Reconfiguration could also be effected by writing the new policy 120 over the old policy on the target.
Note that in one stage policy loading and activating policy 120 on the target 110 occurs as substantially one step.
Figure 5B is another flow chart of policy deployment 300 to the target 110 with one stage of policy commitment 320 as described in various representative embodiments of the present patent document. In a manner similar to that of figure 3, in block 515 the server program 410 assigns policy 120 to the target 110. Block 515 then transfers control to block 525.
In block 525 the server program 410 transfers policy 120 to the policy configuration agent 450. The policy configuration agent 450 translates the policy 120 as received from the server program 410 into policy 120 configuration specific to the target 110. Block 525 then transfers control to block 535.
In block 535 the policy configuration agent 450 activates policy 120 on the target 110. Activation is effected by the reconfiguration of the target 110 to reflect the policy 120. Reconfiguration could be effected by first clearing the old policy and then rewriting the new policy 120 into the target. Reconfiguration could also be effected by writing the new policy 120 over the old policy on the target.
Note that in one stage policy transfer of the policy 120 from the server program 410 to the policy configuration agent 450 and subsequent loading and activating policy by the policy configuration agent 450 on the target 110 occurs substantially without further user input.
Figure 6A is a flow chart of policy deployment 300 to the target 110 with two stage policy commitment 320 as described in various representative embodiments of the present patent document. In a manner similar to that of figure 3, in block 610 the server program 410 assigns policy 120 to the target 110. Block 610 then transfers control to block 620.
In block 620 the server program 410 loads policy 120 on the target 110. Block 620 then transfers control to block 630.
In block 630 the server program 410 activates policy 120 on the target 110. Activation is effected by the reconfiguration of the target 110 to reflect the policy 120. Reconfiguration could be effected by first clearing the old policy and then rewriting the new policy 120 into the target. Reconfiguration could also be effected by writing the new policy 120 over the old policy on the target.
Figure 6B is another flow chart of policy deployment 300 to the target 110 with two stage policy commitment 320 as described in various representative embodiments of the present patent document. In a manner similar to that of figure 3, in block 615 the server program 410 assigns policy 120 to the target 110. Block 615 then transfers control to block 625.
In block 625 the server program 410 transfers policy 120 to the policy configuration agent 450. The policy configuration agent 450 translates the policy 120 as received from the server program 410 into policy 120 configuration specific to the target 110. Block 625 then transfers control to block 635.
In block 635 the policy configuration agent 450 loads policy 120 onto the target 110. Block 635 then transfers control to block 645.
In block 645 the server program 410 activates policy 120 on the target 110. Activation is effected by the reconfiguration of the target 110 to reflect the policy 120. Reconfiguration could be effected by first clearing the old policy and then rewriting the new policy 120 into the target. Reconfiguration could also be effected by writing the new policy 120 over the old policy on the target.
In another representative embodiment, the assigned policy 120 is retained by the policy configuration agent 450 until the command is received to activate the policy 120.
At that time the policy 120 is loaded onto the target 110 and activated.
5. Summary of Operations - Two Stage Policy Commitment
The policy-based network management system supports a number of operations related to the two stage deployment mechanism. Figure 7 is a drawing of a block diagram of various operations that can be performed on the assigned policy 120.
Operation 310 of figure 7, as in figure 3, assigns policy 120. The system 400 allows the user to assign the policy 120 to the target 110 on a per target 110 basis, i.e., given the target 110, present the list of possible policies 120 so that one can be assigned, or on a per policy 120 basis, i.e., given the policy 120, present the list of targets 110 which support the policy's 120 type so the policy 120 can be assigned to one of them. This operation will create and store the assignment relationship based on the target 110 as described above.
Operation 710 of figure 7 displays assigned policy 120 for a given target 110. The system 400 displays a list of targets 110. For each target 110, the system 400 displays its assigned policies 120 and committed policies 120. This requires the system 400 to support finding the assignment relationship for a given target 110 so the policy can be displayed.
Operation 720 of figure 7 tests/simulates assigned policy 120 for a given target 110.
Operation 730 of figure 7 clears assigned policy 120 for a given target 110. The system 400 allows the user to clear the assigned policy 120 for a given target 110. In this case, the system clears the assigned policy 120 relationship for that target 110.
Operation 740 of figure 7 determines to which targets 110 the policy 120 is assigned. The system 400 allows the user to see to which targets 110 a given policy 120 is assigned. This operation is supported by a query which searches through the assignment relationships for entries which include a reference to the given policy 120.
Operation 320 of figure 7, as in figure 3, commits assigned policy 120 for the given target 110. The system 400 allows the user to commit the assigned policy 120 on the given target 110. This operation moves the assigned policy 120 into the committed state on the target 110, overwriting the target's 110 previously committed policy 120 and clearing the target's 110 assigned policy 120. This operation affects both the stored relationships for the target 110, i.e., assigned and committed policy 120, as well as the target's 110 configuration, i.e., changing the installed policy 120 on the target 110.
Differences between one stage and two stage commitment have been previously described.
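The operations of figure 7 can be read as a small state model: one assigned (pending) relationship and one committed relationship per target, with the target's configuration changed only on commit. The sketch below is an added example, not code from the patent; the class names, the sample policies and the `no_conflicts` check used for operation 720 are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str      # policy type (constructed values such as "qos")
    rules: tuple    # (condition, action) pairs, i.e. conditional actions

@dataclass
class Target:
    name: str
    supported_types: frozenset
    installed: Optional[Policy] = None   # configuration actually on the device

class PolicyStore:
    """Assigned (pending) and committed relationships, keyed by target name."""
    def __init__(self):
        self.assigned, self.committed = {}, {}

    def assign(self, policy, target):              # operation 310
        if policy.ptype not in target.supported_types:
            raise ValueError(f"{target.name} does not support {policy.ptype}")
        self.assigned[target.name] = policy        # target left untouched

    def display(self, target):                     # operation 710
        return self.assigned.get(target.name), self.committed.get(target.name)
    def test(self, target, check):                 # operation 720
        return check(self.assigned[target.name], target)
    def clear(self, target):                       # operation 730
        self.assigned.pop(target.name, None)
    def targets_of(self, policy):                  # operation 740
        return sorted(t for t, p in self.assigned.items() if p == policy)

    def commit(self, target):                      # operation 320
        policy = self.assigned.pop(target.name)    # clears the assigned policy
        self.committed[target.name] = policy       # overwrites prior committed
        target.installed = policy                  # reconfigures the target
        return policy

def no_conflicts(policy, target):
    """Assumed pre-commit check: no condition maps to two different actions."""
    seen = {}
    return all(seen.setdefault(c, a) == a for c, a in policy.rules)

def demo():
    store, router = PolicyStore(), Target("router-1", frozenset({"qos"}))
    good = Policy("gold", "qos", (("voice", "priority"), ("bulk", "best-effort")))
    bad = Policy("broken", "qos", (("voice", "priority"), ("voice", "drop")))
    store.assign(good, router)
    store.commit(router)
    store.assign(bad, router)                      # staged only, not installed
    accepted = store.test(router, no_conflicts)
    store.commit(router) if accepted else store.clear(router)
    return accepted, store.display(router), router.installed
```

In `demo()` the inconsistent policy is rejected while it is still only assigned, so the target keeps its previously committed configuration.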
6. Concluding Remarks
Primary advantages of the embodiment as described in the present patent document over prior methods for deploying policy are the ability to overcome the problem that policies 120 may be programmed into the target 110 which may be subsequently rejected due to policy 120 inconsistencies and other reasons and the ability to perform target specific operations such as testing and simulation of policy prior to commitment.
While the present invention has been described in detail in relation to preferred embodiments thereof, the described embodiments have been presented by way of example and not by way of limitation. It will be understood by those skilled in the art that various changes may be made in the form and details of the described embodiments resulting in equivalent embodiments that remain within the scope of the appended claims.

Claims (1)

  1. What is claimed is:
    1. A computer implemented method for deploying a policy [120] to a target [110], comprising the steps of:
    assigning the policy [120] to the target [110], providing the policy [120] specifies conditional action implementable on the target [110], providing the target is a resource on a network [220], and providing policy [120] assignment comprises association of the policy [120] with the target [110] prior to policy [120] reconfiguration of the target [110]; and
    activating the policy [120] on the target [110], providing the policy [120] has been activated when target [110] actions comply with the policy [120].
    2. The computer implemented method as recited in claim 1, providing the target [110] is selected from the group consisting of an electronic device [230], an interface [110] of the electronic device [230], a function implementable on the interface [110] of the electronic device [230], a software program [110], and a function implementable in the software program [110].
    3. A computer implemented method for deploying a policy [120] to a target [110], comprising the steps of:
    assigning the policy [120] to the target [110], providing the policy [120] specifies conditional action implementable on the target [110], providing the target is a resource on a network [220], and providing policy [120] assignment comprises association of the policy [120] with the target [110] prior to policy [120] reconfiguration of the target [110];
    loading the policy [120] onto the target [110] prior to policy [120] activation on the target [110]; and
    activating the policy [120] on the target [110], providing the policy [120] has been activated when target [110] actions comply with the policy [120].
    4. The computer implemented method as recited in claim 3 providing:
    the method step of loading the policy [120] onto the target [110] further comprises the steps of:
    transferring the policy [120] from a server program [410] to a policy configuration agent [450], wherein the policy configuration agent [450] has capability of translating the policy [120] as received from the server program [410] into policy [120] configuration specific to the target [110];
    translating the policy [120] by the policy configuration agent [450] as received from the server program [410] into policy [120] configuration specific to the target [110]; and
    loading the policy [120] onto the target [110] by the policy configuration agent [450]; and
    the method step of assigning policy [120] further comprises association of the policy [120] with the target [110] prior to transfer of the policy [120] to the policy configuration agent [450].
    5. The computer implemented method as recited in claim 3, providing the target [110] is selected from the group consisting of an electronic device [230], an interface [110] of the electronic device [230], a function implementable on the interface [110] of the electronic device [230], a software program [110], and a function implementable in the software program [110].
    6. A computer program storage medium [447] readable by a computer, tangibly embodying a computer program of instructions executable by the computer to perform method steps, the method steps comprising:
    assigning a policy [120] to a target [110], providing the policy [120] specifies conditional action implementable on the target [110], providing the target is a resource on a network [220], and providing policy [120] assignment comprises association of the policy [120] with the target [110] prior to policy [120] reconfiguration of the target [110]; and
    activating the policy [120] on the target [110], providing the policy [120] has been activated when target [110] actions comply with the policy [120].
    7. The computer program storage medium [447] as recited in claim 6, wherein the target [110] is selected from the group consisting of an electronic device [230], an interface [110] of the electronic device [230], a function implementable on the interface [110] of the electronic device [230], a software program [110], and a function implementable in the software program [110].
    8. A computer program storage medium [447] readable by a computer, tangibly embodying a computer program of instructions executable by the computer to perform method steps, the method steps comprising:
    assigning a policy [120] to a target [110], providing the policy [120] specifies conditional action implementable on the target [110], providing the target is a resource on a network [220], and providing policy [120] assignment comprises association of the policy [120] with the target [110] prior to policy [120] reconfiguration of the target [110];
    loading the policy [120] onto the target [110] prior to policy [120] activation on the target [110]; and
    activating the policy [120] on the target [110], providing the policy [120] has been activated when target [110] actions comply with the policy [120].
    9. The computer program storage medium [447] as recited in claim 8, providing:
    the method step of loading the policy [120] onto the target [110] further comprises the method steps of:
    transferring the policy [120] from a server program [410] to a policy configuration agent [450], wherein the policy configuration agent [450] has capability of translating the policy [120] as received from the server program [410] into policy [120] configuration specific to the target [110];
    translating the policy [120] by the policy configuration agent [450] as received from the server program [410] into policy [120] configuration specific to the target [110]; and
    loading the policy [120] onto the target [110] by the policy configuration agent [450]; and
    the method step assigning policy [120] further comprises the method step of associating the policy [120] with the target [110] prior to transfer of the policy [120] to the policy configuration agent [450].
    10. The computer program storage medium [447] as recited in claim 8, wherein the target [110] is selected from the group consisting of an electronic device [230], an interface [110] of the electronic device [230], a function implementable on the interface [110] of the electronic device [230], a software program [110], and a function implementable in the software program [110].
GB0100126A 2000-01-07 2001-01-03 Staged deployment of policy in policy-based network management systems Expired - Fee Related GB2363284B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US47920600A 2000-01-07 2000-01-07

Publications (3)

Publication Number Publication Date
GB0100126D0 GB0100126D0 (en) 2001-02-14
GB2363284A true GB2363284A (en) 2001-12-12
GB2363284B GB2363284B (en) 2003-10-29

Family

ID=23903078

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0100126A Expired - Fee Related GB2363284B (en) 2000-01-07 2001-01-03 Staged deployment of policy in policy-based network management systems

Country Status (1)

Country Link
GB (1) GB2363284B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2415858A (en) * 2004-06-15 2006-01-04 Sun Microsystems Inc Providing rule set verification and increased observability of policy application to packet flows in a data center
US7505463B2 (en) 2004-06-15 2009-03-17 Sun Microsystems, Inc. Rule set conflict resolution
US7512071B2 (en) 2004-06-15 2009-03-31 Sun Microsystems, Inc. Distributed flow enforcement
US7548967B2 (en) 2002-10-17 2009-06-16 Mitel Networks Corporation Interactive conflict resolution for personalized policy-based services

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2337409A (en) * 1997-02-05 1999-11-17 Firsttel Systems Corp Automatic generation of reconfiguration scripts for telecommunication devices
GB2356316A (en) * 1999-08-24 2001-05-16 Hewlett Packard Co Explicit targeting of management policies

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7548967B2 (en) 2002-10-17 2009-06-16 Mitel Networks Corporation Interactive conflict resolution for personalized policy-based services
GB2415858A (en) * 2004-06-15 2006-01-04 Sun Microsystems Inc Providing rule set verification and increased observability of policy application to packet flows in a data center
GB2415858B (en) * 2004-06-15 2007-05-09 Sun Microsystems Inc Methods for providing rule set verification and increased observability of policy application to packet flows in a data center
US7505463B2 (en) 2004-06-15 2009-03-17 Sun Microsystems, Inc. Rule set conflict resolution
US7512071B2 (en) 2004-06-15 2009-03-31 Sun Microsystems, Inc. Distributed flow enforcement
US7760730B2 (en) 2004-06-15 2010-07-20 Oracle America, Inc. Rule set verification

Also Published As

Publication number Publication date
GB0100126D0 (en) 2001-02-14
GB2363284B (en) 2003-10-29

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20120329 AND 20120404

PCNP Patent ceased through non-payment of renewal fee

Effective date: 20140103