US20210281656A1 - Applying application-based policy rules using a programmable application cache - Google Patents
Applying application-based policy rules using a programmable application cache Download PDFInfo
- Publication number
- US20210281656A1 US20210281656A1 US17/303,294 US202117303294A US2021281656A1 US 20210281656 A1 US20210281656 A1 US 20210281656A1 US 202117303294 A US202117303294 A US 202117303294A US 2021281656 A1 US2021281656 A1 US 2021281656A1
- Authority
- US
- United States
- Prior art keywords
- application
- packet
- network device
- information
- cache
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 claims description 85
- 230000015654 memory Effects 0.000 claims description 42
- 230000001360 synchronised effect Effects 0.000 claims description 13
- 230000006855 networking Effects 0.000 claims description 5
- 230000008569 process Effects 0.000 description 62
- 238000003860 storage Methods 0.000 description 31
- 238000012545 processing Methods 0.000 description 26
- 238000004891 communication Methods 0.000 description 22
- 238000007689 inspection Methods 0.000 description 11
- 230000007423 decrease Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 8
- 238000012546 transfer Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 4
- 230000001419 dependent effect Effects 0.000 description 2
- 238000005538 encapsulation Methods 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 239000000872 buffer Substances 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000011960 computer-aided design Methods 0.000 description 1
- 238000007596 consolidation process Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000014759 maintenance of location Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 238000012913 prioritisation Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
Images
Classifications
-
- H04L67/2852—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
- H04L67/5682—Policies or rules for updating, deleting or replacing the stored data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/742—Route cache; Operation thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W40/00—Communication routing or communication path finding
- H04W40/24—Connectivity information management, e.g. connectivity discovery or connectivity update
- H04W40/246—Connectivity information discovery
Definitions
- an entity such as an enterprise, an educational institution, a government agency, and/or the like, may have multiple geographic locations that each have a local network.
- the local networks may interconnect and exchange network packets via a network device located at each of the geographic locations.
- a network device may include one or more memories, and one or more processors, communicatively coupled to the one or more memories, to receive a packet from a client device, and to identify, based on receiving the packet, a destination of the packet.
- the one or more processors may determine, based on information included in an application cache, an application associated with the destination of the packet, wherein the network device, the client device, and the application cache are included in a first local network.
- the one or more processors may determine, based on the information included in the application cache, a policy rule associated with the application, and may apply the policy rule to the packet.
- a non-transitory computer-readable medium may store instructions that include one or more instructions that, when executed by one or more processors of a device, cause the one or more processors to receive a packet from a client device, and to identify, based on receiving the packet, a destination associated with the packet.
- the one or more instructions may cause the one or more processors to determine, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network.
- the one or more instructions may cause the one or more processors to determine, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to an application platform without transmitting the packet to a second network device, wherein the second network device is included in a second local network that is different than the first local network.
- the one or more instructions may cause the one or more processors to transmit the packet to the application platform without transmitting the packet to the second network device based on determining to transmit the packet to the application platform without transmitting the packet to the second network device.
- a method may include receiving, at a first network device, a packet from a client device, and identifying, by the first network device and based on receiving the packet, a destination of the packet.
- the method may include determining, by the first network device and based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network.
- the method may include determining, by the first network device, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application platform without transmitting the packet to the second network device, wherein the second network device is included in a second local network that is different from the first local network.
- the method may include transmitting, by the first network device and based on determining to transmit the packet to the application platform without transmitting the packet to the second network device, the packet to the application platform without transmitting the packet to the second network device, or transmitting, by the first network device and based on determining to transmit the packet to the second network device, the packet to the second network device.
- FIGS. 1A-1I are diagrams of an example implementation described herein.
- FIG. 2 is a diagram of an example environment in which systems and/or methods, described herein, may be implemented.
- FIGS. 3A and 3B are diagrams of example components of one or more devices of FIG. 2 .
- FIGS. 4-6 are flow charts of example processes for applying application-based policy rules.
- a first network device included in a first local network associated with an entity may receive a packet from a client device included in the first local network, and may transmit the packet to a second network device included in a second local network associated with the entity.
- the second network device may receive the packet from the first network device, and may perform various actions associated with the packet, such as applying one or more policy rules to the packet, transmitting the packet to another device (e.g., an application platform, another network device included in another network, etc.), and/or the like.
- a packet, associated with the client device may be transmitted from the first local network to the second local network prior to transmitting the packet to the application platform.
- an enterprise may be associated with a main office or an outsourced location where policy rules are applied in a centralized way to packets that are transmitted and/or received by client devices of the enterprise.
- the client devices may be located at satellite or remote offices of the enterprise, which may include on the order of hundreds, thousands, etc., locations. This centralized way for applying policy rules may cause an increase in latency between the client devices and the application platform, which in turn may result in a degraded user experience, periodic disconnects between the client devices and the application platform, and/or the like.
- applying policy rules at a network device in a centralized location may cause the network device to become a bottleneck for communications between the client devices and the application platform as the enterprise continues to grow, which may result in the processing queue for the network device to increase, which in turn may cause increased packet processing times, dropped packets, and/or the like.
- the network device may receive a packet from a client device, may identify a destination of the packet, may determine an application associated with the destination of the packet, may determine a policy rule associated with the application, and may apply the policy rule to the packet.
- the network device may apply application-based policy rules even when the network device may be incapable of performing deep packet inspection or other techniques to inspect the payload of a packet to identify the application associated with the packet, which increases the functionality of the network device without increasing the processing and/or memory capabilities of the network device.
- the network device may transmit a packet associated with a particular application such that the packet is transmitted to a destination without first transmitting the packet to another network device included in a second local network associated with the entity, which decreases latency between a client device that generated the packet and the destination, which in turn improves user experience associated with the client device.
- transmitting the packet to the destination without first transmitting the packet to the other network device included in the second local network decreases the quantity of packets transmitted between the first local network and the second local network, which decreases network resource usage between the first local network and the second local network and allows network resources that would have otherwise been used to transmit the packet between the first local network and the second local network to be used for other purposes.
- transmitting the packet to the destination without first transmitting the packet to the other network device included in the second local network deceases the quantity of packets the other network device is to process, which reduces processing and/or memory resource usage of the other network device, reduces the time it takes to process a packet at the other network device (e.g., because the packet processing queue at the other network device is reduced), and allows the other network device to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes.
- FIGS. 1A-1I are diagrams of an example implementation 100 described herein.
- implementation 100 may include a plurality of local networks (e.g., local network 1 , local network 2 , etc.), an application platform, and/or the like. While implementation 100 is illustrated in FIGS. 1A-1B as including local network 1 and local network 2 , other quantities of local networks may be included in implementation 100 .
- Local network 1 and local network 2 may include various types of wired and/or wireless local area networks (LANs), such as a wired LAN, a wireless LAN (WLAN), a home network, an office network, a campus network, and/or the like.
- LANs local area networks
- WLAN wireless local area networks
- local network 1 and local network 2 may be associated with the same entity, such as an enterprise, corporation, government agency, educational institution, and/or the like.
- local network 1 and local network 2 may be associated with different offices, different locations, different networks, and/or the like, of the entity.
- local network 1 may be located in a satellite office, a remote office, and/or the like, of the entity and local network 2 may be located in a main office, headquarters office, and/or the like of the entity.
- Local network 1 and local network 2 may include various devices.
- local network 1 may include a client device (or a plurality of client devices), a network device (e.g., network device 1 ), an application cache (e.g., application cache 1 ), and/or the like; and local network 2 may include another network device (e.g., network device 2 ) and another application cache (e.g., application cache 2 ).
- Network device 1 and network device 2 may include various types of network devices that are capable of transmitting packets over a connection between network device 1 and network device 2 , capable of transmitting packets to the application platform, and/or the like.
- network device 1 may receive a packet from the client device, may transmit the packet to network device 2 , and network device 2 may transmit the packet to the application platform.
- network device 1 may receive a packet from the client device and may transmit the packet to the application platform without transmitting the packet to network device 2 .
- Application cache 1 and application cache 2 may store information associated with various software applications, such as a productivity application (e.g., a word processing application, a spreadsheet application, an email application etc.), a client management application, a computer-aided design application, and/or the like.
- a productivity application e.g., a word processing application, a spreadsheet application, an email application etc.
- client management application e.g., a client management application, a computer-aided design application, and/or the like.
- the information associated with a particular application may include information identifying the application (e.g., the name of the application, the version number of the application, etc.), information identifying one or more addresses associated with the application (e.g., a source address associated with a device that originates packets associated with the application, a destination address associated with a device that is the destination of the packets associated with the application, a port identifier associated with the source and/or destination of the packets associated with the application, etc.), information identifying one or more communications protocols associated with the application (e.g., a communications protocol that the client device and/or the application platform may use to transmit and/or receive packets associated with the application), information identifying one or more policy rules associated with the application (e.g., a policy rule for routing traffic associated with the application, a policy rule for quality of service (QoS) treatment of the traffic associated with the application, a policy rule for inspection of the traffic associated with the application, a policy rule that specifies that the traffic associated with the application is to be rate limited,
- the information associated with the application may include information associated with usage of the application (e.g., overall traffic volume observed for the application, a quantity of open and/or active sessions associated with the application, a time of day for peak session usage of the application, a time of day for peak users of the application, etc.), which network device 1 , network device 2 , and/or another device may analyze to automatically generate new application policies for the application.
- information associated with usage of the application e.g., overall traffic volume observed for the application, a quantity of open and/or active sessions associated with the application, a time of day for peak session usage of the application, a time of day for peak users of the application, etc.
- Network device 1 , network device 2 , and/or the like may access the information associated with the various applications, stored in application cache 1 and/or application cache 2 , by querying application cache 1 and/or application cache 2 via an application programming interface (API) to request a list of applications supported by application cache 1 and/or application cache 2 (e.g., a list including application identifiers, application names, application descriptions, etc.), to request a list of groups of applications supported by application cache 1 and/or application cache 2 (e.g., a list including information associated with a productivity suite of applications, information associated with a computer-aided engineering suite of applications, etc.), to request information associated with application usage, to request information associated with a particular entry (e.g., based on source address, destination address, port identifiers, application, etc.), and/or the like.
- API application programming interface
- application cache 1 and/or application cache 2 may be updated to store information associated with new and/or additional applications.
- application cache 1 and/or application cache 2 may be updated via input, such as data input from a user.
- application cache 1 and application cache 2 may synchronize such that application cache 1 and/or application cache 2 may determine whether application cache 2 stores information associated with an application that is not stored in application cache 1 .
- application cache 2 may transmit the information to application cache 1 .
- application cache 2 may automatically transmit the information based on determining that application cache 2 is storing information associated with an application that is not stored in application cache 1 , may transmit the information based on receiving a request from application cache 1 , and/or the like.
- network device 1 may use application cache 1 to apply application-based policy rules to packets generated and transmitted by the client device.
- the client device may generate a packet.
- the packet may be associated with an application, such as any of the applications described above or another application.
- the packet may include data associated with the application, such as a portion of email data, a portion of a word processing electronic file, and/or the like.
- the application may be associated with the application platform.
- the application may be a client-side application (e.g., an application installed or located on the client device), a cloud-based application (e.g., an application hosted on the application platform), and/or the like.
- the client device may be instructed (e.g., by a user, by the application, etc.) to transmit the application to the application platform. Accordingly, and as shown by reference number 104 , the client device may transmit the packet to network device 1 .
- network device 1 may receive the packet from the client device. As shown by reference number 106 , network device 1 may identify a destination of the packet. In some implementations, network device 1 may identify the destination of the packet by analyzing a header included in the packet to identify information, included in the header, that identifies the destination of the packet. The information identifying the destination may include information specifying an address associated with the destination of the packet, a port identifier associated with the destination of the packet, and/or the like.
- network device 1 may attempt to determine the application associated with the destination of the packet.
- application cache 1 may include information associated with various applications. Accordingly, network device 1 may attempt to determine the application associated with the destination of the packet based on the information included in application cache 1 . For example, network device 1 may determine whether the information, included in application cache 1 , includes information associating the destination of the packet with the application associated with the destination.
- the information associating the destination with the application may be included in metadata associated with the application, in a structured electronic file (e.g., an extensible markup language (XML) file, a JavaScript Object Notation (JSON) file, etc.) associated with the application, and/or the like.
- XML extensible markup language
- JSON JavaScript Object Notation
- network device 1 may be unable to determine the application associated with the destination of the packet.
- Network device 1 may be unable to determine the application associated with the destination of the packet for various reasons, such as because application cache 1 does not include information associating the destination with an application, because the packet is not associated with an application, and/or the like.
- network device 1 may transmit the packet to network device 2 included in local network 2 .
- network device 1 may automatically transmit the packet to network device 2 , upon being unable to determine the application associated with the destination of the packet, based on being configured to transmit packets for which network device 1 is unable to determine the application associated with the destination of the packet.
- network device 2 may receive the packet from network device 1 .
- network device 2 may determine the application associated with the packet.
- network device 2 may be configured to inspect a payload of the packet to determine the application associated with the packet.
- network device 2 may be configured to perform deep packet inspection, or another type of inspection that allows network device 2 to examine the payload of the packet.
- Network device 2 may determine the application associated with the packet by identifying information, associated with the application, included in the payload. For example, network device 2 may identify a file type or extension associated with the application, may identify the application based on metadata included in the payload, and/or the like.
- network device 2 may store information, associated with the application, in application cache 2 .
- the information associated with the application may be stored in application cache 2 as metadata, an electronic file such as an XML file, a JSON file, and/or the like.
- the information associated with the application may include information associating the destination of the packet with the application, information associating the application with a policy rule, and/or the like.
- the information associating the destination of the packet with the application may include information associating an address of the destination with the application (e.g., an Internet Protocol (IP) address and/or the like), information associating a port identifier of the destination with the application (e.g., a port number, a port name, and/or the like), and/or the like.
- IP Internet Protocol
- the policy rule may include various types of policy rules, such as a policy rule for routing traffic associated with the application (e.g., a policy rule specifying that the traffic associated with the application is to be transmitted to the application platform without transmitting the traffic to local network 2 , a policy rule specifying that the traffic associated with the application is to be transmitted to local network 2 , and/or the like), a policy rule for QoS of the traffic associated with the application (e.g., a policy rule specifying a QoS class of the traffic, a policy rule specifying a prioritization of the traffic, and/or the like), a policy rule for inspecting the traffic associated with the application (e.g., a policy rule specifying a frequency of inspection of the traffic, a policy rule specifying a level of inspection of the traffic, and/or the like), a policy rule that specifies that the traffic associated with the application is to be rate limited, a policy rule that specifies that the traffic associated with the application is to be dropped, and/or the like.
- network device 2 may determine the policy rule that is to be associated with the application based on various factors, such as network device 2 being provisioned with information associating the policy rule with the application (e.g., by the entity associated with local network 1 and local network 2 , by an entity responsible for operating and maintaining network device 2 , and/or the like), such as the application being a particular type of application that is associated with the policy rule (e.g., such as productivity applications being associated with a policy rule that specifies traffic associated with productivity applications is to be transmitted to the application platform without transmitting the traffic to local network 2 ), and/or the like.
- network device 2 being provisioned with information associating the policy rule with the application (e.g., by the entity associated with local network 1 and local network 2 , by an entity responsible for operating and maintaining network device 2 , and/or the like), such as the application being a particular type of application that is associated with the policy rule (e.g., such as productivity applications being associated with a policy rule that specifies traffic associated with productivity applications is to be
- network device 2 may automatically generate the policy rule that is to be associated with the application. For example, network device 2 may automatically generate the policy rule based on usage information associated with the application (e.g., a quantity of users associated with the entity that use the application, traffic volume of the application in the entity, peak session and usage times associated with the application in the entity, and/or the like), latency requirements for the application, and/or the like. For example, network device 2 may determine that the application is a video conferencing application that requires low latency, and therefore may generate a policy rule for the application that specifies packets associated with the application are to be transmitted to the application platform without transmitting the packets to local network 2 in order to decrease the latency associated with the application.
- usage information associated with the application e.g., a quantity of users associated with the entity that use the application, traffic volume of the application in the entity, peak session and usage times associated with the application in the entity, and/or the like
- network device 2 may determine that the application is a video conferencing application that requires low latency, and therefore
- network device 2 may determine that the application has a particular peak usage time, and may generate a policy rule for the application that specifies packets associated with the application are to be transmitted to local network 2 prior to being transmitted to the application platform except during the peak usage time, where the packets may be transmitted to the application platform without transmitting the packets to local network 2 .
- network device 2 may transmit the packet to the platform, after determining the application associated with the packet and storing the information associated with the application in application cache 2 .
- application cache 1 and application cache 2 may synchronize so that the information associated with the application, stored in application cache 2 , may be stored in application cache 1 and used by network device 1 to apply application-based policy rules.
- Application cache 1 and application cache 2 may synchronize such that application cache 2 transmits the information associated with the application to application cache 1 , and such that application cache 1 stores the information associated with the application, and/or vice-versa.
- network device 2 may obtain the information associated with the application from application cache 2 , may transmit the information associated with the application to network device 1 , and network device 1 may store the information associated with the application in application cache 1 .
- application cache 2 may transmit the information associated with the application to application cache 1 using an application programming interface (API), such as a representational state transfer (RESTful) API and/or the like, over a hypertext transfer protocol (HTTP) connection.
- application cache 2 may transmit the information associated with the application to application cache 1 via the RESTful API using HTTP commands.
- application cache 2 may initiate a transfer of the information associated with an application to application cache 1 by using a HTTP post command and/or a HTTP put command.
- application cache 1 may initiate a transfer of the information associated with an application by using a HTTP get command.
- application cache 2 may remove information stored in application cache 2 by using a HTTP delete command.
- a connection between application cache 1 and application cache 2 may be encrypted (e.g., using secure sockets layer (SSL) encryption, transport layer security (TLS) encryption, etc.) and/or authenticated prior to application cache 1 and application cache 2 being synchronized.
- application cache 1 may initiate the synchronization by transmitting information to application cache 2 , that indicates that application cache 1 is available to be synchronized.
- the information may include a notification, a message, a packet, and/or the like, that indicates application cache 1 is available to be synchronized.
- network device 1 may apply policy rules to packets associated with the application based on the information associated with the application that was synchronized between application cache 1 and application cache 2 .
- the network device 1 may apply application-based policy rules where network device 1 may be incapable of performing deep packet inspection or another technique to inspect the payload of a packet to identify the application associated with the packet.
- network device 1 may be incapable of performing deep packet inspection of a packet because the packet is encrypted (e.g., using SSL encryption, TLS encryption, etc.), and network device 1 is incapable of decrypting the packet.
- network device 1 may not have the processing and/or memory resources available to perform deep packet inspection of a packet. Accordingly, application cache 1 allows network device 1 to perform functions that network device 1 may not otherwise be capable of performing, which adds functionality to local network 1 .
- the client device may generate a packet.
- the packet may be associated with the application and may be destined for the application platform.
- the client device may transmit the packet to network device 1 .
- network device 1 may identify the destination associated with the packet.
- network device 1 may identify the destination of the packet by analyzing a header included in the packet to identify information, included in the header, that identifies the destination of the packet.
- the information identifying the destination may include information specifying an address associated with the destination of the packet, a port identifier associated with the destination of the packet, and/or the like.
- network device 1 may attempt to determine the application associated with the destination of the packet.
- Network device 1 may attempt to determine the application associated with the destination of the packet based on the information included in application cache 1 . For example, network device 1 may determine whether the information, included in application cache 1 , includes the information associating the destination of the packet with the application.
- network device 1 may determine that application cache 1 includes the information associated with the application, which includes the information associating the destination of the packet with the application. For example, network device 1 may determine that application cache 1 includes information associating the address and/or port identifier of the destination with the application. Accordingly, network device 1 may determine, based on the information associated with the application, a policy rule associated with the application. For example, network device 1 may determine the policy rule based on the information, included in the information associated with the application, associating the application with the policy rule.
- network device 1 may apply the policy rule to the packet.
- the policy rule may specify that traffic associated with the application is to be transmitted to the destination (e.g., the application platform) without transmitting the packet to local network 2 .
- Other examples of policy rules that may be applied to the packet are described above.
- the application platform may receive the packet and, based on receiving the packet, may store the packet, may transmit the packet to another location, may modify the packet, may transmit one or more packets to the client device, may analyze the packet, and/or the like.
- network device 1 may apply application-based policy rules without having to inspect a payload of a packet to determine the application associated with the packet.
- This allows network device 1 to transmit the packet to an application platform (or another destination) without first transmitting the packet to network device 2 included in local network 2 , which decreases latency between the client device and the application, which in turn improves user experience associated with the client device.
- transmitting the packet to the application platform without first transmitting the packet to network device 2 deceases the quantity of packets transmitted between local network 1 and local network 2 , which decreases network resource usage between local network 1 and local network 2 and allows network resources that would have otherwise been used to transmit the packet between local network 1 and local network 2 to be used for other purposes.
- transmitting the packet to the application platform without first transmitting the packet to network device 2 deceases the quantity of packets network device 2 is to process, which reduces processing and/or memory resource usage of network device 2 , reduces the time it takes to process a packet at network device 2 (e.g., because the packet processing queue at network device 2 is reduced), and allows network device 2 to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes.
- FIGS. 1A-1I are provided merely as an example. Other examples are possible and may differ from what was described with regard to FIGS. 1A-1I .
- FIG. 2 is a diagram of an example environment 200 in which systems and/or methods, described herein, may be implemented.
- environment 200 may include a client device 210 , a plurality of application caches 220 (e.g., application cache 220 - 1 and application cache 220 - 2 , collectively referred to as “application caches 220 ” and individually as “application cache 220 ”), a plurality of network devices (e.g., network device 230 - 1 through network device 230 - n, collectively referred to as “network devices 230 ” and individually as “network device 230 ”), an application platform 240 in a cloud computing environment 242 that includes a set of computing resources 244 , a network 250 , and/or the like.
- Devices of environment 200 may interconnect via wired connections, wireless connections, or a combination of wired and wireless connections.
- Client device 210 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules.
- client device 210 may include a mobile phone (e.g., a smart phone, a radiotelephone, etc.), a laptop computer, a tablet computer, a handheld computer, a gaming device, a wearable communication device (e.g., a smart wristwatch, a pair of smart eyeglasses, etc.), a desktop computer, or a similar type of device.
- Client device 210 may generate a packet (e.g., a packet associated with an application), may transmit a packet to network device 230 (e.g., based on being instructed to transmit an application to application platform 240 ), and/or the like.
- Application cache 220 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules.
- application cache 220 may include a storage device, a memory device, and/or the like that stores information associated with one or more applications, such as information identifying the application, information associating the application with a destination, information associating the application with one or more policy rules, and/or the like.
- application cache 220 - 1 and/or application cache 220 - 2 may be standalone devices, may be included in a network device (e.g., network device 230 - 1 , network device 230 - 2 , etc.) or another device, and/or the like.
- application cache 220 - 1 and application cache 220 - 2 may synchronize by exchanging information associated with one or more applications. For example, application cache 220 - 2 may transmit information associated with a new application to application cache 220 - 1 , may transmit updated information associated with an application to application cache 220 - 1 , and/or the like.
- Network device 230 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules.
- network device 230 may include a firewall, a router, a gateway, a switch, a bridge, a wireless access point, a base station (e.g., eNodeB, NodeB, gNodeB, and/or the like), and/or the like.
- network device 230 may be implemented as a physical device implemented within a housing, such as a chassis.
- network device 230 may be implemented as a virtual device implemented by one or more computer devices of a cloud computing environment or a data center.
- network device 230 may receive a packet from client device 210 , and may identify a destination of the packet. In some implementations, network device 230 may attempt to determine an application associated with a destination of a packet (e.g., based on information included in application cache 220 ). In some implementations, network device 230 may, based on being unable to determine an application associated with a destination of the packet, transmit the packet to another network device 230 , which may receive the packet, determine an application associated with the packet, store information associated with the application in another application cache 220 , and transmit the packet to application platform 240 .
- Application platform 240 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules.
- application platform 240 may include a server device (e.g., a host server, a web server, an application server, etc.), a data center device, or a similar device.
- Application platform 240 may receive a packet from network device 230 , may store the packet, may transmit the packet to another location, may modify the packet, may transmit one or more packets to the client device, may analyze the packet, and/or the like.
- application platform 240 may be associated with an application, and may receive the application, traffic associated with the application, a packet associated with the application, and/or the like.
- application platform 240 may be hosted in cloud computing environment 242 .
- application platform 240 may not be cloud-based (i.e., may be implemented outside of a cloud computing environment) or may be partially cloud-based.
- Cloud computing environment 242 includes an environment that hosts application platform 240 .
- Cloud computing environment 242 may provide computation, software, data access, storage, and/or other services.
- cloud computing environment 242 may include a group of computing resources 244 (referred to collectively as “computing resources 244 ” and individually as “computing resource 244 ”).
- Computing resource 244 includes one or more personal computers, workstation computers, server devices, or another type of computation and/or communication device.
- computing resource 244 may host application platform 240 .
- the cloud resources may include compute instances executing in computing resource 244 , storage devices provided in computing resource 244 , data transfer devices provided by computing resource 244 , etc.
- computing resource 244 may communicate with other computing resources 244 via wired connections, wireless connections, or a combination of wired and wireless connections.
- computing resource 244 may include a group of cloud resources, such as one or more applications (“APPs”) 244 - 1 , one or more virtual machines (“VMs”) 244 - 2 , one or more virtualized storages (“VSs”) 244 - 3 , or one or more hypervisors (“HYPs”) 244 - 4 .
- APPs applications
- VMs virtual machines
- VSs virtualized storages
- HOPs hypervisors
- Application 244 - 1 includes one or more software applications that may be provided to or accessed by one or more devices of environment 200 .
- Application 244 - 1 may eliminate a need to install and execute the software applications on devices of environment 200 .
- application 244 - 1 may include software associated with application platform 240 and/or any other software capable of being provided via cloud computing environment 242 .
- one application 244 - 1 may send/receive information to/from one or more other applications 244 - 1 , via virtual machine 244 - 2 .
- application 244 - 1 may include a software application associated with one or more databases and/or operating systems.
- application 244 - 1 may include an enterprise application, a functional application, an analytics application, and/or the like.
- Virtual machine 244 - 2 includes a software implementation of a machine (e.g., a computer) that executes programs like a physical machine.
- Virtual machine 244 - 2 may be either a system virtual machine or a process virtual machine, depending upon use and degree of correspondence to any real machine by virtual machine 244 - 2 .
- a system virtual machine may provide a complete system platform that supports execution of a complete operating system (“OS”).
- a process virtual machine may execute a single program, and may support a single process.
- virtual machine 244 - 2 may execute on behalf of a user (e.g., a user of client device 210 and/or an operator of application platform 240 ), and may manage infrastructure of cloud computing environment 242 , such as data management, synchronization, or long-duration data transfers.
- a user e.g., a user of client device 210 and/or an operator of application platform 240
- infrastructure of cloud computing environment 242 such as data management, synchronization, or long-duration data transfers.
- Virtualized storage 244 - 3 includes one or more storage systems and/or one or more devices that use virtualization techniques within the storage systems or devices of computing resource 244 .
- types of virtualizations may include block virtualization and file virtualization.
- Block virtualization may refer to abstraction (or separation) of logical storage from physical storage so that the storage system may be accessed without regard to physical storage or heterogeneous structure. The separation may permit administrators of the storage system flexibility in how the administrators manage storage for end users.
- File virtualization may eliminate dependencies between data accessed at a file level and a location where files are physically stored. This may enable optimization of storage use, server consolidation, and/or performance of non-disruptive file migrations.
- Hypervisor 244 - 4 provides hardware virtualization techniques that allow multiple operating systems (e.g., “guest operating systems”) to execute concurrently on a host computer, such as computing resource 244 .
- Hypervisor 244 - 4 may present a virtual operating platform to the guest operating systems, and may manage the execution of the guest operating systems. Multiple instances of a variety of operating systems may share virtualized hardware resources.
- Network 250 includes one or more wired and/or wireless networks.
- network 250 may include a mobile network (e.g., a long-term evolution (LTE) network, a code division multiple access (CDMA) network, a 3G network, a 4G network, a 5G network, another type of next generation network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, or the like, and/or a combination of these or other types of networks.
- LTE long-term evolution
- CDMA code division multiple access
- 3G Third Generation
- 4G fourth generation
- 5G Fifth Generation
- PLMN public land mobile network
- PLMN public land mobile network
- LAN local area network
- WAN
- the number and arrangement of devices and networks shown in FIG. 2 are provided as an example. In practice, there may be additional devices and/or networks, fewer devices and/or networks, different devices and/or networks, or differently arranged devices and/or networks than those shown in FIG. 2 . Furthermore, two or more devices shown in FIG. 2 may be implemented within a single device, or a single device shown in FIG. 2 may be implemented as multiple, distributed devices. Additionally, or alternatively, a set of devices (e.g., one or more devices) of environment 200 may perform one or more functions described as being performed by another set of devices of environment 200 .
- FIGS. 3A and 3B are diagrams of example components of one or more devices of FIG. 2 .
- FIG. 3A is a diagram of example components of a device 300 .
- Device 300 may correspond to client device 210 , application cache 220 , network device 230 , application platform 240 , and/or the like.
- client device 210 , application cache 220 , network device 230 , application platform 240 , and/or the like may include one or more devices 300 and/or one or more components of device 300 .
- device 300 may include a bus 305 , a processor 310 , a memory 315 , a storage component 320 , an input component 325 , an output component 330 , and a communication interface 335 .
- Bus 305 includes a component that permits communication among the components of device 300 .
- Processor 310 is implemented in hardware, firmware, or a combination of hardware and software.
- Processor 310 takes the form of a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), a microprocessor, a microcontroller, a digital signal processor (DSP), a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), or another type of processing component.
- processor 310 includes one or more processors capable of being programmed to perform a function.
- Memory 315 includes a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, and/or an optical memory) that stores information and/or instructions for use by processor 310 .
- RAM random access memory
- ROM read only memory
- static storage device e.g., a flash memory, a magnetic memory, and/or an optical memory
- Storage component 320 stores information and/or software related to the operation and use of device 300 .
- storage component 320 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, and/or a solid state disk), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of non-transitory computer-readable medium, along with a corresponding drive.
- Input component 325 includes a component that permits device 300 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, and/or a microphone). Additionally, or alternatively, input component 325 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, and/or an actuator).
- Output component 330 includes a component that provides output information from device 300 (e.g., a display, a speaker, and/or one or more light-emitting diodes (LEDs)).
- LEDs light-emitting diodes
- Communication interface 335 includes a transceiver-like component (e.g., a transceiver and/or a separate receiver and transmitter) that enables device 300 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections.
- Communication interface 335 may permit device 300 to receive information from another device and/or provide information to another device.
- communication interface 335 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like.
- RF radio frequency
- USB universal serial bus
- Device 300 may perform one or more processes described herein. Device 300 may perform these processes based on processor 310 executing software instructions stored by a non-transitory computer-readable medium, such as memory 315 and/or storage component 320 .
- a computer-readable medium is defined herein as a non-transitory memory device.
- a memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.
- Software instructions may be read into memory 315 and/or storage component 320 from another computer-readable medium or from another device via communication interface 335 .
- software instructions stored in memory 315 and/or storage component 320 may cause processor 310 to perform one or more processes described herein.
- hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein.
- implementations described herein are not limited to any specific combination of hardware circuitry and software.
- device 300 may include additional components, fewer components, different components, or differently arranged components than those shown in FIG. 3A . Additionally, or alternatively, a set of components (e.g., one or more components) of device 300 may perform one or more functions described as being performed by another set of components of device 300 .
- FIG. 3B is a diagram of example components of a device 350 .
- Device 350 may correspond to network device 230 .
- network device 230 may include one or more devices 350 and/or one or more components of device 350 .
- device 350 may include one or more input components 355 - 1 through 355 -B (B ⁇ 1) (hereinafter referred to collectively as input components 355 , and individually as input component 355 ), a switching component 360 , one or more output components 365 - 1 through 365 -C (C ⁇ 1) (hereinafter referred to collectively as output components 365 , and individually as output component 365 ), and a controller 370 .
- Input component 355 may be points of attachment for physical links and may be points of entry for incoming traffic, such as packets. Input component 355 may process incoming traffic, such as by performing data link layer encapsulation or decapsulation. In some implementations, input component 355 may send and/or receive packets. In some implementations, input component 355 may include an input line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more interface cards (IFCs), packet forwarding components, line card controller components, input ports, processors, memories, and/or input queues. In some implementations, device 350 may include one or more input components 355 .
- packet processing components e.g., in the form of integrated circuits
- IFCs interface cards
- packet forwarding components line card controller components
- input ports e.g., processors, memories, and/or input queues.
- device 350 may include one or more input components 355 .
- Switching component 360 may interconnect input components 355 with output components 365 .
- switching component 360 may be implemented via one or more crossbars, via busses, and/or with shared memories.
- the shared memories may act as temporary buffers to store packets from input components 355 before the packets are eventually scheduled for delivery to output components 365 .
- switching component 360 may enable input components 355 , output components 365 , and/or controller 370 to communicate.
- Output component 365 may store packets and may schedule packets for transmission on output physical links. Output component 365 may support data link layer encapsulation or decapsulation, and/or a variety of higher-level protocols. In some implementations, output component 365 may send packets and/or receive packets. In some implementations, output component 365 may include an output line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more IFCs, packet forwarding components, line card controller components, output ports, processors, memories, and/or output queues. In some implementations, device 350 may include one or more output components 365 . In some implementations, input component 355 and output component 365 may be implemented by the same set of components (e.g., and input/output component may be a combination of input component 355 and output component 365 ).
- packet processing components e.g., in the form of integrated circuits
- IFCs packet forwarding components
- line card controller components e.g., packet forward
- Controller 370 includes a processor in the form of, for example, a CPU, a GPU, an APU, a microprocessor, a microcontroller, a DSP, an FPGA, an ASIC, and/or another type of processor.
- the processor is implemented in hardware, firmware, or a combination of hardware and software.
- controller 370 may include one or more processors that can be programmed to perform a function.
- controller 370 may include a RAM, a ROM, and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, an optical memory, etc.) that stores information and/or instructions for use by controller 370 .
- a RAM random access memory
- ROM read-only memory
- static storage device e.g., a flash memory, a magnetic memory, an optical memory, etc.
- controller 370 may communicate with other devices, networks, and/or systems connected to device 300 to exchange information regarding network topology. Controller 370 may create routing tables based on the network topology information, create forwarding tables based on the routing tables, and forward the forwarding tables to input components 355 and/or output components 365 . Input components 355 and/or output components 365 may use the forwarding tables to perform route lookups for incoming and/or outgoing packets.
- Controller 370 may perform one or more processes described herein. Controller 370 may perform these processes in response to executing software instructions stored by a non-transitory computer-readable medium.
- a computer-readable medium is defined herein as a non-transitory memory device.
- a memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.
- Software instructions may be read into a memory and/or storage component associated with controller 370 from another computer-readable medium or from another device via a communication interface. When executed, software instructions stored in a memory and/or storage component associated with controller 370 may cause controller 370 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
- device 350 may include additional components, fewer components, different components, or differently arranged components than those shown in FIG. 3B . Additionally, or alternatively, a set of components (e.g., one or more components) of device 350 may perform one or more functions described as being performed by another set of components of device 350 .
- FIG. 4 is a flow chart of an example process 400 for applying application-based policy rules.
- one or more process blocks of FIG. 4 may be performed by a network device (e.g., network device 230 ).
- one or more process blocks of FIG. 4 may be performed by another device or a group of devices separate from or including the network device, such as client device 210 , application cache 220 , another network device 230 , application platform 240 , and/or computing resource 244 .
- process 400 may include receiving a packet from a client device (block 410 ).
- the network device e.g., using processor 310 , communication interface 335 , input component 355 , controller 370 , and/or the like
- process 400 may include identifying, based on receiving the packet, a destination of the packet (block 420 ).
- the network device e.g., using processor 310 , memory 315 , controller 370 , and/or the like
- process 400 may include determining, based on information included in an application cache, an application associated with the destination of the packet, wherein the network device, the client device, and the application cache are included in a first local network (block 430 ).
- the network device e.g., using processor 310 , storage component 320 , communication interface 335 , input component 355 , output component 365 , controller 370 , and/or the like
- the network device, the client device, and the application cache may be included in a first local network.
- process 400 may include determining, based on the information included in the application cache, a policy rule associated with the application (block 440 ).
- the network device e.g., using processor 310 , memory 315 , controller 370 , and/or the like
- process 400 may include applying the policy rule to the packet (block 450 ).
- the network device e.g., using processor 310 , output component 330 , communication interface 335 , output component 365 , controller 370 , and/or the like
- Process 400 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein.
- the information included in the application cache may include information associating the destination of the packet with the application.
- the network device may receive, from a second local network, different than the first local network, and prior to receiving the packet from the client device, the information associating the destination with the application, and may store, in the application cache, the information associating the destination with the application.
- the policy rule associated with the application may include a policy rule that specifies that traffic associated with the application is to be transmitted to an application server, associated with the application, without being transmitted to a second network device included in a second local network different than the first local network, a policy rule for quality of service (QoS) treatment of the traffic associated with the application, a policy rule for inspection of the traffic associated with the application, a policy rule that specifies that the traffic associated with the application is to be rate limited, or a policy rule that specifies that the traffic associated with the application is to be dropped.
- QoS quality of service
- the first local network and the second local network may be associated with a same entity.
- the first network device when applying the policy rule to the packet, may transmit the packet to the application server without transmitting the packet to the second network device included in the second local network.
- the information included in the first application cache may be populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API).
- SDN software-defined networking
- API application programming interface
- process 400 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted in FIG. 4 . Additionally, or alternatively, two or more of the blocks of process 400 may be performed in parallel.
- FIG. 5 is a flow chart of an example process 500 for applying application-based policy rules.
- one or more process blocks of FIG. 5 may be performed by a first network device (e.g., network device 230 ).
- one or more process blocks of FIG. 5 may be performed by another device or a group of devices separate from or including the first network device, such as client device 210 , application cache 220 , another network device 230 , application platform 240 , and/or computing resource 244 .
- process 500 may include receiving a packet from a client device (block 510 ).
- the first network device e.g., using processor 310 , input component 325 , communication interface 335 , input component 355 , controller 370 , and/or the like
- process 500 may include identifying, based on receiving the packet, a destination associated with the packet (block 520 ).
- the first network device e.g., using processor 310 , memory 315 , controller 370 , and/or the like
- process 500 may include determining, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network (block 530 ).
- the first network device e.g., using processor 310 , memory 315 , communication interface 335 , input component 355 , controller 370 , and/or the like
- the first network device, the client device, and the first application cache may be included in a first local network.
- process 500 may include determining, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to an application server without transmitting the packet to a second network device, wherein the second network device is included in a second local network that is different than the first local network (block 540 ).
- the first network device e.g., using processor 310 , memory 315 , controller 370 , and/or the like
- the second network device may be included in a second local network that is different than the first local network.
- process 500 may include transmitting the packet to the application server without transmitting the packet to the second network device based on determining to transmit the packet to the application server without transmitting the packet to the second network device (block 550 ).
- the first network device e.g., using processor 310 , output component 330 , communication interface 335 , output component 365 , controller 370 , and/or the like
- Process 500 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein.
- the first application cache may be synchronized with a second application cache included in the second local network.
- a connection between the first application cache and the second application cache may be encrypted based on secure sockets layer (SSL) encryption, and/or based on transport layer security (TLS) encryption.
- SSL secure sockets layer
- TLS transport layer security
- a connection between the first application cache and the second application cache may be authenticated prior to the first application cache being synchronized with the second application cache.
- the first application cache may initiate synchronization with the second application cache by transmitting, to the second application cache, information indicating that the first application cache is available for synchronization.
- the information included in the first application cache may be populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API).
- SDN software-defined networking
- API application programming interface
- the first local network and the second local network may be associated with a same entity.
- process 500 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted in FIG. 5 . Additionally, or alternatively, two or more of the blocks of process 500 may be performed in parallel.
- FIG. 6 is a flow chart of an example process 600 for applying application-based policy rules.
- one or more process blocks of FIG. 6 may be performed by a first network device (e.g., network device 230 ).
- one or more process blocks of FIG. 6 may be performed by another device or a group of devices separate from or including the first network device, such as client device 210 , application cache 220 , another network device 230 , application platform 240 , and/or computing resource 244 .
- process 600 may include receiving a packet from a client device (block 610 ).
- the first network device e.g., using processor 310 , input component 325 , communication interface 335 , input component 355 , controller 370 , and/or the like
- process 600 may include identifying, based on receiving the packet, a destination of the packet (block 620 ).
- the first network device e.g., using processor 310 , memory 315 , controller 370 , and/or the like
- process 600 may include determining, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network (block 630 ).
- the first network device e.g., using processor 310 , storage component 320 , controller 370 , and/or the like
- the first network device, the client device, and the first application cache may be included in a first local network.
- process 600 may include determining, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application server without transmitting the packet to the second network device, wherein the second network device is included in a second local network that is different from the first local network (block 640 ).
- the first network device (e.g., using processor 310 , memory 315 , controller 370 , and/or the like) may determine, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application server without transmitting the packet to the second network device, as described above in connection with FIGS. 1A-1I .
- the second network device may be included in a second local network that is different from the first local network.
- process 600 may include transmitting, based on determining to transmit the packet to the application server without transmitting the packet to the second network device, the packet to the application server without transmitting the packet to the second network device (block 650 ).
- the first network device e.g., using processor 310 , output component 330 , communication interface 335 , output component 365 , controller 370 , and/or the like
- process 600 may include transmitting, based on determining to transmit the packet to the second network device, the packet to the second network device (block 660 ).
- the first network device e.g., using processor 310 , output component 330 , communication interface 335 , output component 365 , controller 370 , and/or the like
- Process 600 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein.
- the packet may be encrypted based on at least one of secure sockets layer (SSL) encryption, or transport layer security (TLS) encryption.
- the first application cache may be synchronized with a second application cache using a representational state transfer (RESTful) application programming interface (API), and the second application cache is at least one of included in the second local network, or associated with a different vendor than the first application cache.
- RESTful representational state transfer
- API application programming interface
- the information included in the first application cache is populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API).
- SDN software-defined networking
- the first network device may determine to transmit the packet to the application server without transmitting the packet to the second network device based information, included in the first application cache, associating the application with a policy rule that specifies that traffic associated with the application is to be transmitted to the application server without transmitting the packet to the second network device.
- the first network device may determine to transmit the packet to the second network device based on determining that the information included in the first application cache does not include information associating the destination with the application.
- process 600 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted in FIG. 6 . Additionally, or alternatively, two or more of the blocks of process 600 may be performed in parallel.
- the network device 230 may receive a packet from a client device 210 , may identify a destination of the packet, may determine an application associated with the destination of the packet, may determine a policy rule for routing the traffic associated with the application, and may transmit the packet based on the policy rule.
- a network device 230 included in a first local network associated with an entity may apply application-based policy rules even when the network device 230 may be incapable of performing deep packet inspection or other techniques to inspect the payload of a packet to identify the application associated with the packet, which increases the functionality of the network device 230 without increasing the processing and/or memory capabilities of the network device.
- the network device 230 may transmit a packet associated with a particular application such that the packet is transmitted to a destination without first transmitting the packet to another network device 230 included in a second local network associated with the entity, which decreases latency between a client device 210 that generated the packet and the destination, which in turn improves user experience associated with the client device 210 .
- transmitting the packet to the destination without first transmitting the packet to the other network device 230 included in the second local network deceases the quantity of packets transmitted between the first local network and the second local network, which decreases network resource usage between the first local network and the second local network and allows network resources that would have otherwise been used to transmit the packet between the first local network and the second local network to be used for other purposes.
- transmitting the packet to the destination without first transmitting the packet to the other network device 230 included in the second local network deceases the quantity of packets the other network device is to process, which reduces processing and/or memory resource usage of the other network device 230 , reduces the time it takes to process a packet at the other network device 230 (e.g., because the packet processing queue at the other network device 230 is reduced), and allows the other network device to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes.
- traffic or content may include a set of packets.
- a packet may refer to a communication structure for communicating information, such as a protocol data unit (PDU), a network packet, a datagram, a segment, a message, a block, a cell, a frame, a subframe, a slot, a symbol, a portion of any of the above, and/or another type of formatted or unformatted unit of data capable of being transmitted via a network.
- PDU protocol data unit
- the term component is intended to be broadly construed as hardware, firmware, and/or a combination of hardware and software.
Abstract
Description
- This application is a continuation of U.S. patent application Ser. No. 16/053,532, filed Aug. 2, 2018 (now U.S. Pat. No. 11,032,389), which is incorporated herein by reference in its entirety.
- In some cases, an entity, such as an enterprise, an educational institution, a government agency, and/or the like, may have multiple geographic locations that each have a local network. The local networks may interconnect and exchange network packets via a network device located at each of the geographic locations.
- According to some implementations, a network device may include one or more memories, and one or more processors, communicatively coupled to the one or more memories, to receive a packet from a client device, and to identify, based on receiving the packet, a destination of the packet. The one or more processors may determine, based on information included in an application cache, an application associated with the destination of the packet, wherein the network device, the client device, and the application cache are included in a first local network. The one or more processors may determine, based on the information included in the application cache, a policy rule associated with the application, and may apply the policy rule to the packet.
- According to some implementations, a non-transitory computer-readable medium may store instructions that include one or more instructions that, when executed by one or more processors of a device, cause the one or more processors to receive a packet from a client device, and to identify, based on receiving the packet, a destination associated with the packet. The one or more instructions may cause the one or more processors to determine, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network. The one or more instructions may cause the one or more processors to determine, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to an application platform without transmitting the packet to a second network device, wherein the second network device is included in a second local network that is different than the first local network. The one or more instructions may cause the one or more processors to transmit the packet to the application platform without transmitting the packet to the second network device based on determining to transmit the packet to the application platform without transmitting the packet to the second network device.
- According to some implementations, a method may include receiving, at a first network device, a packet from a client device, and identifying, by the first network device and based on receiving the packet, a destination of the packet. The method may include determining, by the first network device and based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network. The method may include determining, by the first network device, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application platform without transmitting the packet to the second network device, wherein the second network device is included in a second local network that is different from the first local network. The method may include transmitting, by the first network device and based on determining to transmit the packet to the application platform without transmitting the packet to the second network device, the packet to the application platform without transmitting the packet to the second network device, or transmitting, by the first network device and based on determining to transmit the packet to the second network device, the packet to the second network device.
-
FIGS. 1A-1I are diagrams of an example implementation described herein. -
FIG. 2 is a diagram of an example environment in which systems and/or methods, described herein, may be implemented. -
FIGS. 3A and 3B are diagrams of example components of one or more devices ofFIG. 2 . -
FIGS. 4-6 are flow charts of example processes for applying application-based policy rules. - The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
- In some cases, a first network device included in a first local network associated with an entity may receive a packet from a client device included in the first local network, and may transmit the packet to a second network device included in a second local network associated with the entity. The second network device may receive the packet from the first network device, and may perform various actions associated with the packet, such as applying one or more policy rules to the packet, transmitting the packet to another device (e.g., an application platform, another network device included in another network, etc.), and/or the like.
- In some cases, such as when the client device is communicating with an application platform, a packet, associated with the client device, may be transmitted from the first local network to the second local network prior to transmitting the packet to the application platform. For example, an enterprise may be associated with a main office or an outsourced location where policy rules are applied in a centralized way to packets that are transmitted and/or received by client devices of the enterprise. The client devices may be located at satellite or remote offices of the enterprise, which may include on the order of hundreds, thousands, etc., locations. This centralized way for applying policy rules may cause an increase in latency between the client devices and the application platform, which in turn may result in a degraded user experience, periodic disconnects between the client devices and the application platform, and/or the like. Moreover, applying policy rules at a network device in a centralized location may cause the network device to become a bottleneck for communications between the client devices and the application platform as the enterprise continues to grow, which may result in the processing queue for the network device to increase, which in turn may cause increased packet processing times, dropped packets, and/or the like.
- Some implementations described herein provide a network device capable of applying application-based policy rules. In some implementations, the network device may receive a packet from a client device, may identify a destination of the packet, may determine an application associated with the destination of the packet, may determine a policy rule associated with the application, and may apply the policy rule to the packet.
- In this way, the network device may apply application-based policy rules even when the network device may be incapable of performing deep packet inspection or other techniques to inspect the payload of a packet to identify the application associated with the packet, which increases the functionality of the network device without increasing the processing and/or memory capabilities of the network device. In this way, the network device may transmit a packet associated with a particular application such that the packet is transmitted to a destination without first transmitting the packet to another network device included in a second local network associated with the entity, which decreases latency between a client device that generated the packet and the destination, which in turn improves user experience associated with the client device. Moreover, transmitting the packet to the destination without first transmitting the packet to the other network device included in the second local network decreases the quantity of packets transmitted between the first local network and the second local network, which decreases network resource usage between the first local network and the second local network and allows network resources that would have otherwise been used to transmit the packet between the first local network and the second local network to be used for other purposes. Further, transmitting the packet to the destination without first transmitting the packet to the other network device included in the second local network deceases the quantity of packets the other network device is to process, which reduces processing and/or memory resource usage of the other network device, reduces the time it takes to process a packet at the other network device (e.g., because the packet processing queue at the other network device is reduced), and allows the other network device to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes.
-
FIGS. 1A-1I are diagrams of anexample implementation 100 described herein. As shown inFIG. 1A ,implementation 100 may include a plurality of local networks (e.g.,local network 1,local network 2, etc.), an application platform, and/or the like. Whileimplementation 100 is illustrated inFIGS. 1A-1B as includinglocal network 1 andlocal network 2, other quantities of local networks may be included inimplementation 100. -
Local network 1 andlocal network 2 may include various types of wired and/or wireless local area networks (LANs), such as a wired LAN, a wireless LAN (WLAN), a home network, an office network, a campus network, and/or the like. In some implementations,local network 1 andlocal network 2 may be associated with the same entity, such as an enterprise, corporation, government agency, educational institution, and/or the like. In some implementations,local network 1 andlocal network 2 may be associated with different offices, different locations, different networks, and/or the like, of the entity. For example,local network 1 may be located in a satellite office, a remote office, and/or the like, of the entity andlocal network 2 may be located in a main office, headquarters office, and/or the like of the entity. -
Local network 1 andlocal network 2 may include various devices. In some implementations,local network 1 may include a client device (or a plurality of client devices), a network device (e.g., network device 1), an application cache (e.g., application cache 1), and/or the like; andlocal network 2 may include another network device (e.g., network device 2) and another application cache (e.g., application cache 2). -
Network device 1 andnetwork device 2 may include various types of network devices that are capable of transmitting packets over a connection betweennetwork device 1 andnetwork device 2, capable of transmitting packets to the application platform, and/or the like. For example,network device 1 may receive a packet from the client device, may transmit the packet tonetwork device 2, andnetwork device 2 may transmit the packet to the application platform. As another example,network device 1 may receive a packet from the client device and may transmit the packet to the application platform without transmitting the packet tonetwork device 2. -
Application cache 1 andapplication cache 2 may store information associated with various software applications, such as a productivity application (e.g., a word processing application, a spreadsheet application, an email application etc.), a client management application, a computer-aided design application, and/or the like. The information associated with a particular application may include information identifying the application (e.g., the name of the application, the version number of the application, etc.), information identifying one or more addresses associated with the application (e.g., a source address associated with a device that originates packets associated with the application, a destination address associated with a device that is the destination of the packets associated with the application, a port identifier associated with the source and/or destination of the packets associated with the application, etc.), information identifying one or more communications protocols associated with the application (e.g., a communications protocol that the client device and/or the application platform may use to transmit and/or receive packets associated with the application), information identifying one or more policy rules associated with the application (e.g., a policy rule for routing traffic associated with the application, a policy rule for quality of service (QoS) treatment of the traffic associated with the application, a policy rule for inspection of the traffic associated with the application, a policy rule that specifies that the traffic associated with the application is to be rate limited, a policy rule that specifies that the traffic associated with the application is to be dropped, etc.), and/or the like. In some implementations, the information associated with the application, stored inapplication cache 1 and/orapplication cache 2, may include information associated with usage of the application (e.g., overall traffic volume observed for the application, a quantity of open and/or active sessions associated with the application, a time of day for peak session usage of the application, a time of day for peak users of the application, etc.), whichnetwork device 1,network device 2, and/or another device may analyze to automatically generate new application policies for the application. -
Network device 1,network device 2, and/or the like may access the information associated with the various applications, stored inapplication cache 1 and/orapplication cache 2, byquerying application cache 1 and/orapplication cache 2 via an application programming interface (API) to request a list of applications supported byapplication cache 1 and/or application cache 2 (e.g., a list including application identifiers, application names, application descriptions, etc.), to request a list of groups of applications supported byapplication cache 1 and/or application cache 2 (e.g., a list including information associated with a productivity suite of applications, information associated with a computer-aided engineering suite of applications, etc.), to request information associated with application usage, to request information associated with a particular entry (e.g., based on source address, destination address, port identifiers, application, etc.), and/or the like. - In some implementations,
application cache 1 and/orapplication cache 2 may be updated to store information associated with new and/or additional applications. For example,application cache 1 and/orapplication cache 2 may be updated via input, such as data input from a user. As another example,application cache 1 andapplication cache 2 may synchronize such thatapplication cache 1 and/orapplication cache 2 may determine whetherapplication cache 2 stores information associated with an application that is not stored inapplication cache 1. Based on determining thatapplication cache 2 is storing information associated with an application that is not stored inapplication cache 1,application cache 2 may transmit the information toapplication cache 1. For example,application cache 2 may automatically transmit the information based on determining thatapplication cache 2 is storing information associated with an application that is not stored inapplication cache 1, may transmit the information based on receiving a request fromapplication cache 1, and/or the like. - Turning to
FIG. 1B ,network device 1 may useapplication cache 1 to apply application-based policy rules to packets generated and transmitted by the client device. As shown byreference number 102, the client device may generate a packet. In some implementations, the packet may be associated with an application, such as any of the applications described above or another application. For example, the packet may include data associated with the application, such as a portion of email data, a portion of a word processing electronic file, and/or the like. In some implementations, the application may be associated with the application platform. The application may be a client-side application (e.g., an application installed or located on the client device), a cloud-based application (e.g., an application hosted on the application platform), and/or the like. - In some implementations, the client device may be instructed (e.g., by a user, by the application, etc.) to transmit the application to the application platform. Accordingly, and as shown by
reference number 104, the client device may transmit the packet to networkdevice 1. - Turning to
FIG. 1C ,network device 1 may receive the packet from the client device. As shown byreference number 106,network device 1 may identify a destination of the packet. In some implementations,network device 1 may identify the destination of the packet by analyzing a header included in the packet to identify information, included in the header, that identifies the destination of the packet. The information identifying the destination may include information specifying an address associated with the destination of the packet, a port identifier associated with the destination of the packet, and/or the like. - As shown by
reference number 108,network device 1 may attempt to determine the application associated with the destination of the packet. As explained above,application cache 1 may include information associated with various applications. Accordingly,network device 1 may attempt to determine the application associated with the destination of the packet based on the information included inapplication cache 1. For example,network device 1 may determine whether the information, included inapplication cache 1, includes information associating the destination of the packet with the application associated with the destination. The information associating the destination with the application may be included in metadata associated with the application, in a structured electronic file (e.g., an extensible markup language (XML) file, a JavaScript Object Notation (JSON) file, etc.) associated with the application, and/or the like. - In some implementations, and as shown by
reference number 110,network device 1 may be unable to determine the application associated with the destination of the packet.Network device 1 may be unable to determine the application associated with the destination of the packet for various reasons, such as becauseapplication cache 1 does not include information associating the destination with an application, because the packet is not associated with an application, and/or the like. As a result of being unable to determine the application associated with the destination of the packet,network device 1 may transmit the packet to networkdevice 2 included inlocal network 2. In some implementations,network device 1 may automatically transmit the packet to networkdevice 2, upon being unable to determine the application associated with the destination of the packet, based on being configured to transmit packets for whichnetwork device 1 is unable to determine the application associated with the destination of the packet. - Turning to
FIG. 1D ,network device 2 may receive the packet fromnetwork device 1. As shown byreference number 112,network device 2 may determine the application associated with the packet. In some implementations,network device 2 may be configured to inspect a payload of the packet to determine the application associated with the packet. For example,network device 2 may be configured to perform deep packet inspection, or another type of inspection that allowsnetwork device 2 to examine the payload of the packet.Network device 2 may determine the application associated with the packet by identifying information, associated with the application, included in the payload. For example,network device 2 may identify a file type or extension associated with the application, may identify the application based on metadata included in the payload, and/or the like. - As shown by
reference number 114,network device 2 may store information, associated with the application, inapplication cache 2. In some implementations, the information associated with the application may be stored inapplication cache 2 as metadata, an electronic file such as an XML file, a JSON file, and/or the like. - The information associated with the application may include information associating the destination of the packet with the application, information associating the application with a policy rule, and/or the like. The information associating the destination of the packet with the application may include information associating an address of the destination with the application (e.g., an Internet Protocol (IP) address and/or the like), information associating a port identifier of the destination with the application (e.g., a port number, a port name, and/or the like), and/or the like.
- The policy rule may include various types of policy rules, such as a policy rule for routing traffic associated with the application (e.g., a policy rule specifying that the traffic associated with the application is to be transmitted to the application platform without transmitting the traffic to
local network 2, a policy rule specifying that the traffic associated with the application is to be transmitted tolocal network 2, and/or the like), a policy rule for QoS of the traffic associated with the application (e.g., a policy rule specifying a QoS class of the traffic, a policy rule specifying a prioritization of the traffic, and/or the like), a policy rule for inspecting the traffic associated with the application (e.g., a policy rule specifying a frequency of inspection of the traffic, a policy rule specifying a level of inspection of the traffic, and/or the like), a policy rule that specifies that the traffic associated with the application is to be rate limited, a policy rule that specifies that the traffic associated with the application is to be dropped, and/or the like. - In some implementations,
network device 2 may determine the policy rule that is to be associated with the application based on various factors, such asnetwork device 2 being provisioned with information associating the policy rule with the application (e.g., by the entity associated withlocal network 1 andlocal network 2, by an entity responsible for operating and maintainingnetwork device 2, and/or the like), such as the application being a particular type of application that is associated with the policy rule (e.g., such as productivity applications being associated with a policy rule that specifies traffic associated with productivity applications is to be transmitted to the application platform without transmitting the traffic to local network 2), and/or the like. - In some implementations,
network device 2 may automatically generate the policy rule that is to be associated with the application. For example,network device 2 may automatically generate the policy rule based on usage information associated with the application (e.g., a quantity of users associated with the entity that use the application, traffic volume of the application in the entity, peak session and usage times associated with the application in the entity, and/or the like), latency requirements for the application, and/or the like. For example,network device 2 may determine that the application is a video conferencing application that requires low latency, and therefore may generate a policy rule for the application that specifies packets associated with the application are to be transmitted to the application platform without transmitting the packets tolocal network 2 in order to decrease the latency associated with the application. As another example,network device 2 may determine that the application has a particular peak usage time, and may generate a policy rule for the application that specifies packets associated with the application are to be transmitted tolocal network 2 prior to being transmitted to the application platform except during the peak usage time, where the packets may be transmitted to the application platform without transmitting the packets tolocal network 2. - As shown by
reference number 116,network device 2 may transmit the packet to the platform, after determining the application associated with the packet and storing the information associated with the application inapplication cache 2. - Turning now to
FIG. 1E , and as shown byreference number 118,application cache 1 andapplication cache 2 may synchronize so that the information associated with the application, stored inapplication cache 2, may be stored inapplication cache 1 and used bynetwork device 1 to apply application-based policy rules.Application cache 1 andapplication cache 2 may synchronize such thatapplication cache 2 transmits the information associated with the application toapplication cache 1, and such thatapplication cache 1 stores the information associated with the application, and/or vice-versa. In some implementations, to synchronizeapplication cache 1 andapplication cache 2,network device 2 may obtain the information associated with the application fromapplication cache 2, may transmit the information associated with the application to networkdevice 1, andnetwork device 1 may store the information associated with the application inapplication cache 1. - In some implementations,
application cache 2 may transmit the information associated with the application toapplication cache 1 using an application programming interface (API), such as a representational state transfer (RESTful) API and/or the like, over a hypertext transfer protocol (HTTP) connection. In some implementations,application cache 2 may transmit the information associated with the application toapplication cache 1 via the RESTful API using HTTP commands. For example,application cache 2 may initiate a transfer of the information associated with an application toapplication cache 1 by using a HTTP post command and/or a HTTP put command. As another example,application cache 1 may initiate a transfer of the information associated with an application by using a HTTP get command. In some implementations,application cache 2 may remove information stored inapplication cache 2 by using a HTTP delete command. - In some implementations, a connection between
application cache 1 andapplication cache 2 may be encrypted (e.g., using secure sockets layer (SSL) encryption, transport layer security (TLS) encryption, etc.) and/or authenticated prior toapplication cache 1 andapplication cache 2 being synchronized. In some implementations,application cache 1 may initiate the synchronization by transmitting information toapplication cache 2, that indicates thatapplication cache 1 is available to be synchronized. The information may include a notification, a message, a packet, and/or the like, that indicatesapplication cache 1 is available to be synchronized. - Turning to
FIG. 1F ,network device 1 may apply policy rules to packets associated with the application based on the information associated with the application that was synchronized betweenapplication cache 1 andapplication cache 2. In this way, thenetwork device 1 may apply application-based policy rules wherenetwork device 1 may be incapable of performing deep packet inspection or another technique to inspect the payload of a packet to identify the application associated with the packet. For example,network device 1 may be incapable of performing deep packet inspection of a packet because the packet is encrypted (e.g., using SSL encryption, TLS encryption, etc.), andnetwork device 1 is incapable of decrypting the packet. As another example,network device 1 may not have the processing and/or memory resources available to perform deep packet inspection of a packet. Accordingly,application cache 1 allowsnetwork device 1 to perform functions that networkdevice 1 may not otherwise be capable of performing, which adds functionality tolocal network 1. - As shown by
reference number 120, the client device may generate a packet. The packet may be associated with the application and may be destined for the application platform. As shown byreference number 122, to transmit the packet to the application platform, the client device may transmit the packet to networkdevice 1. - Turning to
FIG. 1G , and as shown byreference number 124,network device 1 may identify the destination associated with the packet. In some implementations,network device 1 may identify the destination of the packet by analyzing a header included in the packet to identify information, included in the header, that identifies the destination of the packet. The information identifying the destination may include information specifying an address associated with the destination of the packet, a port identifier associated with the destination of the packet, and/or the like. - As shown by
reference number 126,network device 1 may attempt to determine the application associated with the destination of the packet.Network device 1 may attempt to determine the application associated with the destination of the packet based on the information included inapplication cache 1. For example,network device 1 may determine whether the information, included inapplication cache 1, includes the information associating the destination of the packet with the application. - Turning to
FIG. 1H , and as shown byreference number 128,network device 1 may determine thatapplication cache 1 includes the information associated with the application, which includes the information associating the destination of the packet with the application. For example,network device 1 may determine thatapplication cache 1 includes information associating the address and/or port identifier of the destination with the application. Accordingly,network device 1 may determine, based on the information associated with the application, a policy rule associated with the application. For example,network device 1 may determine the policy rule based on the information, included in the information associated with the application, associating the application with the policy rule. - Turning to
FIG. 1I , and as shown byreference number 130,network device 1 may apply the policy rule to the packet. For example, and as shown inFIG. 1I , the policy rule may specify that traffic associated with the application is to be transmitted to the destination (e.g., the application platform) without transmitting the packet tolocal network 2. Other examples of policy rules that may be applied to the packet are described above. - In some implementations, the application platform may receive the packet and, based on receiving the packet, may store the packet, may transmit the packet to another location, may modify the packet, may transmit one or more packets to the client device, may analyze the packet, and/or the like.
- In this way,
network device 1 may apply application-based policy rules without having to inspect a payload of a packet to determine the application associated with the packet. This allowsnetwork device 1 to transmit the packet to an application platform (or another destination) without first transmitting the packet to networkdevice 2 included inlocal network 2, which decreases latency between the client device and the application, which in turn improves user experience associated with the client device. Moreover, transmitting the packet to the application platform without first transmitting the packet to networkdevice 2 deceases the quantity of packets transmitted betweenlocal network 1 andlocal network 2, which decreases network resource usage betweenlocal network 1 andlocal network 2 and allows network resources that would have otherwise been used to transmit the packet betweenlocal network 1 andlocal network 2 to be used for other purposes. Further, transmitting the packet to the application platform without first transmitting the packet to networkdevice 2 deceases the quantity ofpackets network device 2 is to process, which reduces processing and/or memory resource usage ofnetwork device 2, reduces the time it takes to process a packet at network device 2 (e.g., because the packet processing queue atnetwork device 2 is reduced), and allowsnetwork device 2 to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes. - As indicated above,
FIGS. 1A-1I are provided merely as an example. Other examples are possible and may differ from what was described with regard toFIGS. 1A-1I . -
FIG. 2 is a diagram of anexample environment 200 in which systems and/or methods, described herein, may be implemented. As shown inFIG. 2 ,environment 200 may include aclient device 210, a plurality of application caches 220 (e.g., application cache 220-1 and application cache 220-2, collectively referred to as “application caches 220” and individually as “application cache 220”), a plurality of network devices (e.g., network device 230-1 through network device 230-n, collectively referred to as “network devices 230” and individually as “network device 230”), anapplication platform 240 in acloud computing environment 242 that includes a set ofcomputing resources 244, anetwork 250, and/or the like. Devices ofenvironment 200 may interconnect via wired connections, wireless connections, or a combination of wired and wireless connections. -
Client device 210 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules. For example,client device 210 may include a mobile phone (e.g., a smart phone, a radiotelephone, etc.), a laptop computer, a tablet computer, a handheld computer, a gaming device, a wearable communication device (e.g., a smart wristwatch, a pair of smart eyeglasses, etc.), a desktop computer, or a similar type of device.Client device 210 may generate a packet (e.g., a packet associated with an application), may transmit a packet to network device 230 (e.g., based on being instructed to transmit an application to application platform 240), and/or the like. - Application cache 220 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules. For example, application cache 220 may include a storage device, a memory device, and/or the like that stores information associated with one or more applications, such as information identifying the application, information associating the application with a destination, information associating the application with one or more policy rules, and/or the like. In some implementations, application cache 220-1 and/or application cache 220-2 may be standalone devices, may be included in a network device (e.g., network device 230-1, network device 230-2, etc.) or another device, and/or the like. In some implementations, application cache 220-1 and application cache 220-2 may synchronize by exchanging information associated with one or more applications. For example, application cache 220-2 may transmit information associated with a new application to application cache 220-1, may transmit updated information associated with an application to application cache 220-1, and/or the like.
-
Network device 230 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules. In some implementations,network device 230 may include a firewall, a router, a gateway, a switch, a bridge, a wireless access point, a base station (e.g., eNodeB, NodeB, gNodeB, and/or the like), and/or the like. In some implementations,network device 230 may be implemented as a physical device implemented within a housing, such as a chassis. In some implementations,network device 230 may be implemented as a virtual device implemented by one or more computer devices of a cloud computing environment or a data center. - In some implementations,
network device 230 may receive a packet fromclient device 210, and may identify a destination of the packet. In some implementations,network device 230 may attempt to determine an application associated with a destination of a packet (e.g., based on information included in application cache 220). In some implementations,network device 230 may, based on being unable to determine an application associated with a destination of the packet, transmit the packet to anothernetwork device 230, which may receive the packet, determine an application associated with the packet, store information associated with the application in another application cache 220, and transmit the packet toapplication platform 240. -
Application platform 240 includes one or more devices capable of receiving, generating, storing, processing, and/or providing data associated with applying application-based policy rules. For example,application platform 240 may include a server device (e.g., a host server, a web server, an application server, etc.), a data center device, or a similar device.Application platform 240 may receive a packet fromnetwork device 230, may store the packet, may transmit the packet to another location, may modify the packet, may transmit one or more packets to the client device, may analyze the packet, and/or the like. In some implementations,application platform 240 may be associated with an application, and may receive the application, traffic associated with the application, a packet associated with the application, and/or the like. - In some implementations, as shown,
application platform 240 may be hosted incloud computing environment 242. Notably, while implementations described herein describeapplication platform 240 as being hosted incloud computing environment 242, in some implementations,application platform 240 may not be cloud-based (i.e., may be implemented outside of a cloud computing environment) or may be partially cloud-based. -
Cloud computing environment 242 includes an environment that hostsapplication platform 240.Cloud computing environment 242 may provide computation, software, data access, storage, and/or other services. As shown,cloud computing environment 242 may include a group of computing resources 244 (referred to collectively as “computingresources 244” and individually as “computing resource 244”). -
Computing resource 244 includes one or more personal computers, workstation computers, server devices, or another type of computation and/or communication device. In some implementations,computing resource 244 may hostapplication platform 240. The cloud resources may include compute instances executing incomputing resource 244, storage devices provided incomputing resource 244, data transfer devices provided bycomputing resource 244, etc. In some implementations,computing resource 244 may communicate withother computing resources 244 via wired connections, wireless connections, or a combination of wired and wireless connections. - As further shown in
FIG. 2 ,computing resource 244 may include a group of cloud resources, such as one or more applications (“APPs”) 244-1, one or more virtual machines (“VMs”) 244-2, one or more virtualized storages (“VSs”) 244-3, or one or more hypervisors (“HYPs”) 244-4. - Application 244-1 includes one or more software applications that may be provided to or accessed by one or more devices of
environment 200. Application 244-1 may eliminate a need to install and execute the software applications on devices ofenvironment 200. For example, application 244-1 may include software associated withapplication platform 240 and/or any other software capable of being provided viacloud computing environment 242. In some implementations, one application 244-1 may send/receive information to/from one or more other applications 244-1, via virtual machine 244-2. In some implementations, application 244-1 may include a software application associated with one or more databases and/or operating systems. For example, application 244-1 may include an enterprise application, a functional application, an analytics application, and/or the like. - Virtual machine 244-2 includes a software implementation of a machine (e.g., a computer) that executes programs like a physical machine. Virtual machine 244-2 may be either a system virtual machine or a process virtual machine, depending upon use and degree of correspondence to any real machine by virtual machine 244-2. A system virtual machine may provide a complete system platform that supports execution of a complete operating system (“OS”). A process virtual machine may execute a single program, and may support a single process. In some implementations, virtual machine 244-2 may execute on behalf of a user (e.g., a user of
client device 210 and/or an operator of application platform 240), and may manage infrastructure ofcloud computing environment 242, such as data management, synchronization, or long-duration data transfers. - Virtualized storage 244-3 includes one or more storage systems and/or one or more devices that use virtualization techniques within the storage systems or devices of
computing resource 244. In some implementations, within the context of a storage system, types of virtualizations may include block virtualization and file virtualization. Block virtualization may refer to abstraction (or separation) of logical storage from physical storage so that the storage system may be accessed without regard to physical storage or heterogeneous structure. The separation may permit administrators of the storage system flexibility in how the administrators manage storage for end users. File virtualization may eliminate dependencies between data accessed at a file level and a location where files are physically stored. This may enable optimization of storage use, server consolidation, and/or performance of non-disruptive file migrations. - Hypervisor 244-4 provides hardware virtualization techniques that allow multiple operating systems (e.g., “guest operating systems”) to execute concurrently on a host computer, such as
computing resource 244. Hypervisor 244-4 may present a virtual operating platform to the guest operating systems, and may manage the execution of the guest operating systems. Multiple instances of a variety of operating systems may share virtualized hardware resources. -
Network 250 includes one or more wired and/or wireless networks. For example,network 250 may include a mobile network (e.g., a long-term evolution (LTE) network, a code division multiple access (CDMA) network, a 3G network, a 4G network, a 5G network, another type of next generation network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, or the like, and/or a combination of these or other types of networks. - The number and arrangement of devices and networks shown in
FIG. 2 are provided as an example. In practice, there may be additional devices and/or networks, fewer devices and/or networks, different devices and/or networks, or differently arranged devices and/or networks than those shown inFIG. 2 . Furthermore, two or more devices shown inFIG. 2 may be implemented within a single device, or a single device shown inFIG. 2 may be implemented as multiple, distributed devices. Additionally, or alternatively, a set of devices (e.g., one or more devices) ofenvironment 200 may perform one or more functions described as being performed by another set of devices ofenvironment 200. -
FIGS. 3A and 3B are diagrams of example components of one or more devices ofFIG. 2 .FIG. 3A is a diagram of example components of adevice 300.Device 300 may correspond toclient device 210, application cache 220,network device 230,application platform 240, and/or the like. In some implementations,client device 210, application cache 220,network device 230,application platform 240, and/or the like, may include one ormore devices 300 and/or one or more components ofdevice 300. As shown inFIG. 3A ,device 300 may include abus 305, aprocessor 310, amemory 315, astorage component 320, aninput component 325, anoutput component 330, and acommunication interface 335. -
Bus 305 includes a component that permits communication among the components ofdevice 300.Processor 310 is implemented in hardware, firmware, or a combination of hardware and software.Processor 310 takes the form of a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), a microprocessor, a microcontroller, a digital signal processor (DSP), a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), or another type of processing component. In some implementations,processor 310 includes one or more processors capable of being programmed to perform a function.Memory 315 includes a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, and/or an optical memory) that stores information and/or instructions for use byprocessor 310. -
Storage component 320 stores information and/or software related to the operation and use ofdevice 300. For example,storage component 320 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, and/or a solid state disk), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of non-transitory computer-readable medium, along with a corresponding drive. -
Input component 325 includes a component that permitsdevice 300 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, and/or a microphone). Additionally, or alternatively,input component 325 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, and/or an actuator).Output component 330 includes a component that provides output information from device 300 (e.g., a display, a speaker, and/or one or more light-emitting diodes (LEDs)). -
Communication interface 335 includes a transceiver-like component (e.g., a transceiver and/or a separate receiver and transmitter) that enablesdevice 300 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections.Communication interface 335 may permitdevice 300 to receive information from another device and/or provide information to another device. For example,communication interface 335 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like. -
Device 300 may perform one or more processes described herein.Device 300 may perform these processes based onprocessor 310 executing software instructions stored by a non-transitory computer-readable medium, such asmemory 315 and/orstorage component 320. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices. - Software instructions may be read into
memory 315 and/orstorage component 320 from another computer-readable medium or from another device viacommunication interface 335. When executed, software instructions stored inmemory 315 and/orstorage component 320 may causeprocessor 310 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software. - The number and arrangement of components shown in
FIG. 3A are provided as an example. In practice,device 300 may include additional components, fewer components, different components, or differently arranged components than those shown inFIG. 3A . Additionally, or alternatively, a set of components (e.g., one or more components) ofdevice 300 may perform one or more functions described as being performed by another set of components ofdevice 300. -
FIG. 3B is a diagram of example components of adevice 350.Device 350 may correspond tonetwork device 230. In some implementations,network device 230 may include one ormore devices 350 and/or one or more components ofdevice 350. As shown inFIG. 3B ,device 350 may include one or more input components 355-1 through 355-B (B≥1) (hereinafter referred to collectively asinput components 355, and individually as input component 355), aswitching component 360, one or more output components 365-1 through 365-C (C≥1) (hereinafter referred to collectively asoutput components 365, and individually as output component 365), and acontroller 370. -
Input component 355 may be points of attachment for physical links and may be points of entry for incoming traffic, such as packets.Input component 355 may process incoming traffic, such as by performing data link layer encapsulation or decapsulation. In some implementations,input component 355 may send and/or receive packets. In some implementations,input component 355 may include an input line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more interface cards (IFCs), packet forwarding components, line card controller components, input ports, processors, memories, and/or input queues. In some implementations,device 350 may include one ormore input components 355. -
Switching component 360 may interconnectinput components 355 withoutput components 365. In some implementations, switchingcomponent 360 may be implemented via one or more crossbars, via busses, and/or with shared memories. The shared memories may act as temporary buffers to store packets frominput components 355 before the packets are eventually scheduled for delivery tooutput components 365. In some implementations, switchingcomponent 360 may enableinput components 355,output components 365, and/orcontroller 370 to communicate. -
Output component 365 may store packets and may schedule packets for transmission on output physical links.Output component 365 may support data link layer encapsulation or decapsulation, and/or a variety of higher-level protocols. In some implementations,output component 365 may send packets and/or receive packets. In some implementations,output component 365 may include an output line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more IFCs, packet forwarding components, line card controller components, output ports, processors, memories, and/or output queues. In some implementations,device 350 may include one ormore output components 365. In some implementations,input component 355 andoutput component 365 may be implemented by the same set of components (e.g., and input/output component may be a combination ofinput component 355 and output component 365). -
Controller 370 includes a processor in the form of, for example, a CPU, a GPU, an APU, a microprocessor, a microcontroller, a DSP, an FPGA, an ASIC, and/or another type of processor. The processor is implemented in hardware, firmware, or a combination of hardware and software. In some implementations,controller 370 may include one or more processors that can be programmed to perform a function. - In some implementations,
controller 370 may include a RAM, a ROM, and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, an optical memory, etc.) that stores information and/or instructions for use bycontroller 370. - In some implementations,
controller 370 may communicate with other devices, networks, and/or systems connected todevice 300 to exchange information regarding network topology.Controller 370 may create routing tables based on the network topology information, create forwarding tables based on the routing tables, and forward the forwarding tables to inputcomponents 355 and/oroutput components 365.Input components 355 and/oroutput components 365 may use the forwarding tables to perform route lookups for incoming and/or outgoing packets. -
Controller 370 may perform one or more processes described herein.Controller 370 may perform these processes in response to executing software instructions stored by a non-transitory computer-readable medium. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices. - Software instructions may be read into a memory and/or storage component associated with
controller 370 from another computer-readable medium or from another device via a communication interface. When executed, software instructions stored in a memory and/or storage component associated withcontroller 370 may causecontroller 370 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software. - The number and arrangement of components shown in
FIG. 3B are provided as an example. In practice,device 350 may include additional components, fewer components, different components, or differently arranged components than those shown inFIG. 3B . Additionally, or alternatively, a set of components (e.g., one or more components) ofdevice 350 may perform one or more functions described as being performed by another set of components ofdevice 350. -
FIG. 4 is a flow chart of anexample process 400 for applying application-based policy rules. In some implementations, one or more process blocks ofFIG. 4 may be performed by a network device (e.g., network device 230). In some implementations, one or more process blocks ofFIG. 4 may be performed by another device or a group of devices separate from or including the network device, such asclient device 210, application cache 220, anothernetwork device 230,application platform 240, and/orcomputing resource 244. - As shown in
FIG. 4 ,process 400 may include receiving a packet from a client device (block 410). For example, the network device (e.g., usingprocessor 310,communication interface 335,input component 355,controller 370, and/or the like) may receive a packet from a client device, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 4 ,process 400 may include identifying, based on receiving the packet, a destination of the packet (block 420). For example, the network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may identify, based on receiving the packet, a destination of the packet, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 4 ,process 400 may include determining, based on information included in an application cache, an application associated with the destination of the packet, wherein the network device, the client device, and the application cache are included in a first local network (block 430). For example, the network device (e.g., usingprocessor 310,storage component 320,communication interface 335,input component 355,output component 365,controller 370, and/or the like) may determine, based on information included in an application cache, an application associated with the destination of the packet, as described above in connection withFIGS. 1A-1I . In some implementations, the network device, the client device, and the application cache may be included in a first local network. - As further shown in
FIG. 4 ,process 400 may include determining, based on the information included in the application cache, a policy rule associated with the application (block 440). For example, the network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may determine, based on the information included in the application cache, a policy rule associated with the application, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 4 ,process 400 may include applying the policy rule to the packet (block 450). For example, the network device (e.g., usingprocessor 310,output component 330,communication interface 335,output component 365,controller 370, and/or the like) may apply the policy rule to the packet, as described above in connection withFIGS. 1A-1I . -
Process 400 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein. - In some implementations, the information included in the application cache may include information associating the destination of the packet with the application. In some implementations, the network device may receive, from a second local network, different than the first local network, and prior to receiving the packet from the client device, the information associating the destination with the application, and may store, in the application cache, the information associating the destination with the application.
- In some implementations, the policy rule associated with the application may include a policy rule that specifies that traffic associated with the application is to be transmitted to an application server, associated with the application, without being transmitted to a second network device included in a second local network different than the first local network, a policy rule for quality of service (QoS) treatment of the traffic associated with the application, a policy rule for inspection of the traffic associated with the application, a policy rule that specifies that the traffic associated with the application is to be rate limited, or a policy rule that specifies that the traffic associated with the application is to be dropped.
- In some implementations, the first local network and the second local network may be associated with a same entity. In some implementations, when applying the policy rule to the packet, the first network device may transmit the packet to the application server without transmitting the packet to the second network device included in the second local network. In some implementations, the information included in the first application cache may be populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API).
- Although
FIG. 4 shows example blocks ofprocess 400, in some implementations,process 400 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted inFIG. 4 . Additionally, or alternatively, two or more of the blocks ofprocess 400 may be performed in parallel. -
FIG. 5 is a flow chart of anexample process 500 for applying application-based policy rules. In some implementations, one or more process blocks ofFIG. 5 may be performed by a first network device (e.g., network device 230). In some implementations, one or more process blocks ofFIG. 5 may be performed by another device or a group of devices separate from or including the first network device, such asclient device 210, application cache 220, anothernetwork device 230,application platform 240, and/orcomputing resource 244. - As shown in
FIG. 5 ,process 500 may include receiving a packet from a client device (block 510). For example, the first network device (e.g., usingprocessor 310,input component 325,communication interface 335,input component 355,controller 370, and/or the like) may receive a packet from a client device, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 5 ,process 500 may include identifying, based on receiving the packet, a destination associated with the packet (block 520). For example, the first network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may identify, based on receiving the packet, a destination associated with the packet, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 5 ,process 500 may include determining, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network (block 530). For example, the first network device (e.g., usingprocessor 310,memory 315,communication interface 335,input component 355,controller 370, and/or the like) may determine, based on information included in a first application cache, an application associated with the destination of the packet, as described above in connection withFIGS. 1A-1I . In some implementations, the first network device, the client device, and the first application cache may be included in a first local network. - As further shown in
FIG. 5 ,process 500 may include determining, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to an application server without transmitting the packet to a second network device, wherein the second network device is included in a second local network that is different than the first local network (block 540). For example, the first network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may determine, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to an application server without transmitting the packet to a second network device, as described above in connection withFIGS. 1A-1I . In some implementations, the second network device may be included in a second local network that is different than the first local network. - As further shown in
FIG. 5 ,process 500 may include transmitting the packet to the application server without transmitting the packet to the second network device based on determining to transmit the packet to the application server without transmitting the packet to the second network device (block 550). For example, the first network device (e.g., usingprocessor 310,output component 330,communication interface 335,output component 365,controller 370, and/or the like) may transmit the packet to the application server without transmitting the packet to the second network device based on determining to transmit the packet to the application server without transmitting the packet to the second network device, as described above in connection withFIGS. 1A-1I . -
Process 500 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein. - In some implementations, the first application cache may be synchronized with a second application cache included in the second local network. In some implementations, a connection between the first application cache and the second application cache may be encrypted based on secure sockets layer (SSL) encryption, and/or based on transport layer security (TLS) encryption. In some implementations, a connection between the first application cache and the second application cache may be authenticated prior to the first application cache being synchronized with the second application cache.
- In some implementations, the first application cache may initiate synchronization with the second application cache by transmitting, to the second application cache, information indicating that the first application cache is available for synchronization. In some implementations, the information included in the first application cache may be populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API). In some implementations, the first local network and the second local network may be associated with a same entity.
- Although
FIG. 5 shows example blocks ofprocess 500, in some implementations,process 500 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted inFIG. 5 . Additionally, or alternatively, two or more of the blocks ofprocess 500 may be performed in parallel. -
FIG. 6 is a flow chart of anexample process 600 for applying application-based policy rules. In some implementations, one or more process blocks ofFIG. 6 may be performed by a first network device (e.g., network device 230). In some implementations, one or more process blocks ofFIG. 6 may be performed by another device or a group of devices separate from or including the first network device, such asclient device 210, application cache 220, anothernetwork device 230,application platform 240, and/orcomputing resource 244. - As shown in
FIG. 6 ,process 600 may include receiving a packet from a client device (block 610). For example, the first network device (e.g., usingprocessor 310,input component 325,communication interface 335,input component 355,controller 370, and/or the like) may receive a packet from a client device, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 6 ,process 600 may include identifying, based on receiving the packet, a destination of the packet (block 620). For example, the first network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may identify, based on receiving the packet, a destination of the packet, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 6 ,process 600 may include determining, based on information included in a first application cache, an application associated with the destination of the packet, wherein the first network device, the client device, and the first application cache are included in a first local network (block 630). For example, the first network device (e.g., usingprocessor 310,storage component 320,controller 370, and/or the like) may determine, based on information included in a first application cache, an application associated with the destination of the packet, as described above in connection withFIGS. 1A-1I . In some implementations, the first network device, the client device, and the first application cache may be included in a first local network. - As further shown in
FIG. 6 ,process 600 may include determining, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application server without transmitting the packet to the second network device, wherein the second network device is included in a second local network that is different from the first local network (block 640). For example, the first network device (e.g., usingprocessor 310,memory 315,controller 370, and/or the like) may determine, based on the application associated with the destination of the packet and based on the information included in the first application cache, whether to transmit the packet to a second network device or to transmit the packet to an application server without transmitting the packet to the second network device, as described above in connection withFIGS. 1A-1I . In some implementations, the second network device may be included in a second local network that is different from the first local network. - As further shown in
FIG. 6 ,process 600 may include transmitting, based on determining to transmit the packet to the application server without transmitting the packet to the second network device, the packet to the application server without transmitting the packet to the second network device (block 650). For example, the first network device (e.g., usingprocessor 310,output component 330,communication interface 335,output component 365,controller 370, and/or the like) may transmit, based on determining to transmit the packet to the application server without transmitting the packet to the second network device, the packet to the application server without transmitting the packet to the second network device, as described above in connection withFIGS. 1A-1I . - As further shown in
FIG. 6 ,process 600 may include transmitting, based on determining to transmit the packet to the second network device, the packet to the second network device (block 660). For example, the first network device (e.g., usingprocessor 310,output component 330,communication interface 335,output component 365,controller 370, and/or the like) may transmit, based on determining to transmit the packet to the second network device, the packet to the second network device, as described above in connection withFIGS. 1A-1I . -
Process 600 may include additional implementations, such as any single implementation or any combination of implementations described below and/or described with regard to any other process described herein. - In some implementations, the packet may be encrypted based on at least one of secure sockets layer (SSL) encryption, or transport layer security (TLS) encryption. In some implementations, the first application cache may be synchronized with a second application cache using a representational state transfer (RESTful) application programming interface (API), and the second application cache is at least one of included in the second local network, or associated with a different vendor than the first application cache. In some implementations, wherein the information included in the first application cache is populated in the first application cache by a centralized software-defined networking (SDN) controller using an application programming interface (API).
- In some implementations, when determining whether to transmit the packet to the second network device or to transmit the packet to the application server without transmitting the packet to the second network device, the first network device may determine to transmit the packet to the application server without transmitting the packet to the second network device based information, included in the first application cache, associating the application with a policy rule that specifies that traffic associated with the application is to be transmitted to the application server without transmitting the packet to the second network device.
- In some implementations, when determining whether to transmit the packet to the second network device or to transmit the packet to the application server without transmitting the packet to the second network device, the first network device may determine to transmit the packet to the second network device based on determining that the information included in the first application cache does not include information associating the destination with the application.
- Although
FIG. 6 shows example blocks ofprocess 600, in some implementations,process 600 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted inFIG. 6 . Additionally, or alternatively, two or more of the blocks ofprocess 600 may be performed in parallel. - Some implementations described herein provide a
network device 230 capable of applying application-based policy rules. In some implementations, thenetwork device 230 may receive a packet from aclient device 210, may identify a destination of the packet, may determine an application associated with the destination of the packet, may determine a policy rule for routing the traffic associated with the application, and may transmit the packet based on the policy rule. - In this way, a
network device 230 included in a first local network associated with an entity may apply application-based policy rules even when thenetwork device 230 may be incapable of performing deep packet inspection or other techniques to inspect the payload of a packet to identify the application associated with the packet, which increases the functionality of thenetwork device 230 without increasing the processing and/or memory capabilities of the network device. For example, thenetwork device 230 may transmit a packet associated with a particular application such that the packet is transmitted to a destination without first transmitting the packet to anothernetwork device 230 included in a second local network associated with the entity, which decreases latency between aclient device 210 that generated the packet and the destination, which in turn improves user experience associated with theclient device 210. Moreover, transmitting the packet to the destination without first transmitting the packet to theother network device 230 included in the second local network deceases the quantity of packets transmitted between the first local network and the second local network, which decreases network resource usage between the first local network and the second local network and allows network resources that would have otherwise been used to transmit the packet between the first local network and the second local network to be used for other purposes. Further, transmitting the packet to the destination without first transmitting the packet to theother network device 230 included in the second local network deceases the quantity of packets the other network device is to process, which reduces processing and/or memory resource usage of theother network device 230, reduces the time it takes to process a packet at the other network device 230 (e.g., because the packet processing queue at theother network device 230 is reduced), and allows the other network device to use the processing and/or memory resources that would have otherwise been used to process the packet for other purposes. - As used herein, the term traffic or content may include a set of packets. A packet may refer to a communication structure for communicating information, such as a protocol data unit (PDU), a network packet, a datagram, a segment, a message, a block, a cell, a frame, a subframe, a slot, a symbol, a portion of any of the above, and/or another type of formatted or unformatted unit of data capable of being transmitted via a network.
- The foregoing disclosure provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above disclosure or may be acquired from practice of the implementations.
- As used herein, the term component is intended to be broadly construed as hardware, firmware, and/or a combination of hardware and software.
- It will be apparent that systems and/or methods, described herein, may be implemented in different forms of hardware, firmware, or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods were described herein without reference to specific software code—it being understood that software and hardware can be designed to implement the systems and/or methods based on the description herein.
- Even though particular combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one claim, the disclosure of possible implementations includes each dependent claim in combination with every other claim in the claim set.
- No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles “a” and “an” are intended to include one or more items, and may be used interchangeably with “one or more.” Furthermore, as used herein, the term “set” is intended to include one or more items (e.g., related items, unrelated items, a combination of related and unrelated items, etc.), and may be used interchangeably with “one or more.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/303,294 US20210281656A1 (en) | 2018-08-02 | 2021-05-26 | Applying application-based policy rules using a programmable application cache |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/053,532 US11032389B1 (en) | 2018-08-02 | 2018-08-02 | Applying application-based policy rules using a programmable application cache |
US17/303,294 US20210281656A1 (en) | 2018-08-02 | 2021-05-26 | Applying application-based policy rules using a programmable application cache |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/053,532 Continuation US11032389B1 (en) | 2018-08-02 | 2018-08-02 | Applying application-based policy rules using a programmable application cache |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210281656A1 true US20210281656A1 (en) | 2021-09-09 |
Family
ID=76213324
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/053,532 Active 2038-10-13 US11032389B1 (en) | 2018-08-02 | 2018-08-02 | Applying application-based policy rules using a programmable application cache |
US17/303,294 Pending US20210281656A1 (en) | 2018-08-02 | 2021-05-26 | Applying application-based policy rules using a programmable application cache |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/053,532 Active 2038-10-13 US11032389B1 (en) | 2018-08-02 | 2018-08-02 | Applying application-based policy rules using a programmable application cache |
Country Status (1)
Country | Link |
---|---|
US (2) | US11032389B1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220029921A1 (en) * | 2020-02-21 | 2022-01-27 | Cisco Technology, Inc. | Passing application network metadata to network controllers using service registries |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150055657A1 (en) * | 2008-12-24 | 2015-02-26 | Palo Alto Networks, Inc. | Application based packet forwarding |
US20150180768A1 (en) * | 2009-12-07 | 2015-06-25 | Amazon Technologies, Inc. | Using virtual networking devices to manage routing cost information |
US20160269432A1 (en) * | 2013-11-22 | 2016-09-15 | Huawei Technologies Co.,Ltd. | Malicious attack detection method and apparatus |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7769896B2 (en) * | 2001-08-30 | 2010-08-03 | Siebel Systems, Inc. | Method, apparatus and system for dispatching messages within a system |
US8185653B2 (en) * | 2004-08-09 | 2012-05-22 | Johnny Yau | Method and apparatus for ad hoc mesh routing |
US8539098B2 (en) * | 2007-10-17 | 2013-09-17 | Dispersive Networks, Inc. | Multiplexed client server (MCS) communications and systems |
WO2010117623A2 (en) * | 2009-03-31 | 2010-10-14 | Coach Wei | System and method for access management and security protection for network accessible computer services |
US20150188949A1 (en) * | 2013-12-31 | 2015-07-02 | Lookout, Inc. | Cloud-based network security |
US9673998B2 (en) | 2014-05-15 | 2017-06-06 | Futurewei Technologies, Inc. | Differential cache for representational state transfer (REST) API |
US10334014B2 (en) | 2016-11-17 | 2019-06-25 | Futurewei Technologies, Inc. | Accessing connected service resources in a distributed application programming interface |
-
2018
- 2018-08-02 US US16/053,532 patent/US11032389B1/en active Active
-
2021
- 2021-05-26 US US17/303,294 patent/US20210281656A1/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150055657A1 (en) * | 2008-12-24 | 2015-02-26 | Palo Alto Networks, Inc. | Application based packet forwarding |
US20150180768A1 (en) * | 2009-12-07 | 2015-06-25 | Amazon Technologies, Inc. | Using virtual networking devices to manage routing cost information |
US20160269432A1 (en) * | 2013-11-22 | 2016-09-15 | Huawei Technologies Co.,Ltd. | Malicious attack detection method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
US11032389B1 (en) | 2021-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11856041B2 (en) | Distributed routing and load balancing in a dynamic service chain | |
US10721096B2 (en) | Intelligent multi-channel VPN orchestration | |
US11489779B2 (en) | Systems and methods for managing streams of packets via intermediary devices | |
US20210273977A1 (en) | Control access to domains, servers, and content | |
US20200007445A1 (en) | Enhanced service function chain | |
US10291598B1 (en) | Transmitting and storing different types of encrypted information using TCP urgent mechanism | |
US11178218B2 (en) | Bidirectional communication clusters | |
US11265254B1 (en) | Systems and methods for determining a policy that allocates traffic associated with a network protocol type to a network slice | |
US20220272041A1 (en) | Controlling a destination of network traffic | |
US10178033B2 (en) | System and method for efficient traffic shaping and quota enforcement in a cluster environment | |
US11496599B1 (en) | Efficient flow management utilizing control packets | |
US20210337017A1 (en) | Hybrid cloud computing network management | |
US11743236B2 (en) | Generating an application-based proxy auto configuration | |
US20210281656A1 (en) | Applying application-based policy rules using a programmable application cache | |
US11349936B2 (en) | System and related methods providing channel switching between appliances |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: JUNIPER NETWORKS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHAUBEY, RAJEEV;KUMAR, ASHOK;SIGNING DATES FROM 20180801 TO 20180802;REEL/FRAME:056358/0979 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: ADVISORY ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |