Recognizing and processing conflicts in network management...

Electrical computers and digital processing systems: multicomput – Computer network managing

Reexamination Certificate


Details

C709S221000, C709S222000, C707S793000, C370S254000

active

06327618

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to data processing. The invention relates more specifically to computer systems or software systems that manage policy-based systems, and which can recognize and process conflicts in policies that control the policy-based system.
BACKGROUND OF THE INVENTION
Computer networks have become ubiquitous in the home, office, and industrial environment. As computer networks have grown ever more complex, automated mechanisms for organizing and managing the networks have emerged. These mechanisms are generally implemented in the form of one or more computer programs, and are generically known as network management systems or applications.
FIG. 1 is a simplified diagram of a network 100 that is managed by a network management station 10. The network 100 comprises one or more network devices 102, such as switches, routers, bridges, gateways, and other devices. Each network device 102 is coupled to another network device 102, or to one or more end stations 120. Each end station 120 is a terminal node of the network 100 at which some type of work is carried out. For example, an end station 120 is a workstation, a printer, a server, or similar device.
Each network device 102 executes an operating system 110. An example of such an operating system is the Internetworking Operating System (IOS) commercially available from Cisco Systems, Inc. Each network device 102 also executes one or more applications 112 under control of or embedded within the operating system 110. The operating system 110 supervises operation of the applications 112 and communicates over network connections 104 using an agreed-upon network communication protocol, such as Simple Network Management Protocol (SNMP).
Each device 102 stores information about its current configuration, and other information, in one or more information bases (IBs) such as one or more Management Information Bases (MIBs) 114. Information in an MIB 114 is organized in a manner appropriate for that IB, for example, in one or more MIB variables. The network management station 10 can use means appropriate to each kind of network device 102 and send it appropriate commands to read or alter information in its information bases. For example, network management station 10 can send “fetch” and “set” commands to the device 102 in order to retrieve or set values of MIB variables. Examples of MIB variables include sysObjectID and sysDescr.
Preferably the network management station 10 is a general-purpose computer system of the type shown and described further herein in connection with FIG. 3. The network management station 10 executes one or more software components that carry out the functions shown in block diagram form in FIG. 1. For example, the network management station 10 executes a basic input/output system (BIOS) 20 that controls and governs interaction of upper logical layers of the software components with hardware of the network management station. An example of a suitable BIOS is the Phoenix ROM BIOS. The network management station 10 also executes an operating system 30 that supervises and controls operation of upper-level application programs. An example of a suitable operating system is the Microsoft Windows NT® operating system. The network management station 10 may also execute other operating systems that may not require a BIOS 20, such as UNIX-type operating systems, microkernel-based operating systems, etc.
The network management station 10 executes an asynchronous network interface (ANI) program 50 under control of the operating system 30. The ANI 50 provides an interface to the network 100 and communicates with the network using SNMP or another agreed-upon protocol. The ANI 50 provides numerous low-level services and functions for use by higher-level applications.
The network management station 10 executes a network management system 40 that interacts with an information base 60 containing information about the managed network 100. This information base may be one or more data bases, one or more directories, one or more flat-files, or any other convenient storage mechanism or mechanisms. The network management system 40 is an example of a network management application. Using a network management application, a manager can monitor and control network components. For example, a network management application enables a manager to interrogate devices such as host computers, routers, switches, and bridges to determine their status, and to obtain statistics about the networks to which they attach. The network management application also enables a manager to control such devices by changing routes and configuring network interfaces. Examples of network management applications are CiscoWorks, CiscoWorks 2000, and CiscoView, each of which is commercially available from Cisco Systems, Inc.
The ANI 50 and network management system 40 need not execute or reside on the same physical computer. They may execute on different machines.
The behavior of some network management applications or network devices 102 may be governed by one or more abstract policies. A network management policy expresses a business goal for use of the network; the network management application can convert the policy into instructions to network devices, such as switches, routers, firewalls, and other hardware and software, to implement the policy. An example of a policy is: “All administrative assistants may use the World Wide Web only between 11 a.m. and 3 p.m., Monday through Friday.” A system that can receive and act on such policies is sometimes called a policy-based network management system.
Policy-based management is used in other, specific contexts within the broad field of network management. For example, the Cisco Centri Firewall software product, commercially available from Cisco Systems, Inc. of San Jose, Calif., is a policy-driven product. The use of policies to control a firewall is disclosed in co-pending U.S. patent application Ser. No. 60/074945, filed Feb. 17, 1998, entitled “Graphical Network Security Policy Management,” and naming Scott L. Wiegel as inventor.
Other information about policy-based networking is described in CiscoAssure Policy Networking: Enabling Business Applications through Intelligent Networking, http://www.cisco.com/warp/public/734/capn/assur_sd.htm (posted Jun. 13, 1998); CiscoAssure Policy Networking End-to-End Quality of Service, http://www.cisco.com/warp/public/734/capn/caqos_wp.htm (posted Jun. 24, 1998); Delivering End-to-End Security in Policy-Based Networks, http://www.cisco.com/warp/public/734/capn/deesp_wp.htm (posted Sep. 11, 1998); User Registration and Address Management Services for Policy Networking, http://www.cisco.com/warp/public/734/capn/polnt_wp.htm (posted Sep. 11, 1998); CiscoAssure User Registration Tool, http://www.cisco.com/warp/public/734/capn/caurt_ai.htm (posted Oct. 8, 1998).
The ease by which policy-based network management systems permit a user or administrator to create network management policies is also a disadvantage of such systems. When a large number of policies is developed, a risk of damaging the network, through conflicting policies or non-conflicting policies that achieve different goals, is created. There is a need for a system, mechanism or process of preventing conflicting policies from damaging a network.
For example, conflicting policies may leave a network or other policy-based system in an inconsistent state, or may make it difficult or impossible to understand the effects of the set of policies. A set of policies may be difficult or impossible to understand even if it is possible to understand the effect of each individual policy in isolation. These problems exist, in part, because past systems have provided no formal way to define the structure of a policy or a policy conflict. Past systems may provide a grammar in which a policy must be expressed, but in past approaches there is no formal definition of a policy, or of a conflict, or of how to re
