Cisco Patent Complaint against Arista - December 5, 2014

On December 5, 2014 Cisco filed suit against Arista for copyright and patent infringement. This is the patent complaint. The blog by our General Counsel Mark Chandler delineating why we filed suit can be viewed here: http://blogs.cisco.com/news/protecting-innovation

  1. 1. Case3:14-cv-05343 Document1 Filed12/05/14 Page1 of 22 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Steven Cherny (admission pro hac vice pending) steven.cherny@kirkland.com KIRKLAND & ELLIS LLP 601 Lexington Avenue New York, New York 10022 Telephone: (212) 446-4800 Facsimile: (212) 446-4900 Adam R. Alper (SBN 196834) adam.alper@kirkland.com KIRKLAND & ELLIS LLP 555 California Street San Francisco, California 94104 Telephone: (415) 439-1400 Facsimile: (415) 439-1500 Michael W. De Vries (SBN 211001) michael.devries@kirkland.com KIRKLAND & ELLIS LLP 333 South Hope Street Los Angeles, California 90071 Telephone: (213) 680-8400 Facsimile: (213) 680-8500 Attorneys for Plaintiff Cisco Systems, Inc. UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA CISCO SYSTEMS, INC., Plaintiff, v. ARISTA NETWORKS, INC., Defendant. ))))))))) ) ) CASE NO. 3:14-cv-5343 COMPLAINT FOR PATENT INFRINGEMENT DEMAND FOR JURY TRIAL
  2. 2. Case3:14-cv-05343 Document1 Filed12/05/14 Page2 of 22 2 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 COMPLAINT FOR PATENT INFRINGEMENT Plaintiff Cisco Systems, Inc. (“Cisco”), for its complaint against Defendant Arista Networks, Inc. (“Arista”), hereby demands a jury trial and alleges as follows: INTRODUCTION 1. Cisco is an information technology (IT) company that was founded in 1984. Cisco is the worldwide leader in developing and implementing the networking technologies that enable global interconnectivity and the Internet of Everything. Cisco employs thousands of networking engineers at its headquarters in San Jose, California, and elsewhere, and invests billions of dollars annually in research and development focused on creating the future of networking technologies. 2. Decades after Cisco’s founding, Arista was founded by former Cisco employees, many of whom are named inventors on Cisco’s networking patents. Among others, Arista’s 1) founders, 2) President and CEO, 3) Chief Development Officer, 4) Chief Technology Officer, 5) Senior Vice President for Customer Engineering, 6) Vice President of Business Alliances, 7) former Vice President for Global Operations and Marketing, 8) Vice President of Systems Engineering and Technology Marketing, 9) Vice President of Hardware Engineering, 10) Vice President of Software Engineering, and 11) Vice President of Manufacturing and Platform Engineering all were employed by Cisco prior to joining Arista. Moreover, four out of the seven members of Arista’s Board of Directors were previously employed by Cisco. Arista’s goal is to sell networking products. Rather than building its products and services based on new technologies developed by Arista, however, and providing legitimate competition to Cisco, Arista took a shortcut by using innovative networking technologies designed, developed, and patented by Cisco. 3. 
Notably, Arista was founded by former Cisco employees who were intimately and directly familiar with Cisco’s patented networking technologies, including those protected by patents asserted in this action. Two of Arista’s founders, Andreas Bechtolsheim and David Cheriton, developed patented technologies while at Cisco. While each has had a long career in the networking and computing fields, they are each named inventors on a number of the Cisco patents asserted in this case. Messrs. Bechtolsheim and Cheriton are aware of Cisco patents on which they were named inventors and that they developed while employed by Cisco. Arista, despite knowing that Cisco’s networking
  3. 3. Case3:14-cv-05343 Document1 Filed12/05/14 Page3 of 22 3 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 technologies are protected by Cisco’s patents, blatantly incorporated those technologies into Arista’s products. 4. Arista has acknowledged the substantial investment in time and employment that would have been required to legitimately compete with Cisco. Arista’s President and Chief Executive Officer, former Cisco employee Jayshree Ullal, has stated: “Since I helped build the enterprise [at Cisco], I would never compete with Cisco directly in the enterprise in a conventional way. It makes no sense. It would take me 15 years and 15,000 engineers, and that’s not a recipe for success.” (emphasis added) By simply incorporating numerous patented technologies developed by Cisco into Arista’s products, covering a variety of critical features, Arista avoided hiring the thousands of engineers and making the substantial investments that would otherwise have been needed to legitimately develop its own technologies. Arista took an unfair shortcut to compete with Cisco using Cisco’s own technologies, while avoiding the investments in employees, money, and time that would have been needed to develop products based on new technologies. Indeed, Cisco is not the only party to find itself aggrieved regarding Arista’s alleged misappropriation of intellectual property. Arista co-founder David Cheriton has himself alleged that Arista misappropriated his own intellectual property in a complaint filed against Arista by his company, Optumsoft. 5. Arista’s actions have caused harm to Cisco, as alleged below, by incorporating Cisco’s patented technologies into Arista’s products. The patents asserted in this case were invented by Cisco personnel, are proprietary, and are implemented by Cisco in its innovative products in order to successfully compete in the marketplace. 
Arista’s actions also significantly harm innovation. If Arista’s use of Cisco technologies allows it to avoid what is needed to develop new technologies, other companies will be encouraged to simply use others’ proprietary technologies rather than to hire engineers, invest in innovation, and develop new technologies. Cisco therefore seeks injunctive relief to stop Arista’s widespread and improper infringement of Cisco’s lawful patent rights. 6. Cisco welcomes legitimate competition in the marketplace. Its executives have written and spoken in support of employee mobility, and Cisco believes strongly and has stated that allowing
  4. 4. Case3:14-cv-05343 Document1 Filed12/05/14 Page4 of 22 4 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 people to move freely between companies fosters innovation.1 But Arista has unlawfully and intentionally used technologies developed by Cisco’s personnel, including without limitation technologies that Arista’s own founders had developed while at Cisco, where Cisco invested the necessary research and development, funding, personnel, and engineering hours to support these innovations. Arista’s intellectual property infringement stifles innovation and cannot be condoned. NATURE OF THE ACTION 7. This is a civil action for patent infringement under the Patent Laws of the United States, 35 U.S.C. §§ 1 et seq., and for such other relief as the Court deems just and proper. THE PARTIES 8. Plaintiff Cisco is a company duly organized and existing under the laws of California, having its principal place of business at 170 West Tasman Drive, San Jose, CA 95134. 9. On information and belief, Defendant Arista is a corporation duly organized and existing under the laws of Delaware, having its principal place of business at 5453 Great America Parkway, Santa Clara, CA 95054. JURISDICTION 10. This civil action asserts claims arising under the Patent Laws of the United States, 35 U.S.C. §§ 1 et seq. This Court has subject matter jurisdiction under 28 U.S.C. §§ 1331 and 1338(a). 11. This Court has personal jurisdiction over Arista. Arista has maintained its principal place of business in the Northern District of California since 2004. Arista also has engaged in substantial and not isolated business activities in the Northern District of California. Specifically, Arista, directly and/or through third parties, has made, used, sold, and/or offered for sale within the Northern District of California and/or imported into the Northern District of California infringing networking products. VENUE 12. 
Venue properly lies in this District under 28 U.S.C. §§ 1391 and 1400(b) because Arista’s principal place of business is in this District, acts of infringement have been committed in this district, and Arista is subject to personal jurisdiction in this district. In addition, venue is proper because 1 Cisco, Cisco Blog - The Platform, “Employee Mobility,” available at http://blogs.cisco.com/tag/employee-mobility/.
  5. 5. Case3:14-cv-05343 Document1 Filed12/05/14 Page5 of 22 5 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Cisco has suffered harm in this district. INTRADISTRICT ASSIGNMENT 13. This Complaint includes an Intellectual Property Action, which is an excepted category under Civil Local Rule 3-2(c). Consequently, this action is assigned on a district-wide basis. GENERAL ALLEGATIONS CISCO IS THE WORLDWIDE LEADER IN NETWORKING INNOVATIONS 14. Founded in 1984, Cisco is the worldwide leader in developing, implementing, and providing the technologies behind networking products and services. Cisco develops and provides a broad range of networking products and services that enable seamless communication among individuals, businesses, public institutions, government agencies, and service providers. Specifically, the thousands of engineers who work at Cisco develop and provide networking hardware, software, and services that utilize cutting-edge technologies to transport data, voice, and video within buildings, across cities and campuses, and around the world. 15. Since its founding, Cisco has pioneered many of the important technologies that created and enabled global interconnectivity. During the past three decades, Cisco has invested billions of dollars, and the time and dedication of thousands of its engineers, in the research and development of networking products and services, culminating in the development of a highly-successful interface and related technologies that have driven the proliferation of Cisco’s computer networking technologies and the Internet. 16. 
Cisco’s networking devices and operating systems (including its Internetwork Operating System (“IOS”, “IOS XR”, and “IOS XE”) and its Nexus Operating System (“NX-OS”)) are recognized by customers and the industry generally as very important and unique, contributing tremendously to the success and widespread acceptance of Cisco’s products. Included in Cisco’s products are features important to the successful deployment of large and small networks and crucial to meeting the demands of today’s networking environments, including networking device System Database (“SysDB”), Zero- Touch Provisioning (“ZTP”), On Board Failure Logging (“OBFL”), Control Plane Policing (“CoPP”), Spanning Tree Loop Guard, In-Service System Upgrades (“ISSU”), Virtual Port Channels (“vPC”), Access Control Lists (“ACL”), and Private Virtual Local Area Networks (“Private VLANs”).
  6. 6. Case3:14-cv-05343 Document1 Filed12/05/14 Page6 of 22 6 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 17. As computing technologies evolve and new networking challenges arise, Cisco has continued to innovate and develop new solutions for its customers. No matter what type of network environment – whether large scale Internet backbone networks, enterprise-level local area networks, or networks supporting data centers and today’s “cloud computing” services – Cisco’s technologies have transformed how people connect, communicate, and collaborate. Cisco remains at the forefront of developing cutting-edge networking technologies: in its last fiscal year alone (FY 2014), Cisco invested more than $6 billion in ongoing research and development and employed more than ten thousand engineers in California and elsewhere. 18. Cisco’s intellectual property rights, including its patent rights, protect the valuable technologies developed by Cisco. As a result of its innovations, Cisco has developed a substantial portfolio of U.S. patents, including the 12 patents asserted in this action. CISCO’S PATENTED TECHNOLOGIES 19. Cisco’s products incorporate numerous patented technologies developed and owned by Cisco. Twelve examples of Cisco’s patented technologies that are included in Cisco’s products are described below (collectively, “the Patents-in-Suit”). See Exhibit 1. These patented technologies drive customer demand for Cisco’s products, and Cisco relies on these technologies to lawfully compete in the marketplace. U.S. Patent No. 6,377,577 20. U.S. Patent No. 6,377,577 (“the ’577 patent”) entitled “Access Control List Processing in Hardware” issued on April 23, 2002 and lists Andreas V. Bechtolsheim and David R. Cheriton as inventors. A true and correct copy of the ’577 patent is attached hereto as Exhibit 2. 21. 
Cisco is the owner by assignment of the ’577 patent and has the full right to enforce and/or license the ’577 patent. 22. The ’577 patent is valid and enforceable. U.S. Patent No. 7,023,853 23. U.S. Patent No. 7,023,853 (“the ’853 patent”) entitled “Access Control List Processing in Hardware” issued on April 4, 2006 and lists Andreas V. Bechtolsheim and David R. Cheriton as inventors. A true and correct copy of the ’853 patent is attached hereto as Exhibit 3.
  7. 7. Case3:14-cv-05343 Document1 Filed12/05/14 Page7 of 22 7 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 24. Cisco is the owner by assignment of the ’853 patent and has the full right to enforce and/or license the ’853 patent. 25. The ’853 patent is valid and enforceable. U.S. Patent No. 7,340,597 26. U.S. Patent No. 7,340,597 (“the ’597 patent”) entitled “Method and Apparatus for Securing a Communications Device Using a Logging Module” issued on March 4, 2008 and lists David R. Cheriton as inventor. A true and correct copy of the ’597 patent is attached hereto as Exhibit 4. 27. Cisco is the owner by assignment of the ’597 patent and has the full right to enforce and/or license the ’597 patent. 28. The ’597 patent is valid and enforceable. U.S. Patent No. 7,162,537 29. U.S. Patent No. 7,162,537 (“the ’537 patent”) entitled “Method and System for Externally Managing Router Configuration Data in Conjunction With a Centralized Database” issued on January 9, 2007 and lists Pradeep Kathail as inventor. A true and correct copy of the ’537 patent is attached hereto as Exhibit 5. 30. Cisco is the owner by assignment of the ’537 patent and has the full right to enforce and/or license the ’537 patent. 31. The ’537 patent is valid and enforceable. U.S. Patent No. 8,051,211 32. U.S. Patent No. 8,051,211 (“the ’211 patent”) entitled “Multi-Bridge LAN Aggregation” issued on November 1, 2011 and lists Norman W. Finn as the inventor. A true and correct copy of the ’211 patent is attached hereto as Exhibit 6. 33. Cisco is the owner by assignment of the ’211 patent and has the full right to enforce and/or license the ’211 patent. 34. The ’211 patent is valid and enforceable. U.S. Patent No. 8,356,296 35. U.S. Patent No. 8,356,296 (“the ’296 patent”) entitled “Method and System for Minimal Disruption During Software Upgrade or Reload of a Network Device” issued on January 15, 2013 and
  8. 8. Case3:14-cv-05343 Document1 Filed12/05/14 Page8 of 22 8 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 lists John Thomas Welder, Ratheesh Krishna Vadhyar, Sudhir Rao, and Thomas W. Uban as inventors. A true and correct copy of the ’296 patent is attached hereto as Exhibit 7. 36. Cisco is the owner by assignment of the ’296 patent and has the full right to enforce and/or license the ’296 patent. 37. The ’296 patent is valid and enforceable. U.S. Patent No. 7,290,164 38. U.S. Patent No. 7,290,164 (“the ’164 patent”) entitled “Method of Reverting to a Recovery Configuration in Response to Device Faults” issued on October 30, 2007 and lists Andrew G. Harvey, John Ng, and Gilbert R. Woodman III as inventors. A true and correct copy of the ’164 patent is attached hereto as Exhibit 8. 39. Cisco is the owner by assignment of the ’164 patent and has the full right to enforce and/or license the ’164 patent. 40. The ’164 patent is valid and enforceable. U.S. Patent No. 6,741,592 41. U.S. Patent No. 6,741,592 (“the ’592 patent”) entitled “Private VLANs” issued on May 25, 2004 and lists Thomas J. Edsall, Marco Foschiano, Michael Fine, and Thomas Nosella as inventors. A true and correct copy of the ’592 patent is attached hereto as Exhibit 9. 42. Cisco is the owner by assignment of the ’592 patent and has the full right to enforce and/or license the ’592 patent. 43. The ’592 patent is valid and enforceable. U.S. Patent No. 7,200,145 44. U.S. Patent No. 7,200,145 (“the ’145 patent”) entitled “Private VLANs” issued on April 3, 2007 and lists Thomas J. Edsall, Marco Foschiano, Michael Fine, and Thomas Nosella as inventors. A true and correct copy of the ’145 patent is attached hereto as Exhibit 10. 45. Cisco is the owner by assignment of the ’145 patent and has the full right to enforce and/or license the ’145 patent. 46. The ’145 patent is valid and enforceable.
  9. 9. Case3:14-cv-05343 Document1 Filed12/05/14 Page9 of 22 9 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 U.S. Patent No. 7,460,492 47. U.S. Patent No. 7,460,492 (“the ’492 patent”) entitled “Spanning Tree Loop Guard” issued on December 2, 2008 and lists Maurizio Portolani, Shayamasundar S. Kaluve, and Marco E. Foschiano as inventors. A true and correct copy of the ’492 patent is attached hereto as Exhibit 11. 48. Cisco is the owner by assignment of the ’492 patent and has the full right to enforce and/or license the ’492 patent. 49. The ’492 patent is valid and enforceable. U.S. Patent No. 7,061,875 50. U.S. Patent No. 7,061,875 (“the ’875 patent”) entitled “Spanning Tree Loop Guard” issued on June 13, 2006 and lists Maurizio Portolani, Shayamasundar S. Kaluve, and Marco E. Foschiano as inventors. A true and correct copy of the ’875 patent is attached hereto as Exhibit 12. 51. Cisco is the owner by assignment of the ’875 patent and has the full right to enforce and/or license the ’875 patent. 52. The ’875 patent is valid and enforceable. U.S. Patent No. 7,224,668 53. U.S. Patent No. 7,224,668 (“the ’668 patent”) entitled “Control Plane Security and Traffic Flow Management” issued on May 29, 2007 and lists Adrian C. Smethurst, Michael F. Keohane, and R. Wayne Ogozaly as inventors. A true and correct copy of the ’668 patent is attached hereto as Exhibit 13. 54. Cisco is the owner by assignment of the ’668 patent and has the full right to enforce and/or license the ’668 patent. 55. The ’668 patent is valid and enforceable. ARISTA IS WILLFULLY INFRINGING CISCO’S PATENTS 56. Decades after Cisco’s founding, Arista was founded by former Cisco employees who were intimately and directly familiar with Cisco’s pioneering networking technologies, including those protected by patents asserted in this action. Since its founding, numerous additional Cisco employees have also joined Arista. 
For example, Arista founder and Chief Development Officer Andreas Bechtolsheim served as Vice President and General Manager of Cisco’s Gigabit Systems Business Unit;
  10. 10. Case3:14-cv-05343 Document1 Filed12/05/14 Page10 of 22 10 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Arista founder and Chief Scientist David Cheriton served as a Chief Architect on Cisco’s Catalyst products; Arista founder, Chief Technology Officer, and Senior Vice President Kenneth Duda worked at Cisco for several years as a software engineer in Cisco’s Gigabit Systems Business Unit; and Arista’s current President and Chief Executive Officer, Jayshree Ullal, worked at Cisco for more than a decade, including as Senior Vice President of Cisco’s Data Center, Switching, and Services Group (which is responsible for some of Cisco’s flagship networking product lines). Cisco strongly believes, and has repeatedly stated, that mobility of employees between companies fosters innovation.2 But widespread intellectual property infringement like that engaged in by Arista stifles innovation and cannot be condoned. 57. Arista knew that Cisco’s pioneering networking technologies drive customer demand for and are important to the market success of Cisco’s products. Rather than invest in the expensive and time-consuming effort that would have been necessary to develop its own features for Arista’s products, and specifically instead of investing the time and expense of developing its own technologies, Arista instead decided to use Cisco’s pioneering proprietary technologies, and even to explicitly tout these technologies to the market in attempts to sell Arista products that compete directly with Cisco products. 58. Cisco inventions are important to and drive customer demand for Arista’s products. 
For example, Cisco’s patented technology can be found in Arista’s System Database (“SysDB”), Zero- Touch Provisioning (“ZTP”), Multi-Chassis Link Aggregation (“MLAG”), Control Plane Protection (“CoPP”), In-Service System Upgrades (“ISSU”), Extensible API (“eAPI”), Access Control Lists (“ACL”), Spanning Tree Loop Guard, and Private Virtual Local Area Networks (“Private VLANs”). 59. Arista’s misappropriation of Cisco technology has been crucial to Arista’s attempts to compete with Cisco. Arista claims that the Cisco technologies it has unlawfully used are the “secret sauce” of its product line, and touts that these features, inter alia, “simplif[y] deployment and minimize[] errors,” function as the “core” of its operating system, “eliminate bottlenecks and provide resiliency” to “protect the control plane from potential denial of service attacks,” and “provide[] the foundation for . . . updates and self-healing resiliency.” By extensively using Cisco’s patented 2 Cisco, Cisco Blog - The Platform, “Employee Mobility,” available at http://blogs.cisco.com/tag/employee-mobility/.
  11. 11. Case3:14-cv-05343 Document1 Filed12/05/14 Page11 of 22 11 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 technologies, Arista took improper shortcuts, thereby avoiding the investments that would have been necessary had Arista not used Cisco’s technology. 60. There is no question that Arista personnel – many of whom worked at Cisco at or after the time the technologies were developed by Cisco – were aware that the pioneering Cisco networking technologies that Arista appropriated are protected by U.S. patents. For example, two of Arista’s own founders are named inventors on a number of Cisco patents asserted in this action. By this action, Cisco seeks to stop Arista’s willful, unauthorized, and improper use of Cisco’s patented technologies, and to obtain damages for the significant harm caused to Cisco by Arista’s willful infringement of certain Patents-in-Suit. COUNT I – INFRINGEMENT OF THE ’577 PATENT 61. Cisco incorporates and realleges Paragraphs 1 through 60 of this Complaint as if fully set forth herein. 62. The USPTO duly and legally issued the ’577 patent on April 23, 2002. 63. Arista has infringed, and continues to infringe, one or more claims of the ’577 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’577 patent, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, including, without limitation, those devices’ implementations of access control list functionality. 64. The ’577 patent was issued to Messrs. Bechtolsheim and Cheriton on April 23, 2002, while they were Cisco employees. The ’577 patent is assigned to Cisco. Messrs. Bechtolsheim and Cheriton are co-founders of Arista. 
Accordingly, Arista has had knowledge of the ’577 patent since its founding in October 2004. In addition to directly infringing the ’577 patent, Arista has indirectly infringed and continues to indirectly infringe one or more claims of the ’577 patent, including at least claim 1, by actively inducing others to directly infringe the ’577 patent in violation of 35 U.S.C. § 271(b). Specifically, and in light of the knowledge of its founders, Arista knowingly induced infringement of the ’577 patent with specific intent to do so by its activities relating to the marketing, distribution, and/or sale of its networking products to their purchasers, including but not limited to the
  12. 12. Case3:14-cv-05343 Document1 Filed12/05/14 Page12 of 22 12 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, and by instructing and encouraging purchasers (including through product documentation) to operate and use those products in an infringing manner with knowledge that these actions would infringe the ’577 patent. 65. Arista has contributed to infringement of the ’577 patent by others by selling and/or offering for sale to Arista’s purchasers within the United States and/or importing into the United States networking products, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, that are especially made and/or adapted for infringing the ’577 patent and are not staple articles of commerce suitable for substantial noninfringing use and that have been sold to purchasers who infringe the ’577 patent. As alleged in the prior paragraphs, the ’577 patent was issued to Messrs. Bechtolsheim and Cheriton on April 23, 2002, while they were Cisco employees. Specifically, and in light of the knowledge of its founders, Arista had knowledge that its networking products, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, were specifically made and/or adapted for infringement of the ’577 patent and are not staple articles of commerce suitable for substantial noninfringing use. 66. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court. 67. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284. 68. 
Arista has infringed the ’577 patent as alleged above despite having prior knowledge of the patent and has acted with willful, intentional, and conscious disregard of the objectively high likelihood that its acts constitute infringement of the ’577 patent. Arista’s infringement of the ’577 patent has been and continues to be willful, entitling Cisco to enhanced damages under 35 U.S.C. § 284. COUNT II – INFRINGEMENT OF THE ’853 PATENT 69. Cisco incorporates and realleges Paragraphs 1 through 68 of this Complaint as if fully set forth herein. 70. The USPTO duly and legally issued the ’853 patent on April 4, 2006. 71. Arista has infringed, and continues to infringe, one or more claims of the ’853 patent,
  13. 13. Case3:14-cv-05343 Document1 Filed12/05/14 Page13 of 22 13 COMPLAINT FOR PATENT INFRINGEMENT Case No. 3:14-cv-5343 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 including at least claim 63, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’853 patent, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, including, without limitation, those devices’ implementations of access control list functionality. 72. The ’853 patent is a continuation of the ’577 patent and was issued on April 4, 2006 to Messrs. Bechtolsheim and Cheriton, and is assigned to Cisco. In addition to directly infringing the ’853 patent, Arista has indirectly infringed and continues to indirectly infringe one or more claims of the ’853 patent, including at least claim 63, including by actively inducing others to directly infringe the ’853 patent in violation of 35 U.S.C. § 271(b). Specifically, and in light of the knowledge of Arista’s founders of their Cisco patent, Arista knowingly induced infringement of the ’853 patent with specific intent to do so by its activities relating to the marketing, distribution, and/or sale of its networking products, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, and by instructing and encouraging purchasers (including through product documentation) to operate and use those products in an infringing manner with knowledge that these actions would infringe the ’853 patent. 73. 
Arista has contributed to infringement of the ’853 patent by others by selling and/or offering for sale to Arista’s purchasers within the United States and/or importing into the United States networking products, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, that are especially made and/or adapted for infringing the ’853 patent and are not staple articles of commerce suitable for substantial noninfringing use. As alleged in the prior paragraphs, the ’853 patent was issued to Messrs. Bechtolsheim and Cheriton on April 6, 2006 and is assigned to Cisco. Specifically, and in light of the knowledge of its co-founders, Arista had knowledge that its networking products, including but not limited to the Arista 7048, 7050X, 7250X, 7300, 7300X, and 7500E series of switches, were specifically made and/or adapted for infringement of the ’853 patent and are not staple articles of commerce suitable for substantial noninfringing use.

74. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

75. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

76. Arista has infringed the ’853 patent as alleged above despite having prior knowledge of the patent and has acted with willful, intentional, and conscious disregard of the objectively high likelihood that its acts constitute infringement of the ’853 patent. Arista’s infringement of the ’853 patent has been and continues to be willful, entitling Cisco to enhanced damages under 35 U.S.C. § 284.

COUNT III – INFRINGEMENT OF THE ’597 PATENT

77. Cisco incorporates and realleges Paragraphs 1 through 76 of this Complaint as if fully set forth herein.

78. The USPTO duly and legally issued the ’597 patent on March 4, 2008.

79. Arista has infringed, and continues to infringe, one or more claims of the ’597 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’597 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s process manager functionality.

80. The ’597 patent was issued to Arista co-founder Cheriton on March 4, 2008, and is assigned to Cisco. In addition to directly infringing the ’597 patent, Arista has indirectly infringed and continues to indirectly infringe one or more claims of the ’597 patent, including at least claim 1, including by actively inducing others to directly infringe the ’597 patent in violation of 35 U.S.C. § 271(b). Specifically, and in light of the knowledge of its co-founder, Arista knowingly induced infringement of the ’597 patent with specific intent to do so by its activities relating to the marketing, distribution, and/or sale of its networking products, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, and by instructing and encouraging purchasers (including through product documentation) to operate and use those products in an infringing manner with knowledge that these actions would infringe the ’597 patent.
81. Arista has contributed to infringement of the ’597 patent by others by selling and/or offering for sale to Arista’s purchasers within the United States and/or importing into the United States networking products, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, which are especially made and/or adapted for infringing the ’597 patent and are not staple articles of commerce suitable for substantial noninfringing use. As alleged in the prior paragraphs, the ’597 patent was issued to Arista co-founder Cheriton on March 4, 2008, and is assigned to Cisco. Specifically, and in light of the knowledge of its co-founder, Arista had knowledge that its networking products, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, were specifically made and/or adapted for infringement of the ’597 patent and are not staple articles of commerce suitable for substantial noninfringing use.

82. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

83. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

84. Arista has infringed the ’597 patent as alleged above despite having prior knowledge of the patent and has acted with willful, intentional, and conscious disregard of the objectively high likelihood that its acts constitute infringement of the ’597 patent. Arista’s infringement of the ’597 patent has been and continues to be willful, entitling Cisco to enhanced damages under 35 U.S.C. § 284.

COUNT IV – INFRINGEMENT OF THE ’537 PATENT

85. Cisco incorporates and realleges Paragraphs 1 through 84 of this Complaint as if fully set forth herein.

86. The USPTO duly and legally issued the ’537 patent on January 9, 2007.

87. Arista has infringed, and continues to infringe, one or more claims of the ’537 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’537 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s SysDB functionality.

88. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

89. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT V – INFRINGEMENT OF THE ’211 PATENT

90. Cisco incorporates and realleges Paragraphs 1 through 89 of this Complaint as if fully set forth herein.

91. The USPTO duly and legally issued the ’211 patent on November 1, 2011.

92. Arista has infringed, and continues to infringe, one or more claims of the ’211 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’211 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s multi-chassis link aggregation, or MLAG, functionality.

93. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

94. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT VI – INFRINGEMENT OF THE ’296 PATENT

95. Cisco incorporates and realleges Paragraphs 1 through 94 of this Complaint as if fully set forth herein.

96. The USPTO duly and legally issued the ’296 patent on January 15, 2013.

97. Arista has infringed, and continues to infringe, one or more claims of the ’296 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’296 patent, including but not limited to the Arista 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s in-service software upgrade, or ISSU, functionality.

98. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

99. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT VII – INFRINGEMENT OF THE ’164 PATENT

100. Cisco incorporates and realleges Paragraphs 1 through 99 of this Complaint as if fully set forth herein.

101. The USPTO duly and legally issued the ’164 patent on October 30, 2007.

102. Arista has infringed, and continues to infringe, one or more claims of the ’164 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’164 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s zero touch provisioning, or ZTP, functionality.

103. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

104. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT VIII – INFRINGEMENT OF THE ’592 PATENT

105. Cisco incorporates and realleges Paragraphs 1 through 104 of this Complaint as if fully set forth herein.

106. The USPTO duly and legally issued the ’592 patent on May 25, 2004.

107. Arista has infringed, and continues to infringe, one or more claims of the ’592 patent, including at least claim 6, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’592 patent, including but not limited to the Arista 7010, 7050, 7050X, 7100, 7150, 7250X, 7300, and 7300X series of switches, including, without limitation, those devices’ implementations of Arista’s private VLAN functionality.

108. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

109. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT IX – INFRINGEMENT OF THE ’145 PATENT

110. Cisco incorporates and realleges Paragraphs 1 through 109 of this Complaint as if fully set forth herein.

111. The USPTO duly and legally issued the ’145 patent on April 3, 2007.

112. Arista has infringed, and continues to infringe, one or more claims of the ’145 patent, including at least claim 5, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’145 patent, including but not limited to the Arista 7010, 7050, 7050X, 7100, 7150, 7250X, 7300, and 7300X series of switches, including, without limitation, those devices’ implementations of Arista’s private VLAN functionality.

113. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

114. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.
COUNT X – INFRINGEMENT OF THE ’492 PATENT

115. Cisco incorporates and realleges Paragraphs 1 through 114 of this Complaint as if fully set forth herein.

116. The USPTO duly and legally issued the ’492 patent on December 2, 2008.

117. Arista has infringed, and continues to infringe, one or more claims of the ’492 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’492 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s loop guard functionality.

118. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

119. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT XI – INFRINGEMENT OF THE ’875 PATENT

120. Cisco incorporates and realleges Paragraphs 1 through 119 of this Complaint as if fully set forth herein.

121. The USPTO duly and legally issued the ’875 patent on June 13, 2006.

122. Arista has infringed, and continues to infringe, one or more claims of the ’875 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’875 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s loop guard functionality.

123. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

124. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

COUNT XII – INFRINGEMENT OF THE ’668 PATENT

125. Cisco incorporates and realleges Paragraphs 1 through 124 of this Complaint as if fully set forth herein.

126. The USPTO duly and legally issued the ’668 patent on May 29, 2007.

127. Arista has infringed, and continues to infringe, one or more claims of the ’668 patent, including at least claim 1, either literally or under the doctrine of equivalents, by making, using, selling, and/or offering for sale within the United States and/or importing into the United States networking products that are covered by one or more claims of the ’668 patent, including but not limited to the Arista 7010, 7048, 7050, 7050X, 7100, 7150, 7250X, 7280E, 7300, 7300X, 7500, and 7500E series of switches, including, without limitation, those devices’ implementations of Arista’s control plane policing, or CoPP, functionality.

128. Arista’s infringement has caused and is continuing to cause damage and irreparable injury to Cisco, and Cisco will continue to suffer damage and irreparable injury unless and until that infringement is enjoined by this Court.

129. Cisco is entitled to injunctive relief and damages in accordance with 35 U.S.C. §§ 271, 281, 283, and 284.

PRAYER FOR RELIEF

WHEREFORE, Cisco prays for relief as follows:

1. For a declaration that Arista has infringed the Patents-in-Suit;

2. For a declaration of a substantial likelihood that Arista will continue to infringe Cisco’s intellectual property unless enjoined from doing so;

3. That, in accordance with 35 U.S.C. § 283, Arista, and all affiliates, employees, agents, officers, directors, attorneys, successors, and assigns, and all those acting on behalf of or in active concert or participation with any of them, be preliminarily and permanently enjoined from infringing the Patents-in-Suit;

4. For an award of damages sufficient to compensate Cisco for Arista’s infringement of the Patents-in-Suit, including lost profits suffered by Cisco as a result of Arista’s infringement and in an amount not less than a reasonable royalty;

5. For an award of increased damages in an amount not less than three times the damages assessed for Arista’s infringement of the Patents-in-Suit, in accordance with 35 U.S.C. § 284;

6. For a declaration that this case is “exceptional” under 35 U.S.C. § 285, and an award to Cisco of its reasonable attorneys’ fees, expenses, and costs incurred in this action;

7. For an award of prejudgment and post-judgment interest; and

8. For such other and further relief as this Court shall deem appropriate.

DEMAND FOR JURY TRIAL

Pursuant to Rule 38(b) of the Federal Rules of Civil Procedure, Cisco demands a trial by jury on all issues raised by the Complaint.
DATED: December 5, 2014

Respectfully submitted,

/s/ Adam R. Alper

Steven Cherny
steven.cherny@kirkland.com
KIRKLAND & ELLIS LLP
601 Lexington Avenue
New York, New York 10022
Telephone: (212) 446-4800
Facsimile: (212) 446-4900

Adam R. Alper (SBN 196834)
adam.alper@kirkland.com
KIRKLAND & ELLIS LLP
555 California Street
San Francisco, California 94104
Telephone: (415) 439-1400
Facsimile: (415) 439-1500

Michael W. De Vries (SBN 211001)
michael.devries@kirkland.com
333 South Hope Street
Los Angeles, California 90071
Telephone: (213) 680-8400
Facsimile: (213) 680-8500

Attorneys for Plaintiff Cisco Systems, Inc.
Exhibit 1
Patents in Suit

Patent #    Technology Area             Description                      Injunction Available Until   Drives Customer Demand   Used In Cisco Products
7,162,537   Configuration / Management  networking device sysDB          1/6/2020                     Yes                      Yes
8,356,296   Configuration / Management  ISSU                             1/26/2024                    Yes                      Yes
7,290,164   Configuration / Management  ZTP                              6/7/2025                     Yes                      Yes
7,340,597   Configuration / Management  configuration change detection   1/26/2026                    Yes                      Yes
7,023,853   Access Control (ACL)        ACL/TCAM                         6/30/2018                    Yes                      Yes
6,377,577   Access Control (ACL)        ACL/TCAM                         6/30/2018                    Yes                      Yes
7,460,492   Router / Switch Control     loop guard                       2/12/2022                    Yes                      Yes
7,061,875   Router / Switch Control     loop guard                       9/17/2024                    Yes                      Yes
7,224,668   Router / Switch Control     CoPP                             8/23/2025                    Yes                      Yes
8,051,211   Router / Switch Control     MLAG                             12/20/2028                   Yes                      Yes
6,741,592   VLAN                        private VLANs                    5/22/2020                    Yes                      Yes
7,200,145   VLAN                        private VLANs                    5/22/2020                    Yes                      Yes
Exhibit 2
(12) United States Patent
Bechtolsheim et al.
(10) Patent No.: US 6,377,577 B1
(45) Date of Patent: Apr. 23, 2002

(54) ACCESS CONTROL LIST PROCESSING IN HARDWARE
(75) Inventors: Andreas V. Bechtolsheim, Stanford; David R. Cheriton, Palo Alto, both of CA (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
(21) Appl. No.: 09/108,071
(22) Filed: Jun. 30, 1998
(51) Int. Cl.: G06F 9/34
(52) U.S. Cl.: 370/392; 370/395.32; 370/389
(58) Field of Search: 370/392, 393, 394, 396, 397, 398, 399, 400, 389, 395.32; 709/220, 221, 222, 227, 228, 229

Primary Examiner: Wellington Chin
Assistant Examiner: Frank Duong
(74) Attorney, Agent, or Firm: Skjerven Morrill MacPherson LLP

(57) ABSTRACT

The invention provides for hardware processing of ACLs and thus hardware enforcement of access control. A sequence of access control specifiers from an ACL are recorded in a CAM, and information from the packet header is used to attempt to match selected source and destination IP addresses or subnets, ports, and protocols, against all the ACL specifiers at once. Successful matches are input to a priority selector, which selects the match with the highest priority (that is, the match that is first in the sequence of access control specifiers). The specified result of the selected match is used to permit or deny access for the packet without need for software processing, preferably at a rate comparable to wirespeed. The CAM includes an ordered sequence of entries, each of which has an array of ternary elements for matching "0", "1", or any value, and each of which generates a match signal. The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier. A router including the CAM can also include preprocessing circuits for certain range comparisons which have been found both to be particularly common and to be otherwise inefficiently represented by the ternary nature of the CAM, such as comparisons of the port number against known special cases such as "greater than 1023" or "within the range 6000 to 6500".

31 Claims, 3 Drawing Sheets
[FIG. 1: block diagram of system 100 for access control list processing. Packet input interfaces feed a routing element 110 and an access control element, which feed the packet output interfaces.]

[FIG. 2: block diagram of an access control element. Elements shown: input port 201, output port 202, access control memory 210 holding access control pattern specifiers 211, priority encoder 220, compare circuit 230 with compare bits 231.]

[FIG. 3: flow diagram of method 300 for access control list processing in hardware. Ready to receive -> 321 receive packet -> 322 identify header -> 323 select label -> 324 couple label to access control element -> 325 determine output interface -> 326 determine input permission -> 327 couple label and output interface to output access control -> 328 determine output permission -> ready to transmit.]
ACCESS CONTROL LIST PROCESSING IN HARDWARE

In a computer network for transmitting information, messages can be restricted from being transmitted from selected source devices to selected destination devices. In known computer networks, this form of restriction is known as "access control" and is performed by routers, which route messages (in the form of individual packets of information) from source devices to destination devices. One known technique for access control is for each router to perform access control by reference to one or more ACLs (access control lists); the ACL describes which selected source devices are permitted (and which denied) to send packets to which selected destination devices.

In a known standard for ACL format, each ACL includes a plurality of access control specifiers, each of which selects a range of sender and destination IP address prefix or subnet, and port, and provides that packet transmission from that selected set of senders to that selected set of destinations is either specifically permitted or specifically denied. ACLs are associated with input interfaces and independently with output interfaces for each router. In known routers such as those manufactured by Cisco Systems, Inc., of San Jose, Calif., the router is provided with an ACL using an ACL command language, interpreted by operating system software for the router, such as the IOS operating system.

One problem in the known art is that processing of packets to enforce access control according to the ACL is processor-intensive and can therefore be relatively slow, particularly in comparison with desired rates of speed for routing packets. This problem is exacerbated when access control is enforced for packets using software in the router, because software processing of the ACL can be quite slow relative to hardware processing of the packet for routing.

One known solution is to reduce the number of packets for which access control requires actual access to the ACL. In a technique known as "netflow switching," packets are identified as belonging to selected "flows," and each packet in a flow is expected to have identical routing and access control characteristics. Therefore, access control only requires reference to the ACL for the first packet in a flow; subsequent packets in the same flow can have access control enforced identically to the first packet, by reference to a routing result cached by the router and used for the entire flow.

Netflow switching is further described in detail in the following patent applications: U.S. application Ser. No. 08/581,134, titled "Method For Traffic Management, Traffic Prioritization, Access Control, and Packet Forwarding in a Datagram Computer Network", filed Dec. 29, 1995, in the name of inventors David R. Cheriton and Andreas V. Bechtolsheim, assigned to Cisco Technology, Inc., attorney docket number CIS-019; U.S. application Ser. No. 08/655,429, titled "Network Flow Switching and Flow Data Export", filed May 28, 1996, in the name of inventors Darren Kerr and Barry Bruins, and assigned to Cisco Technology, Inc., attorney docket number CIS-016; and U.S. application Ser. No. 08/771,438, titled "Network Flow Switching and Flow Data Export", filed Dec. 20, 1996, in the name of inventors Darren Kerr and Barry Bruins, assigned to Cisco Technology, Inc., attorney docket number CIS-017. These patent applications are collectively referred to herein as the "Netflow Switching Disclosures". Each of these applications is hereby incorporated by reference as if fully set forth herein.

While netflow switching achieves the goal of improving the speed of enforcing access control by the router, it still has the drawback that comparing at least some incoming packets against the ACL must be performed using software. Thus, the relative slowness required by software processing of the ACL is not completely avoided.

A second problem in the known art is that software processing of the ACL takes increased time when the ACL has numerous entries, such as when the requirements for access control are complex. The more entries in the ACL, the more time is expected to be required for software processing of the ACL, and thus the more time is expected to be required for software enforcement of access control. Since known routers require at least some software enforcement of access control, this reduces the routing speed at which the router can operate. For example, for some large ACLs, routing speed can be reduced to as low as about 10,000 packets per second. However, the wirespeed rate of incoming packets is presently (for relatively short packets) about 1.5 million packets per gigabit per second transmission capacity, or in the range of about tens to hundreds of millions of packets per second for gigabit networks. Since it would be desirable for routers to operate at speeds comparable to the wirespeed, the present limitation on router speed is unacceptably low.

Accordingly, it would be desirable to provide a method and system for hardware processing of ACLs and thus hardware enforcement of access control. This advantage is achieved in an embodiment of the invention in which a sequence of access control specifiers from an ACL are recorded in a CAM (content-addressable memory), and in which matching (or lack of matching) of information from the packet header to specifiers recorded in the CAM are used to enforce access control.

SUMMARY OF THE INVENTION

The invention provides a method and system for hardware processing of ACLs and thus hardware enforcement of access control. A sequence of access control specifiers from an ACL are recorded in a CAM, and information from the packet header is used to attempt to match selected source and destination IP addresses or subnets, ports, and protocols, against all the ACL specifiers at once. Successful matches are input to a priority selector, which selects the match with the highest priority (that is, the match that is first in the sequence of access control specifiers). The specified result of the selected match is used to permit or deny access for the packet without need for software processing, preferably at a rate comparable to wirespeed.

In a preferred embodiment, the CAM includes an ordered sequence of entries, each of which has an array of ternary elements for matching on logical "0", logical "1", or on any value, and each of which generates a match signal. The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier.

A router including the CAM can also include preprocessing circuits for certain range comparisons which have been found both to be particularly common and to be otherwise inefficiently represented by the ternary nature of the CAM. For example, comparisons of the port number against known special cases, such as "greater than 1023" and "within the range 6000 to 6500", can be treated by circuitry for performing range comparisons or by reference to one or more auxiliary CAMs.
  33. 33. Case3:14-cv-05343 Document1-2 Filed12/05/14 Page9 of 13 US 6,377,577 B1

The invention can also be used to augment or override routing decisions otherwise made by the router, so as to implement QOS (quality of service), and other administrative policies, using the CAM.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a system for access control list processing.

FIG. 2 shows a block diagram of an access control element.

FIG. 3 shows a flow diagram of a method for access control list processing in hardware.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

In the following description, a preferred embodiment of the invention is described with regard to preferred process steps and data structures. Those skilled in the art would recognize after perusal of this application that embodiments of the invention can be implemented using circuits adapted to particular process steps and data structures described herein, and that implementation of the process steps and data structures described herein would not require undue experimentation or further invention.

System Elements

FIG. 1 shows a block diagram of a system for access control list processing.

A system 100 includes a set of packet input interfaces 101, a routing element 110, an access control element 120, and a set of packet output interfaces 102. The system 100 receives packets 130 at the input interfaces 101; each packet 130 indicates a source device 131, from which it was sent, and a destination device 132, to which it is intended to go. The routing element 110 processes each packet 130 to select one or more of the output interfaces 102 to which the packet 130 should be forwarded. The access control element 120 determines if the packet 130 has permission to be forwarded from its source device 131 to its destination device 132. Each packet 130 that has permission to be forwarded is output to its selected output interfaces 102.

In a first set of alternative embodiments, the system 100 may include a plurality of access control elements 120 operating in parallel in place of the single access control element 120.

In a second set of alternative embodiments, the system 100 may include one or more access control elements 120 coupled to the input interfaces 101 and operating to determine if packets 130 have permission to be forwarded from their source devices 131 at all. The access control element 120 is shown coupled to the routing element 110 to perform access control after a routing decision has been made. However, the access control element 120 is still capable of denying access to packets 130 responsive to whether they have permission to be forwarded from their source devices 131 at all.

In a third set of alternative embodiments, the system 100 may include one or more access control elements 120 coupled to individual input interfaces 101 and operating to make access control determinations for packets 130 arriving at particular input interfaces 101. Similarly, the system 100 may include one or more access control elements 120 coupled to individual output interfaces 102 and operating to make access control determinations for packets 130 forwarded to particular output interfaces 102.

Access Control Element

FIG. 2 shows a block diagram of an access control element.

In a preferred embodiment, the access control element 120 operates on a set of selected elements of a packet header 133 for each packet 130. The system 100 collects the selected elements into a packet label 200.

In a preferred embodiment using netflow switching, the packet label 200 used for access control at the input interfaces 101 includes a source device 131, the destination device 132, a port identifier for a port at the source device 131, a port identifier for a port at the destination device 132, and a protocol type. In alternative embodiments, the packet label 200 may be any collection of information derived from the packet 130 (preferably from the packet header 133) used for access control.

The concept of preprocessing the packet label has wide applicability, including determining other routing information in response to data in the packet header. For example, in addition to or instead of comparing data in the packet header against known special cases, such as "greater than 1023" and "within the range 6000 to 6500," preprocessing can include performing logical or arithmetic operations on data in the packet header. Preprocessing can also include data lookup, or substituting new data, in response to data in the packet header.

The access control element 120 includes an input port 201 coupled to the packet label 200, an access control memory 210, a priority encoder 220, and an output port 202 coupled to the priority encoder 220.

When the access control element 120 is disposed for controlling access for packets responsive to their input interfaces 101, the packet label 200 includes an identifier for the input interface 101. When the access control element 120 is disposed for controlling access for packets responsive to their output interfaces 102, the packet label 200 includes an identifier for the output interface 102.

The access control memory 210 includes a CAM (content-addressable memory) having a sequence of access control specifiers 211. Each access control specifier 211 includes a label match mask 212 and a label match pattern 213. For each access control specifier 211, each bit of the label match mask 212 determines whether or not a corresponding bit of the packet label 200 is tested. If so, the corresponding bit of the label match pattern 213 is compared for equality with the corresponding bit of the packet label 200. If all compared bits are equal, the access control specifier 211 matches the packet label 200. Bits that are not compared have no effect on whether the access control specifier 211 is considered to match the packet label 200 or not.

The priority encoder 220 is coupled to all of the access control specifiers 211, and receives an indicator from each one whether or not that access control specifier 211 matched the packet label 200. The priority encoder 220 selects the single access control specifier 211 with the highest priority (in a preferred embodiment, the one with the lowest address in the access control memory 210) and provides an indicator of that single access control specifier 211 to the output port 202.

The indicator provided to the output port 202 specifies whether or not the packet 130 has permission to be forwarded from its specified source device 131 to its specified destination device 132. In a preferred embodiment, the indicator specifies one of three possibilities: (a) the packet 130 is forwarded to its calculated output interface and on to its specified destination device 132; (b) the packet 130 is dropped; or (c) the packet 130 is forwarded to a "higher-level" processor for further treatment. When a packet 130 is dropped it is effectively denied access from its specified source device 131 to its specified destination device 132.
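The access control element described above, modelled in software as an added example that is not Cisco's code: the packet label is packed into one bit string, each access control specifier is a (pattern, mask) CAM row, every row is compared, and a priority encoder keeps the lowest-address match. The field layout, the helper names, the three-way result and the deny on no match are assumptions of this example.

```python
"""Software model of the access control element: packet label as a bit
string, access control specifiers as (pattern, mask) CAM rows, parallel
match, priority encoder choosing the lowest address. Added example, not
Cisco's implementation; field layout and helper names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Packet label 200 layout, most significant field first: (name, width in bits).
FIELDS = (("src", 32), ("dst", 32), ("sport", 16), ("dport", 16), ("proto", 8))
LABEL_BITS = sum(width for _, width in FIELDS)

PERMIT, DENY, PUNT = "permit", "deny", "punt"   # punt = hand to higher-level processor


@dataclass(frozen=True)
class Specifier:
    """One access control specifier 211: label match pattern 213 and label
    match mask 212. A mask bit of 1 means that label bit is tested."""
    pattern: int
    mask: int
    result: str


def _field_offset(name: str) -> int:
    """Bit position of the least significant bit of a field within the label."""
    offset = LABEL_BITS
    for field, width in FIELDS:
        offset -= width
        if field == name:
            return offset
    raise KeyError(name)


def pack_label(src: str, dst: str, sport: int, dport: int, proto: int) -> int:
    """Collect the selected header elements into the packet label (step 323)."""
    values = {"src": int(IPv4Address(src)), "dst": int(IPv4Address(dst)),
              "sport": sport, "dport": dport, "proto": proto}
    label = 0
    for name, width in FIELDS:
        label |= (values[name] & ((1 << width) - 1)) << _field_offset(name)
    return label


def specifier(result: str, src: str = "any", dst: str = "any",
              sport: Optional[int] = None, dport: Optional[int] = None,
              proto: Optional[int] = None) -> Specifier:
    """Translate one access control entry into a CAM row. Addresses use the
    Cisco 'address wildcard' form ('10.0.0.0 0.0.0.255'): a wildcard bit of 1
    means don't care, so the CAM mask is the wildcard's inverse. None for a
    port or protocol leaves that whole field unmatched."""
    pattern = mask = 0

    def set_field(name: str, value: int, field_mask: int) -> None:
        nonlocal pattern, mask
        shift = _field_offset(name)
        pattern |= (value & field_mask) << shift
        mask |= field_mask << shift

    for name, spec in (("src", src), ("dst", dst)):
        if spec != "any":
            address, wildcard = spec.split()
            set_field(name, int(IPv4Address(address)),
                      0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    for name, value, width in (("sport", sport, 16), ("dport", dport, 16),
                               ("proto", proto, 8)):
        if value is not None:
            set_field(name, value, (1 << width) - 1)
    return Specifier(pattern, mask, result)


def cam_lookup(cam: List[Specifier], label: int) -> str:
    """Compare the label with every row (hardware does this in parallel) and
    let the priority encoder keep the lowest-address match. No match is
    treated as deny, mirroring the implicit deny of a Cisco ACL (an
    assumption of this model, not something the description states)."""
    matches = [i for i, row in enumerate(cam)
               if (label & row.mask) == (row.pattern & row.mask)]
    return cam[min(matches)].result if matches else DENY


# Constructed list: an earlier, more specific entry denies telnet from one
# host, a later, more general entry permits the rest of its network (TCP = 6).
EXAMPLE_CAM = [
    specifier(DENY, src="10.1.1.7 0.0.0.0", dport=23, proto=6),
    specifier(PUNT, src="10.1.1.0 0.0.0.255", dport=22, proto=6),
    specifier(PERMIT, src="10.1.1.0 0.0.0.255", proto=6),
]


def classify(src: str, dst: str, sport: int, dport: int, proto: int) -> str:
    """Access result for one packet against EXAMPLE_CAM."""
    return cam_lookup(EXAMPLE_CAM, pack_label(src, dst, sport, dport, proto))
```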
  34. 34. Case3:14-cv-05343 Document1-2 Filed12/05/14 Page10 of 13 US 6,377,577 B1

The higher-level processor includes a general-purpose processor, program and data memory, and mass storage, executing operating system and application software for software (rather than hardware) examination of the packet 130. The packet 130 is compared, possibly to the access control specifiers 211 and possibly to other administrative policies or restrictions, by the higher-level processor. The higher-level processor specifies whether the packet 130, after processing by the higher-level processor, is forwarded to a selected output interface or is dropped.

In various embodiments, the invention can be used to augment or override routing decisions otherwise made by the router, using the access control element 120. In addition to specifying that the packet 130 is to be dropped or forwarded to the higher-level processor, the access control element 120 can alter the output interface, which was selected by the routing element 110, to another selected output interface. The invention can thus be used to implement QOS (quality of service) policies and other administrative policies.

Access Control Lists

A Cisco access control list includes a sequence of access control entries, which are mapped to a set of access control specifiers 211. Each access control entry has a structure according to the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

This syntax, its meaning, and access control entries in general, are further described in documentation for Cisco IOS software, available from Cisco Systems, Inc., in San Jose, Calif., and hereby incorporated by reference as if fully set forth herein.

Access control entries can specify that particular actions are permitted, denied, or that they will be recorded in a log. Access control entries are interpreted sequentially. Thus, an earlier more specific access control entry can prohibit particular actions (such as receiving messages from a particular sending device), while a later more general access control entry can permit the same actions for other devices (such as other sending devices in the same network).

When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used. Thus, an access control list with N separate access control entries is translated into a set of access control specifiers 211 that can be smaller or larger than N, depending on the effect of optimization.

A first optimization detects separate access control entries that each refer to a special case of a more general access control specifier 211, such as in one of the following cases:

A first access control entry provides a selected permission for a selected source device 131 2S, and a second access control entry provides the same permission for a selected source device 131 2S+1. The first and second access control entries can be translated into a single more general access control specifier 211 with an unmatched bit in the 2^0 position.

A set of access control entries each provides the same selected permission for a range of selected source devices 131 S through T, and the range S through T can be represented as a smaller number of bit strings with unmatched bits.

A set of access control entries provides a selected permission for a comparison of source device 131 addresses with a test value V.

A second optimization detects range comparisons that have been found to be particularly common. For example, it is common to compare the source or destination port number for being greater than 1023, or for being within the range 6000 to 6500. To compare the source or destination port number for being greater than 1023 with matched and unmatched bits would use about six entries for each such comparison (to test each one of the six high-order bits of the port number for being logical "1").

In a preferred embodiment, a comparison circuit 230 compares the source port number and the destination port number with these known ranges and provides a set of comparison bits 231 indicating whether or not the source port number and the destination port number are within each specified range. The comparison circuit 230 includes a finite state machine 232 (or other element) for storing lower and upper bounds for each specified range. The comparison bits 231 are coupled to the input port 201 of the access control element 120 for treatment as matchable input bits supplemental to the header of the packet 130.

Method of Operation

FIG. 3 shows a flow diagram of a method for access control list processing in hardware.

A method 300 includes a set of flow points to be noted, and steps to be executed, cooperatively by the elements of the system 100.

At a flow point 310, a packet is received at one of the packet input interfaces 101.

At a step 321, the routing element 110 receives an input packet 130.

At a step 322, the routing element 110 identifies the header for the packet 130.

At a step 323, the routing element 110 selects portions of the header for use as the packet label 200 for access control. In a preferred embodiment, the packet label 200 used for access control at the input interfaces 101 includes the source device 131, the destination device 132, the port identifier at the source device 131, the port identifier at the destination device 132, and a protocol type.

At a step 324, the routing element 110 couples the packet label 200 and an input interface specifier to the input access control element 120.

At a step 325, the routing element 110 determines a selected output interface for the packet 130.

At a step 326, preferably performed in parallel with the step 325, the input access control element 120 determines the input permission for the packet 130, that is, whether the routing element 110 permits forwarding the packet 130 from the source device 131 for the packet 130. The step 326 includes matching the packet label 200 against the access control memory 210 for the input access control element 120, determining all of the successful matches, coupling the successful matches to the priority encoder 220 for the input access control element 120, determining the highest-priority match, and providing an output result from the input access control element 120.

If at the step 326, the input access control element 120 determines that the higher-level processor should process the packet 130, the higher-level processor processes the packet 130. A result from the higher-level processor is substituted for the result from the input access control element 120.

If at the step 326, the input access control element 120 (or the higher-level processor) determines that the packet 130 should be dropped, the packet 130 is dropped, and the routing element 110 takes no further action with regard to the packet 130.

At a step 327, the routing element 110 couples the packet label 200 and the output interface specifier to the output access control element 120.
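The two optimizations of the "Access Control Lists" section above, as an added example that is not Cisco's code: merging two entries that differ in exactly one tested bit (the 2S and 2S+1 case), expanding a range such as "greater than 1023" or 6000 to 6500 into prefix-style ternary entries so the cost in CAM rows can be counted, and the comparison-circuit alternative that yields one supplemental matchable bit per known range. The 16-bit width, the layout of the comparison bits and the function names are assumptions of this example.

```python
"""Model of the ACL-to-CAM optimizations: entry merging, range expansion
into ternary entries, and comparison bits from a range-compare circuit.
Added example, not Cisco's code; widths and names are assumptions."""
from typing import List, Optional, Tuple

Ternary = Tuple[int, int]   # (pattern, mask); mask bit 1 = bit is tested
PORT_BITS = 16


def ternary_matches(entry: Ternary, value: int) -> bool:
    """CAM row semantics: only the tested (masked) bits must be equal."""
    pattern, mask = entry
    return (value & mask) == (pattern & mask)


def merge_pair(a: Ternary, b: Ternary) -> Optional[Ternary]:
    """First optimization, first case: two entries with the same mask whose
    patterns differ in exactly one tested bit (for example source devices
    2S and 2S+1) collapse into one entry with that bit left unmatched."""
    pattern_a, mask_a = a
    pattern_b, mask_b = b
    if mask_a != mask_b:
        return None
    diff = (pattern_a ^ pattern_b) & mask_a
    if diff == 0 or diff & (diff - 1):      # no differing bit, or more than one
        return None
    return (pattern_a & ~diff, mask_a & ~diff)


def range_to_ternary(lo: int, hi: int, bits: int = PORT_BITS) -> List[Ternary]:
    """Cover the inclusive range lo..hi with the fewest prefix-style entries
    (high-order bits tested, low-order bits unmatched). This is the 'smaller
    number of bit strings with unmatched bits' for a device range S..T, and
    also what a port range costs when recorded directly in the CAM."""
    assert 0 <= lo <= hi < (1 << bits)
    all_bits = (1 << bits) - 1
    entries = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo and stays within hi.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi and size * 2 <= (1 << bits):
            size *= 2
        entries.append((lo, all_bits ^ (size - 1)))
        lo += size
    return entries


def covered_values(entries: List[Ternary], bits: int = PORT_BITS) -> set:
    """Every value matched by at least one entry (used to check an expansion)."""
    return {v for v in range(1 << bits) if any(ternary_matches(e, v) for e in entries)}


def comparison_bits(sport: int, dport: int, ranges: List[Tuple[int, int]]) -> int:
    """Second optimization, as a comparison circuit 230 would do it: one
    supplemental matchable bit per (port, range) pair instead of several CAM
    rows. Bit 2*i is 'source port in range i', bit 2*i+1 'destination port
    in range i'; the layout is this example's choice."""
    bits = 0
    for i, (lo, hi) in enumerate(ranges):
        if lo <= sport <= hi:
            bits |= 1 << (2 * i)
        if lo <= dport <= hi:
            bits |= 1 << (2 * i + 1)
    return bits


# The two ranges the description singles out as particularly common.
KNOWN_RANGES = [(1024, (1 << PORT_BITS) - 1), (6000, 6500)]
```

With prefix-style entries "greater than 1023" needs six rows, one per high-order bit, exactly as the description estimates, while the comparison circuit reduces each known range to a single bit in the label.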
  35. 35. Case3:14-cv-05343 Document1-2 Filed12/05/14 Page11 of 13 US 6,377,577 B1

At a step 328, the output access control element 120 determines the output permission for the packet 130, that is, whether the routing element 110 permits forwarding the packet 130 to the destination device 132 for the packet 130. The step 326 includes the following actions: matching the packet label 200 against the access control memory 210 for the output access control element 120; determining all of the successful matches; coupling the successful matches to the priority encoder 220 for the output access control element 120; determining the highest-priority match; and providing an output result from the output access control element 120.

If at the step 328, the output access control element 120 determines that the higher-level processor should process the packet 130, the higher-level processor processes the packet 130. A result from the higher-level processor is substituted for the result from the output access control element 120.

If at the step 328, the output access control element 120 (or the higher-level processor) determines that the packet 130 should be dropped, the packet 130 is dropped, and the routing element 110 takes no further action with regard to the packet 130.

At a flow point 330, the packet is ready for transmission to one of the packet output interfaces 102.

Alternative Embodiments

Although preferred embodiments are disclosed herein, many variations are possible which remain within the concept, scope, and spirit of the invention, and these variations would become clear to those skilled in the art after perusal of this application.

What is claimed is:

1. A method, including the steps of maintaining a set of access control patterns in at least one associative memory; receiving a packet label responsive to a packet, said packet label being sufficient to perform access control processing for said packet; matching matchable information, said matchable information being responsive to said packet label, with said set of access control patterns in parallel, and generating a set of matches in response thereto, each said match having priority information associated therewith; selecting at least one of said matches in response to said priority information, and generating an access result in response to said at least one selected match; and making a outing-decision in response to said access result.

2. A method as in claim 1, including the step of performing at least two of said steps of receiving, matching, selecting, and making a routing decision, in parallel using a pipeline technique.

3. A method as in claim 1, wherein said access control patterns each include a bit pattern for matching and a mask pattern of bits not for matching.

4. A method as in claim 1, wherein said access control patterns each include a set of ternary elements, each representative of a logical "0," logical "1", or "don't care" value.

5. A method as in claim 1, wherein said associative memory includes a hardware content-associative memory having a plurality of rows, each row including one of said access control patterns and one of said access results.

6. A method as in claim 1, wherein said associative memory includes a hardware content-associative memory having a plurality of rows, each row including a bit pattern for matching and one of said access results, and each row being associated with a pattern of bits not for matching, said set of patterns of bits not for matching being fewer than a number of said rows.

7. A method as in claim 1, wherein said associative memory includes a ternary content-associative memory.

8. A method as in claim 1, wherein said packet label includes a source IP address or subnet, a destination IP address or subnet, a source port, a destination port, a protocol specifier, or an input interface.

9. A method as in claim 1, wherein said priority information for each said access control pattern is responsive to a position of said access control pattern in a memory.

10. A method as in claim 1, wherein said priority information includes a position in said associative memory, and said step of selecting includes choosing a first one of said matches.

11. A method as in claim 1, wherein said routing decision includes a committed access rate decision.

12. A method as in claim 1, wherein said routing decision includes an administrative policy decision regarding treatment of said packet.

13. A method as in claim 1, wherein said routing decision includes determining an output interface for said packet.

14. A method as in claim 1, wherein said routing decision includes implementing a quality of service policy.

15. A method as in claim 1, wherein said routing decision includes permitting or denying access for said packet.

16. A method as in claim 1, wherein said step of generating said access result is responsive to a plurality of said at least one matches.

17. A method as in claim 1, wherein said step of matching is performed in order of constant time, whereby said step of matching is performed in time not responsive to a number of said access control patterns.

18. A method as in claim 1, wherein said steps of matching and selecting are performed at a rate exceeding 1 megapacket per second.

19. A method as in claim 1, including the step of making a preliminary routing decision for said packet, wherein said packet routing information includes a result of said preliminary routing decision.

20. A method as in claim 19, wherein said preliminary routing decision includes determining at least one output interface for said packet.

21. A method as in claim 19, wherein said packet routing information includes an output interface for said packet.

22. A method as in claim 1, including the step of preprocessing said packet label to generate said matchable information.

23. A method as in claim 22, wherein said step of preprocessing includes the steps of performing an arithmetic, logical, or comparison operation on said packet label; and generating a bit string for said matchable information in response to said arithmetic, logical, or comparison operation.

24. A method as in claim 22, wherein said step of preprocessing includes the step of comparing a field of said packet label with an arithmetic range or mask value.

25. A method as in claim 22, wherein said step of preprocessing includes the step of comparing a source IP port value or a destination IP port value with a selected port value.

26. A method as in claim 1, including the step of postprocessing said selected match to generate said access result.
  36. 36. Case3:14-cv-05343 Document1-2 Filed12/05/14 Page12 of 13 US 6,377,577 B1

27. A method as in claim 26, wherein said step of postprocessing includes accessing a memory in response to a bitstring included in said selected match.

28. A method as in claim 1, wherein said set of access control patterns is responsive to a sequence of access control specifiers, each one of said sequence of access control specifiers declaring whether to permit or deny access for a set of packets.

29. A method as in claim 28, wherein said step of maintaining includes the steps of receiving said sequence of access control specifiers; translating said sequence of access control specifiers into said sequence of access control patterns; and storing said sequence of access control patterns in said associative memory.

30. A method as in claim 29, wherein said step of translating includes the step of generating a plurality of said access control patterns in response to one of said access control specifiers.

31. A method as in claim 29, wherein said step of translating includes the step of generating a single one of said access control patterns in response to a plurality of said access control specifiers.

* * * * *
  37. 37. Case3:14-cv-05343 Document1-2 Filed12/05/14 Page13 of 13

UNITED STATES PATENT AND TRADEMARK OFFICE
CERTIFICATE OF CORRECTION

PATENT NO.: 6,377,577 B1 (Page 1 of 1)
DATED: April 23, 2002
INVENTOR(S): Bechtolsheim et al.

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Column 7, Line 48, please delete "outing-decision" and insert therefor -- routing decision --.

Signed and Sealed this Twelfth Day of August, 2003

JAMES E. ROGAN
Director of the United States Patent and Trademark Office
  38. 38. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page1 of 12 Exhibit 3
  39. 39. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page2 of 12

(12) United States Patent, Bechtolsheim et al.
(10) Patent No.: US 7,023,853 B1
(45) Date of Patent: *Apr. 4, 2006

(54) ACCESS CONTROL LIST PROCESSING IN HARDWARE

(75) Inventors: Andreas V. Bechtolsheim, Stanford, CA (US); David R. Cheriton, Palo Alto, CA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 297 days. This patent is subject to a terminal disclaimer.

(21) Appl. No.: 10/087,342

(22) Filed: Mar. 1, 2002

Related U.S. Application Data

(63) Continuation of application No. 09/108,071, filed on Jun. 30, 1998, now Pat. No. 6,377,577.

(51) Int. Cl. H04L 12/28 (2006.01)

(52) U.S. Cl. 370/392

(58) Field of Classification Search: 370/392, 393, 394, 396, 397, 398, 389, 400, 399, 370/395.32; 709/220, 221, 222, 227, 228, 709/229; 711/108. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,386,413 A * 1/1995 McAuley et al. 370/392
5,414,704 A * 5/1995 Spinney 370/389
5,509,006 A * 4/1996 Wilford et al. 370/401
5,920,886 A * 7/1999 Feldmeier 711/108
5,938,736 A * 8/1999 Muller et al. 709/243

OTHER PUBLICATIONS

Alessandri, Access Control List Processing in Hardware, Diploma Thesis, pp. 1-85, Oct. 1997.*
Miei et al., Parallelization of IP-Packet Filter Rules, IEEE, pp. 381-388, 1997.*

(Continued)

Primary Examiner: Frank Duong
(74) Attorney, Agent, or Firm: Campbell Stephenson Ascolese LLP

(57) ABSTRACT

The invention provides for hardware processing of ACLs and thus hardware enforcement of access control.
A sequence of access control specifiers from an ACL are recorded in a CAM, and information from the packet header is used to attempt to match selected source and destination IP addresses or subnets, ports, and protocols, against all the ACL specifiers at once. Successful matches are input to a priority selector, which selects the match with the highest priority (that is, the match that is first in the sequence of access control specifiers). The specified result of the selected match is used to permit or deny access for the packet without need for software processing, preferably at a rate comparable to wirespeed. The CAM includes an ordered sequence of entries, each of which has an array of ternary elements for matching "0", "1", or any value, and each of which generates a match signal. The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier. A router including the CAM can also include preprocessing circuits for certain range comparisons which have been found both to be particularly common and to be otherwise inefficiently represented by the ternary nature of the CAM, such as comparisons of the port number against known special cases such as "greater than 1023" or "within the range 6000 to 6500".

63 Claims, 3 Drawing Sheets
  40. 40. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page3 of 12 US 7,023,853 B1 Page 2

OTHER PUBLICATIONS

McAuley et al., Fast Routing Table Lookup Using CAMs, Bellcore, pp. 1-10, 1993.*
Doeringer et al., Routing on Longest-Matching Prefixes, IEEE, pp. 86-97, 1996.*
Shaffer, Designing Very Large Content-Addressable Memories, University of Pennsylvania, pp. 1-38, 1992.*
Molitor, Architecture for Advanced Packet Filtering, USENIX UNIX Security Symposium, pp. 1-13, 1995.*

* cited by examiner
  41. 41. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page4 of 12 [FIG. 1: block diagram of system 100 showing the packet input interfaces, the routing element 110, the access control element, and the packet output interfaces]
  42. 42. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page5 of 12 U.S. Patent Apr. 4, 2006 Sheet 2 of 3 US 7,023,853 B1 [FIG. 2: block diagram of the access control element showing compare circuit 230, compare bits 231, mask 212, access control memory 210, priority encoder 220, and output port 202]
  43. 43. Case3:14-cv-05343 Document1-3 Filed12/05/14 Page6 of 12 U.S. Patent Apr. 4, 2006 Sheet 3 of 3 US 7,023,853 B1 [FIG. 3: flow diagram of method 300: ready to receive; 321 receive packet; 322 identify header; 323 select label; 324 couple label to A.C. element; 325 determine output interface; 326 determine input permission; 327 couple label and OIF to output A.C. element; 328 determine output permission; ready to transmit]
