In packet data networks, such as Ethernet networks, policy-based network security may be implemented by defining different sets or groups of users and applying different sets of rules governing network security to the users of each set. Current approaches for implementing network security in such networks include defining the sets of users and applying the sets of rules using a classification module. Such classification modules include a lookup table implemented in a memory structure that is used to determine what rules to apply to the different sets of users.
In current approaches, each rule has a corresponding entry for each user to which the particular rule applies. By way of simple example, in a data network with ten users (e.g., in one particular group) and ten rules that are to be applied to those ten users, the lookup table would include one-hundred entries, i.e., one entry for each user for each rule. Accordingly, the number of entries needed in such a classification module is the product of the number of users (M) and the number of rules (N) to be applied to data packets associated with (i.e., communicated to or from) the M users. Therefore, using such an approach, the number of lookup table entries is approximately M*N.
As the complexity of data networks, such as corporate networks, increases and the number of users and rules (e.g., policy-based rules) applied to those users increases, the size of a lookup table that is required in a classification module to implement such rules can become excessively large. For instance, in a network with 500 users and 100 rules that are applied to each of those 500 users, the lookup table in such a classification module would include approximately 50,000 entries. Of course, other groups of users (e.g., a group of W users) and other sets of rules (e.g., a set of X rules applied to the W users) could also be implemented, thus further increasing the number of entries needed in the lookup table (i.e., by W*X in this example, resulting in M*N+W*X rules or entries).
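The per-user, per-rule expansion described above can be modelled directly. The following is an added example (not code from the patent or any product it describes) that builds the lookup table one entry per user per rule, counts entries for one or several (group, rule set) pairs so that the M*N and M*N+W*X sizes can be checked, and performs the packet classification a content-addressable lookup would perform. User names, rule names, the match field (destination port), the actions and the default action are all constructed for illustration.

```python
"""Model of a classification lookup table with one entry per user per rule.

Added example; users, rules, packets and the default action are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int   # constructed match field: destination port of the packet
    action: str     # constructed action: "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src_user: str   # user the packet is associated with
    dst_port: int


# One user group together with the rule set applied to every user in it.
Group = Tuple[Sequence[str], Sequence[Rule]]


def build_lookup_table(groups: Sequence[Group]) -> List[Tuple[str, Rule]]:
    """Expand every (group, rule set) pair into (user, rule) entries.

    Each rule gets its own entry for each user it applies to, so a group of
    M users with N rules contributes M*N entries, and several groups add up
    to M*N + W*X + ... entries.
    """
    table: List[Tuple[str, Rule]] = []
    for users, rules in groups:
        for user in users:
            for rule in rules:
                table.append((user, rule))
    return table


def table_size(groups: Sequence[Group]) -> int:
    """Number of entries the expanded table needs, without building it."""
    return sum(len(users) * len(rules) for users, rules in groups)


def classify(table: Sequence[Tuple[str, Rule]], packet: Packet) -> str:
    """Linear scan standing in for the CAM lookup: first matching entry wins.

    Every entry carries the user explicitly, which is why the table grows
    with the number of users rather than the number of distinct rules.
    """
    for user, rule in table:
        if user == packet.src_user and rule.dst_port == packet.dst_port:
            return rule.action
    return "default-deny"  # constructed fallback when no entry matches


def demo() -> Tuple[int, int, int]:
    """Reproduce the entry counts from the text with constructed groups."""
    users10 = [f"user{i}" for i in range(10)]
    rules10 = [Rule(f"rule{j}", 1000 + j, "permit") for j in range(10)]
    users500 = [f"user{i}" for i in range(500)]
    rules100 = [Rule(f"rule{j}", 2000 + j, "permit" if j % 2 == 0 else "deny")
                for j in range(100)]
    ten_by_ten = table_size([(users10, rules10)])            # M*N = 100
    big = table_size([(users500, rules100)])                 # M*N = 50,000
    two_groups = table_size([(users500, rules100),
                             (users10, rules10)])            # M*N + W*X = 50,100
    return ten_by_ten, big, two_groups


if __name__ == "__main__":
    print(demo())
    t = build_lookup_table([([f"user{i}" for i in range(10)],
                             [Rule(f"rule{j}", 1000 + j, "permit") for j in range(10)])])
    print(classify(t, Packet("user3", 1004)), classify(t, Packet("user3", 9999)))
```

Running `demo()` returns the three entry counts (100, 50,000 and 50,100) for the constructed groups; adding a single rule to a group of M users adds M entries, which is the growth the text is concerned with.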
Because such lookup tables are typically implemented using content-addressable memory, which is costly to implement (e.g., in terms of design effort and in terms of the semiconductor area used in integrated circuit embodiments), using such classification techniques can result in undue product design and manufacturing costs.