PACKET ROUTING SYSTEM AND METHOD
Abstract
A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A packet routing system and method is also described that includes a processor identifier in each packet to route the packet to a physical processor, and a logical queue identifier to route the packet to the destination object within that processor.
12 Claims
1. A method comprising:
partitioning a plurality of virtual routers (VRs) of a service processing switch of a service provider between a first subscriber and a second subscriber of the service provider by associating a first processor element identifier (PEID) with a first set of VRs of the plurality of VRs partitioned to the first subscriber and a second PEID with a second set of VRs of the plurality of VRs partitioned to the second subscriber;
configuring the first set of VRs to provide a first set of security services on behalf of the first subscriber by creating within the first set of VRs a first object group supportive of the first set of security services;
configuring the second set of VRs to provide a second set of security services on behalf of the second subscriber by creating within the second set of VRs a second object group supportive of the second set of security services;
the service processing switch providing appropriate security services for the first subscriber and the second subscriber by steering a first subscriber packet destined for or originating from a site of the first subscriber to an appropriate VR of the first set of VRs and an appropriate object within the first object group based on a value of the first PEID being associated with the first subscriber packet and a logical queue identifier (LQID) value associated with the first subscriber packet, the LQID value associated with the first subscriber packet corresponding to an LQID assigned to the appropriate object within the first object group and steering a second subscriber packet destined for or originating from a site of the second subscriber to an appropriate VR of the second set of VRs and an appropriate object within the second object group based on a value of the first PEID being associated with the second subscriber packet and a logical queue identifier (LQID) value associated with the second subscriber packet, the LQID value associated with the second subscriber packet corresponding to an LQID assigned to the appropriate object within the second object group.
11. An Internet Protocol (IP) service delivery architecture comprising:
a Service Management System (SMS) residing in a Network Operations Center (NOC) of a service provider;
an IP service processing switch located within a service provider's Point of Presence (POP) and communicatively coupled to the service provider via a backbone of the service provider, the IP service processing switch providing customized security services to each of a plurality of subscribers of the service provider by (i) allocating one or more virtual routers (VRs) of a plurality of VRs to each of the plurality of subscribers based on processor element identifiers (PEIDs) associated with the plurality of VRs, (ii) instantiating object groups within the one or more VRs allocated to each subscriber based on security service needs of the subscriber, (iii) assigning logical queue identifiers (LQIDs) to objects of the object groups; and
(iv) steering packets to appropriate objects of the object groups based on PEID values and LQID values associated with the packets;
a Customer Network Management (CNM) system communicatively coupled with the IP service processing switch and located at a site within each subscriber;
wherein the SMS enables centralized deployment, configuration and management of a managed network-based security service on behalf of the plurality of subscribers; and
wherein the CNMs provide the respective subscribers with the ability to (i) initiate service provisioning and augmentation of the customized security services and (ii) obtain detailed network and service performance information.
12. An Internet Protocol (IP) service processing switch comprising:
a plurality of blades each having a plurality of processor elements (PEs), each of the plurality of PEs running a plurality of virtual routers (VRs) configured to provide customized security services to a subscriber of a plurality of subscribers of a service provider by (i) creating object groups within the plurality of VRs in accordance with security service needs of respective subscribers and (ii) assigning logical queue identifiers (LQIDs) to objects of the object groups, the objects including one or more of a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object, each of the plurality of PEs being assigned a PE identifier (PEID) that is unique within the IP service processing switch;
a packet-passing ring coupling the plurality of blades in communication; and
wherein upon a blade of the plurality of blades receiving a packet, the blade inspects a PEID value associated with the packet and, if the PEID value corresponds to a PE of the plurality of PEs on the blade, then the packet is steered to an object of the plurality of VRs running on the PE that corresponds to the LQID value, and if the PEID value does not correspond to any of the PEs of the plurality of PEs on the blade, then the packet is forwarded to the next blade of the plurality of blades on the packet-passing ring.
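The steering logic of claim 12, together with the per-subscriber PEID partitioning of claim 1, can be modelled as a small simulation. The following Python is an added example written for this page, not code from the patent or its assignee; the blade topology, PEID and LQID values, subscriber names and object names are all constructed, and the class and function names (`ServiceProcessingSwitch`, `steer`, `create_object`, `build_sample_switch`) are this model's own. It also goes slightly beyond the claim text in two places a defender cares about: an unknown PEID is dropped after one full circuit of the ring rather than circulating indefinitely, and a packet whose LQID is not assigned on the target PE is dropped rather than falling through to some other object.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    peid: int        # processor element identifier: which PE should process it
    lqid: int        # logical queue identifier: which object on that PE
    payload: bytes


@dataclass
class ServiceObject:
    name: str
    kind: str        # "routing", "filter", "firewall" or "nat", as listed in claim 12


@dataclass
class ProcessorElement:
    peid: int
    objects: dict = field(default_factory=dict)   # LQID -> ServiceObject


@dataclass
class Blade:
    pes: dict = field(default_factory=dict)       # PEID -> ProcessorElement


class ServiceProcessingSwitch:
    """Constructed model of the blades-on-a-packet-passing-ring switch."""

    def __init__(self, blades):
        self.blades = blades
        self.partition = {}   # PEID -> subscriber (the claim 1 partitioning)

    def partition_pe(self, peid, subscriber):
        # A PEID is unique switch-wide, so it belongs to exactly one subscriber.
        owner = self.partition.get(peid)
        if owner is not None and owner != subscriber:
            raise ValueError(f"PEID {peid} already partitioned to {owner}")
        self.partition[peid] = subscriber

    def _find_pe(self, peid):
        for blade in self.blades:
            if peid in blade.pes:
                return blade.pes[peid]
        raise KeyError(f"no PE with PEID {peid}")

    def create_object(self, subscriber, peid, lqid, obj):
        # Configuration-time isolation check (this model's assumption): a
        # subscriber may only instantiate objects on PEs partitioned to it.
        if self.partition.get(peid) != subscriber:
            raise PermissionError(f"PEID {peid} is not partitioned to {subscriber}")
        pe = self._find_pe(peid)
        if lqid in pe.objects:
            raise ValueError(f"LQID {lqid} already assigned on PEID {peid}")
        pe.objects[lqid] = obj

    def steer(self, packet, ingress_blade=0):
        """Walk the ring from the ingress blade; return (status, target, hops)."""
        n = len(self.blades)
        idx = ingress_blade
        for hop in range(n):                      # bounded to one full circuit
            pe = self.blades[idx].pes.get(packet.peid)
            if pe is not None:                    # PEID matches a PE on this blade
                obj = pe.objects.get(packet.lqid)
                if obj is None:                   # no object owns this LQID: drop
                    return ("drop", "unassigned LQID", hop)
                return ("deliver", obj.name, hop)
            idx = (idx + 1) % n                   # forward to the next blade on the ring
        return ("drop", "unknown PEID", n)        # no blade owns the PEID: drop


def build_sample_switch():
    """Three blades, two PEs each; PEIDs 1-3 to 'acme', 4-6 to 'globex' (constructed)."""
    blades = [Blade({1: ProcessorElement(1), 2: ProcessorElement(2)}),
              Blade({3: ProcessorElement(3), 4: ProcessorElement(4)}),
              Blade({5: ProcessorElement(5), 6: ProcessorElement(6)})]
    sw = ServiceProcessingSwitch(blades)
    for peid in (1, 2, 3):
        sw.partition_pe(peid, "acme")
    for peid in (4, 5, 6):
        sw.partition_pe(peid, "globex")
    # Each subscriber's object group lives only on its own PEs.
    sw.create_object("acme", 1, 1, ServiceObject("acme-route", "routing"))
    sw.create_object("acme", 3, 1, ServiceObject("acme-firewall", "firewall"))
    sw.create_object("globex", 5, 1, ServiceObject("globex-nat", "nat"))
    sw.create_object("globex", 5, 2, ServiceObject("globex-firewall", "firewall"))
    return sw


def cross_tenant_create_rejected(sw, subscriber, peid, lqid):
    """True if the switch refuses to place an object on another subscriber's PE."""
    try:
        sw.create_object(subscriber, peid, lqid, ServiceObject("rogue", "filter"))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    sw = build_sample_switch()
    print(sw.steer(Packet(peid=3, lqid=1, payload=b"cons"), ingress_blade=0))
    print(sw.steer(Packet(peid=42, lqid=1, payload=b"cons"), ingress_blade=0))
```

The `hops` value returned by `steer` is the number of blade-to-blade forwards on the ring before the PEID matched, which is also what a telemetry counter for ring load would record; the two drop reasons are kept distinct so that a flood of unknown-PEID or unassigned-LQID packets is visible as a separate signal from normal delivery.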