ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL
First Claim
1. A network router comprising:
a plurality of interfaces configured to send and receive packets for virtual private networks (VPNs) associated with one or more customer networks;
a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the packets; and
a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one multi-protocol label switched (MPLS) protocol to establish a plurality of MPLS label switched paths (LSPs) through the service provider network to carry the packets for the customer VPNs;
wherein the control unit of the routing engine executes a network services protocol that programs the firewall with mapping information that specifies one or more MPLS labels for each of the MPLS LSPs and that maps the MPLS labels to the customer VPNs, wherein the firewall applies policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information programmed into the firewall by the network services protocol of the routing engine.
Abstract
An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.
25 Claims
15. A method comprising:
executing, with a routing engine of a router, at least one multi-protocol label switched (MPLS) protocol to establish MPLS label switched paths (LSPs) through the service provider network to carry packets for one or more customer virtual private networks (VPNs) for one or more customer networks; communicating mapping information from the routing engine to a firewall integrated within the router, wherein the mapping information associates one or more MPLS labels for the MPLS LSPs with the customer VPNs; and applying stateful firewall services to the packets with the firewall of the network router based on the zones specified by the user and the mapping information received from the routing engine, wherein applying stateful firewall services comprises applying the policies to the packets received from the service provider network having MPLS labels that match the MPLS labels specified within the mapping information and to packets received from the customer networks that are destined to be forwarded by the router as MPLS packets.
(Dependent claims 16 through 25.)
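As an added illustration (not code from the patent or from any vendor's implementation), the following Python models the mechanism the abstract and claims 1 and 15 describe: the routing engine programs a label-to-VPN table into the firewall, the user's zones are defined in terms of customer VPNs, and the firewall decodes the MPLS label stack of a packet arriving from the provider core and uses the inner (VPN) label to select the zone-pair policy. The labels, VPN names, zones and policies are constructed sample values, and stateful session tracking is omitted.

```python
import struct

# Constructed mapping table of the kind the routing engine programs into the
# integrated firewall: inner MPLS label -> customer VPN -> firewall zone.
LABEL_TO_VPN = {100016: "cust-a", 100032: "cust-b"}   # constructed labels
VPN_TO_ZONE = {"cust-a": "zone-a", "cust-b": "zone-b"}  # VPNs act as zone "interfaces"
VPN_TO_LABEL = {vpn: label for label, vpn in LABEL_TO_VPN.items()}

# Constructed zone-pair policies, as a user would define them for one virtual
# security system. Anything not listed is denied.
POLICIES = {("zone-a", "zone-b"): "permit", ("zone-b", "zone-a"): "deny"}


def parse_label_stack(packet):
    """Decode an MPLS label stack (RFC 3032 entry: 20-bit label, 3-bit TC,
    1-bit bottom-of-stack, 8-bit TTL). Returns (labels, payload)."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated MPLS label stack")
        (entry,) = struct.unpack_from("!I", packet, offset)
        labels.append(entry >> 12)
        offset += 4
        if entry & 0x100:            # S bit set: bottom of stack reached
            return labels, packet[offset:]


def encode_label_stack(labels, payload=b""):
    """Build a label stack (TTL 64) in front of a payload; used to construct test packets."""
    out = bytearray()
    for i, label in enumerate(labels):
        s_bit = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (s_bit << 8) | 64)
    return bytes(out) + payload


def classify_from_core(packet, to_zone):
    """Action for a packet received from the provider network and destined
    for the customer-facing zone `to_zone`."""
    labels, _ = parse_label_stack(packet)
    vpn = LABEL_TO_VPN.get(labels[-1])     # inner label identifies the customer VPN
    if vpn is None:
        return "drop"                      # label not programmed by the routing engine
    return POLICIES.get((VPN_TO_ZONE[vpn], to_zone), "deny")


def classify_from_customer(vpn, to_vpn):
    """Action for a customer packet about to be imposed with `to_vpn`'s label;
    returns (action, label) so the caller can forward it as MPLS."""
    action = POLICIES.get((VPN_TO_ZONE.get(vpn), VPN_TO_ZONE.get(to_vpn)), "deny")
    return action, VPN_TO_LABEL.get(to_vpn)
```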
Specification