HIERARCHICAL CLUSTERING IN A GEOGRAPHICALLY DISPERSED NETWORK ENVIRONMENT

US 20160234168A1
Filed: 02/11/2015
Published: 08/11/2016
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment;

identifying the packet, by the ASA unit, as matching an inter-data center (DC) live traffic profile;

identifying, by the ASA unit, a target ASA cluster in the plurality of ASA clusters in the cluster domain;

querying, by the ASA unit, a domain director in the target ASA cluster for a flow owner;

if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster; and

if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

43 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment;
  
  identifying the packet, by the ASA unit, as matching an inter-data center (DC) live traffic profile;
  
  identifying, by the ASA unit, a target ASA cluster in the plurality of ASA clusters in the cluster domain;
  
  querying, by the ASA unit, a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster; and
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 3. The method of claim 1, further comprising identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 4. The method of claim 1, wherein identifying the target ASA cluster comprises querying a database.
  - 5. The method of claim 1, wherein identifying the target ASA cluster comprises computing a consistent hash (cHash) of all the ASA clusters in the cluster domain.
  - 6. The method of claim 1, further comprising identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.
  - 7. The method of claim 6, further comprising obtaining an Internet Protocol/Media Access Control (IP/MAC) address of the domain director from a local copy of a remote cluster membership list at the ASA unit.
  - 8. The method of claim 1, wherein each ASA cluster comprises a plurality of ASA units.
  - 9. The method of claim 1, wherein site-independent configuration of the ASA units in the cluster domain is the same among all the ASA units in all the ASA clusters in the cluster domain, wherein site-specific configuration of the ASA units in each ASA cluster is different from corresponding configuration of the ASA units in other ASA clusters in the cluster domain.
  - 10. The method of claim 9, wherein ASA unit is a cluster master, wherein updates to the site-independent configuration of the ASA unit triggers an update, by the ASA unit, to other cluster masters in the other ASA clusters in the cluster domain.

11. Non-transitory tangible media encoding logic that includes instructions for execution, which when executed by a processor of an ASA unit, is operable to perform operations comprising:
- receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA clusters in a cluster domain of a network environment;
  
  identifying the packet as matching an inter-DC live traffic profile;
  
  identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain;
  
  querying a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster; and
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The media of claim 11, the operations further comprising dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 13. The media of claim 11, the operations further comprising identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 14. The media of claim 11, wherein identifying the target ASA cluster comprises computing a cHash of all the ASA clusters in the cluster domain.
  - 15. The media of claim 11, the operations further comprising identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.

16. An apparatus, comprising:
- a memory element for storing data; and
  
  a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured as an ASA unit for;
  
  receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA clusters in a cluster domain of a network environment;
  
  identifying the packet as matching an inter-DC live traffic profile;
  
  identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain;
  
  querying a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster; and
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, further configured for dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 18. The apparatus of claim 16, further configured for identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 19. The apparatus of claim 16, wherein identifying the target ASA cluster comprises computing a cHash of all the ASA clusters in the cluster domain.
  - 20. The apparatus of claim 16, further configured for identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Liu, Zhijun, Kunder, Jonathan Augustine, Leung, Kent K., Wang, Xun, Ossipov, Andrew E.

Granted Patent

US 9,800,549 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5061   Pools of addresses

H04L 63/0218   Distributed architectures, ...

H04L 63/0254   Stateful filtering

HIERARCHICAL CLUSTERING IN A GEOGRAPHICALLY DISPERSED NETWORK ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HIERARCHICAL CLUSTERING IN A GEOGRAPHICALLY DISPERSED NETWORK ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links