Distributed virtual system to support managed, network-based services

US 7,818,452 B2
Filed: 06/16/2008
Issued: 10/19/2010
Est. Priority Date: 09/13/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

providing a virtual router (VR)-based switch configured for operation at an Internet point-of-presence (POP) of a service provider, the VR-based switch having a plurality of processing elements;

segmenting, by a network operating system (NOS) operable within the VR-based switch, resources of the VR-based switch between at least a first subscriber of the service provider and a second subscriber of the service provider by;

associating a first plurality of VRs with the first subscriber;

associating a second plurality of VRs with the second subscriber;

mapping the first plurality of VRs onto a first set of one or more of the plurality of processing elements; and

mapping the second plurality of VRs onto a second set of one or more of the plurality of processing elements;

configuring, by the NOS, a first set of customized services including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT) to be provided by the VR-based switch on behalf of the first subscriber by allocating a first service object group within the first plurality of VRs, the first service object group including a service object corresponding to each service of the first set of customized services and wherein each service object of the first service object group can be dynamically distributed by the NOS to customized processors of the first set of one or more of the plurality of processing elements to achieve desired computational supportconfiguring, by the NOS, a second set of customized services including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and NAT to be provided by the VR-based switch on behalf of the second subscriber by allocating a second service object group within the second plurality of VRs, the second service object group including a service object corresponding to each service of the second set of customized services and wherein each service object of the second service object group can be dynamically distributed by the NOS to customized processors of the second set of one or more of the plurality of processing elements to achieve desired computational support; and

wherein the NOS is implemented in one or more processors and one or more computer-readable storage media of one or more of the plurality of processing elements, the one or more computer-readable storage media having instructions tangibly embodied therein representing the NOS that are executable by the one or more processors.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for allocating network resources of a distributed virtual system to support managed, network-based services. According to one embodiment, a VR-based switch having multiple processing elements is configured for operation at an Internet POP. An NOS is provided on each of the processing elements. Resources of the VR-based switch are segmented between a first and second subscriber by mapping VRs assigned to the first and second subscriber onto appropriate processing elements. Then, a first and second set of customized services are configured, each including two or more of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT), to be provided by the VR-based switch. Customized services are configured by allocating appropriate service object groups to the VRs, which can be dynamically distributed by the NOS to customized processors of the processing elements to achieve desired computational support.

Citations

19 Claims

1. A method comprising:
- providing a virtual router (VR)-based switch configured for operation at an Internet point-of-presence (POP) of a service provider, the VR-based switch having a plurality of processing elements;
  
  segmenting, by a network operating system (NOS) operable within the VR-based switch, resources of the VR-based switch between at least a first subscriber of the service provider and a second subscriber of the service provider by;
  
  associating a first plurality of VRs with the first subscriber;
  
  associating a second plurality of VRs with the second subscriber;
  
  mapping the first plurality of VRs onto a first set of one or more of the plurality of processing elements; and
  
  mapping the second plurality of VRs onto a second set of one or more of the plurality of processing elements;
  
  configuring, by the NOS, a first set of customized services including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT) to be provided by the VR-based switch on behalf of the first subscriber by allocating a first service object group within the first plurality of VRs, the first service object group including a service object corresponding to each service of the first set of customized services and wherein each service object of the first service object group can be dynamically distributed by the NOS to customized processors of the first set of one or more of the plurality of processing elements to achieve desired computational supportconfiguring, by the NOS, a second set of customized services including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and NAT to be provided by the VR-based switch on behalf of the second subscriber by allocating a second service object group within the second plurality of VRs, the second service object group including a service object corresponding to each service of the second set of customized services and wherein each service object of the second service object group can be dynamically distributed by the NOS to customized processors of the second set of one or more of the plurality of processing elements to achieve desired computational support; and
  
  wherein the NOS is implemented in one or more processors and one or more computer-readable storage media of one or more of the plurality of processing elements, the one or more computer-readable storage media having instructions tangibly embodied therein representing the NOS that are executable by the one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising defining, by the NOS, a system VR within the VR-based switch;
    - and the system VR aggregating traffic from the first plurality of VRs and the second plurality of VRs and transferring the aggregated traffic across the Internet.
  - 3. The method of claim 1, wherein at least one of the first plurality of VRs spans two or more of the first set of one or more of the plurality of processing elements.
  - 4. The method of claim 2, wherein at least one of the second plurality of VRs spans two or more of the second set of one or more of the plurality of processing elements.
  - 5. The method of claim 1, further comprising defining, by the NOS, a first configured topology among the first plurality of VRs by configuring virtual interfaces (VIs) of the first plurality of VRs to provide desired paths for packet flows associated with the first subscriber and permissible transformations of the packet flows associated with the first subscriber.
  - 6. The method of claim 5, further comprising defining, by the NOS, a second configured topology among the second plurality of VRs by configuring virtual interfaces (VIs) of the second plurality of VRs to provide desired paths for packet flows associated with the second subscriber and permissible transformations of the packet flows associated with the second subscriber.
  - 7. The method of claim 1, wherein the VR-based switch includes a first server blade and a second server blade and each of the plurality of processing elements are associated with the first server blade or the second server blade, and wherein a VR of the first plurality of VRs terminates links on both the first server blade and the second server blade, and the method further comprises forwarding agents associated with the VR maintaining a replicated forwarding information base.

8. A virtual router (VR)-based switch comprising:
- a storage device having stored therein one or more routines of a network operating system (NOS) operable to create discrete customized services for subscribers of a service provider by providing the subscribers with different configurations of service object groups;
  
  one or more processors coupled to the storage device and operable to execute the one or more routines;
  
  a plurality of processing elements coupled to the storage device and the one or more processors, whereresources of the VR-based switch are segmented between at least a first subscriber of the service provider and a second subscriber of the service provider by;
  
  instantiating a plurality of VRs within the VR-based switch;
  
  associating a first set of VRs of the plurality of VRs with the first subscriber;
  
  associating a second set of VRs of the plurality of VRs with the second subscriber;
  
  mapping the first set of VRs onto a first set of one or more of the plurality of processing elements; and
  
  mapping the second set of VRs onto a second set of one or more of the plurality of processing elements;
  
  a first set of customized services, including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT), is configured to be provided by the VR-based switch on behalf of the first subscriber by creating a first service object group within the first set of VRs, the first service object group including a service object corresponding to each service of the first set of customized services and wherein each service object of the first service object group can be dynamically distributed by the NOS to customized processors of the first set of one or more of the plurality of processing elements to achieve desired computational support; and
  
  a second set of customized services, including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and NAT, is configured to be provided by the VR-based switch on behalf of the second subscriber by creating a second service object group within the second set of VRs, the second service object group including a service object corresponding to each service of the second set of customized services and wherein each service object of the second service object group can be dynamically distributed by the NOS to customized processors of the second set of one or more of the plurality of processing elements to achieve desired computational support.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The VR-based switch of claim 8, wherein the method further comprises defining a system VR within the VR-based switch;
    - and the system VR aggregating traffic from the first plurality of VRs and the second plurality of VRs and transferring the aggregated traffic across the Internet.
  - 10. The VR-based switch of claim 8, wherein at least one of the first set of VRs spans two or more of the first set of one or more of the plurality of processing elements.
  - 11. The VR-based switch of claim 9, wherein at least one of the second set of VRs spans two or more of the second set of one or more of the plurality of processing elements.
  - 12. The VR-based switch of claim 8, wherein a first configured topology is defined among the first set of VRs by configuring virtual interfaces (VIs) of the first set of VRs to provide desired paths for packet flows associated with the first subscriber and permissible transformations of the packet flows associated with the first subscriber.
  - 13. The VR-based switch of claim 12, wherein a second configured topology is defined among the second set of VRs by configuring virtual interfaces (VIs) of the second set of VRs to provide desired paths for packet flows associated with the second subscriber and permissible transformations of the packet flows associated with the second subscriber.
  - 14. The VR-based switch of claim 8, further comprising a first server blade and a second server blade and each of the plurality of processing elements are associated with the first server blade or the second server blade, and wherein a VR of the first set of VRs terminates links on both the first server blade and the second server blade, and wherein forwarding agents associated with the VR maintain a replicated forwarding information base.

15. A computer-readable storage medium readable by one or more processing elements of a plurality of processing elements of a virtual router (VR)-based switch, the computer-readable storage medium tangibly embodying a set of instructions executable by one or more processors of the plurality of processing elements to perform method steps for creating discrete customized services for subscribers of a service provider by providing the subscribers with different configurations of service object groups, the method steps comprising:
- segmenting resources of the VR-based switch between at least a first subscriber of the service provider and a second subscriber of the service provider by;
  
  instantiating a plurality of VRs within the VR-based switch;
  
  associating a first set of VRs of the plurality of VRs with the first subscriber;
  
  associating a second set of VRs of the plurality of VRs with the second subscriber;
  
  mapping the first set of VRs onto a first set of one or more of the plurality of processing elements; and
  
  mapping the second set of VRs onto a second set of one or more of the plurality of processing elements;
  
  configuring a first set of customized services, including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT), to be provided by the VR-based switch on behalf of the first subscriber by allocating a first service object group within the first set of VRs, the first service object group including a service object corresponding to each service of the first set of customized services and wherein each service object of the first service object group can be dynamically distributed to customized processors of the first set of one or more of the plurality of processing elements to achieve desired computational support; and
  
  configuring a second set of customized services, including a plurality of firewalling, virtual private networking, encryption, traffic shaping, routing and NAT, to be provided by the VR-based switch on behalf of the second subscriber by allocating a second service object group within the second set of VRs, the second service object group including a service object corresponding to each service of the second set of customized services and wherein each service object of the second service object group can be dynamically distributed to customized processors of the second set of one or more of the plurality of processing elements to achieve desired computational support.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-readable storage medium of claim 15, further comprising defining, by the NOS, a system VR within the VR-based switch;
    - and the system VR aggregating traffic from the first plurality of VRs and the second plurality of VRs and transferring the aggregated traffic across the Internet.
  - 17. The computer-readable storage medium of claim 15, wherein at least one of the first set of VRs spans two or more of the first set of one or more of the plurality of processing elements.
  - 18. The computer-readable storage medium of claim 16, wherein at least one of the second set of VRs spans two or more of the second set of one or more of the plurality of processing elements.
  - 19. The computer-readable storage medium of claim 15, wherein the VR-based switch includes a first server blade and a second server blade and each of the plurality of processing elements are associated with the first server blade or the second server blade, and wherein a VR of the first set of VRs terminates links on both the first server blade and the second server blade, and wherein the method steps further comprise maintaining a replicated forwarding information base.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Matthews, Abraham Rabindranath, Naveed, Alam
Primary Examiner(s)
BAROT, BHARAT

Application Number

US12/140,249
Publication Number

US 20080259934A1
Time in Patent Office

855 Days
Field of Search

709201-205, 709223-226, 709238-239, 370400-401
US Class Current

709/238
CPC Class Codes

H04L 12/2876   Handling of subscriber poli...

H04L 12/5691   Access to open networks; In...

H04L 41/0803   Configuration setting

H04L 41/0895   Configuration of virtualise...

H04L 41/122   of virtualised topologies, ...

H04L 41/40   using virtualisation of net...

H04L 41/5054   Automatic deployment of ser...

H04L 45/586   of virtual routers

H04L 49/70   Virtual switches

H04L 61/2521   Translation architectures o...

H04L 63/0272   Virtual private networks

Distributed virtual system to support managed, network-based services

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed virtual system to support managed, network-based services

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links