Layer two firewall with active-active high availability support
Abstract
Techniques are described to enable two or more layer two (L2) firewall devices to be configured as a high availability (HA) cluster in an active-active configuration. A first layer two (L2) firewall and a second L2 firewall are positioned within the same L2 network. The first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the L2 network, and concurrently apply L2 firewall services to packets within the L2 network. A VSD of one of the L2 firewalls automatically switches to an active VSD status for a VSD group in place of a VSD of another L2 firewall when the other L2 firewall fails.
58 Citations
23 Claims
1. A method comprising:
   concurrently designating a first layer two (L2) firewall and a second L2 firewall as active L2 firewalls within the same L2 network; and
   concurrently applying L2 firewall services to packets within the L2 network with the first L2 firewall and the second L2 firewall by:
   receiving, with the first L2 firewall and the second L2 firewall, copies of a same one of the packets within the L2 network; and
   disregarding one of the copies of the packet with one of the L2 firewalls based on a virtual local area network (VLAN) identifier associated with the packet,
   wherein the first L2 firewall operates with the second L2 firewall within the same L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.
2. A method comprising:
   assigning a first layer two (L2) firewall to a plurality of different virtual security device (VSD) groups for a single L2 network, wherein each of the VSD groups has at least one other assigned VSD on another L2 firewall within the single L2 network;
   designating a first VSD within the first L2 firewall as an active VSD for at least a first one of the VSD groups;
   designating the first VSD within a second L2 firewall of the L2 network as a backup VSD for the first VSD group;
   designating a second VSD within the first L2 firewall as a backup VSD for at least a second one of the VSD groups;
   designating the second VSD within the second L2 firewall as an active VSD for the second VSD group;
   associating one or more virtual local area network (VLAN) identifiers with the VSD groups; and
   selectively applying firewall services to packets with the first and second L2 firewall based on VLAN identifiers within the packets.
   (Dependent claims 3, 4, 5, 6, 7, 8, 9 not shown.)
10. A layer two (L2) firewall comprising:
   a physical network interface that receives a packet having a virtual local area network (VLAN) identifier;
   a computer-readable storage medium for storing configuration information, wherein the configuration information configures the L2 firewall with a plurality of virtual security devices (VSDs) that provide L2 firewall services within a single L2 network, and associates each of the VSDs with a VSD group, wherein the configuration information specifies at least one of the VSDs of the L2 firewall as an active VSD within one of a plurality of VSD groups, and wherein the configuration information associates one or more VLAN identifiers with the VSD groups, wherein the L2 firewall is configured to determine that another L2 firewall within the single L2 network has the one of the VSDs specified as a backup VSD; and
   a control unit to apply the L2 firewall services.
   (Dependent claims 11, 12, 13, 14, 15, 16 not shown.)
17. A system comprising:
   a first layer two (L2) firewall with an L2 network; and
   a second L2 firewall positioned within the same L2 network as the first L2 firewall such that duplicate copies of L2 communications at least are initially communicated to both the first and second L2 firewalls when the first and second L2 firewalls are concurrently configured with active VSDs,
   wherein the first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the same L2 network and concurrently apply L2 firewall services to packets within the L2 network, and
   wherein the first L2 firewall operates with the second L2 firewall within the same L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.
   (Dependent claims 18, 19, 20, 21, 22 not shown.)
23. A non-transitory computer-readable medium comprising instructions for causing a programmable processor to:
   receive configuration information at a layer two (L2) firewall having L2 connectivity to configure the L2 firewall to include a plurality of virtual security devices (VSD), wherein each of the VSDs belongs to one of a plurality of VSD groups having other VSDs configured on at least one other L2 firewall;
   receive configuration information at the L2 firewall that specifies a priority level of the VSDs of the L2 firewall for each of the VSD groups, wherein the priority level dictates whether the VSDs of the L2 firewall are active VSDs for the respective VSD group;
   receive configuration information at the L2 firewall that associates one or more virtual local area network (VLAN) identifiers with the VSDs;
   receive a packet having a VLAN identifier; and
   determine, with the L2 firewall, whether the VLAN identifier of the packet corresponds to an active VSD for the L2 firewall.
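The mechanism the claims describe (both firewalls receive every frame; each one applies services only to VLANs whose VSD group it is currently active for, and a backup VSD takes over when the peer fails) can be modelled in a few dozen lines. The following is an added illustration and not the patent's or any vendor's code: the group names, priorities, VLAN map, sample packets and the "highest live priority wins" election are all assumptions made for the example, and peer-failure detection is reduced to a boolean instead of a real heartbeat. It also adds the check a practitioner would want after any priority or VLAN change: that every VLAN still has exactly one live active VSD.

```python
"""Toy model of an active-active L2 firewall pair partitioned by VLAN.

Added example (not the patent's code). Assumed conventions: each firewall
holds one VSD per VSD group; within a group the live VSD with the highest
priority is active; a VLAN is served by exactly one group; frames on an
unmapped VLAN are disregarded by both firewalls (fail closed in this model).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VSD:
    name: str       # e.g. "vsd-group1" (constructed name)
    priority: int   # higher wins the active role in its group (assumed rule)


@dataclass
class Firewall:
    name: str
    vsds: Dict[str, VSD]                      # VSD group name -> this firewall's VSD
    alive: bool = True                        # stands in for peer liveness detection
    processed: List[str] = field(default_factory=list)   # frames given L2 services
    dropped: List[str] = field(default_factory=list)     # duplicate copies disregarded


class Cluster:
    def __init__(self, vlan_to_group: Dict[int, str], firewalls: List[Firewall]):
        self.vlan_to_group = vlan_to_group
        self.firewalls = firewalls

    def active_for(self, group: str) -> Optional[Firewall]:
        """Elect the active VSD of a group: highest priority among live members."""
        live = [fw for fw in self.firewalls if fw.alive and group in fw.vsds]
        if not live:
            return None
        return max(live, key=lambda fw: fw.vsds[group].priority)

    def is_active_for_vlan(self, fw: Firewall, vlan: int) -> bool:
        """The per-packet test of claim 23: does this VLAN map to a VSD that
        is currently active on this firewall?"""
        group = self.vlan_to_group.get(vlan)
        return group is not None and self.active_for(group) is fw

    def deliver(self, frame_id: str, vlan: int) -> Optional[str]:
        """Every live firewall sees a copy of the frame (claim 1); exactly one
        applies services, the rest disregard their copy. Returns the owner."""
        owner = None
        for fw in self.firewalls:
            if not fw.alive:
                continue
            if self.is_active_for_vlan(fw, vlan):
                fw.processed.append(frame_id)
                owner = fw.name
            else:
                fw.dropped.append(frame_id)
        return owner

    def coverage_gaps(self) -> Set[int]:
        """VLANs whose group has no live active VSD: after a failure these
        carry traffic that no firewall inspects. Run after every config change."""
        return {v for v, g in self.vlan_to_group.items() if self.active_for(g) is None}


def build_demo() -> Cluster:
    """Constructed two-node cluster: fw-a is active for group1, fw-b for group2,
    each backing the other, mirroring claim 2."""
    fw_a = Firewall("fw-a", {"group1": VSD("vsd-group1", 100), "group2": VSD("vsd-group2", 50)})
    fw_b = Firewall("fw-b", {"group1": VSD("vsd-group1", 50), "group2": VSD("vsd-group2", 100)})
    vlan_map = {10: "group1", 11: "group1", 20: "group2"}
    return Cluster(vlan_map, [fw_a, fw_b])


if __name__ == "__main__":
    c = build_demo()
    fw_a, fw_b = c.firewalls
    print("vlan 10 ->", c.deliver("f1", 10), "| vlan 20 ->", c.deliver("f2", 20))
    print("unmapped vlan 99 ->", c.deliver("f3", 99))
    print("gaps before failure:", c.coverage_gaps())
    fw_a.alive = False                       # peer failure: group1 fails over
    print("vlan 10 after fw-a failure ->", c.deliver("f4", 10))
    fw_b.alive = False
    print("gaps with both down:", c.coverage_gaps())
```

The VLAN partition is what keeps the two copies of each frame from being inspected twice without per-VLAN STP: each VLAN resolves to one active VSD, so the other firewall drops its copy deterministically rather than by spanning-tree blocking. The `coverage_gaps` check is the one to wire into change control; a group whose members are all down or misprioritised is exactly the state in which both firewalls disregard the frame, and whether that means blackholed or uninspected traffic depends on the surrounding switches, not on the firewalls.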
Specification