Layer two firewall with active-active high availability support

US 7,941,837 B1
Filed: 05/22/2007
Issued: 05/10/2011
Est. Priority Date: 04/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

concurrently designating a first layer two (L2) firewall and a second L2 firewall as active L2 firewalls within the same L2 network; and

concurrently applying L2 firewall services to packets within the L2 network with the first L2 firewall and the second L2 firewall by;

receiving, with the first L2 firewall and the second L2 firewall, copies of a same one of the packets within the L2 network; and

disregarding one of the copies of the packet with one of the L2 firewalls based on a virtual local area network (VLAN) identifier associated with the packet,wherein the first L2 firewall operates with the second L2 firewall within the same L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described to enable two or more layer two (L2) firewall devices to be configured as a high availability (HA) cluster in an active-active configuration. A first layer two (L2) firewall and a second L2 firewall are positioned within the same L2 network. The first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the L2 network, and concurrently apply L2 firewall services to packets within the L2 network. A VSD of one of the L2 firewalls automatically switches to an active VSD status for a VSD group in place of a VSD of another L2 firewall when the other L2 firewall fails.

58 Citations

View as Search Results

23 Claims

1. A method comprising:
- concurrently designating a first layer two (L2) firewall and a second L2 firewall as active L2 firewalls within the same L2 network; and
  
  concurrently applying L2 firewall services to packets within the L2 network with the first L2 firewall and the second L2 firewall by;
  
  receiving, with the first L2 firewall and the second L2 firewall, copies of a same one of the packets within the L2 network; and
  
  disregarding one of the copies of the packet with one of the L2 firewalls based on a virtual local area network (VLAN) identifier associated with the packet,wherein the first L2 firewall operates with the second L2 firewall within the same L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.

2. A method comprising:
- assigning a first layer two (L2) firewall to a plurality of different virtual security device (VSD) groups for a single L2 network, wherein each of the VSD groups has at least one other assigned VSD on another L2 firewall within the single L2 network;
  
  designating a first VSD within the first L2 firewall as an active VSD for at least a first one of the VSD groups;
  
  designating the first VSD within a second L2 firewall of the L2 network as a backup VSD for the first VSD group;
  
  designating a second VSD within the first L2 firewall as a backup VSD for at least a second one of the VSD groups;
  
  designating the second VSD within the second L2 firewall as an active VSD for the second VSD group;
  
  associating one or more virtual local area network (VLAN) identifiers with the VSD groups; and
  
  selectively applying firewall services to packets with the first and second L2 firewall based on VLAN identifiers within the packets.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The method of claim 2, wherein selectively applying firewall services comprises:
    - receiving one of the packets having one of the VLAN identifiers; and
      
      determining, with the first L2 firewall, whether the VLAN identifier of the packet corresponds to an active VSD within the first L2 firewall; and
      
      applying an action to the packet based on a firewall rule when the VLAN identifier of the packet corresponds to an active VSD within the first L2 firewall.
  - 4. The method of claim 3, further comprising:
    - dropping the packet when the VLAN identifier of the packet does not correspond to an active VSD within the first L2 firewall.
  - 5. The method of claim 2,wherein designating the VSD within the first L2 firewall as an active VSD comprises receiving configuration information at the first L2 firewall that specifies a priority level of the VSD for the at least one VSD group, andwherein the priority level controls whether the VSD is the active VSD for the corresponding VSD group.
  - 6. The method of claim 2, further comprising exchanging messages via a private network connection with the other L2 firewalls assigned to the VSD groups to determine whether the VSD of the first L2 firewall has a highest priority level for the one of the plurality of VSD groups.
  - 7. The method of claim 6, further comprising:
    - determining that one of the other L2 firewalls comprising an active VSD for one of the VSD groups has failed; and
      
      changing an operational status for a VSD of the first L2 firewall to become a new active VSD for the VSD group based on the determination.
  - 8. The method of claim 2, wherein each of the VSD groups includes only a single active VSD at a given time.
  - 9. The method of claim 2, wherein the first L2 firewall operates with other L2 firewalls within the single L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.

10. A layer two (L2) firewall comprising:
- a physical network interface that receives a packet having a virtual local area network (VLAN) identifier;
  
  a computer-readable storage medium for storing configuration information, wherein the configuration information configures the L2 firewall with a plurality of virtual security devices (VSDs) that provide L2 firewall services within a single L2 network, and associates each of the VSDs with a VSD group, wherein the configuration information specifies at least one of the VSDs of the L2 firewall as an active VSD within one of a plurality of VSD groups, and wherein the configuration information associates one or more VLAN identifiers with the VSD groups,wherein the L2 firewall is configured to determine that another L2 firewall within the single L2 network has the one of the VSDs specified as a backup VSD; and
  
  a control unit to apply the L2 firewall services.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The L2 firewall of claim 10, further comprising a virtual security device (VSD) manager that determines whether the VLAN identifier of the received packet corresponds to an active VSD within the L2 firewall.
  - 12. The L2 firewall of claim 11, wherein the control unit applies L2 firewall services to the packet when the VSD manager determines that the VLAN identifier of the packet corresponds to an active VSD within the L2 firewall.
  - 13. The L2 firewall of claim 11, wherein the control unit drops the packet without applying the firewall services to the packet when the VSD manager determines that the VLAN identifier of the packet does not correspond to an active VSD within the L2 firewall.
  - 14. The L2 firewall of claim 11, wherein the L2 firewall exchanges message via a private network connection with other L2 firewalls assigned to the VSD group to determine whether the VSD of the L2 firewall has a highest priority level for the VSD group.
  - 15. The L2 firewall of claim 11, wherein the VSD manager determines that one of the other L2 firewalls comprising an active VSD for the VSD group has failed, and identifies a VSD of the L2 firewall as a new active VSD for the VSD group based on the determination.
  - 16. The L2 firewall of claim 10, wherein the VSD group includes only a single active VSD at a given time.

17. A system comprising:
- a first layer two (L2) firewall with an L2 network; and
  
  a second L2 firewall positioned within the same L2 network as the first L2 firewall such that duplicate copies of L2 communications at least are initially communicated to both the first and second L2 firewalls when the first and second L2 firewalls are concurrently configured with active VSDs,wherein the first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the same L2 network and concurrently apply L2 firewall services to packets within the L2 network, andwherein the first L2 firewall operates with second L2 firewall within the same L2 network without executing the Spanning Tree Protocol on a per-VLAN basis.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17, further comprising a switch coupling the first L2 firewall to the second L2 firewall, wherein the switch initially forwards copies of the same packets to the first L2 firewall and the second L2 firewall.
  - 19. The system of claim 17, wherein the VSDs of the first and second L2 firewalls are both assigned to a common plurality of VSD groups, and wherein the first and second L2 firewalls are configured with information that associates one or more virtual local area network (VLAN) identifiers with the VSDs.
  - 20. The system of claim 19,wherein the packets include L2 headers having a VLAN identifier, andwherein the first L2 firewall and the second L2 firewall respectively determine whether the VLAN identifiers of the packets correspond to an active VSDs of the first L2 firewall and the second L2 firewall.
  - 21. The system of claim 19, wherein a VSD of the second L2 firewall automatically switches to an active VSD status for a VSD group in place of a VSD of the first L2 firewall when the first L2 firewall fails.
  - 22. The system of claim 19, wherein each of the VSD groups includes only a single active VSD at a given time.

23. A non-transitory computer-readable medium comprising instructions for causing a programmable processor to:
- receive configuration information at a layer two (L2) firewall having L2 connectivity to configure the L2 firewall to include a plurality of virtual security devices (VSD), wherein each of the VSDs belongs to one of a plurality of VSD groups having other VSDs configured on at least one other L2 firewall;
  
  receive configuration information at the L2 firewall that specifies a priority level of the VSDs of the L2 firewall for each of the VSD groups, wherein the priority level dictates whether the VSDs of the L2 firewall are active VSDs for the respective VSD group;
  
  receive configuration information at the L2 firewall that associates one or more virtual local area network (VLAN) identifiers with the VSDs;
  
  receive a packet having a VLAN identifier; and
  
  determine, with the L2 firewall, whether the VLAN identifier of the packet corresponds to an active VSD for the L2 firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Chao, Chih-Wei, Hirschberg, Daniel, Jiang, Dongyi, Nair, Rakesh
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
TABOR, AMARE F

Application Number

US11/751,731
Time in Patent Office

1,449 Days
Field of Search

726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

H04L 63/0236 Filtering by address, proto...

Layer two firewall with active-active high availability support

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Layer two firewall with active-active high availability support

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links