Service processing switch
First Claim
1. A system for providing Internet Protocol (IP) services, comprising:
a switch fabric;
a line interface/network module coupled to the switch fabric;
a plurality of virtual routing engines (VREs) coupled to the switch fabric; and
a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
wherein the line interface/network module receives packets and steers ingress packets across the switch fabric to a selected VRE of the plurality of VREs and transmits egress packets according to their relative priority;
wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to the egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;
wherein the selected VRE determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow; and
if the packet is determined to require processing by the VSE, then steering the packet across the switch fabric to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing.
Abstract
Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a system includes a switch fabric and a line interface/network module, multiple virtual routing engines (VREs) and a virtual services engine (VSE) coupled with the switch fabric. The line interface/network module receives packets, steers ingress packets to a selected VRE and transmits egress packets according to their relative priority. The VREs determine if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results. The VSE includes a central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is determined to require processing by the VSE, then the packet is steered to the VSE for firewall, URL filtering and/or anti-virus processing.
200 Citations
11 Claims
1. A system for providing Internet Protocol (IP) services, comprising:
a switch fabric;
a line interface/network module coupled to the switch fabric;
a plurality of virtual routing engines (VREs) coupled to the switch fabric; and
a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
wherein the line interface/network module receives packets and steers ingress packets across the switch fabric to a selected VRE of the plurality of VREs and transmits egress packets according to their relative priority;
wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to the egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;
wherein the selected VRE determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow; and
if the packet is determined to require processing by the VSE, then steering the packet across the switch fabric to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing.
Dependent claims: 2, 3, 4, 5
6. A method for providing Internet Protocol (IP) services comprising:
providing within a flow manager of a switch a steering table mapping a plurality of virtual local area networks (VLANs) to one or more of a plurality of virtual routing engines (VREs) of the switch;
receiving a packet associated with a VLAN of the plurality of VLANs at a line interface/network module of a plurality of line interface/network modules of the switch;
the flow manager steering the packet across a fabric of the switch to a VRE of the plurality of VREs based on a result of a steering table lookup of the VLAN in the steering table;
the VRE identifying a packet flow with which the packet is associated by performing deep packet classification;
the VRE determining if the packet requires processing by a virtual services engine (VSE) of a plurality of VSEs of the switch by consulting a flow cache, the VSE including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
if the packet requires processing by the VSE, transferring the packet across the fabric to the VSE for processing;
if the packet is not dropped or otherwise blocked as a result of one or more of the firewall processing, the URL filtering and the anti-virus processing, the VSE transferring the processed packet back to the VRE for forwarding;
applying, by an egress forwarding manager of the line interface/network manager, priority queuing to egress packets based on DiffServ marking; and
transmitting, by the egress forwarding manager, the egress packets out of the line interface/network module.
Dependent claims: 10, 11
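The method of claim 6 as a small simulation, added here as an illustration and not taken from the patent or any product built on it. The steering table contents, the port-based flow-learning policy, the `vse_process` stand-in and the strict highest-DSCP-first ordering are all constructed assumptions.

```python
import heapq
from itertools import count

# Every name, table and packet here is constructed for illustration.
STEERING_TABLE = {100: "vre-1", 200: "vre-2"}   # VLAN -> VRE
BLOCKED_HOSTS = {"bad.example"}                  # stand-in URL-filter policy

def vse_process(pkt):
    """Stand-in for firewall/URL-filter/anti-virus; False means drop."""
    return pkt.get("host") not in BLOCKED_HOSTS

class Switch:
    def __init__(self):
        self.flow_cache = {}   # (VRE, 5-tuple) -> learned "needs VSE" decision
        self.egress = []       # heap ordered by DSCP, then arrival order
        self.seq = count()
        self.vse_visits = 0

    def ingress(self, pkt):
        vre = STEERING_TABLE.get(pkt["vlan"])
        if vre is None:
            return "drop:no-vre"               # unmapped VLAN fails closed
        key = (vre, pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if key not in self.flow_cache:         # first packet: learn the flow
            self.flow_cache[key] = pkt["dport"] in (80, 443)
        if self.flow_cache[key]:               # later packets reuse the decision
            self.vse_visits += 1
            if not vse_process(pkt):
                return "drop:vse"
        # Higher DSCP drains first: a simplification of DiffServ queuing.
        heapq.heappush(self.egress, (-pkt["dscp"], next(self.seq), pkt["id"]))
        return "queued:" + vre

    def drain(self):
        return [heapq.heappop(self.egress)[2] for _ in range(len(self.egress))]

def make_pkt(i, vlan, dport, dscp, host=None):
    return {"id": i, "vlan": vlan, "src": "10.0.0.5", "dst": "192.0.2.9",
            "proto": 6, "sport": 40000, "dport": dport, "dscp": dscp, "host": host}

def run_demo():
    sw = Switch()
    packets = [make_pkt(1, 100, 443, 0, "ok.example"), make_pkt(2, 100, 53, 46),
               make_pkt(3, 100, 443, 0, "bad.example"), make_pkt(4, 300, 443, 0),
               make_pkt(5, 200, 22, 10)]
    results = [sw.ingress(p) for p in packets]
    return results, sw.drain(), sw.vse_visits, len(sw.flow_cache)
```

Because the inspection decision is cached per flow, packet 3 is sent to the VSE without being re-learned, while flows learned as not needing the VSE never reach it. The learning policy and cache key therefore determine what the security engine actually sees.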
7. A system for providing Internet Protocol (IP) services, comprising:
a fabric;
a line interface/network module coupled to the fabric;
a plurality of virtual routing engines (VREs) coupled to the fabric; and
a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
an advanced security engine (ASE) coupled to the fabric;
wherein the line interface/network module receives packets and steers the packets to a selected VRE of the plurality of VREs based on a result of a steering table lookup;
wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;
wherein the selected VRE determines if a packet associated with a packet flow requires processing by one or both of the VSE and the ASE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow;
if the packet has been determined to require processing by the VSE, then steering the packet to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing; and
if the packet is not dropped or otherwise blocked as a result of one or more of the firewall processing, the URL filtering and the anti-virus processing and the packet has been determined to require processing by the ASE, then the VSE steering the processed packet to the ASE for processing.
Dependent claims: 8, 9
Specification