Service processing switch

US 8,064,462 B2
Filed: 05/17/2010
Issued: 11/22/2011
Est. Priority Date: 06/04/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing Internet Protocol (IP) services, comprising:

a switch fabric;

a line interface/network module coupled to the switch fabric;

a plurality of virtual routing engines (VREs) coupled to the switch fabric; and

a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;

wherein the line interface/network module receives packets and steers ingress packets across the switch fabric to a selected VRE of the plurality of VREs and transmits egress packets according to their relative priority;

wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to the egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;

wherein the selected VRE determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow; and

if the packet is determined to require processing by the VSE, then steering the packet across the switch fabric to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a system includes a switch fabric and a line interface/network module, multiple virtual routing engines (VREs) and a virtual services engine (VSE) coupled with the switch fabric. The line interface/network module receives packets, steers ingress packets to a selected VRE and transmits egress packets according to their relative priority. VREs determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results. The VSE includes a central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is determined to require processing by the VSE, then the packet is steered to the VSE for firewall, URL filtering and/or anti-virus processing.

200 Citations

11 Claims

1. A system for providing Internet Protocol (IP) services, comprising:
- a switch fabric;
  
  a line interface/network module coupled to the switch fabric;
  
  a plurality of virtual routing engines (VREs) coupled to the switch fabric; and
  
  a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
  
  wherein the line interface/network module receives packets and steers ingress packets across the switch fabric to a selected VRE of the plurality of VREs and transmits egress packets according to their relative priority;
  
  wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to the egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;
  
  wherein the selected VRE determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow; and
  
  if the packet is determined to require processing by the VSE, then steering the packet across the switch fabric to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, further comprising a second VSE.
  - 3. The system of claim 2, wherein the second VSE comprises an advanced security engine (ASE).
  - 4. The system of claim 3, wherein the ASE comprises a plurality of encryption accelerators, a key accelerator and a security manager configured to load balance and manage security sessions across the plurality of encryption accelerators.
  - 5. The system of claim 1, wherein the line interface/network module includes an ingress forwarding manager which maintains a steering table mapping virtual local area networks to one or more VREs of the plurality of VREs.

6. A method for providing Internet Protocol (IP) services comprising:
- providing within a flow manager of a switch a steering table mapping a plurality of virtual local area networks (VLANs) to one or more of a plurality of virtual routing engines (VREs) of the switch;
  
  receiving a packet associated with a VLAN of the plurality of VLANs at a line interface/network module of a plurality of line interface/network modules of the switch;
  
  the flow manager steering the packet across a fabric of the switch to a VRE of the plurality of VREs based on a result of a steering table lookup of the VLAN in the steering table;
  
  the VRE identifying a packet flow with which the packet is associated by performing deep packet classification;
  
  the VRE determining if the packet requires processing by a virtual services engine (VSE) of a plurality of VSEs of the switch by consulting a flow cache, the VSE including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
  
  if the packet requires processing by the VSE, transferring the packet across the fabric to the VSE for processing;
  
  if the packet is not dropped or otherwise blocked as a result of one or more of the firewall processing, the URL filtering and the anti-virus processing, the VSE transferring the processed packet back to the VRE for forwarding;
  
  applying, by an egress forwarding manager of the line interface/network manger, priority queuing to egress packets based on DiffServ marking; and
  
  transmitting, by the egress forwarding manager, the egress packets out of the line/interface/network module.
- View Dependent Claims (10, 11)
- - 10. The method of claim 6, wherein the switch further comprises an advanced security engine (ASE), including a plurality of encryption accelerators, a key accelerator and a security manager, the method further comprising load balancing and managing security sessions, by the security manager, across the plurality of encryption accelerators.
  - 11. The method of claim 6, wherein the line interface/network module includes an ingress forwarding manager, the method further comprising maintaining, by the ingress forwarding manager, a steering table that maps virtual local area networks to one or more VREs of the plurality of VREs.

7. A system for providing Internet Protocol (IP) services, comprising:
- a fabric;
  
  a line interface/network module coupled to the fabric;
  
  a plurality of virtual routing engines (VREs) coupled to the fabric; and
  
  a virtual services engine (VSE), coupled to the switch fabric, including at least one central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing;
  
  an advanced security engine (ASE) coupled to the fabric;
  
  wherein the line interface/network module receives packets and steers the packets to a selected VRE of the plurality of VREs based on a result of a steering table lookup;
  
  wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module;
  
  wherein the selected VRE determines if a packet associated with a packet flow requires processing by the one or both of the VSE and the ASE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results based on a previously received packet of the packet flow;
  
  if the packet has been determined to require processing by the VSE, then steering the packet to the VSE for one or more of the firewall processing, the URL filtering and the anti-virus processing; and
  
  if the packet is not dropped or otherwise blocked as a result of one or more of the firewall processing, the URL filtering and the anti-virus processing and the packet has been determined to require processing by the ASE, then the VSE steering the processed packet to the ASE for processing.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the ASE comprises a plurality of encryption accelerators, a key accelerator and a security manager configured to load balance and manage security sessions across the plurality of encryption accelerators.
  - 9. The system of claim 7, wherein the line interface/network module includes an ingress forwarding manager which maintains a steering table mapping virtual local area networks to one or more VREs of the plurality of VREs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Millet, Tim, Hussain, Zahid
Primary Examiner(s)
PHAN, MAN U

Application Number

US12/781,808
Publication Number

US 20100220732A1
Time in Patent Office

554 Days
Field of Search

370230-235, 370253-255, 370312-352, 370386-397, 709217-224, 709238-246, 714 14- 21
US Class Current

370/395
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/00   Routing or path finding of ...

H04L 45/20   Hop count for routing purpo...

H04L 45/586   of virtual routers

H04L 45/60   Router architectures

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/2408   for supporting different se...

H04L 47/2441   relying on flow classificat...

H04L 47/2491   Mapping quality of service ...

H04L 47/326   with random discard, e.g. r...

H04L 47/50   Queue scheduling

H04L 47/6215   Individual queue per QOS, r...

H04L 47/623   Weighted service order

H04L 49/70   Virtual switches

H04L 61/2503   Translation of Internet pro...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/101 : Access control lists [ACL]

H04L 63/164 : at the network layer

H04L 69/22 : Parsing or analysis of headers

H04L 69/24 : Negotiation of communicatio...

View All

Service processing switch

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

200 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Service processing switch

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links