Packet routing system and method
First Claim
1. A method comprising:
- providing a service provider with a service processing switch including a plurality of blades each having a plurality of processor elements;
- partitioning a plurality of virtual routers (VRs) of the service processing switch between a first subscriber and a second subscriber of the service provider by associating a first set of processor element identifiers (PEIDs) with a first set of processor elements of the plurality of processor elements supporting a first set of VRs of the plurality of VRs partitioned to the first subscriber and a second set of PEIDs with a second set of processor elements of the plurality of processor elements supporting a second set of VRs of the plurality of VRs partitioned to the second subscriber, wherein PEIDs are assigned to each of the plurality of processor elements based on a combination of a blade ID of a blade of the plurality of blades with which the processor element is associated and a processor element number of the processor element;
- configuring the first set of VRs to provide a first set of managed network-based security services on behalf of the first subscriber by creating within the first set of VRs a first object group including a first subset of objects selected to be supportive of the first set of managed network-based security services;
- configuring the second set of VRs to provide a second set of managed network-based security services on behalf of the second subscriber by creating within the second set of VRs a second object group including a second subset of objects selected to be supportive of the second set of managed network-based security services;
- the service processing switch providing appropriate managed network-based security services for the first subscriber and the second subscriber by steering a first subscriber packet destined for or originating from a site of the first subscriber to an appropriate processor element of the first set of processor elements supporting the first set of VRs and an appropriate object within the first object group based on a PEID value associated with the first subscriber packet and a logical queue identifier (LQID) value associated with the first subscriber packet, the PEID value associated with the first subscriber packet corresponding to a PEID assigned to the appropriate processor element of the first set of processor elements, and the LQID value associated with the first subscriber packet corresponding to an LQID assigned to the appropriate object within the first object group; and
- steering a second subscriber packet destined for or originating from a site of the second subscriber to an appropriate processor element of the second set of processor elements supporting the second set of VRs and an appropriate object within the second object group based on a PEID value associated with the second subscriber packet and a logical queue identifier (LQID) value associated with the second subscriber packet, the PEID value associated with the second subscriber packet corresponding to a PEID assigned to the appropriate processor element of the second set of processor elements, and the LQID value associated with the second subscriber packet corresponding to an LQID assigned to the appropriate object within the second object group.
Abstract
A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A packet routing system and method is also described that includes a processor identifier in each packet to route the packets to a physical processor, and a logical queue identifier to route the packets to the destination object within that processor.
11 Claims
10. An Internet Protocol (IP) service delivery architecture comprising:
- a Service Management System (SMS) residing in a Network Operations Center (NOC) of a service provider;
- an IP service processing switch, including a plurality of blades each having a plurality of processor elements, located within a service provider's Point of Presence (POP) and communicatively coupled to the service provider via a backbone of the service provider, the IP service processing switch providing customized, managed network-based security services to each of a plurality of subscribers of the service provider by (i) allocating one or more virtual routers (VRs) of a plurality of VRs to each of the plurality of subscribers based on processor element identifiers (PEIDs) associated with a set of processor elements of the plurality of processor elements supporting the plurality of VRs, (ii) instantiating object groups within the one or more VRs allocated to each subscriber based on security service needs of the subscriber, (iii) assigning logical queue identifiers (LQIDs) to objects of the object groups, and (iv) steering received packets to appropriate objects of the object groups based on PEID values and LQID values associated with the packets, the PEID values containing information indicative of a blade ID of a blade of the plurality of blades and a processor element number of a processor element of the set of processor elements associated with the blade;
- a Customer Network Management (CNM) system communicatively coupled with the IP service processing switch and located at a site within each subscriber;
- wherein the SMS enables centralized deployment, configuration and management of a managed network-based security service on behalf of the plurality of subscribers; and
- wherein the CNMs provide the respective subscribers with the ability to (i) initiate service provisioning and augmentation of the customized, managed network-based security services and (ii) obtain detailed network and service performance information.
11. An Internet Protocol (IP) service processing switch comprising:
- a plurality of blades each having a plurality of processor elements (PEs), each of the plurality of PEs running a plurality of virtual routers (VRs) configured to provide customized security services to a subscriber of a plurality of subscribers of a service provider by (i) creating object groups within the plurality of VRs in accordance with security service needs of respective subscribers and (ii) assigning logical queue identifiers (LQIDs) to objects of the object groups, the objects including one or more of a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object, each of the plurality of PEs being assigned a PE identifier (PEID), based on a PE number of the PE and a blade ID of a blade of the plurality of blades with which the PE is associated, that is unique within the IP service processing switch;
- a packet-passing ring coupling the plurality of blades in communication; and
- wherein upon a blade of the plurality of blades receiving a packet, the blade inspects a PEID value associated with the packet and if the PEID value corresponds to a PE of the plurality of PEs on the blade, then the packet is steered to an object of the plurality of VRs running on the PE that corresponds to the LQID value, and if the PEID value does not correspond to any of the PEs of the plurality of PEs on the blade, then the packet is forwarded to the next blade of the plurality of blades on the packet-passing ring.
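The steering rule of claim 11 together with the per-subscriber PEID partitioning of claim 1, as an added Python model that is not code from the patent or from any product it describes: a PEID combines blade ID and PE number, a blade dispatches a local PEID to the object selected by LQID or forwards the packet to the next blade on the ring, and a packet whose PEID/LQID resolves to an object owned by a different subscriber is dropped rather than steered across the partition. The 8-bit field layout, the class and function names, the hop limit and the sample switch are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
def make_peid(blade_id: int, pe_number: int) -> int:
    # PEID = blade ID combined with PE number (claims 1 and 11); the 8-bit fields are assumed
    return (blade_id << 8) | pe_number

@dataclass(frozen=True)
class Packet:
    subscriber: str  # subscriber the switch classified the packet to at ingress
    peid: int        # target processor element
    lqid: int        # target object (logical queue) within that PE's VRs

class Blade:
    def __init__(self, blade_id: int, pe_count: int) -> None:
        self.blade_id = blade_id
        self.local_peids = {make_peid(blade_id, n) for n in range(pe_count)}
        self.objects: Dict[int, Dict[int, Tuple[str, str]]] = {}  # PEID -> LQID -> (owner, name)
        self.next_blade: Optional["Blade"] = None

    def add_object(self, peid: int, lqid: int, subscriber: str, name: str) -> None:
        assert peid in self.local_peids, "an object must live on one of this blade's PEs"
        self.objects.setdefault(peid, {})[lqid] = (subscriber, name)

    def steer(self, pkt: Packet, hops_left: int) -> Tuple[str, int, str]:
        # Claim 11: local PEID -> dispatch by LQID; otherwise forward on the ring
        if pkt.peid not in self.local_peids:
            if hops_left == 0 or self.next_blade is None:
                return ("drop", self.blade_id, "peid-not-in-switch")
            return self.next_blade.steer(pkt, hops_left - 1)
        entry = self.objects.get(pkt.peid, {}).get(pkt.lqid)
        if entry is None:
            return ("drop", self.blade_id, "no-object-for-lqid")
        owner, name = entry
        if owner != pkt.subscriber:  # partition check: never cross into another subscriber's VR
            return ("drop", self.blade_id, "cross-subscriber")
        return ("deliver", self.blade_id, name)

def build_ring(blade_count: int, pe_count: int) -> List[Blade]:
    blades = [Blade(b, pe_count) for b in range(blade_count)]
    for i, blade in enumerate(blades):
        blade.next_blade = blades[(i + 1) % blade_count]  # packet-passing ring
    return blades

def route(blades: List[Blade], ingress: int, pkt: Packet) -> Tuple[str, int, str]:
    return blades[ingress].steer(pkt, hops_left=len(blades) - 1)  # at most one full lap

RING = build_ring(3, 2)  # constructed sample switch: 3 blades x 2 PEs, partitioned by PEID
RING[0].add_object(make_peid(0, 0), 1, "sub-A", "firewall")
RING[0].add_object(make_peid(0, 1), 2, "sub-A", "nat")
RING[2].add_object(make_peid(2, 1), 1, "sub-B", "packet-filter")
```

The hop limit makes a PEID that exists on no blade terminate after one lap of the ring instead of circulating indefinitely.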