Service processing switch

US 8,542,595 B2
Filed: 11/13/2011
Issued: 09/24/2013
Est. Priority Date: 06/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for delivering network-based Internet Protocol (IP) services to a plurality of customers of a service provider, the method comprising:

monitoring a load associated with a plurality of virtual routing processing resources of an IP service generator of a virtual router (VR) based switch, each of the plurality of virtual routing processing resources representing an application-tailored engine configured to perform packet classification and deep packet inspection;

load balancing received packets, by a flow manager of a line interface/network module of the IP service generator, among the plurality of virtual routing processing resources by directing received packets to a selected virtual routing processing resource of the plurality of virtual routing processing resources, the received packets representing service requests from the plurality of customers;

maintaining by the plurality of virtual routing processing resources a packet flow cache by setting up packet flow entries associated with each established packet flow, each packet flow entry of the packet flow cache containing information indicative of one or more packet processing actions or packet field manipulations to perform on packets associated with the established packet flow;

determining, by the selected virtual routing processing resource, whether a received packet is associated with an established packet flow within the packet flow cache by performing deep packet classification;

when an affirmative determination is made, directing, by the selected virtual routing processing resource, the received packet to a virtual services processing resource of a plurality of virtual services processing resources of the IP service generator, each of the plurality of virtual services processing resources representing an application-tailored engine configured to provide network-based IP services including one or more of virtual private network (VPN) processing, firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing; and

if the received packet is not dropped or otherwise blocked as a result of the network-based IP services performed by the virtual services processing resource, the virtual services processing resource returning the received packet to the selected virtual routing processing resource for forwarding.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a load associated with multiple virtual routing processing resources of an IP service generator of a virtual router (VR) based switch is monitored. Packets are load balanced among the virtual routing processing resources. A packet flow cache is maintained with packet flow entries containing information indicative of packet processing actions for established packet flows. Deep packet classification is performed to determine whether a packet is associated with an established packet flow. If so, the packet is directed to one of multiple virtual services processing resources representing application-tailored engines configured to provide network-based IP services including one or more of virtual private network (VPN) processing, firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is allowed, it is returned to the source virtual routing processing resource for forwarding.

151 Citations

16 Claims

1. A method for delivering network-based Internet Protocol (IP) services to a plurality of customers of a service provider, the method comprising:
- monitoring a load associated with a plurality of virtual routing processing resources of an IP service generator of a virtual router (VR) based switch, each of the plurality of virtual routing processing resources representing an application-tailored engine configured to perform packet classification and deep packet inspection;
  
  load balancing received packets, by a flow manager of a line interface/network module of the IP service generator, among the plurality of virtual routing processing resources by directing received packets to a selected virtual routing processing resource of the plurality of virtual routing processing resources, the received packets representing service requests from the plurality of customers;
  
  maintaining by the plurality of virtual routing processing resources a packet flow cache by setting up packet flow entries associated with each established packet flow, each packet flow entry of the packet flow cache containing information indicative of one or more packet processing actions or packet field manipulations to perform on packets associated with the established packet flow;
  
  determining, by the selected virtual routing processing resource, whether a received packet is associated with an established packet flow within the packet flow cache by performing deep packet classification;
  
  when an affirmative determination is made, directing, by the selected virtual routing processing resource, the received packet to a virtual services processing resource of a plurality of virtual services processing resources of the IP service generator, each of the plurality of virtual services processing resources representing an application-tailored engine configured to provide network-based IP services including one or more of virtual private network (VPN) processing, firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing; and
  
  if the received packet is not dropped or otherwise blocked as a result of the network-based IP services performed by the virtual services processing resource, the virtual services processing resource returning the received packet to the selected virtual routing processing resource for forwarding.
- View Dependent Claims (2, 3, 4, 5, 16)
- - 2. The method of claim 1, wherein said load balancing is based on a virtual local area network (VLAN) with which the received packet is associated.
  - 3. The method of claim 1, wherein said directing received packets to a selected virtual routing processing resource comprises steering the received packets across a switch fabric within the IP service generator.
  - 4. The method of claim 1, wherein the VR-based switch comprises a chassis-based switch and wherein the IP service generator is implemented within a blade of a plurality of blades of the chassis-based switch.
  - 5. The method of claim 4, wherein each of the plurality of virtual routing processing resources comprises a virtual routing engine (VRE) including at least one central processing unit and random access memory.
  - 16. The method of claim 4, wherein each of the plurality of virtual service processing resources comprises a virtual services engine (VSE) including at least one central processing unit and random access memory.

6. A system for providing network-based Internet Protocol (IP) services to a plurality of customers of a service provider, comprising:
- a plurality of virtual routing processing resources configured to perform packet classification and deep packet inspection and further configured to maintain a packet flow cache by setting up packet flow entries associated with each established packet flow, each packet flow entry of the packet flow cache containing information indicative of one or more packet processing actions or packet field manipulations to perform on packets associated with the established packet flow;
  
  a plurality of virtual services processing resources configured to provide network-based IP services including one or more of virtual private network (VPN) processing,a line interface/network module coupled in communication with the plurality of virtual routing processing resources, the line interface/network module including a flow manager configured to load balance received packets among the plurality of virtual routing processing resources by directing received packets to a selected virtual routing processing resource of the plurality of virtual routing processing resources, the received packets representing service requests from the plurality of customers;
  
  wherein the selected virtual routing processing resource determines whether a received packet is associated with an established packet flow within the packet flow cache by performing deep packet classification;
  
  wherein responsive to an affirmative determination the selected virtual routing processing resource directs the received packet to a virtual services processing resource of the plurality of virtual services processing resources; and
  
  wherein if the received packet is not dropped or otherwise blocked as a result of the network-based IP services performed by the virtual services processing resource, the virtual services processing resource returns the received packet to the selected virtual routing processing resource for forwarding.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The system of claim 6, wherein the flow manager performs load balancing based on a virtual local area network (VLAN) with which the received packet is associated.
  - 8. The system of claim 6, further comprising a switch fabric and wherein the selected virtual routing processing resource directs the received packet to the virtual services processing resource by steering the received packets across the switch fabric.
  - 9. The system of claim 6, wherein the system is a chassis-based switch and wherein the plurality of virtual routing processing resources, the plurality of virtual service processing resources and the line interface/network module are implemented within a blade of a plurality of blades of the chassis-based switch.
  - 10. The system of claim 6, wherein each of the plurality of virtual routing processing resources comprises a virtual routing engine (VRE) including at least one central processing unit and random access memory.
  - 11. The system of claim 10, wherein the line interface/network module includes an ingress forwarding manager which maintains a steering table mapping virtual local area networks (VLANs) to one or more VREs of the plurality of VREs.
  - 12. The system of claim 6, wherein each of the plurality of virtual services processing resources comprises a virtual services engine (VSE) including at least one central processing unit and random access memory.
  - 13. The system of claim 12, wherein at least one of the plurality of VSEs comprises an advanced security engine (ASE).
  - 14. The system of claim 13, wherein the ASE comprises a plurality of encryption accelerators, a key accelerator and a security manager configured to load balance and manage security sessions across the one or more encryption accelerators.
  - 15. The system of claim 6, wherein the line interface/network module includes an egress forwarding manager which applies priority queuing to egress packets based on DiffServ marking and transmits the egress packets out of the line interface/network module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Hussain, Zahid, Millet, Tim
Primary Examiner(s)
Phan, M.

Application Number

US13/295,077
Publication Number

US 20120057460A1
Time in Patent Office

681 Days
Field of Search

370230-235, 370253-255, 370312-397, 709217-229, 709238-246, 714 4- 21
US Class Current

370/235
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 45/00   Routing or path finding of ...

H04L 45/20   Hop count for routing purpo...

H04L 45/586   of virtual routers

H04L 45/60   Router architectures

H04L 47/10   Flow control; Congestion co...

H04L 47/125   by balancing the load, e.g....

H04L 47/2408   for supporting different se...

H04L 47/2441   relying on flow classificat...

H04L 47/2491   Mapping quality of service ...

H04L 47/326   with random discard, e.g. r...

H04L 47/50   Queue scheduling

H04L 47/6215   Individual queue per QOS, r...

H04L 47/623   Weighted service order

H04L 49/70   Virtual switches

H04L 61/2503   Translation of Internet pro...

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061 : for key exchange, e.g. in p...

H04L 63/062 : for key distribution, e.g. ...

H04L 63/101 : Access control lists [ACL]

H04L 63/164 : at the network layer

H04L 69/22 : Parsing or analysis of headers

H04L 69/24 : Negotiation of communicatio...

View All

Service processing switch

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Service processing switch

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others