Packet routing system and method
Abstract
Methods and systems for offering network-based managed security services are provided. According to one embodiment, an IP service processing switch includes multiple service blades and one or more packet-passing data rings. The service blades each have multiple processors for providing customized security services to subscribers of a service provider. Upon receipt of a packet by a service blade from the one or more packet-passing data rings, a PEID value within the packet is inspected and when the PEID value corresponds to a PEID assigned to a processor associated with the service blade, the packet is steered to a software entity of a VR on the processor that corresponds to an LQID value within the packet. And, when the PEID value does not correspond to any PEIDs assigned to processors on the service blade, the packet is passed to a next service blade on the one or more packet-passing data rings.
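An added example, not taken from the patent: a minimal Python model of the ring steering the abstract describes, where a blade either delivers a packet by PEID and LQID or passes it to the next blade. The PEID bit layout, the one-circuit hop limit, the two drop outcomes and the entity names are assumptions; the text only states that a PEID is based on the blade ID and the processor element number.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PE_BITS = 4  # assumption: low bits of a PEID carry the processor element number


def make_peid(blade_id: int, pe_number: int) -> int:
    """Build a switch-unique PEID from blade ID and processor element number."""
    if not 0 <= pe_number < (1 << PE_BITS):
        raise ValueError("processor element number out of range")
    return (blade_id << PE_BITS) | pe_number


@dataclass
class Blade:
    blade_id: int
    # PEID -> {LQID -> software entity}, one inner table per processor on the blade
    processors: Dict[int, Dict[int, str]] = field(default_factory=dict)

    def add_entity(self, pe_number: int, lqid: int, entity: str) -> None:
        peid = make_peid(self.blade_id, pe_number)
        self.processors.setdefault(peid, {})[lqid] = entity


def steer(ring: List[Blade], entry: int, peid: int, lqid: int
          ) -> Tuple[str, Optional[int], Optional[str], int]:
    """Walk the ring from the entry blade; return (outcome, blade_id, entity, hops)."""
    for hops in range(len(ring)):
        blade = ring[(entry + hops) % len(ring)]
        queues = blade.processors.get(peid)
        if queues is None:
            continue  # PEID not assigned on this blade: pass to the next blade
        entity = queues.get(lqid)
        if entity is None:
            # Assumed handling: the PEID matched but no entity owns this LQID.
            return ("drop-unknown-lqid", blade.blade_id, None, hops)
        return ("delivered", blade.blade_id, entity, hops)
    # Assumed handling: one full circuit without a match, so stop circulating.
    return ("drop-unknown-peid", None, None, len(ring))


def build_sample_ring() -> List[Blade]:
    """Constructed sample: three blades, two subscribers reusing the same LQID."""
    ring = [Blade(0), Blade(1), Blade(2)]
    ring[0].add_entity(0, 3, "subscriber-A/vpn")
    ring[1].add_entity(0, 7, "subscriber-A/firewall")
    ring[2].add_entity(1, 7, "subscriber-B/firewall")
    return ring
```

Because both subscribers use LQID 7, the PEID alone decides which subscriber's entity receives a packet; the LQID only selects an entity within the matched processor.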
17 Claims
1. An Internet Protocol (IP) service processing switch comprising:
a plurality of service blades each having a plurality of processors including their own central processing unit (CPU) and memory, the plurality of processors providing customized security services to a plurality of subscribers of a service provider by (i) creating software entities, in a form of object groups within a plurality of virtual routers (VRs) executing on the plurality of processors, in accordance with security service needs of respective subscribers of the plurality of subscribers, (ii) assigning logical queue identifiers (LQIDs) to each of the software entities and (iii) assigning processor element identifiers (PEIDs) to each of the processors of the plurality of processors based on a processor element number of the processor and a blade ID of a service blade of the plurality of service blades with which the processor is associated, that is unique within the IP service processing switch;
one or more packet-passing data rings coupling the plurality of service blades in communication; and
wherein upon a service blade of the plurality of blades receiving a packet from the one or more packet-passing data rings, the service blade inspects a PEID value within the packet and when the PEID value corresponds to a PEID assigned to a processor of the plurality of processors on the service blade, the packet is steered to a software entity of a VR of the plurality of VR on the processor that corresponds to an LQID value within the packet, and when the PEID value does not correspond to any PEIDs assigned to the plurality of processors on the service blade, the packet is passed to a next service blade of the plurality of service blades on the one or more packet-passing data rings.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method comprising:
partitioning a plurality of virtual routers (VRs) of a service processing switch, including a plurality of service blades each having a plurality of processors including their own central processing unit (CPU) and memory, between a first subscriber and a second subscriber of a network-based security service provider by (i) associating a first set of processor element identifiers (PEIDs) with a first set of processors of the plurality of processors, the first set of processors supporting a first set of VRs of the plurality of VRs partitioned to the first subscriber and (ii) associating a second set of PEIDs with a second set of processors of the plurality of processors, the second set of processors supporting a second set of VRs of the plurality of VRs partitioned to the second subscriber, wherein PEIDs are assigned to each of the plurality of processors based on a combination of a blade ID of a service blade of the plurality of service blades with which the processor is associated and a processor element number of the processor;
configuring the first set of VRs to provide a first set of managed network-based security services on behalf of the first subscriber by creating within the first set of VRs a first software entity comprising a first object group including a first subset of objects selected to be supportive of the first set of managed network-based security services;
configuring the second set of VRs to provide a second set of managed network-based security services on behalf of the second subscriber by creating within the second set of VRs a second software entity comprising a second object group including a second subset of objects selected to be supportive of the second set of managed network-based security services;
the service processing switch providing the managed network-based security services for the first subscriber and the second subscriber by steering a first packet destined for or originating from a site of the first subscriber to an appropriate processor of the first set of processors and the first software entity based on a first PEID value within the first packet and a first logical queue identifier (LQID) value within the first packet, the first PEID value corresponding to a first PEID assigned to the appropriate processor of the first set of processors, and the first LQID value corresponding to a first LQID assigned an object of the first object group of the first software entity; and
steering a second packet destined for or originating from a site of the second subscriber to an appropriate processor of the second set of processors and the second software entity based on a second PEID value within the second packet and a second LQID value within the second packet, the second PEID value corresponding to a second PEID assigned to the appropriate processor of the second set of processors, and the second LQID value corresponding to a second LQID assigned to an object of the second object group of the second software entity.
Dependent claims: 12, 13, 14, 15, 16, 17
Specification