Hierarchical clustering in a geographically dispersed network environment
First Claim
1. A method comprising:
receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, wherein the cluster domain is generated by a data subnet extended between multiple DCs with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple data centers (DCs), wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
identifying the packet, by the ASA unit, as matching an inter-data center (DC) live traffic profile;
identifying, by the ASA unit, a target ASA cluster in the plurality of ASA clusters in the cluster domain;
querying, by the ASA unit, a domain director in the target ASA cluster for a flow owner;
if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
Abstract
An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.
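The decision sequence in the abstract can be modelled as follows. This is an added sketch, not code from the patent or from any ASA software; the class names, the flow-key tuple, the unit identifiers, and the step where the director records the new owner are assumptions made for illustration, and the case the text does not cover (no owner and no flow state) is returned as "unspecified".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DirectorEntry:
    owner: Optional[str]  # unit id of the flow owner known to the director
    has_state: bool       # director holds flow state for this flow

@dataclass
class DomainDirector:     # hypothetical model of one cluster's domain director
    cluster: str
    flows: dict = field(default_factory=dict)

    def query(self, key):
        return self.flows.get(key, DirectorEntry(None, False))

@dataclass
class Decision:
    action: str           # "forward", "take_ownership", "unspecified", "not_matched"
    owner: Optional[str]
    reason: str

def resolve_flow_owner(unit_id, key, connection_initiating, matches_profile, director):
    """Apply the claimed steps for a packet received by ASA unit `unit_id`."""
    if not matches_profile:
        return Decision("not_matched", None, "not inter-DC live traffic")
    entry = director.query(key)  # query the target cluster's domain director
    if entry.owner is not None:
        return Decision("forward", entry.owner, "owner known to director")
    if entry.has_state:
        # Assumption: the director is updated so later packets find the owner.
        director.flows[key] = DirectorEntry(unit_id, True)
        kind = "connection-initiating" if connection_initiating else "mid-flow"
        return Decision("take_ownership", unit_id, f"state without owner, {kind} packet")
    return Decision("unspecified", None, "no owner and no state: not covered by the text")

def demo():
    # Constructed sample flows: (src, sport, dst, dport, proto)
    a = ("10.0.1.5", 40000, "10.0.2.9", 443, "tcp")
    b = ("10.0.1.6", 40001, "10.0.2.9", 443, "tcp")
    c = ("10.0.1.7", 40002, "10.0.2.9", 443, "tcp")
    d = DomainDirector("dc2", {a: DirectorEntry("dc2-unit1", True),
                               b: DirectorEntry(None, True)})
    return [resolve_flow_owner("dc1-unit3", a, False, True, d),
            resolve_flow_owner("dc1-unit3", b, False, True, d),
            resolve_flow_owner("dc1-unit4", b, False, True, d),
            resolve_flow_owner("dc1-unit3", c, False, True, d)]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```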
17 Claims
10. Non-transitory tangible media encoding logic that includes instructions for execution, which when executed by a processor of an ASA unit, is operable to perform operations comprising:
receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA clusters in a cluster domain of a network environment, wherein the cluster domain is generated by a data subnet extended between multiple data centers (DCs) with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple DCs, wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
identifying the packet as matching an inter-DC live traffic profile;
identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain;
querying a domain director in the target ASA cluster for a flow owner;
if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
14. An apparatus, comprising:
a memory element for storing data; and
a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured as an ASA unit for:
receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA clusters in a cluster domain of a network environment, wherein the cluster domain is generated by a data subnet extended between multiple data centers (DCs) with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple DCs, wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
identifying the packet as matching an inter-DC live traffic profile;
identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain;
querying a domain director in the target ASA cluster for a flow owner;
if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
Specification