Hierarchical clustering in a geographically dispersed network environment

US 9,800,549 B2
Filed: 02/11/2015
Issued: 10/24/2017
Est. Priority Date: 02/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, wherein the cluster domain is generated by a data subnet extended between multiple DCs with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple data centers (DCs), wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;

identifying the packet, by the ASA unit, as matching an inter-data center (DC) live traffic profile;

identifying, by the ASA unit, a target ASA cluster in the plurality of ASA clusters in the cluster domain;

querying, by the ASA unit, a domain director in the target ASA cluster for a flow owner;

if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;

if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and

identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Citations

17 Claims

1. A method comprising:
- receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, wherein the cluster domain is generated by a data subnet extended between multiple DCs with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple data centers (DCs), wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
  
  identifying the packet, by the ASA unit, as matching an inter-data center (DC) live traffic profile;
  
  identifying, by the ASA unit, a target ASA cluster in the plurality of ASA clusters in the cluster domain;
  
  querying, by the ASA unit, a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
  
  identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 3. The method of claim 1, wherein identifying the target ASA cluster comprises querying a database.
  - 4. The method of claim 1, wherein identifying the target ASA cluster comprises computing a consistent hash (cHash) of all the ASA clusters in the cluster domain.
  - 5. The method of claim 1, further comprising identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.
  - 6. The method of claim 5, further comprising obtaining an Internet Protocol/Media Access Control (IP/MAC) address of the domain director from a local copy of a remote cluster membership list at the ASA unit.
  - 7. The method of claim 1, wherein each ASA cluster comprises a plurality of ASA units.
  - 8. The method of claim 1, wherein site-independent configuration of the ASA units in the cluster domain is the same among all the ASA units in all the ASA clusters in the cluster domain, wherein site-specific configuration of the ASA units in each ASA cluster is different from corresponding configuration of the ASA units in other ASA clusters in the cluster domain.
  - 9. The method of claim 8, wherein ASA unit is a cluster master, wherein updates to the site-independent configuration of the ASA unit triggers an update, by the ASA unit, to other cluster masters in the other ASA clusters in the cluster domain.

10. Non-transitory tangible media encoding logic that includes instructions for execution, which when executed by a processor of an ASA unit, is operable to perform operations comprising:
- receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA clusters in a cluster domain of a network environment) wherein the cluster domain is generated by a data subnet extended between multiple data centers (DCs) with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple DCs, wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
  
  identifying the packet as matching an inter-DC live traffic profile;
  
  identifying a target ASA duster in the plurality of ASA clusters in the cluster domain;
  
  querying a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
  
  identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
- View Dependent Claims (11, 12, 13)
- - 11. The media of claim 10, the operations further comprising dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 12. The media of claim 10, wherein identifying the target ASA cluster comprises computing a cHash of all the ASA clusters in the cluster domain.
  - 13. The media of claim 10, the operations further comprising identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.

14. An apparatus, comprising:
- a memory element for storing data; and
  
  a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory dement cooperate, such that the apparatus is configured as an ASA unit for;
  
  receiving a packet at the ASA unit, wherein the ASA unit comprises one of a plurality of ASA units in one of a plurality of ASA dusters in a duster domain of a network environment, wherein the duster domain is generated by a data subnet extended between multiple data centers (DCs) with the plurality of ASA clusters servicing traffic for a given set of protected endpoints within the multiple DCs, wherein any one ASA cluster in the plurality of ASA clusters services a corresponding one of the multiple DCs, wherein each ASA cluster comprises multiple ASA units;
  
  identifying the packet as matching an inter-DC live traffic profile;
  
  identifying a target ASA duster in the plurality of ASA dusters in the cluster domain;
  
  querying a domain director in the target ASA cluster for a flow owner;
  
  if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster;
  
  if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner; and
  
  identifying the ASA unit as the flow owner if the flow owner is not identified by the domain director, the domain director includes a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, further configured for dropping the packet if the flow owner is not identified by the domain director, the domain director does not include a flow state for the flow to which the packet belongs, and the packet is not a connection-initiating packet.
  - 16. The apparatus of claim 14, wherein identifying the target ASA cluster comprises computing a cHash of all the ASA clusters in the cluster domain.
  - 17. The apparatus of claim 14, further configured for identifying the domain director in the target ASA cluster by computing a cHash of all the ASA units in the target ASA cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Leung, Kent K., Wang, Xun, Ossipov, Andrew E., Liu, Zhijun, Kunder, Jonathan Augustine
Primary Examiner(s)
Hussain, Tauqir

Application Number

US14/619,759
Publication Number

US 20160234168A1
Time in Patent Office

986 Days
Field of Search

709238
US Class Current
CPC Class Codes

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5061   Pools of addresses

H04L 63/0218   Distributed architectures, ...

H04L 63/0254   Stateful filtering

Hierarchical clustering in a geographically dispersed network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical clustering in a geographically dispersed network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links