Service processing switch
Abstract
Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a flow cache is established having multiple entries each identifying one of multiple VR flows through a VR-based network device and corresponding forwarding state information. A packet is received at an input port of a line interface module of the network device and forwarded to a VRE. Flow-based packet classification is performed by the VRE. An attempt is made to retrieve an entry of the flow cache based on a result of the flow-based packet classification. On a flow cache hit, one or more appropriate packet transformations are identified for application to the packet and it is determined whether to process the packet with a VSE based on the corresponding forwarding state information. On a flow cache miss, the new VR flow is added to the flow cache by performing flow learning.
9 Claims
1. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
- receiving a packet at an input port of a line interface module of the VR-based network device;
- the line interface module forwarding the packet to a virtual routing engine (VRE);
- performing, by the VRE, flow-based packet classification on the packet;
- attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
- on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
- on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
- wherein the one or more appropriate packet transformations are associated with Network Address Translation (NAT) and comprise replacing one or more of an original IP source address, an original IP destination address, an original Transmission Control Protocol (TCP) source port, an original TCP destination port, an original User Datagram Protocol (UDP) source port and an original UDP destination port specified within a header of the packet;
- wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
- wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

Dependent claims: 2, 3

4. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
- receiving a packet at an input port of a line interface module of the VR-based network device;
- the line interface module forwarding the packet to a virtual routing engine (VRE);
- performing, by the VRE, flow-based packet classification on the packet;
- attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
- on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
- on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
- wherein the one or more appropriate packet transformations comprise Differentiated Services (DiffServ) Type of Service (ToS) field marking;
- wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
- wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

Dependent claims: 5, 6

7. A method comprising:
- establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
- receiving a packet at an input port of a line interface module of the VR-based network device;
- the line interface module forwarding the packet to a virtual routing engine (VRE);
- performing, by the VRE, flow-based packet classification on the packet;
- attempting, by the VRE, to retrieve an entry of a plurality of entries of the flow cache based on a result of the flow-based packet classification;
- on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, one or more appropriate packet transformations for application to the packet and whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
- on a flow cache miss, identifying the existence of a new VR flow and adding the new VR flow to the flow cache by performing flow learning;
- wherein the one or more appropriate packet transformations are associated with Generic Routing Encapsulation (GRE) tunneling and comprise encapsulating the packet within another packet;
- wherein the VSE comprises an Advanced Security Engine (ASE) and wherein the method further comprises responsive to receiving, by the ASE, the packet, performing one or more hardware-accelerated security services; and
- wherein the ASE includes a key accelerator and wherein the one or more hardware-accelerated security services include performing, by the key accelerator, hardware-assisted Internet Key Exchange (IKE) or hardware-assisted key generation.

Dependent claims: 8, 9

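The abstract and claims 1, 4 and 7 describe one forwarding path: classify the packet into a VR flow, look the flow up in a cache, on a hit apply the cached transformations (NAT rewrite, DiffServ ToS marking, or GRE encapsulation) and decide whether the packet goes to the security engine, and on a miss learn the flow and install an entry. The following is an added example modelling that path in Python; it is not code from the patent or from any product. The `Packet` and `FlowEntry` shapes, the policy table that the learning step consults, the handling of the first packet of a flow through the newly learned entry, and all addresses and ports are assumptions constructed for illustration.

```python
"""Flow-cache forwarding path modelled on the claims above (added example)."""
from dataclasses import dataclass, field, replace
from typing import Optional

GRE_PROTO = 47  # IP protocol number for GRE


@dataclass(frozen=True)
class Packet:
    vr_id: int            # virtual router the ingress port belongs to
    src_ip: str
    dst_ip: str
    proto: int            # 6 = TCP, 17 = UDP, 47 = GRE
    sport: int
    dport: int
    tos: int = 0          # IP ToS byte (DiffServ field)
    payload: object = None  # inner packet once GRE-encapsulated


@dataclass
class FlowEntry:
    """Forwarding state learned for one VR flow (assumed layout)."""
    nat: dict = field(default_factory=dict)   # header fields to rewrite
    dscp_tos: Optional[int] = None            # DiffServ ToS marking
    gre_tunnel: Optional[tuple] = None        # (tunnel src, tunnel dst)
    to_vse: bool = False                      # hand the packet to the VSE/ASE


@dataclass
class PolicyRule:
    """Constructed policy consulted by flow learning on a cache miss."""
    vr_id: int
    dst_prefix: str
    proto: Optional[int]      # None matches any protocol
    entry: FlowEntry

    def matches(self, pkt: Packet) -> bool:
        return (pkt.vr_id == self.vr_id
                and pkt.dst_ip.startswith(self.dst_prefix)
                and (self.proto is None or pkt.proto == self.proto))


def classify(pkt: Packet) -> tuple:
    """Flow-based classification: the VR-qualified 5-tuple is the flow key."""
    return (pkt.vr_id, pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)


class VirtualRoutingEngine:
    def __init__(self, policies):
        self.policies = policies
        self.flow_cache = {}   # flow key -> FlowEntry
        self.hits = 0
        self.misses = 0

    def learn(self, pkt: Packet) -> FlowEntry:
        """Flow learning: the first matching rule becomes the new cache entry."""
        for rule in self.policies:
            if rule.matches(pkt):
                return replace(rule.entry)   # private copy for this flow
        return FlowEntry()                   # default: forward untouched

    def process(self, pkt: Packet):
        """Return (transformed packet, send_to_vse, was_cache_hit)."""
        key = classify(pkt)
        entry = self.flow_cache.get(key)
        hit = entry is not None
        if hit:
            self.hits += 1
        else:
            # Miss: identify the new VR flow, learn it and install the entry.
            self.misses += 1
            entry = self.learn(pkt)
            self.flow_cache[key] = entry
        out = pkt
        if entry.nat:                        # NAT: rewrite address/port fields
            out = replace(out, **entry.nat)
        if entry.dscp_tos is not None:       # DiffServ ToS marking
            out = replace(out, tos=entry.dscp_tos)
        if entry.gre_tunnel is not None:     # GRE: wrap in an outer packet
            tsrc, tdst = entry.gre_tunnel
            out = Packet(pkt.vr_id, tsrc, tdst, GRE_PROTO, 0, 0, out.tos, payload=out)
        return out, entry.to_vse, hit


# Constructed policy table for VR 1 (all addresses are documentation ranges).
POLICIES = [
    # Outbound TCP to the public side: source NAT, then send to the ASE.
    PolicyRule(1, "198.51.100.", 6,
               FlowEntry(nat={"src_ip": "203.0.113.5", "sport": 40001}, to_vse=True)),
    # UDP to the voice subnet: mark Expedited Forwarding (DSCP 46 = ToS 0xB8).
    PolicyRule(1, "192.168.", 17, FlowEntry(dscp_tos=0xB8)),
    # Anything to the remote site rides a GRE tunnel.
    PolicyRule(1, "172.16.", None,
               FlowEntry(gre_tunnel=("203.0.113.5", "198.51.100.9"))),
]


def demo():
    """Send the same packet twice: first a miss (flow learned), then a hit."""
    vre = VirtualRoutingEngine(POLICIES)
    pkt = Packet(1, "10.0.0.7", "198.51.100.20", 6, 51515, 443)
    first = vre.process(pkt)
    second = vre.process(pkt)
    return vre, first, second


if __name__ == "__main__":
    vre, first, second = demo()
    print("miss then hit:", not first[2], second[2], "cache size:", len(vre.flow_cache))
```

Because the key is the VR-qualified 5-tuple, every later packet of the flow reuses the cached entry, including the decision whether it is handed to the security engine; a real implementation needs to age entries out and invalidate them when the policy table changes, otherwise a flow admitted under an old policy keeps its old treatment.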
Specification