公开(公告)号：US11159481B2

公开(公告)日：2021-10-26

申请号：US16885620

申请日：2020-05-28

Applicant: Cisco Technology, Inc.

Inventor： Andrew E. Ossipov ,  Kent Leung ,  Zhijun Liu

IPC: H04L29/12 ,  H04L12/24

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

公开(公告)号：US10938728B2

公开(公告)日：2021-03-02

申请号：US16520408

申请日：2019-07-24

Applicant: Cisco Technology, Inc.

Inventor： Kent Leung ,  Zhijun Liu ,  Andrew E. Ossipov

IPC: H04L12/851 ,  H04L12/715 ,  H04L12/721

Abstract: A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.

公开(公告)号：US20160234168A1

公开(公告)日：2016-08-11

申请号：US14619759

申请日：2015-02-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/0254 ,  H04L61/2007 ,  H04L61/2061 ,  H04L63/0218

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract translation: 提供了一种用于促进地理上分散的网络环境中的层次聚类的示例性方法，并且包括在网络环境的集群域中的多个ASA集群之一的多个自适应安全设备（ASA）单元之一中接收分组， 将数据包识别为匹配数据中心之间的实时流量简档，识别集群域中的多个ASA集群中的目标ASA集群，查询流所有者的目标ASA集群中的域控制器，以及流所有者是否为 由域主任识别，将分组转发到目标群集中的流所有者，并且如果域所有者没有被域主管识别，并且域主管包括该分组所属的流的流状态，则指定 ASA单位作为流动所有者。

公开(公告)号：US20210029047A1

公开(公告)日：2021-01-28

申请号：US16520408

申请日：2019-07-24

Applicant: Cisco Technology, Inc.

Inventor： Kent Leung ,  Zhijun Liu ,  Andrew E. Ossipov

IPC: H04L12/851 ,  H04L12/721 ,  H04L12/715

Abstract: A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.

公开(公告)号：US10721211B2

公开(公告)日：2020-07-21

申请号：US15783706

申请日：2017-10-13

Applicant: Cisco Technology, Inc.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US10715486B2

公开(公告)日：2020-07-14

申请号：US15890922

申请日：2018-02-07

Applicant: Cisco Technology, Inc.

Inventor： Andrew E. Ossipov ,  Kent Leung ,  Zhijun Liu

IPC: H04L29/12

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across and used by the network devices for port address translation on network connections with the network devices. The master network device divides the port blocks in the pool into multiple buckets. The master network device first allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device second allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

公开(公告)号：US20190245828A1

公开(公告)日：2019-08-08

申请号：US15890922

申请日：2018-02-07

Applicant: Cisco Technology, Inc.

Inventor： Andrew E. Ossipov ,  Kent Leung ,  Zhijun Liu

IPC: H04L29/12

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across and used by the network devices for port address translation on network connections with the network devices. The master network device divides the port blocks in the pool into multiple buckets. The master network device first allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device second allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

公开(公告)号：US20180041474A1

公开(公告)日：2018-02-08

申请号：US15783706

申请日：2017-10-13

Applicant: Cisco Technology, Inc.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US09800549B2

公开(公告)日：2017-10-24

申请号：US14619759

申请日：2015-02-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: G06F15/173 ,  H04L29/06 ,  H04L29/12

CPC classification number: H04L63/0254 ,  H04L61/2007 ,  H04L61/2061 ,  H04L63/0218

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US20160337312A1

公开(公告)日：2016-11-17

申请号：US14709777

申请日：2015-05-12

Applicant: Cisco Technology, Inc.

Inventor： Kevin A. Buchanan ,  Andrew E. Ossipov ,  Kent Leung ,  Xun Wang ,  Zhijun Liu ,  Weiwei Kang

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L47/10 ,  H04L63/0254

Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

Abstract translation: 一种在具有多个安全设备的安全设备集群中可操作的方法，每个安全设备被配置为接收相应的数据流。 该方法包括在多个安全设备中的第一安全设备处接收流的第一段，将流的第一段发送到目的地节点，而不使多个安全设备中的第一安全设备声明对流的所有权， 从所述目的地节点接收在所述多个安全设备中的第二安全设备处的所述流的第二段，所述流的第二段响应于所述第一段，由所述第二安全设备断言所述多个安全性 设备，流量的所有权以及来自第一安全设备的转发，随后由第一安全设备接收的流的分组传送到第二安全设备。