Title: Internet security system
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains is also described.
Publication number: US9185075 (B2)  Publication date: 2015.11.10
Application number: US200611422477  Filing date: 2006.06.06
Applicant: Juniper Networks, Inc.  Inventors: Ke Yan; Mao Yuming; Xu Wilson; Leu Brian Yean-Shiang
IPC classification: H04L29/06; H04L12/46; H04L12/931; H04L12/947  Main classification: H04L29/06
Agency: Harrity & Harrity, LLP  Agent: Harrity & Harrity, LLP
Main claim: 1. A system comprising:
a device comprising:
a firewall to: receive a plurality of sets of firewall policies, each set of firewall policies, of the plurality of sets of firewall policies, being associated with a different virtual private network of a plurality of virtual private networks; and
a controller to:
receive a data packet;
obtain, from the data packet, layer information that includes layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual private network of the plurality of virtual private networks, the data packet being destined for the particular virtual private network, the data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks;
when the data structure does not store the information regarding the configuration data of the particular virtual private network: search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual private network, the other data structure being searched using the layer information that includes the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual private network;
identify policies included in the configuration data of the particular virtual private network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual private network;
determine that the policies include a set of firewall policies, of the plurality of sets of firewall policies, associated with the particular virtual private network;
cause the firewall to apply, to the data packet, the set of firewall policies associated with the particular virtual private network based on determining that the policies, associated with the particular virtual private network, include the set of firewall policies; and
cause the data packet to be routed toward the particular virtual private network after the set of firewall policies has been applied to the data packet.
Address: Sunnyvale, CA, US
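The independent claim above describes a two-stage lookup: a fast path keyed on layer 2 information alone, a slow path keyed on the full layer 2/3/4/7 tuple when the fast path misses, a drop when both miss, and the per-VPN firewall policy set applied before the packet is routed. The following is an added example written for this page, not Juniper's implementation and not code from the patent; the VLAN IDs, VPN names, policies and sample packets are all constructed, and the implicit deny when no policy matches is an assumption of this model rather than something the claim specifies.

```python
"""Model of the two-stage VPN lookup and policy application in claim 1.

Added example for this page; all tables, names and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    vlan_id: Optional[int]   # layer 2: 802.1Q tag, None if untagged
    src_ip: str              # layer 3
    dst_ip: str
    proto: str               # layer 4: "tcp" / "udp"
    dst_port: int
    app: str                 # layer 7: application identified by inspection


@dataclass(frozen=True)
class Policy:
    """One firewall policy; a None field is a wildcard."""
    action: str              # "permit" or "deny"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    app: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == got
                   for want, got in ((self.proto, pkt.proto),
                                     (self.dst_port, pkt.dst_port),
                                     (self.app, pkt.app)))


@dataclass
class VpnConfig:
    name: str
    policies: List[Policy]   # ordered; first match wins; empty = no firewall set


# First data structure (fast path): keyed on layer 2 information only.
L2_TABLE = {
    100: VpnConfig("vpn-finance", [Policy("permit", proto="tcp", dst_port=443),
                                   Policy("deny")]),
    200: VpnConfig("vpn-guest", [Policy("deny", app="smb"), Policy("permit")]),
    300: VpnConfig("vpn-lab", []),       # configured VPN with no firewall policy set
}

# Second data structure (slow path): keyed on L2 + L3 + L4 + L7.
# Key: (vlan_id, destination network, proto, dst_port, app).
FULL_TABLE = {
    (None, "10.0.0.0/8", "udp", 53, "dns"):
        VpnConfig("vpn-infra", [Policy("permit", app="dns"), Policy("deny")]),
}


def lookup_l2(pkt: Packet) -> Optional[VpnConfig]:
    """Fast path: VLAN tag alone selects the VPN (no L7 inspection needed)."""
    return L2_TABLE.get(pkt.vlan_id)


def lookup_full(pkt: Packet) -> Optional[VpnConfig]:
    """Slow path: match the full layer tuple, including the L7 application."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    for (vlan, net, proto, port, app), cfg in FULL_TABLE.items():
        if (vlan == pkt.vlan_id and dst in ipaddress.ip_network(net)
                and proto == pkt.proto and port == pkt.dst_port and app == pkt.app):
            return cfg
    return None


def apply_policies(cfg: VpnConfig, pkt: Packet) -> str:
    """First matching policy decides; implicit deny is this model's assumption."""
    for policy in cfg.policies:
        if policy.matches(pkt):
            return policy.action
    return "deny"


def process(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return ("drop", None), ("deny", vpn) or ("forward", vpn) for a packet."""
    cfg = lookup_l2(pkt)
    if cfg is None:                      # fast path missed: try the full tuple
        cfg = lookup_full(pkt)
    if cfg is None:                      # no destination VPN determined: drop
        return ("drop", None)
    if cfg.policies:                     # only apply the firewall if a set exists
        if apply_policies(cfg, pkt) == "deny":
            return ("deny", cfg.name)
    return ("forward", cfg.name)         # route toward the VPN


if __name__ == "__main__":
    for p in (Packet(100, "192.168.1.5", "10.1.1.1", "tcp", 443, "https"),
              Packet(None, "192.168.2.9", "10.9.9.9", "udp", 53, "dns"),
              Packet(None, "192.168.2.9", "10.9.9.9", "tcp", 80, "http")):
        print(p, "->", process(p))
```

The security-relevant property of the fast path is that the 802.1Q tag alone chooses which policy set governs the packet. In a deployment, that is only as trustworthy as the port the tag arrived on: the untagged slow-path entries above are what a device falls back to, so the access ports feeding it must strip or reject tags they are not expected to carry, or a host can pick its own policy set by tagging its frames.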