Title of invention: Method and apparatus for ingress filtering
Abstract: An example method is provided and, in an example embodiment, includes receiving a data packet at an ingress switch function, the data packet associated with a data packet flow; obtaining access control information associated with a destination of the data packet flow from a centralized service engine; and performing access filtering on the data packet flow at the ingress switch function using the access control information.
Publication number: US9380025(B2) Publication date: 2016.06.28
Application number: US201313935314 Filing date: 2013.07.03
Applicant: CISCO TECHNOLOGY, INC. Inventors: Nellikar Suraj;Narasimha Maithili
Classification: G06F9/00;G06F15/16;G06F17/00;H04L29/06;H04L12/931 Main classification: G06F9/00
Agency: Patent Capital Group Agent: Patent Capital Group
Main claim: 1. A method for ingress filtering in a network, comprising: receiving a plurality of data packets at an ingress switch function, the data packets comprising a data packet flow; forwarding a first one of the received data packets to a centralized service engine wherein upon receipt of the first one of the received data packets, the centralized service engine accesses a database to determine a Security Group Tag (“SGT”) associated with a destination of the received first data packet and determines access control information associated with the destination SGT; downloading access control information from the centralized service engine to the ingress switch function; and performing access filtering on the data packet flow at the ingress switch function using the access control information without forwarding additional ones of the data packets to the centralized service engine; wherein the ingress switch function is implemented in an access layer switch controlling a plurality of virtual machines, and wherein one of the virtual machines comprises the destination, the method further comprising: executing Security Group Exchange Protocol (“SXP”) at the centralized service engine to obtain security group tag (“SGT”) information for each of the virtual machines; and for each of the plurality of virtual machines, storing SGT information for the virtual machine in association with the access control information for the virtual machine in the database at the centralized service engine.
Address: San Jose CA US