
Solving Asymmetric Routing in a Stretched Data Center Environment Using Firewall Clustering and FabricPath

IP.com Disclosure Number: IPCOM000233937D
Publication Date: 2014-Jan-02
Document File: 2 page(s) / 23K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to combine firewall clustering with FabricPath to overcome asymmetric routing, ingress path optimization, and Spanning Tree Protocol (STP) problems. This unique design provides a consistent security layer across more than two physical sites working in a stretched data center model.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.


A stretched data center environment combines multiple physical data centers into a single logical data center. It provides site-level disaster recovery, which data center applications require, but it imposes certain challenges on the data center network: asymmetric routing, ingress path optimization, and a large Spanning Tree Protocol (STP) domain.

In a routed network, the ingress and egress halves of a connection can take different network paths. This is called asymmetric routing (ASR), and it breaks stateful network appliances such as firewalls and server load balancers: an appliance that sees only one direction of a flow has no session entry for the return traffic and drops it. One possible solution is to permit asymmetric routing with ASR groups; however, the ASR groups feature is available only for Active/Active (A/A) High Availability (HA) firewalls and does not scale beyond two firewalls.

Another approach is to disable stateful Transmission Control Protocol (TCP) state checks. With state checks disabled, asymmetrically routed TCP traffic is allowed through, but this applies only to TCP traffic. In addition, it increases the chance of stealth attacks over TCP, because segments that belong to no established session (for example, a bare ACK that was never preceded by a SYN) are no longer rejected.

A solution is required that can provide a consistent security layer across all physical sites participating in a stretched data center. The solution needs to be scalable beyond two sites and solve the problems associated with a stretched data center environment.

An existing firewall clustering feature allows up to eight firewalls to be clustered to act as a single firewall in order to provide scalability, high availability, and high performance.
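The three behaviours contrasted above (independent stateful firewalls dropping the return half of an asymmetric flow, TCP state bypass letting everything through including out-of-state segments, and a cluster forwarding the packet to the member that owns the flow) can be shown with a small connection-tracking model. This is an added illustration, not code from the disclosure or from any firewall vendor: the cluster is a simplified owner/director model (the member that sees the SYN owns the flow; other members look the owner up and forward to it), the packets and addresses are constructed, and the "cluster control link" is just a Python call.

```python
"""Toy model of stateful inspection under asymmetric routing (constructed example)."""
from dataclasses import dataclass

SYN, SYNACK, ACK = "SYN", "SYN/ACK", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def flow_key(p):
    """Direction-independent key so both halves of one TCP flow map to one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StatefulFirewall:
    """Standalone stateful firewall: only a SYN may create a session entry."""

    def __init__(self, name, tcp_state_bypass=False):
        self.name = name
        self.bypass = tcp_state_bypass   # models 'disable TCP state checks'
        self.table = {}                  # flow_key -> initiator (src, sport)

    def inspect(self, p):
        key = flow_key(p)
        if p.flags == SYN:
            self.table[key] = (p.src, p.sport)
            return True
        if key in self.table:
            return True                  # belongs to a known session
        return self.bypass               # out-of-state: drop, unless bypass is on


class FirewallCluster:
    """Simplified owner/director cluster (assumption, not the vendor's algorithm):
    the member that sees the SYN owns the flow; a member receiving a packet for a
    flow it does not own forwards it to the owner over the cluster control link."""

    def __init__(self, members):
        self.members = {m.name: m for m in members}
        self.director = {}               # flow_key -> owner member name
        self.forwarded = 0               # packets sent over the control link

    def inspect(self, member_name, p):
        key = flow_key(p)
        if p.flags == SYN:
            self.director[key] = member_name
            return self.members[member_name].inspect(p)
        owner = self.director.get(key)
        if owner is None:
            return False                 # no member ever saw a SYN: drop
        if owner != member_name:
            self.forwarded += 1          # asymmetric half: forward to owner
        return self.members[owner].inspect(p)


def handshake(client="10.1.1.10", server="10.2.2.20", sport=40000, dport=443):
    """Constructed three-way handshake between a client and a server."""
    return [Packet(client, server, sport, dport, SYN),
            Packet(server, client, dport, sport, SYNACK),
            Packet(client, server, sport, dport, ACK)]


# Constructed out-of-state segment: an ACK with no preceding SYN (stealth probe).
UNSOLICITED = Packet("198.51.100.7", "10.2.2.20", 55555, 443, ACK)


def run_independent(bypass=False):
    """Two standalone firewalls at two sites; ingress via A, egress via B."""
    fw_a, fw_b = StatefulFirewall("A", bypass), StatefulFirewall("B", bypass)
    path = [fw_a, fw_b, fw_a]            # SYN -> A, SYN/ACK -> B, ACK -> A
    verdicts = [fw.inspect(p) for fw, p in zip(path, handshake())]
    return verdicts, fw_b.inspect(UNSOLICITED)


def run_cluster():
    """Same asymmetric path, but A and B are members of one cluster."""
    cl = FirewallCluster([StatefulFirewall("A"), StatefulFirewall("B")])
    path = ["A", "B", "A"]
    verdicts = [cl.inspect(m, p) for m, p in zip(path, handshake())]
    return verdicts, cl.inspect("B", UNSOLICITED), cl.forwarded


if __name__ == "__main__":
    print("independent, state checks on :", run_independent())
    print("independent, TCP state bypass:", run_independent(bypass=True))
    print("clustered (owner/director)   :", run_cluster())
```

With state checks on, the standalone firewall at site B drops the SYN/ACK because it never saw the SYN, so the handshake never completes. TCP state bypass lets the handshake through but also passes the unsolicited ACK, which is the stealth-attack exposure the text refers to. The cluster forwards the SYN/ACK to the owning member over the control link, so the flow completes and the unsolicited ACK is still dropped; the count of forwarded packets is the cluster control traffic that FabricPath carries in the disclosed design.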

The novel contribution is a method to combine firewall clustering with FabricPath to overcome asymmetric routing, ingress path optimization, and STP problems. This unique design provides a consistent security layer across more than two physical sites working in a stretched data center model.

Firewall clustering with FabricPath does not require a dedicated network for cluster control traffic, since cluster control traffic uses FabricPath. Cluster control traffic can take the shortest path through the FabricPath network and can reroute in case of link failure. This solution allows up to eight physical sites to be included in a stretched data center. In addition, the solution provides full security checks for both TCP and User...