Scalable flow differentiation for networks with overlapping IP addresses
Assignee
Palo Alto Networks, Inc.
Inventors
Pankaj Kumar Bhagra, Sharad Saha, Srinivasan Komandoor Santhanam, Eswar Rao Sadaram
Abstract
Flows corresponding to an overlapping IP address are differentiated via scalable techniques for appropriate enforcement of security policies. Agents deployed to each site of a network (e.g., each VPC or branch router) encapsulate outbound packets with a header that includes an identifier that uniquely identifies the site as the origin of the packets, such as a VPC identifier or branch identifier. A session manager executing on a security appliance receives the encapsulated packets and determines the origin identifier and other packet attributes, including source/destination IP addresses, source/destination ports, and protocol. The session manager creates an N-tuple (e.g., a 6-tuple) comprising the origin identifier and packet attributes and creates a session for the flow with the N-tuple as the session key. The security appliance then enforces a security policy for the packets and for subsequent packets that are part of the flow and match the created session.
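As an added illustration, not code from the patent or from Palo Alto Networks, the following Python models the mechanism the abstract describes: an agent prepends a site identifier to each outbound packet, and the appliance keys sessions on the 6-tuple (origin identifier plus the usual 5-tuple) so two sites that both use the same overlapping private address get separate sessions and separate policy decisions. The encapsulation layout, the rule format and the sample addresses are constructed assumptions for the example.

```python
import socket
import struct

# Constructed layout (an assumption, not the patent's wire format): a 4-byte
# big-endian origin id prepended to a minimal inner header of protocol (1 byte),
# src IPv4 (4), dst IPv4 (4), src port (2), dst port (2).
OUTER_FMT = "!I"
INNER_FMT = "!B4s4sHH"

def encapsulate(origin_id, proto, src, dst, sport, dport):
    """Agent side: prepend the site identifier to the outbound packet."""
    inner = struct.pack(INNER_FMT, proto, socket.inet_aton(src),
                        socket.inet_aton(dst), sport, dport)
    return struct.pack(OUTER_FMT, origin_id) + inner

def session_key(packet):
    """Appliance side: derive the 6-tuple (origin id + 5-tuple) session key."""
    (origin_id,) = struct.unpack_from(OUTER_FMT, packet)
    proto, src, dst, sport, dport = struct.unpack_from(INNER_FMT, packet, 4)
    return (origin_id, socket.inet_ntoa(src), socket.inet_ntoa(dst),
            sport, dport, proto)

class SessionManager:
    def __init__(self, rules):
        # rules: list of (origin_id, dst_ip, dport, action); first match wins
        self.rules = rules
        self.sessions = {}  # 6-tuple session key -> enforced action

    def lookup_policy(self, key):
        origin_id, _src, dst, _sport, dport, _proto = key
        for r_origin, r_dst, r_dport, action in self.rules:
            if r_origin == origin_id and r_dst == dst and r_dport == dport:
                return action
        return "deny"  # default deny when no per-site rule matches

    def handle(self, packet):
        key = session_key(packet)
        if key not in self.sessions:  # first packet of the flow: create session
            self.sessions[key] = self.lookup_policy(key)
        return key, self.sessions[key]  # later packets match the existing session

def demo():
    # Constructed policy: only VPC 100 may reach the service on 203.0.113.10:443.
    mgr = SessionManager([(100, "203.0.113.10", 443, "allow")])
    # Both sites use the same overlapping private address for the same destination.
    pkt_a = encapsulate(100, 6, "10.0.1.5", "203.0.113.10", 40000, 443)
    pkt_b = encapsulate(200, 6, "10.0.1.5", "203.0.113.10", 40000, 443)
    key_a, act_a = mgr.handle(pkt_a)
    key_b, act_b = mgr.handle(pkt_b)
    mgr.handle(pkt_a)  # second packet of flow A matches the session, no new entry
    return key_a, act_a, key_b, act_b, len(mgr.sessions)
```

Without the origin identifier the two packets would share one 5-tuple and therefore one session, so a single policy decision would apply to both sites.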
CPC Classifications
Filing Date
2023-07-31
Application No.
18362537
Claims
20