In a distributed crossbar design, the CPU is distributed as well. The main CPU on the device's main control board is responsible for control and scheduling of the whole chassis and for learning and distributing the routing table; the service boards are responsible for local table lookup, maintaining their own board status, and processing the security service functions delegated to them by the main CPU. This realizes distributed route calculation and distributed routing-table lookup, greatly relieves the load on the main control board and improves the overall performance of the device, which is also an important reason why local forwarding on the service board improves efficiency. This concept of a distributed crossbar combined with distributed service processing is the direction in which core network equipment design is heading; it ensures that security devices such as firewalls can be deployed at the core of the network without becoming a network bottleneck.
The distributed crossbar technology described above meets the requirements for high performance and scalability; the redundant backup design of the main components described below meets the requirement for high reliability. As shown in figure 1, not only the switching fabric board and the control module are designed with dual redundancy, but also the firewall board, the power supply and the interface board.
To match the distributed hardware architecture, the software is also distributed. The main operating system runs on the main control board and is responsible for management configuration, route learning and configuration distribution for the whole device. The service board operating system is responsible for receiving and applying the distributed configuration, for service processing and for other local functions. Because of this distributed architecture, the firewall system separates the control plane from the forwarding plane not only in hardware but also in software, which effectively improves the performance and reliability of the system.
To improve the performance of network security products through distributed processing, the first problem to solve is forwarding data flows between the internal networks. In a chassis architecture, the main control board generally operates the whole device, manages and configures it, and then distributes the configuration to each subsystem so that they work together. The interface boards provide the interfaces through which the device attaches to the network and submit the data streams to the security service boards. The security service boards perform access policy control, NAT address translation, IPS defense, antivirus, IPsec VPN and similar functions.
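The control-plane / forwarding-plane split described in the paragraphs above (the main control board learns routes and distributes them; each service board answers lookups from its own local table; a standby board takes over when the active one fails) can be made concrete with a small simulation. This is an added example, not code from the original page or from any vendor's product; the class names, the sample routes and the next-hop labels are all constructed for illustration.

```python
"""Simulation of a chassis firewall's distributed routing design.

The main control board (control plane) learns routes into a RIB and pushes a
forwarding table (FIB) to every service board.  Each service board then
performs longest-prefix-match lookups locally, so the main control board is
never on the data path.  Board redundancy is modelled by an 'active' flag.
All names and sample data are hypothetical constructions for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServiceBoard:
    """A service/forwarding board with its own locally installed FIB."""
    slot: int
    fib: list = field(default_factory=list)   # [(network, next_hop)]
    active: bool = True

    def install_fib(self, fib):
        # Configuration distributed by the main control board.  Sorting by
        # prefix length (longest first) makes the lookup loop a longest-prefix
        # match without any further work on the data path.
        self.fib = sorted(fib, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        # Local table lookup: no round trip to the control plane.
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self.fib:
            if addr in net:
                return next_hop
        return None   # no matching route, packet would be dropped


class MainControlBoard:
    """Control plane: learns routes and distributes the FIB to all boards."""

    def __init__(self):
        self.rib = {}      # routing information base learned by the control plane
        self.boards = []   # service boards managed by this chassis

    def learn_route(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def distribute(self):
        # Push one identical copy of the forwarding table to every board so that
        # any board can forward independently and a failed board has a peer.
        fib = list(self.rib.items())
        for board in self.boards:
            board.install_fib(fib)


def forward(boards, dst):
    """Hand a flow to the first active service board (dual redundancy)."""
    for board in boards:
        if board.active:
            return board.slot, board.lookup(dst)
    raise RuntimeError("no active service board")


def build_demo():
    """Assemble a chassis with two redundant service boards and three routes."""
    mcb = MainControlBoard()
    mcb.boards = [ServiceBoard(slot=1), ServiceBoard(slot=2)]
    # Constructed sample routes; the more specific /16 must win over the /8.
    mcb.learn_route("10.0.0.0/8", "core-A")
    mcb.learn_route("10.1.0.0/16", "core-B")
    mcb.learn_route("0.0.0.0/0", "uplink")
    mcb.distribute()
    return mcb


if __name__ == "__main__":
    chassis = build_demo()
    for dst in ("10.1.2.3", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", forward(chassis.boards, dst))
    chassis.boards[0].active = False          # simulate failure of slot 1
    print("after failover:", forward(chassis.boards, "10.1.2.3"))
```

The point the simulation makes is the one the text makes: after `distribute()` the control plane is idle during forwarding, every lookup is served from the board's own table, and disabling one board changes only which slot answers, not the answer.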