Some embodiments provide a novel method for performing services on a host computer that executes several data compute nodes (DCNs). The method receives, at a module executing on the host, a data message associated with a DCN executing on the host. The method supplies the data message to a service virtual machine (SVM) that executes on the host and on which several service containers execute. One or more of the service containers then perform a set of one or more services on the data message. The method then receives an indication from the SVM that the set of services has been performed on the data message.
A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.
A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
Example methods are provided for a first switch to perform congestion-aware load balancing in a data center network. The method may comprise: receiving probe packets from multiple next-hop second switches that connect the first switch with a third switch via multiple paths. The method may also comprise: processing congestion state information in each probe packet to select a selected next-hop second switch from the multiple next-hop second switches, the selected next-hop second switch being associated with a least congested path from the first switch to the third switch. The method may further comprise: in response to receiving data packets from a fourth switch that are destined for a destination connected with the third switch, sending the data packets to the selected next-hop second switch such that the data packets travel to the third switch along the least congested path.
Some embodiments provide a method for detecting a failure of a layer 2 (L2) bump-in-the-wire service at a device. In some embodiments, the device sends heartbeat signals to a second device connected to L2 service nodes in order to detect failure of the L2 service (e.g., a failure of all the service nodes). In some embodiments, the heartbeat signals are unidirectional heartbeat signals (e.g., a unidirectional bidirectional-forwarding-detection (BFD) session) sent from each device to the other. The heartbeat signals, in some embodiments, use a broadcast MAC address in order to reach the current active L2 service node in the case of a failover (i.e., an active service node failing and a standby service node becoming the new active service node). The unidirectional heartbeat signals are also used, in some embodiments, to decrease the time between a failover and data messages being forwarded to the new active service node.
H04L 43/0805 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
H04L 43/10 - Active monitoring, e.g. heartbeat, ping or trace-route
Some embodiments provide a method for handling failure at one of several peer centralized components of a logical router. At a first one of the peer centralized components of the logical router, the method detects that a second one of the peer centralized components has failed. In response to the detection, the method automatically identifies a network layer address of the failed second peer. The method assumes responsibility for data traffic to the failed peer by broadcasting a message on a logical switch that connects all of the peer centralized components and a distributed component of the logical router. The message instructs recipients to associate the identified network layer address with a data link layer address of the first peer centralized component.
H04L 41/5041 - Network service management, e.g. ensuring proper service fulfilment according to agreements, characterised by the time relationship between creation and deployment of a service
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions, using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 69/326 - Intra-layer communication protocols among peer entities or protocol data unit [PDU] definitions in the transport layer [OSI layer 4]
H04L 69/329 - Intra-layer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
H04L 47/19 - Flow control; Congestion control at layers above the network layer
H04L 45/302 - Route determination based on requested quality of service [QoS]
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
H04L 43/106 - Active monitoring, e.g. heartbeat, ping or trace-route, using time-related information in packets, e.g. by adding timestamps
H04L 49/354 - Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
H04L 67/1038 - Load balancing arrangements to avoid a single path through a load balancer
7. FLOW GENERATION FROM SECOND LEVEL CONTROLLER TO FIRST LEVEL CONTROLLER TO MANAGED SWITCHING ELEMENT
A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.
Exemplary methods, apparatuses, and systems include a central controller receiving a request to generate a new encryption key for a security group to replace a current encryption key for the security group. The security group includes a plurality of hosts that each encrypt and decrypt communications using the current encryption key. In response to receiving the request, the central controller determines that a threshold period following generation of the current encryption key has not expired. In response to determining that the threshold period has not expired, the central controller delays execution of the request until the expiration of the threshold period. In response to the expiration of the threshold period, the central controller executes the request by generating the new encryption key, storing a time of creation of the new encryption key, and transmitting the new encryption key to the plurality of hosts.
H04L 9/12 - Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Some embodiments provide a method for generating a multi-layer network map from network configuration data. The method receives network configuration data that defines network components and connections between the network components for a network that spans one or more datacenters. Based on the received network configuration data, the method generates multiple data layers for a multi-layer interactive map of the network. Different data layers include different network components and connections. The method generates a visual representation of the network for each data layer. Each visual representation includes a map of the network at a different level of hierarchy.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, comprising specially adapted graphical user interfaces [GUI]
H04L 43/045 - Processing of captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/12 - Discovery or management of network topologies
10. EDGE NODE CLUSTER NETWORK REDUNDANCY AND FAST CONVERGENCE USING AN UNDERLAY ANYCAST VTEP IP
Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address, anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP addresses with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.
H04L 41/0668 - Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
H04L 45/586 - Association of routers of virtual routers
H04L 45/28 - Routing or path finding of packets in data switching networks using route fault recovery
H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
H04L 45/00 - Routing or path finding of packets in data switching networks
In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to communicate with each other more readily, securely, and efficiently even if they are not located on the same physical host and/or in the same subnet or VLAN. According to other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state. According to still further aspects, the virtual platform of the invention manages and/or uses VLANs or tunnels (e.g., GRE) to create a distributed virtual switch for a network while working with existing switches and routers in the network. The present invention finds utility in enterprise networks, datacenters and other facilities.
H04L 41/0893 - Assignment of logical groups to network elements
H04L 41/12 - Discovery or management of network topologies
H04L 41/0896 - Bandwidth or capacity management of networks, i.e. automatically increasing or decreasing capacities
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 49/15 - Interconnection of switching modules
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting to perform the VPN encryption and decryption. The VPN gateway does not perform any encryption or decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
13. METHOD AND SYSTEM OF A CLOUD-BASED MULTIPATH ROUTING PROTOCOL
In one aspect, a computerized system useful for implementing a cloud-based multipath routing protocol to an Internet endpoint includes an edge device that provides an entry point into an entity's core network. The entity's core network includes a set of resources to be reliably accessed. The computerized system includes a cloud-edge device instantiated in a public-cloud computing platform. The cloud-edge device joins a same virtual routing and forwarding table as the edge device. The cloud-edge device receives a set of sources and destinations of network traffic that are permitted to access the edge device and the set of resources
Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules for processing.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/06 - Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
H04L 51/214 - Monitoring or handling of messages using selective forwarding
G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
15. TRACING LOGICAL NETWORK PACKETS THROUGH PHYSICAL NETWORK
Some embodiments provide a method for a network controller that manages several managed forwarding elements. The method receives a request to trace a specified packet having a particular source on a logical switching element. The method generates the packet at the network controller according to the packet specification. The generated packet includes an indicator that the packet is for a trace operation. The method inserts the packet into a managed forwarding element associated with the particular source. The method receives a set of messages from a set of managed forwarding elements that process the packet regarding operations performed on the packet.
Some embodiments provide a method for maintaining a cluster topology for a cluster of application instances operating across several datacenters. On a particular machine at which a particular one of the application instances operates, the method maintains a cluster topology that identifies, for each application instance of the cluster, the datacenter in which the application instance operates. From the particular application instance, the method receives a query request for at least a portion of the cluster topology through a programmatic interface. The method provides the requested portion of the cluster topology to the particular application instance. The particular application instance uses the cluster topology for processing application data based on the locations of a set of application instances within the several datacenters.
A computerized method useful for implementing a Multi-Source Inbound QoS (Quality of Service) process in a computer network includes the step of calculating a current usage rate of a provider entity. The provider entity is classified by a network traffic priority. The method includes the step of implementing a fair sharing policy among a set of provider entities. The method includes the step of adjusting any excess bandwidth among the set of provider entities. The method includes the step of implementing link sharing at a provider-entity level.
Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts, directly on a device, a data message that the device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM); the SVM is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., a network introspector and/or a file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., the application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization, but not other users, can access social networking sites). This approach requires no additional configuration on the networking infrastructure.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 16/9535 - Search customisation based on user profiles and personalisation
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 16/958 - Organisation or management of website content, e.g. publishing, page maintenance or automatic linking
19. CREATING AND USING REMOTE DEVICE MANAGEMENT ATTRIBUTE RULE DATA STORE
Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on the identified RDM attribute set.
Some embodiments provide a method for detecting a failure of a layer 2 (L2) bump-in-the-wire service at a device. In some embodiments, the device sends heartbeat signals to a second device connected to L2 service nodes in order to detect failure of the L2 service (e.g., a failure of all the service nodes). In some embodiments, the heartbeat signals are unidirectional heartbeat signals (e.g., a unidirectional bidirectional-forwarding-detection (BFD) session) sent from each device to the other. The heartbeat signals, in some embodiments, use a broadcast MAC address in order to reach the current active L2 service node in the case of a failover (i.e., an active service node failing and a standby service node becoming the new active service node). The unidirectional heartbeat signals are also used, in some embodiments, to decrease the time between a failover and data messages being forwarded to the new active service node.
Traffic engineering refers to a process by which a network administrative program defines specific paths through the network for a series of data message flows. The approaches used to date include MPLS (multiprotocol label switching) techniques that add path-descriptive information between the layer 2 and layer 3 headers. Because of this location of the path description, MPLS is commonly referred to as a layer 2.5 protocol. The MPLS techniques, and other previous traffic engineering techniques, however, do not readily support encapsulating tenant identifiers. Tying these prior solutions to a tenant will require other policies and multiple encapsulations for the overlay and underlay.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
22. UNIFIED SECURITY POLICIES ACROSS VIRTUAL PRIVATE CLOUDS WITH OVERLAPPING IP ADDRESS BLOCKS
The present disclosure generally relates to applying global unified security policies across a plurality of virtual private clouds of a logical network. The logical network is deployed on a software-defined datacenter that constitutes one or more private and/or public datacenters. The plurality of virtual private clouds of the logical network may have one or more overlapping internet protocol address blocks, with each virtual private cloud deploying one or more virtual machines and/or containers. A global unified security policy is disseminated to endpoints throughout the logical network using logical ports of the virtual machines and/or containers.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 12/931 - Switching fabric architecture
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. sandbox or secure virtual machine
23. PROVIDING NETWORKING AND SECURITY TO WORKLOADS VIA A CONTROL VIRTUAL PRIVATE CLOUD SHARED ACROSS MULTIPLE VIRTUAL PRIVATE CLOUDS
The present disclosure generally relates to deploying a proxy control plane and/or north-south data plane in a control virtual private cloud of a logical network implemented on a software-defined datacenter. The control virtual private cloud is shared by a plurality of compute virtual private clouds of the network. In some embodiments, a proxy control plane is deployed on the control virtual private cloud and disseminates policies directly to endpoints of the logical network. In some embodiments, a north-south data plane is deployed on the control virtual private cloud and directly manages north-south network traffic from endpoints of the logical network. In some embodiments, a proxy control plane and a north-south network data plane are deployed on the control virtual private cloud.
A method for processing interleaved Layer 4, Layer 7 and verb-based rulesets is presented. The method comprises receiving stream data; identifying a packet in the stream; parsing the packet to extract firewall input data; and determining that one or more rules at least partially match the firewall input data. If any of the rules also include additional information not found in the firewall input data, a DPI is performed to determine whether a first portion of the additional information is found in the packet. If no first portion of the additional information is found, a full DPI is performed to determine whether a second portion of the additional information is found in the packet. If the second portion is found, additional input data is extracted from the packet and added to the firewall input data. The rules are applied to the firewall input data to determine whether to transmit the packet.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 12/26 - Monitoring arrangements; Testing arrangements
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
25. HIGH AVAILABILITY FOR STATEFUL SERVICES IN PUBLIC CLOUD LOGICAL NETWORKS
Some embodiments provide a method for a network controller that manages a logical network spanning multiple physical locations. For each physical location hosting data compute nodes (DCNs) belonging to the logical network, the method defines a centralized routing component for processing data messages between the DCNs hosted at the physical location and networks external to the logical network, assigns an active instance of the centralized routing component to operate at the physical location, and assigns a standby instance of the centralized routing component to operate at one of the other physical locations.
H04L 12/713 - Routing fault avoidance or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP], by node redundancy, e.g. VRRP
H04L 12/931 - Switching fabric architecture
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 12/24 - Arrangements for maintenance or administration
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
H04L 12/707 - Routing fault avoidance or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP], by path redundancy
H04L 12/703 - Routing fault avoidance or recovery, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP]
H04L 12/741 - Header address processing for routing, e.g. table lookup
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
In one aspect, a computer-networking method useful for implementing a dynamic high-availability (HA) mode based on current wide area network (WAN) connectivity comprises the steps of: providing a first edge device of a local area network (LAN) with the WAN; providing a second edge device of the LAN with the WAN; and synchronizing a state of a plurality of links with the WAN that are connected to the first edge device and the second edge device.
H04L 12/24 - Arrangements for maintenance or administration
H04L 12/28 - Data switching networks characterised by path configuration, e.g. local area networks [LAN] or wide area networks [WAN]
27. SERVICE OPERATION CHAINING METHODS AND COMPUTER PROGRAMS
For a multi-tenant environment, some embodiments of the invention provide a novel method for forwarding tenant traffic through a set of service machines to perform a set of service operations on the tenant traffic. In some embodiments, the method performs a classification operation on a data message flow of a tenant, in order to identify a set of service operations to perform on the data message flow. For some data message flows, the classification operation selects the identified set of service operations from several candidate sets of service operations that are viable service operation sets for similar data message flows of the tenant. In some embodiments, the classification operation is based on a set of attributes associated with the data message flow (e.g., a five-tuple identifier, i.e., the protocol, the source and destination ports, and the source and destination IP addresses).
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 12/43 - Loop networks with decentralised control with synchronous transmission, e.g. time division multiplex [TDM], slotted rings
H04L 12/851 - Traffic type related actions, e.g. quality of service or priority
H04L 12/701 - Routing or path finding
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 12/24 - Arrangements for maintenance or administration
28. CREATING VIRTUAL NETWORKS SPANNING MULTIPLE PUBLIC CLOUDS
Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity's data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/24 - Arrangements for maintenance or administration
H04L 12/28 - Data switching networks characterised by path configuration, e.g. local area networks [LAN] or wide area networks [WAN]
Some embodiments provide a novel way to insert a service (e.g., a third party service) in the path of a data message flow, between two machines (e.g., two VMs, two containers, etc.) in a public cloud environment. For a particular tenant of the public cloud, some embodiments create an overlay logical network with a logical overlay address space. To perform a service on data messages of a flow between two machines, the logical overlay network passes to the public cloud's underlay network the data messages with their destination address (e.g., destination IP addresses) defined in the logical overlay network. The underlay network (e.g., an underlay default downlink gateway) is configured to pass data messages with such destination addresses (e.g., with logical overlay destination addresses) to a set of one or more service machines. The underlay network (e.g., an underlay default uplink gateway) is also configured to pass to the particular tenant's public cloud gateway the processed data messages that are received from the service machine set and that are addressed to logical overlay destination addresses. The tenant's public cloud gateway is configured to forward such data messages to a logical forwarding element of the logical network, which then handles the forwarding of the data messages to the correct destination machine.
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/66 - Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
30.
ACCESSING ENDPOINTS IN LOGICAL NETWORKS AND PUBLIC CLOUD SERVICE PROVIDERS NATIVE NETWORKS USING A SINGLE NETWORK INTERFACE AND A SINGLE ROUTING TABLE
A physical host machine of a public cloud system includes a set of processing units for executing instructions stored in non-transitory machine readable media. The physical host machine also includes a physical network interface card (PNIC) and a non-transitory machine readable medium that stores a data compute node (DCN). The DCN includes first and second applications, first and second logical interfaces, a network stack, and a managed forwarding element (MFE). The first application is connected to the PNIC through the network stack, the first logical interface, and the MFE. The second application is connected to the PNIC through the network stack, the second logical interface, and the MFE.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/741 - Header address processing for routing, e.g. table lookup
31.
MANAGING NETWORK CONNECTIVITY BETWEEN CLOUD COMPUTING SERVICE ENDPOINTS AND VIRTUAL MACHINES
Described herein are systems, methods, and software to enhance connectivity between cloud computing service endpoints and virtual machines. In one implementation, a method of managing data packet addressing in a first namespace includes receiving a data packet at a first interface for the first namespace, wherein the first interface is paired with a second interface of a second namespace. The method also includes identifying if the packet is destined for a service node in an underlay network outside of an overlay network for the second namespace, and if destined for a service node outside of an overlay network for the second namespace, modifying addressing in the data packet to support the underlay network and transferring the data packet over a virtual network interface for the virtual machine.
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
For a managed network implementing at least one logical router having centralized and distributed components, some embodiments provide a method for processing multicast data messages at a first managed forwarding element (MFE) executing on a first host machine that implements a distributed multicast logical router and multiple logical switches logically connected to the logical router in conjunction with a set of additional MFEs executing on additional host machines. The method replicates multicast data messages received from a source data compute node (DCN), operating on the first host machine, that logically connects to a first logical switch of the multiple logical switches. The method replicates the multicast data message to a set of DCNs in the multicast group in the logical network without routing through a centralized local multicast router.
Some embodiments provide a method for a network controller that manages multiple logical networks implemented by multiple managed forwarding elements (MFEs) operating on multiple host machines. The method receives a notification from a particular MFE that an interface corresponding to a logical port of a logical forwarding element has connected to the particular MFE and has a particular logical network address. The method assigns a unique physical network address to the interface. Each of multiple interfaces connected to the particular MFE is assigned a different physical network address. The method provides the assigned unique physical network address to the particular MFE for the particular MFE to convert data messages sent from the particular logical network address to have the unique physical network address.
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
The technology disclosed herein enables identification of multi-tiered applications in virtual computing elements. In a particular embodiment, a method provides identifying a plurality of guest elements executing on one or more host computing systems for a virtual computing environment and categorizing each of the plurality of guest elements into a tier group of a plurality of tier groups. The method further provides monitoring communication traffic between the plurality of guest elements and determining a multi-tiered application for each of the plurality of guest elements based on the communication traffic.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Example methods are provided for assigning a routing domain identifier in a logical network environment that includes one or more logical distributed routers and one or more logical switches. In one example, the method may comprise obtaining network topology information specifying how the one or more logical distributed routers are connected with the one or more logical switches; and selecting, from the one or more logical switches, a particular logical switch for which routing domain identifier assignment is required. The method may also comprise: identifying a particular logical distributed router that is connected with the particular logical switch based on the network topology information; assigning the particular logical switch with the routing domain identifier that is associated with the particular logical distributed router; and using the routing domain identifier in a communication between a management entity and a host.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/751 - Topology update or discovery
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
A computer system provides a method for processing network packets using unique identifiers associated with source and destination virtual machines (VMs 130). The method includes receiving, from a first VM (130), a request for address information associated with a second VM (130), generating and returning one or more arbitrarily assigned addresses for the second VM (130), mapping a unique identifier of the second VM (130) to the one or more arbitrarily assigned addresses, receiving a packet from the first VM (130) including one or more addresses associated with the first VM (130) and the one or more arbitrarily assigned addresses associated with the second VM (130), replacing the addresses associated with the first VM (130) with a unique identifier of the first VM (130) and the one or more arbitrarily assigned addresses associated with the second VM (130) with the unique identifier of the second VM (130), and transmitting the packet to a host machine (100) associated with the second VM (130).
Some embodiments provide a method that receives a request for information regarding a path between endpoints of a logical network. The method provides, for display, a visualization of the path including (i) a set of logical network components between the endpoints and (ii) a set of physical network components that implement the logical network components. The physical network components and the logical network components are aligned in the display. In some embodiments, the method receives data regarding a packet tracing operation between the endpoints. The method generates a display including (i) a visualization of the path between the endpoints of the logical network and (ii) a representation of the received data regarding the packet tracing operation, with the packet tracing operation data visually linked to the components of the path.
Certain embodiments described herein are generally directed to allocating security parameter index ("SPI") values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.
H04L 9/12 - Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
H04L 9/16 - Arrangements for secret or secure communications; Network security protocols using several keys or algorithms which are changed during operation
39.
MANAGING NETWORK TRAFFIC IN VIRTUAL SWITCHES BASED ON LOGICAL PORT IDENTIFIERS
Described herein are systems, methods, and software to enhance network traffic management. In one implementation, a first host identifies a packet to be transferred from a first virtual machine on the first host to a second virtual machine on a second host. In response to identifying the packet, the first host identifies a source logical port for the first virtual machine and transfers a communication to the second host, wherein the communication encapsulates the data packet and the source logical port. Once the packet is received by the second host, the second host may use the source logical port to determine a forwarding action for the packet.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/931 - Switching fabric architecture
Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules for processing.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
An architecture is provided for capturing contextual attributes on host computers that execute one or more containers and/or virtual machines (VMs), and for consuming the captured contextual attributes to perform services on the host computers. A guest-introspection (GI) agent is executable on each container or VM from which contextual attributes need to be captured. Embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents on a host, the context engine of that host collects contextual attributes associated with network events and/or process events. The context engine may then provide the contextual attributes to the service engines.
G06F 9/44 - Arrangements for executing specific programs
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 47/24 - Traffic characterised by specific attributes, e.g. priority or QoS
H04L 51/21 - Monitoring or handling of messages
42.
COLLECTING AND PROCESSING CONTEXT ATTRIBUTES ON A HOST
Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules for processing.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 12/851 - Traffic type related actions, e.g. Quality of Service or priority
The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 29/06 - Communication control; Communication processing characterised by a protocol
44.
IDENTIFICATION AND ADJUSTMENT OF INEFFECTIVE FIREWALL RULES
Network firewalls operate based on rules that define how a firewall should handle traffic passing through the firewall. At their most basic, firewall rules may indicate that certain network traffic should be denied from passing through a network firewall or indicate that certain network traffic should be allowed to pass through the network firewall. Manners of handling network traffic beyond simply allowing or denying the network traffic may also be defined by the rules. For instance, a rule may indicate that certain network traffic should be routed to a specific system. Thus, if an administrator of a network firewall determines that certain network traffic should be handled in a certain way by a network firewall, the administrator need only implement a firewall rule defining how that network traffic should be handled in the network firewall.
A computer system authenticates a logical port for a virtual machine. A logical network maintains logical network data for a logical switch having the logical port. A virtual switch identifies a logical port authentication request for the virtual machine and transfers the logical port authentication request. A logical port authenticator receives the logical port authentication request and transfers the logical port authentication request for delivery to an authentication database. The logical port authenticator receives a logical port authentication response transferred by the authentication database that grants the logical port authentication request for the virtual machine and transfers authorization data for the logical port. The virtual switch transfers user data for the virtual machine when the virtual machine uses the logical port responsive to the authorization data.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/44 - Program or device authentication
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
46.
PERFORMING CONTEXT-RICH ATTRIBUTE-BASED SERVICES ON A HOST
Some embodiments provide a novel method for configuring a set of one or more service nodes on a host to perform context-rich, attribute-based services on the host computer, which executes several data compute nodes (DCNs) in addition to the set of service nodes. The method uses a context-filtering node on the host to collect a first set of attributes associated with service rules processed by the set of service nodes on the host computer. The context filter also collects a second set of attributes associated with at least one data message flow of a DCN (e.g., of a virtual machine (VM) or container) executing on the host. After collecting the first and second sets of attributes, the context-filtering node on the host compares the first and second sets of attributes to generate a service tag to represent a subset of the first set of attributes associated with the data message flow. The method associates this service tag with the data message flow. This service tag can then be used to identify the subset of attributes associated with the data message flow when a service node needs to process its attribute-based service rules for the data message flow.
Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.
A method of defining policy for a network virtualization platform of a data center is provided. The method receives a registration of one or more actions provided by each of a plurality of data center services. The method defines a policy template by receiving the identification of a set of data center resources and a set of actions registered by a set of data center services to be applied to each identified resource. The method instantiates the template into a set of policy instances that each include an identification of one or more resources and an identification of one or more actions identified in the policy template. The policy is then enforced by the set of data center services by applying the actions identified in each policy instance to the resources identified in the policy instance.
Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
H04L 41/044 - Network management architectures or arrangements comprising hierarchical management structures
H04L 41/046 - Network management architectures or arrangements comprising network management agents or mobile agents therefor
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 41/0893 - Assignment of logical groups to network elements
Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.
Some embodiments provide a method for a first network controller that manages a logical network implemented in a datacenter including forwarding elements to which the first network controller does not have access. The method identifies a first data compute node (DCN) in the datacenter configured to execute a second network controller. The method distributes configuration data defining the logical network to the first DCN. The second network controller distributes sets of the configuration data to local agents executing on additional DCNs in the datacenter that send and receive messages through the logical network. Both managed forwarding elements and the local agents execute on each of the additional DCNs. Each local agent on a particular DCN is for receiving a set of configuration data from the second network controller and configuring the managed forwarding element on the particular DCN to implement the logical network according to the set of configuration data.
H04L 12/24 - Arrangements for maintenance or administration
H04L 12/931 - Switching fabric architecture
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 29/06 - Communication control; Communication processing characterised by a protocol
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
52.
EDGE NODE CLUSTER NETWORK REDUNDANCY AND FAST CONVERGENCE USING AN UNDERLAY ANYCAST VTEP IP
Some embodiments provide a method for providing redundancy and fast convergence for modules operating in a network. The method configures modules to use a same anycast inner IP address and anycast MAC address, and to associate with a same anycast VTEP IP address. In some embodiments, the modules are operating in an active-active mode and all nodes running modules advertise the anycast VTEP IP address with equal local preference. In some embodiments, modules are operating in active-standby mode and the node running the active module advertises the anycast VTEP IP address with higher local preference.
H04L 12/703 - Fault prevention or recovery of routing, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP]
H04L 12/707 - Fault prevention or recovery of routing, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP], using path redundancy
H04L 12/713 - Fault prevention or recovery of routing, e.g. rerouting, route redundancy, virtual router redundancy protocol [VRRP] or hot standby router protocol [HSRP], using node redundancy, e.g. VRRP
Software-defined networking (SDN) often uses network controllers to configure virtual (logical) networks throughout a datacenter. As SDN becomes more prevalent and datacenters cater to more and more tenants, controllers are expected to perform more operations. Key to this architecture is that the controllers do not become bottlenecks in the configuration process, and that these controllers be able to handle when other elements downstream in the configuration process are bottlenecked (i.e., making sure that if one switch is a bottleneck this does not slow the configuration of other switches). As such, techniques to improve the use of processing resources by network controllers are needed.
Example methods are provided for a source virtual tunnel endpoint (VTEP) to perform congestion-aware load balancing in a data center network. The method may comprise the source VTEP learning congestion state information associated with multiple paths provided by respective multiple intermediate switches connecting the source VTEP with a destination VTEP. The method may also comprise the source VTEP receiving second packets that are sent by a source endpoint and destined for a destination endpoint; and selecting a particular path from multiple paths based on the congestion state information. The method may further comprise the source VTEP generating encapsulated second packets by encapsulating each of the second packets with header information that includes a set of tuples associated with the particular path; and sending the encapsulated second packets to the destination endpoint.
Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.
Some embodiments provide a method for determining a realization status of one or more logical entities of a logical network. The method, each time a particular event occurs, increments the value of a realization number and publishes the incremented value to a set of controllers of the logical network. Upon receiving data that specifies the state of a logical entity of the logical network, the method publishes the logical entity state's data to the set of controllers. In some embodiments, the method queries the set of controllers for a realization status of the state data for a set of logical entities that is published to the set of controllers up to a particular point of time. The submitted query, in some embodiments, includes a particular value of the realization number associated with the particular point of time.
A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon (1110) is provided. The datapath daemon (1110) is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. In some embodiments, the datapath daemon dispatches packets to other processes or processing threads outside of the daemon. In some embodiments, the datapath daemon dispatches packets to a kernel network stack (1190) in order to support packet traffic monitoring.
A novel design of a gateway that handles traffic in and out of a network by using a datapath daemon is provided. The datapath daemon is a run-to-completion process that performs various data-plane packet-processing operations at the edge of the network. The datapath daemon dispatches packets to other processes or processing threads outside of the daemon. The method inserts TLR identifiers as VLAN tags into the packets dispatched from the datapath daemon so that the network stack can deliver them to the correct TLR-specific namespace.
Some embodiments provide a method for a managed forwarding element (MFE). The method receives a packet from a data compute node for which the MFE performs first-hop processing. The data compute node is associated with multiple tunnel endpoints of the MFE. The method determines a destination tunnel endpoint for the packet. The method uses a load balancing algorithm to select one of the multiple tunnel endpoints of the MFE as a source tunnel endpoint for the packet. The method encapsulates the packet in a tunnel using the source and destination tunnel endpoints.
A novel design of a gateway that handles traffic in and out of a network by using a datapath pipeline is provided. The datapath pipeline includes multiple stages for performing various data-plane packet-processing operations at the edge of the network. The processing stages include centralized routing stages and distributed routing stages. The processing stages can include service-providing stages such as NAT and firewall. The gateway caches the result of previous packet-processing operations and reapplies the result to subsequent packets that meet certain criteria. For packets that do not have an applicable or valid result from previous packet-processing operations, the gateway datapath daemon executes the pipelined packet-processing stages, records a set of data from each stage of the pipeline, and synthesizes those data into a cache entry for subsequent packets.
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
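The point of recording "a set of data from each stage" is that the cache entry must match only on what the stages actually consulted: a firewall stage that looked at the destination port must not produce an entry that later swallows a packet to a different port. The following is an added example of that synthesis, not code from the page or from any gateway it describes; the route table, firewall rule, SNAT pool and packet fields are constructed, and exact-match keys stand in for the masked matches a real flow cache would use.

```python
"""Gateway datapath whose cache entries are synthesized from per-stage records.
Each stage records the header fields it consulted and the edits it made; the slow
path unions those records into one entry keyed on exactly those fields, so a later
packet that agrees on them skips the pipeline. Constructed configuration below."""
import ipaddress

# Constructed configuration (assumptions, not from the page)
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "dr0"),       # internal: distributed router
    (ipaddress.ip_network("0.0.0.0/0"), "uplink"),     # everything else leaves the gateway
]
FIREWALL = [{"match": {"proto": "tcp", "dport": 22}, "action": "drop"}]
SNAT_POOL = {"uplink": "203.0.113.10"}                 # SNAT only on the uplink


class StageRecord:
    """What one stage looked at and what it decided."""
    def __init__(self):
        self.fields_used = set()
        self.rewrites = {}
        self.action = None


def routing_stage(pkt, meta):
    rec = StageRecord()
    rec.fields_used.add("dst")
    for net, out_port in ROUTES:
        if ipaddress.ip_address(pkt["dst"]) in net:
            meta["out_port"] = out_port
            break
    return rec


def firewall_stage(pkt, meta):
    rec = StageRecord()
    for rule in FIREWALL:
        rec.fields_used.update(rule["match"])          # consulted even when it does not match
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            rec.action = rule["action"]
            break
    return rec


def nat_stage(pkt, meta):
    rec = StageRecord()
    if meta.get("out_port") in SNAT_POOL:
        rec.fields_used.add("src")                     # the rewrite depends on the source
        rec.rewrites["src"] = SNAT_POOL[meta["out_port"]]
    return rec


class Datapath:
    def __init__(self):
        self.stages = [routing_stage, firewall_stage, nat_stage]
        self.cache = {}            # frozenset of (field, value) -> synthesized result
        self.slow_path_runs = 0

    def process(self, pkt):
        for key, result in self.cache.items():
            if all(pkt.get(f) == v for f, v in key):
                return dict(result, cached=True)
        # Slow path: execute every stage and record what each one consulted.
        self.slow_path_runs += 1
        meta, used = {}, set()
        result = {"action": "forward", "rewrites": {}}
        for stage in self.stages:
            rec = stage(pkt, meta)
            used |= rec.fields_used
            result["rewrites"].update(rec.rewrites)
            if rec.action == "drop":
                result["action"] = "drop"
                break                  # later stages never ran, so do not key on their fields
        self.cache[frozenset((f, pkt[f]) for f in used if f in pkt)] = result
        return dict(result, cached=False)
```

Note that a dropped flow yields a narrower key than a forwarded one: the NAT stage never ran, so its fields are absent from the entry, and the entry can only ever be reused by packets that the firewall would drop again.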
61.
DISTRIBUTING REMOTE DEVICE MANAGEMENT ATTRIBUTES TO SERVICE NODES FOR SERVICE RULE PROCESSING
Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on the identified RDM attribute set.
H04L 45/50 - Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
H04L 45/745 - Address table lookup; Address filtering
H04L 47/125 - Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using the domain name system [DNS]
Some embodiments provide a method for implementing a logical router in a logical network. In some embodiments, the method receives a configuration of a static route for the logical router, which includes several routing components with separate routing tables. The method identifies which of the routing components require addition of a route to a corresponding routing table to implement the configuration of the static route. The method adds the routes to the corresponding separate routing tables of the identified routing components.
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/931 - Switching fabric architecture
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
For a network that includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources, a novel method that distributes encryption keys to the hosts to encrypt/decrypt the complete payload originating/terminating at those hosts is described. These encryption keys are created or obtained by the VPN gateway based on network security negotiations with the external networks/devices. The negotiated keys are then distributed to the hosts via the control plane of the network. In some embodiments, this creates a complete distributed mesh framework for processing crypto payloads.
A system provisions global logical entities that facilitate the operation of logical networks that span two or more datacenters. These global logical entities include global logical switches that provide L2 switching as well as global routers that provide L3 routing among network nodes in multiple datacenters. The global logical entities operate alongside local logical entities that operate logical networks that are local to a datacenter.
H04L 12/931 - Switching fabric architecture
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
69.
INTERMEDIATE LOGICAL INTERFACES IN A VIRTUAL DISTRIBUTED ROUTER ENVIRONMENT
An LRE (logical routing element) that has LIFs that are active in all host machines spanned by the LRE, as well as LIFs that are active in only a subset of those spanned host machines, is provided. A host machine having an active LIF for a particular L2 segment performs the L3 routing operations for network traffic related to that L2 segment. A host machine having an inactive LIF for the particular L2 segment does not perform L3 routing operations for the network traffic of that L2 segment.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Some embodiments provide a method for a first managed forwarding element (MFE). The method receives a data message that includes a logical context tag that identifies a logical port of a particular logical forwarding element. Based on the logical context tag, the method adds a local tag to the data message. The local tag is associated with the particular logical forwarding element, which is one of several logical forwarding elements to which one or more containers operating on a container virtual machine (VM) belong. The container VM connects to the first MFE. The method delivers the data message to the container VM without any logical context. A second MFE operating on the container VM uses the local tag to forward the data message to a correct container of several containers operating on the container VM.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
71.
ROUTE SERVER MODE FOR DYNAMIC ROUTING BETWEEN LOGICAL AND PHYSICAL NETWORKS
Some embodiments provide a method for configuring a logical router that interfaces with an external network. The method receives a configuration for a logical network that includes a logical router with several interfaces that connect to at least one physical router external to the logical network. The method selects a separate host machine to host a centralized routing component for each of the interfaces. The method selects a particular one of the host machines for operating a dynamic routing protocol control plane that receives routing protocol data from each of the centralized routing components and updates routing tables of each of the centralized routing components.
[0001] Network services such as load balancer, firewall, IDS, IPS, encryption, decryption, are deployed today in the datacenter to provide a rich service oriented environment for applications and tenants. Typically these services are deployed at fixed points in the datacenter networking topology. Based upon configuration needs, the network services are provisioned to serve the various applications and tenants. As the demand increases and varies, the logistics of maintaining such static placement and provisioning methodology becomes challenging and leads to obfuscated and complex deployment involving hair-pinning traffic, choke point operation and complex configurations. The interdependencies across various apps and tenants often make the management of the network a mangled mess.
A method for implementing a logical router in a network comprises receiving a definition of a logical router to serve as an interface between a logical first network and a second network external to the logical first network. To implement the logical router, the method defines a plurality of routing components comprising (1) a distributed routing component and (2) a plurality of centralized routing components. The centralized routing components (1) forward northbound packet flows from the logical first network to the second network and (2) forward southbound packet flows from the second network to the logical first network. The distributed routing component routes packets (1) within the logical first network and (2) to and from the centralized routing components. The method distributes definitions of the plurality of routing components to first and second pluralities of computers to implement the distributed and centralized routing components.
H04L 41/0654 - Management of faults, events, alarms or notifications using network fault recovery
H04L 43/08 - Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
H04L 43/106 - Active monitoring, e.g. heartbeat, ping or trace-route, using time related information in packets, e.g. by adding timestamps
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 45/02 - Topology update or discovery
H04L 45/28 - Routing or path finding of packets in data switching networks using route fault recovery
H04L 49/25 - Routing or path-finding through a switch fabric
H04L 49/354 - Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
Some embodiments provide a method for implementing a logical router in a network. The method receives a definition of a logical router for implementation on a set of network elements. The method defines several routing components for the logical router. Each of the defined routing components includes a separate set of routes and separate set of logical interfaces. The method implements the several routing components in the network. In some embodiments, the several routing components include one distributed routing component and several centralized routing components.
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/24 - Arrangements for maintenance or administration
H04L 12/703 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, VRRP or HSRP
76.
METHOD FOR PROVIDING MULTI-TENANCY SUPPORT FOR RDMA
A method for providing multi-tenancy support for RDMA in a system that includes a plurality of physical hosts, each of which hosts a set of data compute nodes (DCNs). The method, at an RDMA protocol stack of a first host, receives a packet that includes a request from a first DCN hosted on the first host for an RDMA data transfer from a second DCN hosted on a second host. The method sends a set of parameters of an overlay network that are associated with the first DCN to an RDMA physical network interface controller (NIC) of the first host. The RDMA physical NIC uses the set of overlay network parameters to encapsulate the packet with an RDMA data transfer header and an overlay network header, and transfers the encapsulated packet to the second physical host over the overlay network.
A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify the relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree in which each node corresponds to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses the nodes of the search structure according to the queried IP address and collects all rules that are associated with the traversed nodes.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
In order to enable dynamic scaling of network services at the edge, novel systems and methods are provided to enable addition of new nodes or removal of existing nodes while retaining the affinity of the flows through the stateful services. The methods provide a cluster of network nodes that can be dynamically resized to handle and process network traffic that utilizes stateful network services. The existing traffic flows through the edge continue to function during and after the changes to membership of the cluster. All nodes in the cluster operate in active-active mode, i.e., they are receiving and processing traffic flows, thereby maximizing the utilization of the available processing power.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04L 12/715 - Hierarchical routing, e.g. clustered networks or inter-domain routing
H04L 12/743 - Address header processing for routing, e.g. lookup table, by hashing techniques
H04L 12/707 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, VRRP or HSRP, using path redundancy
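The hard requirement in the cluster abstract above is that existing flows keep landing on the node that holds their state while members are added or removed. The abstract does not name a mechanism; the following added example (not code from the page or from any product it describes) uses consistent hashing, which is one common way to meet that requirement, and contrasts it with a plain modulo hash that reshuffles most flows on every membership change. Node names and the sample 5-tuples are constructed.

```python
"""Flow affinity across cluster membership changes. Nodes are placed on a hash ring
with several virtual points each; the first point clockwise from a flow's hash owns
the flow. Adding a node moves only the flows it takes over; removing one moves only
the flows it owned. Consistent hashing is an assumed mechanism, not the page's."""
import bisect
import hashlib


def _h(s):
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


class ServiceCluster:
    """Active-active stateful-service nodes on a consistent-hash ring."""
    def __init__(self, nodes, vnodes=64):
        self.vnodes = vnodes
        self.ring = []            # sorted virtual-node positions
        self.owner = {}           # position -> node
        for n in nodes:
            self.add_node(n)

    def add_node(self, node):
        for i in range(self.vnodes):
            pos = _h(f"{node}#{i}")
            bisect.insort(self.ring, pos)
            self.owner[pos] = node

    def remove_node(self, node):
        self.ring = [p for p in self.ring if self.owner[p] != node]
        self.owner = {p: n for p, n in self.owner.items() if n != node}

    def node_for(self, flow):
        """First virtual node clockwise from the flow's hash owns the flow."""
        idx = bisect.bisect(self.ring, _h(flow)) % len(self.ring)
        return self.owner[self.ring[idx]]


def modulo_node_for(nodes, flow):
    """The naive alternative: node index = hash mod member count."""
    return sorted(nodes)[_h(flow) % len(nodes)]


def moved_fraction(before, after, flows):
    """Share of flows whose owner changed between two membership states."""
    return sum(1 for f in flows if before(f) != after(f)) / len(flows)


def sample_flows(n=2000):
    # Constructed 5-tuples; a real edge would key on the packet's actual headers.
    return [f"10.0.{i >> 8}.{i & 255}:{40000 + i}->203.0.113.5:443/tcp" for i in range(n)]
```

Going from four nodes to five, the ring moves roughly one flow in five (exactly those the new node takes over) while the modulo scheme moves about four in five; the flows that do not move keep hitting the node that already holds their connection state, which is what lets traffic continue through the resize.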
Some embodiments provide novel inline switches that distribute data messages from source compute nodes (SCNs) to different groups of destination service compute nodes (DSCNs). In some embodiments, the inline switches are deployed in the source compute nodes' datapaths (e.g., the egress datapath). The inline switches in some embodiments are service switches that (1) receive data messages from the SCNs, (2) identify service nodes in a service-node cluster for processing the data messages based on service policies that the switches implement, and (3) use tunnels to send the received data messages to their identified service nodes. Alternatively, or conjunctively, the inline service switches of some embodiments (1) identify a service-node cluster for processing the data messages based on service policies that the switches implement, and (2) use tunnels to send the received data messages to the identified service-node clusters. The service-node clusters can perform the same service or can perform different services in some embodiments. This tunnel-based approach for distributing data messages to service nodes/clusters is advantageous for seamlessly implementing in a datacenter a cloud-based XaaS model (where XaaS stands for X as a service, and X stands for anything), in which any number of services are provided by service providers in the cloud.
The advantages of a logical network implemented with hypervisors are well understood. However, it is still often necessary to provide bridging between a logical network (such as VXLAN) and a physical network (such as VLAN). This is particularly so when customers of network virtualization need L2-centric protocols on hybrid networks where logical networks and physical networks co-exist. Bridging also allows a seamless transition of L2-centric workloads into VMs on hypervisors.
H04L 12/931 - Switching fabric architecture
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
A method for load-balancing data messages that are sent by a source compute node to one or more different groups of destination compute nodes (DCNs) is provided. A load-balancer in the source compute node's egress datapath receives each data message sent from the source compute node and determines whether the data message is addressed to one of the DCN groups for which the load-balancer spreads the data traffic. When the received data message is not addressed to one of the load-balanced DCN groups, the load-balancer forwards the received data message to its addressed destination. When the received data message is addressed to one of the load-balancer's DCN groups, the load-balancer identifies a DCN in the addressed DCN group that should receive the data message, and directs the data message to the identified DCN by changing the destination address in the data message from the address of the addressed DCN group to the address of the identified DCN.
A system for network virtualization in which physical network resources in different physical contexts are configured to implement one or more distributed logical network elements, at least some of the physical network resources implementing the distributed logical network elements being configured according to the physical context of those network resources. The local configuration of a physical locale is a version of the logical configuration that is modified specifically for the physical locale. Such modification is based on locale identifiers that are assigned to the physical locales. Some systems use locale-specific information to modify next-hop preference. Some systems use locally modified configurations to determine the placement of VMs.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Graphical user interface (GUI) software; data processing equipment; computer software; application software for cloud computing services; computer interfaces; computer interface software; computer software platforms; apparatus for the collection, transmission, processing and storing of data; software for diagnostics and troubleshooting; computer software to enable the searching of data; software for searching and retrieving information across a computer network; compact discs; CD-Roms; none of the aforesaid relating to the gaming industry. Providing temporary use of non-downloadable graphical user interface (GUI) software, computer software, application software for cloud computing services, computer interfaces, computer interface software, computer software platforms, software for diagnostics and troubleshooting, computer software to enable the searching of data, software for searching and retrieving information across a computer network; development, implementation, and monitoring of graphical user interface (GUI) software, data processing equipment, computer software, application software for cloud computing services, computer interfaces, computer interface software, computer software platforms, apparatus for the collection, transmission, processing and storing of data, software for diagnostics and troubleshooting, computer software to enable the searching of data, software for searching and retrieving information across a computer network; cloud computing services; computer system monitoring services; platform as a Service [PaaS]; hosting platforms on the internet; programming of software for internet platforms; software as a service [SaaS]; design and development of computer software; installation and maintenance of computer software; technological services and research relating to computer software; consulting in the field of cloud computing networks and applications; rental of operating software for accessing and using a cloud computing network; programming of operating software for accessing and using a cloud computing network; providing temporary use of on-line non-downloadable operating software for accessing and using a cloud computing network; providing virtual computer systems and virtual computer environments through cloud computing; technical support services, namely, public and private cloud computing solutions; computer services, namely, remote and on-site management of cloud computing systems and applications for others; technical support services, namely, remote and onsite infrastructure management services for monitoring, administration and management of public and private cloud computing IT and application systems; provision of data processing equipment, namely rental and hiring out of data processing equipment; provision of apparatus for the collection, transmission, processing and storing of data, namely rental and hiring out of apparatus for the collection, transmission, processing and storing of data; information, advisory and consultancy services relating to all of the aforesaid; none of the aforesaid relating to the gaming industry.
84.
METHODS AND SYSTEMS TO OFFLOAD OVERLAY NETWORK PACKET ENCAPSULATION TO HARDWARE
A method for offloading packet encapsulation for an overlay network is provided. The method, at the virtualization software of a host, sends a mapping table of the overlay network to a physical network interface controller (NIC) associated with the host. The mapping table maps the identification of each of a set of virtual machines (VMs) of a tenant on the host to an identification of a tunnel on the overlay network. The method, at the virtualization software, receives a packet from a VM of the tenant. The method sends the packet to the physical NIC. The method, at the physical NIC, encapsulates the packet for transmission over the overlay network by using the mapping table. Before sending the packet to the physical NIC, the virtualization software also tags the packet as one that requires encapsulation for transmission in the overlay network.
H04L 12/24 - Arrangements for maintenance or administration
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
A novel method that uses the source port field in the transport or connection layer (L4) header to encode control plane information is provided. Specifically, the method encodes control plane information in the UDP or TCP source port field of data plane tunnels in an overlay network such as VXLAN. Network virtualization is implemented by a network controller over an overlay network on the physical fabric. The network controller provides a mapping table to the data plane hosts for mapping the encoded bits in the source port field to semantically richer information. The data plane hosts in turn use the encoded source-port bits and the mapping table to infer this semantically richer information. This semantically richer information is used to allow receivers of proxied traffic to learn the address of the original sender. The semantically richer information can also be used to enable ECMP for the transmitted packets.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/761 - Broadcast or multicast routing
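The source port has to serve two masters in the scheme above: it carries controller-assigned bits that the receiver resolves through the mapping table, and it is also the field that fabric switches hash for ECMP, so it must stay in the ephemeral range and still vary per flow. The following is an added example of one layout that satisfies both, not code from the page or from any product it describes: the port base, the 8/6 split between identifier and per-flow entropy bits, the CRC-based entropy function and the sample mapping table are all assumptions.

```python
"""Control-plane bits in the VXLAN UDP source port. The top bits carry a
controller-assigned identifier (here: which original sender a proxy is forwarding
for); the low bits carry per-flow entropy so that distinct flows still spread
across ECMP paths. Port base and bit layout are assumptions, not a standard."""
import struct
import zlib

VXLAN_PORT = 4789
PORT_BASE = 49152                      # dynamic/private port range: 49152-65535
ID_BITS, ENTROPY_BITS = 8, 6           # 14 bits total: PORT_BASE + 2**14 - 1 == 65535
ENTROPY_MASK = (1 << ENTROPY_BITS) - 1


def flow_entropy(src_ip, dst_ip, proto, sport, dport):
    """Hash the inner 5-tuple into the entropy bits (constructed, not a standard)."""
    return zlib.crc32(f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()) & ENTROPY_MASK


def encode_source_port(ident, entropy):
    if not 0 <= ident < (1 << ID_BITS):
        raise ValueError(f"identifier {ident} does not fit in {ID_BITS} bits")
    return PORT_BASE + (ident << ENTROPY_BITS) + (entropy & ENTROPY_MASK)


def decode_source_port(port):
    if not PORT_BASE <= port <= 65535:
        raise ValueError(f"source port {port} is outside the encoded range")
    return (port - PORT_BASE) >> ENTROPY_BITS


def udp_header(sport, dport, payload_len):
    # Length covers header + payload; checksum 0 means 'not computed' (permitted for IPv4).
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def source_port_of(datagram):
    return struct.unpack("!H", datagram[:2])[0]


class DataPlaneHost:
    def __init__(self, mapping_table):
        self.mapping = dict(mapping_table)      # ident -> richer info, pushed by the controller

    def send_proxied(self, original_sender_id, inner_flow, payload):
        """A proxy (e.g. a replicator) forwards on behalf of the original sender."""
        sport = encode_source_port(original_sender_id, flow_entropy(*inner_flow))
        return udp_header(sport, VXLAN_PORT, len(payload)) + payload

    def receive(self, datagram):
        sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
        if dport != VXLAN_PORT or length != len(datagram):
            raise ValueError("not a well-formed VXLAN datagram")
        info = self.mapping.get(decode_source_port(sport))
        if info is None:
            raise KeyError("unknown identifier in source port")
        return info, datagram[8:]
```

Two caveats a practitioner should keep in mind: the identifier space is only as large as the bits left over after the entropy field (256 senders here), and a receiver must treat an unmapped identifier as untrusted input rather than silently accepting whatever the fabric delivered.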
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide an encryption method for encrypting the data messages sent by the GVMs. The method determines whether it should encrypt a data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
A novel algorithm for packet classification that is based on a novel search structure for packet classification rules is provided. Addresses from all the containers are merged and maintained in a single Trie. Each entry in the Trie has additional information that can be traced back to the container from where the address originated. This information is used to keep the Trie in sync with the containers when the container definition dynamically changes.
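The distributed-firewall search structure and the merged container trie above are the same data structure seen from two sides: a binary prefix trie keyed on CIDR blocks, where a lookup walks the queried address bit by bit and collects the rules of every block on the path, and where each entry remembers which container it came from so that a container change can be applied without rebuilding the trie. The following is an added example serving both passages, not code from the page or from any product it describes; the container, rule and address values are constructed, and the code handles IPv4 only.

```python
"""Binary prefix trie over CIDR blocks with per-entry container provenance.
Each node stands for one CIDR block and carries (container, rule) entries. A
lookup collects the rules of every block containing the address, from /0 down to
the longest prefix present; a container update removes only that container's
entries, prunes emptied branches and re-inserts the new addresses. IPv4 only."""
import ipaddress


class Node:
    __slots__ = ("children", "entries")

    def __init__(self):
        self.children = [None, None]     # child for next address bit 0 / 1
        self.entries = []                # (container_id, rule_id) attached to this block


class PrefixTrie:
    def __init__(self):
        self.root = Node()               # root is 0.0.0.0/0
        self.container_rules = {}        # container_id -> rule ids referencing it

    @staticmethod
    def _bits(net):
        addr = int(net.network_address)
        return [(addr >> (31 - i)) & 1 for i in range(net.prefixlen)]

    def _node_for(self, net):
        node = self.root
        for b in self._bits(net):
            if node.children[b] is None:
                node.children[b] = Node()
            node = node.children[b]
        return node

    def add_container(self, container_id, cidrs, rule_ids):
        """Merge a container's addresses into the shared trie, tagging every entry
        with the container so it can be traced back later."""
        self.container_rules[container_id] = set(rule_ids)
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4:
                raise ValueError("example handles IPv4 only")
            self._node_for(net).entries.extend((container_id, r) for r in rule_ids)

    def lookup(self, ip):
        """Rules of every CIDR block containing `ip`, i.e. all nodes on the path."""
        value = int(ipaddress.ip_address(ip))
        node, rules = self.root, set()
        rules.update(r for _, r in node.entries)
        for i in range(32):
            node = node.children[(value >> (31 - i)) & 1]
            if node is None:
                break
            rules.update(r for _, r in node.entries)
        return sorted(rules)

    def update_container(self, container_id, new_cidrs):
        """Container definition changed: drop its old entries, keep the same rules."""
        rule_ids = self.container_rules.get(container_id, set())
        self._remove(self.root, container_id)
        self.add_container(container_id, new_cidrs, rule_ids)

    def _remove(self, node, container_id):
        node.entries = [e for e in node.entries if e[0] != container_id]
        for i, child in enumerate(node.children):
            if child is not None:
                self._remove(child, container_id)
                if not child.entries and child.children == [None, None]:
                    node.children[i] = None          # prune an emptied branch
```

A per-VM filter that only needs rules for its own addresses calls `lookup` once per address it protects and keeps the union; because the walk stops at the first missing child, the cost is bounded by the longest prefix in the trie rather than by the number of rules.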
A novel method for stateful packet classification that uses hardware resources (580) for performing stateless lookups and software resources (520) for performing stateful connection flow handshaking is provided. To classify an incoming packet from a network (590), some embodiments perform stateless look up operations for the incoming packet in hardware (580) and forward the result of the stateless look up to the software (520). The software (520) in turn uses the result of the stateless look up to perform the stateful connection flow handshaking and to determine the result of the stateful packet classification.
A novel method for performing replication of messages in a network that bridges one or more physical networks to an overlay logical network is provided. A physical gateway provides bridging between network nodes of a physical network and virtual machines in the overlay logical network by serving as an endpoint of the overlay logical network. The physical gateway does not replicate messages from the bridged physical network to destination endpoints in the overlay logical network directly, but instead tunnels the message-to-be-replicated to a designated tunnel endpoint in the overlay logical network. The designated tunnel endpoint in turn replicates the message that was tunneled to it to other endpoints in the overlay logical network.
A logical routing element (LRE) having multiple designated instances for routing packets from physical hosts (PH) to a logical network is provided. A PH in a network segment with multiple designated instances can choose among the multiple designated instances for sending network traffic to other network nodes in the logical network according to a load balancing algorithm. Each logical interface (LIF) of an LRE is defined to be addressable by multiple identifiers or addresses, and each LIF identifier or address is assigned to a different designated instance.
H04L 12/707 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, VRRP or HSRP, using path redundancy
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, using node redundancy, e.g. VRRP
H04L 12/931 - Switching fabric architecture
91.
DISTRIBUTED NETWORK ADDRESS TRANSLATION FOR CLOUD SERVICE ACCESS
A method for coordinating distributed network address translation (NAT) in a network within which several logical networks are implemented. The logical networks include several tenant logical networks and at least one service logical network that includes service virtual machines (VMs) accessed by VMs of the tenant logical networks. The method defines a group of replacement IP address and port number pairs. Each pair uniquely identifies a VM across all tenant logical networks, even where tenants reuse the same private address space. The method sends to at least one host that is hosting a VM of a particular tenant logical network a set of replacement IP address and port number pairs. The host uses a replacement IP address and port number pair to replace the source IP address and source port number in a packet sent from that tenant VM to a VM of the service logical network.
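The following is an added illustration of the scheme in the abstract above, not the patent's own code: a controller hands out (replacement IP, port) pairs so that each pair maps to exactly one tenant VM cluster-wide, pushes to each host only the pairs for the VMs it runs, and the host rewrites the source of packets bound for the service network and reverse-translates the replies. Two tenants deliberately reuse 10.0.0.5 to show why a per-VM pair is needed. All class names, addresses and packets are assumptions constructed for this example.

```python
"""Distributed SNAT for service-VM access (added example; not the patent's code).
Names, address pool and sample packets are all constructed for illustration."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, Optional, Tuple

VmId = Tuple[str, str]        # (tenant logical network, VM name)
NatPair = Tuple[str, int]      # (replacement IP, replacement port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tenant: str                # logical network the packet travels on


class NatController:
    """Owns the replacement pool; every pair identifies exactly one VM cluster-wide."""

    def __init__(self, replacement_ips, port_lo: int = 10000, port_hi: int = 10003):
        self._free = iter(product(replacement_ips, range(port_lo, port_hi + 1)))
        self._assigned: Dict[VmId, NatPair] = {}
        self._host_of: Dict[VmId, str] = {}

    def register_vm(self, tenant: str, vm: str, host: str) -> NatPair:
        vm_id = (tenant, vm)
        if vm_id not in self._assigned:
            try:
                self._assigned[vm_id] = next(self._free)
            except StopIteration:
                raise RuntimeError("replacement pool exhausted") from None
            self._host_of[vm_id] = host
        return self._assigned[vm_id]

    def pairs_for_host(self, host: str) -> Dict[VmId, NatPair]:
        """Only the pairs a given host needs: those of the VMs it runs."""
        return {v: p for v, p in self._assigned.items() if self._host_of[v] == host}

    def owner_of(self, pair: NatPair) -> Optional[VmId]:
        """Reverse lookup, e.g. for the service side to attribute a connection."""
        for vm_id, p in self._assigned.items():
            if p == pair:
                return vm_id
        return None


class HostNat:
    """Per-host data path: rewrites traffic from local tenant VMs to service VMs."""

    def __init__(self, host: str, tenant_vm_ips: Dict[VmId, str], service_prefix: str):
        self.host = host
        self.service_prefix = service_prefix             # e.g. "192.168.100."
        self._vm_ips = tenant_vm_ips                      # (tenant, vm) -> tenant-local IP
        self._snat: Dict[Tuple[str, str], NatPair] = {}  # (tenant, local IP) -> pair
        self._rev: Dict[NatPair, Tuple[str, str, int]] = {}  # pair -> (tenant, IP, port)

    def install(self, pairs: Dict[VmId, NatPair]) -> None:
        for vm_id, pair in pairs.items():
            self._snat[(vm_id[0], self._vm_ips[vm_id])] = pair

    def egress(self, pkt: Packet) -> Packet:
        if not pkt.dst_ip.startswith(self.service_prefix):
            return pkt                                    # tenant-internal: untouched
        pair = self._snat[(pkt.tenant, pkt.src_ip)]       # keyed by tenant, so 10.0.0.5 is unambiguous
        self._rev[pair] = (pkt.tenant, pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=pair[0], src_port=pair[1], tenant="service")

    def ingress(self, reply: Packet) -> Packet:
        tenant, ip, port = self._rev[(reply.dst_ip, reply.dst_port)]
        return replace(reply, dst_ip=ip, dst_port=port, tenant=tenant)


def demo():
    ctl = NatController(["203.0.113.1"])
    ctl.register_vm("tenant-a", "web", host="host1")
    ctl.register_vm("tenant-b", "db", host="host1")      # same private IP as tenant-a's web
    ctl.register_vm("tenant-a", "api", host="host2")

    h1 = HostNat("host1", {("tenant-a", "web"): "10.0.0.5",
                           ("tenant-b", "db"): "10.0.0.5"}, "192.168.100.")
    h1.install(ctl.pairs_for_host("host1"))

    out_a = h1.egress(Packet("10.0.0.5", 4444, "192.168.100.10", 443, "tenant-a"))
    out_b = h1.egress(Packet("10.0.0.5", 4444, "192.168.100.10", 443, "tenant-b"))
    # The service VM's reply is addressed to tenant-b's replacement pair.
    back = h1.ingress(Packet("192.168.100.10", 443, out_b.src_ip, out_b.src_port, "service"))
    return ctl, h1, out_a, out_b, back
```

Two things a practitioner should check against this sketch: the host rewrites only traffic whose destination is the service network, so tenant-internal traffic and the tenant's overlapping address space are never disturbed; and with a single pair per VM, two concurrent flows from the same VM to the same service endpoint would collide on the service side's 5-tuple, so a deployment would hand each VM a set of pairs (or a port range) rather than one, which the abstract's "set of replacement IP address and port number pairs" leaves room for.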
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Some embodiments provide a method for a network controller that manages a first logical router of a logical network that is implemented across several managed network elements. The method receives input data specifying a first route for a second logical router. Based on a connection between the first logical router and the second logical router in the logical network, the method dynamically generates a second route for the first logical router from the first route. The method distributes data to implement the first logical router, including the second route, to a set of the managed network elements.
H04L 12/751 - Topology update or discovery
H04L 12/24 - Arrangements for maintenance or administration
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, "virtual router redundancy protocol" [VRRP] or "hot standby router protocol" [HSRP], by node redundancy, e.g. VRRP
Some embodiments provide a network system. The network system includes a first set of host machines for hosting virtual machines that connect to each other through a logical network. The first set of host machines includes managed forwarding elements for forwarding data between the host machines. The network system includes a second set of host machines for hosting virtualized containers that operate as gateways for forwarding data between the virtual machines and an external network. At least one of the virtualized containers peers with at least one physical router in the external network in order to advertise addresses of the virtual machines to the physical router.
Methods and systems for discovering the path that network traffic takes from a source host to a destination host are disclosed. A method involves, at the source host, generating probe packets that carry the same load balancing parameters as the packets of an application that sends traffic from the source host to the destination host, together with a path discovery signature composed of bits from the network layer header, the transport layer header, or both. The method also involves transmitting the probe packets from the source host to the destination host. In some embodiments, the steps of the method are performed when program instructions contained in a computer-readable storage medium are executed by one or more processors.
Some embodiments provide a system that includes several host machines for hosting several virtual machines and a physical network for interconnecting the host machines. Each host machine includes a managed physical switching element (MPSE) with several ports for performing link layer forwarding of packets to and from a set of virtual machines running on the host machine. Each port is associated with a unique media access control (MAC) address. Each host machine also includes a managed physical routing element (MPRE) for receiving a data packet from a port of the MPSE and performing network layer routing in order to forward the received data packet from a first virtual machine on a first network segment to a second virtual machine on a second network segment.
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, "virtual router redundancy protocol" [VRRP] or "hot standby router protocol" [HSRP], by node redundancy, e.g. VRRP
96.
DYNAMICALLY GENERATING ENTRIES IN FLOW TABLES FROM ENTRIES HAVING WILDCARD FIELDS
Some embodiments of the invention provide a switching element that receives a packet and processes it by dynamically generating a flow entry with a set of wildcard fields. The switching element then caches the flow entry and uses it to process any subsequent packets whose header values match the flow entry's non-wildcard match fields. In generating the flow entry, the switching element initially wildcards some or all of the match fields and then un-wildcards each match field that was consulted or examined while processing the packet.
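An added example of the technique the abstract describes (not the patent's code, and not Open vSwitch's): the slow path classifies a packet against a priority-ordered rule table while recording every header field it read, then emits a cached flow whose match contains only those fields, leaving the rest wildcarded. The rule table, field names and packets are constructed for this example.

```python
"""Megaflow generation by wildcard tracking (added example; not the patent's
code). Rule table, field names and packet headers are constructed here."""
from typing import Dict, List, Set, Tuple

FIELDS = ("in_port", "eth_type", "ip_src", "ip_dst", "ip_proto", "tp_dst")
Header = Dict[str, object]

# Constructed rule table: (priority, match, action). Absent fields are wildcards.
RULES: List[Tuple[int, Dict[str, object], str]] = [
    (200, {"eth_type": 0x0806}, "normal"),                           # ARP
    (100, {"eth_type": 0x0800, "ip_proto": 6, "tp_dst": 22}, "drop"),  # block SSH
    (50,  {"eth_type": 0x0800, "ip_dst": "10.0.0.0/24"}, "output:2"),
    (0,   {}, "drop"),                                               # table miss
]


def _ip2int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _matches(field: str, want: object, have: object) -> bool:
    if have is None:
        return False
    if field in ("ip_src", "ip_dst") and "/" in str(want):
        net, bits = str(want).split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
        return _ip2int(str(have)) & mask == _ip2int(net) & mask
    return want == have


class TrackedHeader:
    """Records every field the classifier reads while choosing an action."""

    def __init__(self, hdr: Header):
        self._hdr = hdr
        self.consulted: Set[str] = set()

    def get(self, field: str) -> object:
        self.consulted.add(field)
        return self._hdr.get(field)


def slow_path(hdr: Header) -> Tuple[str, Header]:
    """Full lookup. Every field starts wildcarded; only the fields that were
    consulted are un-wildcarded, giving a megaflow that is safe to cache."""
    pkt = TrackedHeader(hdr)
    action = "drop"
    for _prio, match, act in sorted(RULES, key=lambda r: -r[0]):
        # all() short-circuits: fields after the first mismatch are never consulted
        if all(_matches(f, want, pkt.get(f)) for f, want in match.items()):
            action = act
            break
    megaflow = {f: hdr.get(f) for f in FIELDS if f in pkt.consulted}
    return action, megaflow


class DatapathCache:
    """Fast path: exact match on a megaflow's non-wildcard fields only."""

    def __init__(self) -> None:
        self.flows: List[Tuple[Header, str]] = []
        self.misses = 0

    def lookup(self, hdr: Header) -> Tuple[str, bool]:
        for mf, action in self.flows:
            if all(hdr.get(f) == v for f, v in mf.items()):
                return action, True                       # cache hit
        self.misses += 1
        action, mf = slow_path(hdr)
        self.flows.append((mf, action))
        return action, False


def pkt(**fields: object) -> Header:
    """Constructed packet header; fields not given are absent (None)."""
    return {f: fields.get(f) for f in FIELDS}
```

The correctness argument, and the security-relevant failure mode, is the same: a cached entry is valid only if every field that influenced the decision is part of its match. Because the classifier short-circuits on the first mismatching field of a higher-priority rule, an SSH packet produces a megaflow that wildcards `ip_dst`, while an HTTP packet to 10.0.0.0/24 produces one that wildcards `ip_src` and `in_port`; a fast path that forgot to track a consulted field would apply one packet's verdict to packets the policy treats differently.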
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 12/741 - Header address processing for routing, e.g. lookup table
H04L 12/935 - Switching interfaces, e.g. port details
97.
PROXY METHODS FOR SUPPRESSING BROADCAST TRAFFIC IN A NETWORK
Some embodiments use proxies on host devices to suppress broadcast traffic in a network. Each host in some embodiments executes one or more virtual machines (VMs). In some embodiments, a proxy operates on each host between each VM and the underlying network. For instance, in some of these embodiments, a VM's proxy operates between the VM and a physical forwarding element executing on the VM's host. The proxy monitors the VM's traffic and intercepts broadcast packets when it knows how to deal with them. The proxy connects to a set of one or more controllers that provide a directory service collecting and maintaining global information about the network. By connecting to the controller cluster, the proxy can obtain information that it can use to resolve broadcast requests locally. In some embodiments, the connection between the proxy and the controller cluster is encrypted and authenticated to enhance security. Also, in some embodiments, the connection is indirect, going through an agent that executes on the host device and connects the host's proxies with the controller cluster.
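As an added example of the proxy behaviour described above (not the patent's or any product's code): a per-VM proxy answers ARP requests from a controller-supplied directory when the target is known and lets the broadcast through otherwise. The sender-MAC check that drops requests claiming a MAC other than the VM's own is an extra check this example adds; the abstract does not describe it. The `Directory` class stands in for the controller cluster, and all names and addresses are constructed.

```python
"""Host-side ARP proxy backed by a controller directory (added example; not the
patent's code). Directory, proxy, MACs and IPs are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Directory:
    """Stands in for the controller cluster's global IP -> MAC view. In a real
    deployment this is only trustworthy over an authenticated channel: whoever
    can write it can answer ARP for any address on the tenant's behalf."""

    def __init__(self) -> None:
        self._ip_to_mac: Dict[str, str] = {}

    def learn(self, ip: str, mac: str) -> None:
        self._ip_to_mac[ip] = mac

    def lookup(self, ip: str) -> Optional[str]:
        return self._ip_to_mac.get(ip)


class ArpProxy:
    """Sits between one VM and the host's forwarding element."""

    def __init__(self, vm_mac: str, directory: Directory):
        self.vm_mac = vm_mac
        self.dir = directory
        self.stats = {"answered": 0, "forwarded": 0, "dropped": 0}

    def from_vm(self, pkt: Arp) -> Tuple[str, Optional[Arp]]:
        """Returns (disposition, packet): 'reply' goes back to the VM,
        'forward' goes on to the network, 'drop' goes nowhere."""
        if pkt.sender_mac != self.vm_mac:
            self.stats["dropped"] += 1            # extra anti-spoofing check (added here)
            return "drop", None
        if pkt.op != ARP_REQUEST:
            self.stats["forwarded"] += 1          # replies etc. are not the proxy's business
            return "forward", pkt
        mac = self.dir.lookup(pkt.target_ip)
        if mac is None:
            self.stats["forwarded"] += 1          # unknown target: let the broadcast through
            return "forward", pkt
        self.stats["answered"] += 1               # known target: broadcast suppressed
        reply = Arp(ARP_REPLY, mac, pkt.target_ip, pkt.sender_mac, pkt.sender_ip)
        return "reply", reply
```

Note the fallback: an unknown target is forwarded rather than dropped, so a stale directory degrades to ordinary broadcast behaviour instead of silently breaking connectivity. The flip side is that suppression only removes broadcasts the directory can resolve, so the controller's view must be kept current for the optimisation to bite.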
A process is performed by logical controller 2205, which sits at the top of the controller cluster hierarchy, receives trace requests from a user and generates trace packets. A command is received (1) to insert a test packet, marked for a trace operation and carrying specified source and destination addresses on a set of logical forwarding elements, into the physical network that implements those logical forwarding elements. Next, a packet is generated with the specified source and destination addresses. A tracing operation identifier may uniquely identify the particular trace operation issued by the logical controller. The generated packet is then sent (2) to a physical controller 2210 that manages the edge MFE (managed forwarding element) associated with the packet's source. The physical controller 2210 identifies the MFE 2090 into which to inject the packet. Physical controller 2210 may modify register bits for the packet at the MFE so as to simulate receipt of the packet through the appropriate physical port of the MFE, even though it actually arrived from the physical controller. Processing operations 2240 and 2245 result in MFE 2090 sending (4), (6) observations to the physical controller 2210. A set of analyses of observation messages is next received (5), (7), (9), (12), (14) from the physical controllers 2210, 2215 that manage the MFEs 2090, 2092 through which the trace packet passes (10). Finally, a report is generated from the received analyses and sent (15) to the requesting user.
Some embodiments provide a method for using headerspace analysis. The method receives several flow entries for distribution to a forwarding element in a network. Each flow entry includes a set of conditions to be matched by a packet header and a set of actions to perform on a packet that matches the set of conditions. The method models each of the flow entries as a function that operates on a representation of a packet header. The method determines a set of packet headers of packets to be received by the forwarding element. The method determines a set of the flow entries that are not matched by a packet header of any packet to be received by the forwarding element by applying the functions to representations of the identified set of packet headers.
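An added example of the analysis in the abstract above (not the patent's code): headers are modelled as ternary strings over a small assumed bit layout, each flow entry's match is applied to the header space that higher-priority entries have not already claimed, and an entry whose match never intersects that remaining space is reported as one no packet can reach. The constructed table contains a drop rule shadowed by a broader permit, the kind of mistake this analysis exists to catch. The 8-bit layout, the flow table and the input header set are assumptions for this example.

```python
"""Headerspace-style detection of unreachable flow entries (added example; not
the patent's code). The 8-bit header layout and the flow table are constructed."""
from typing import List, Optional, Tuple

Wc = str   # ternary wildcard string over the header bits: each char is '0', '1' or 'x'

# Assumed compact header layout: in_port (2 bits) | proto (2 bits) | dport (4 bits)
FIELDS = (("in_port", 2), ("proto", 2), ("dport", 4))
TCP, UDP = 1, 2


def wc(**kw: int) -> Wc:
    """Build a wildcard string; fields not given are fully wildcarded."""
    out = []
    for name, width in FIELDS:
        if name in kw:
            assert 0 <= kw[name] < (1 << width), f"{name} out of range"
            out.append(format(kw[name], f"0{width}b"))
        else:
            out.append("x" * width)
    return "".join(out)


def intersect(a: Wc, b: Wc) -> Optional[Wc]:
    """Headers matching both a and b, or None if the two are disjoint."""
    out = []
    for ca, cb in zip(a, b):
        if ca == "x":
            out.append(cb)
        elif cb == "x" or cb == ca:
            out.append(ca)
        else:
            return None
    return "".join(out)


def complement(a: Wc) -> List[Wc]:
    """Wildcard strings whose union is every header NOT matching a:
    one string per fixed bit of a, with that single bit flipped."""
    return ["x" * i + ("1" if c == "0" else "0") + "x" * (len(a) - i - 1)
            for i, c in enumerate(a) if c != "x"]


def subtract(space: List[Wc], b: Wc) -> List[Wc]:
    """space minus the headers matching b, as a union of wildcard strings."""
    out = []
    for a in space:
        for c in complement(b):
            i = intersect(a, c)
            if i is not None:
                out.append(i)
    return out


def dead_entries(entries: List[Tuple[int, Wc, str]],
                 inputs: List[Wc]) -> List[Tuple[int, str]]:
    """Apply entries highest priority first to the input header space. An entry
    whose match never intersects the still-unclaimed space can never be hit."""
    remaining = list(inputs)
    dead = []
    for prio, match, action in sorted(entries, key=lambda e: -e[0]):
        if all(intersect(s, match) is None for s in remaining):
            dead.append((prio, action))
        remaining = subtract(remaining, match)
    return dead


# Constructed table: the prio-100 drop is shadowed by the prio-200 permit, and
# prio 150 matches an in_port from which, per INPUTS, no packet ever arrives.
ENTRIES = [
    (300, wc(in_port=1, proto=TCP, dport=6), "drop"),
    (200, wc(proto=TCP), "output:2"),
    (150, wc(in_port=3), "output:3"),
    (100, wc(in_port=1, proto=TCP, dport=6), "drop"),
    (50,  wc(proto=UDP), "output:2"),
    (0,   wc(), "drop"),
]
INPUTS = [wc(in_port=1), wc(in_port=2)]   # only ports 1 and 2 receive packets
```

The representation is deliberately the simplest one that works: `subtract` can return overlapping pieces and the list grows with each entry, which is fine for an emptiness check on a toy header but is why production tools compress the space. The two findings differ in kind: the shadowed drop (priority 100) is dead regardless of traffic, whereas priority 150 is dead only under the stated assumption about which ports carry packets, so the input set must be chosen as carefully as the table.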
H04L 12/851 - Traffic-type related actions, e.g. quality of service or priority
H04L 12/713 - Prevention or recovery of routing failure, e.g. rerouting, route redundancy, "virtual router redundancy protocol" [VRRP] or "hot standby router protocol" [HSRP], by node redundancy, e.g. VRRP
100.
ENCAPSULATING DATA PACKETS USING AN ADAPTIVE TUNNELLING PROTOCOL
Some embodiments of the invention provide a novel method of tunneling data packets. The method establishes a tunnel between a first forwarding element and a second forwarding element. For each data packet directed to the second forwarding element from the first forwarding element, the method encapsulates the data packet with a header that includes a tunnel option. The method then sends the data packet from the first forwarding element to the second forwarding element through the established tunnel. In some embodiments, the data packet is encapsulated using a protocol that is adapted to change with different control plane implementations and the implementations' varying needs for metadata.