Asymmetric connection with external networks

US 10,063,458 B2
Filed: 10/31/2013
Issued: 08/28/2018
Est. Priority Date: 10/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing a network for a network controller the method comprising:

configuring a first managed forwarding element in the network, operating in a host machine that hosts a virtual machine belonging to a particular logical network and connected to the managed network through the first managed forwarding element, to implement a first logical port of a logical router of the particular logical network, the first logical port used only for egress traffic directed outside of the managed network, the first managed forwarding element implementing the first logical port by connecting directly to a physical network element outside of the managed network in order to send egress traffic directly to the physical network element without the egress traffic passing through any intervening managed forwarding elements in the managed network; and

configuring a second managed forwarding element in the managed network to implement a second logical port of the logical router, the second logical port used for both ingress traffic received from outside the managed network and egress traffic directed outside the managed network, wherein the second managed forwarding element receives ingress traffic addressed to the first virtual machine directly from the physical network element and transmits said ingress traffic to the first managed forwarding element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a system that allows for the use of direct host return ports (abbreviated “DHR ports”) on managed forwarding elements to bypass gateways in managed networks. The DHR ports provide a direct connection from certain managed forwarding elements in the managed network to remote destinations that are external to the managed network. Managed networks can include both a logical abstraction layer and physical machine layer. At the logical abstraction layer, the DHR port is treated as a port on certain logical forwarding elements. The DHR port transmits the packet to the routing tables of the physical layer machine that hosts the logical forwarding element without any intervening transmission to other logical forwarding elements. The routing tables of the physical layer machine then strip any logical context associated with a packet and forwarding the packet to the remote destination without any intervening forwarding to a physical gateway provider.

Citations

21 Claims

1. A method for managing a network for a network controller the method comprising:
- configuring a first managed forwarding element in the network, operating in a host machine that hosts a virtual machine belonging to a particular logical network and connected to the managed network through the first managed forwarding element, to implement a first logical port of a logical router of the particular logical network, the first logical port used only for egress traffic directed outside of the managed network, the first managed forwarding element implementing the first logical port by connecting directly to a physical network element outside of the managed network in order to send egress traffic directly to the physical network element without the egress traffic passing through any intervening managed forwarding elements in the managed network; and
  
  configuring a second managed forwarding element in the managed network to implement a second logical port of the logical router, the second logical port used for both ingress traffic received from outside the managed network and egress traffic directed outside the managed network, wherein the second managed forwarding element receives ingress traffic addressed to the first virtual machine directly from the physical network element and transmits said ingress traffic to the first managed forwarding element.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the second managed forwarding element is a gateway that handles ingress and egress traffic between the managed network and the external network.
  - 3. The method of claim 1, wherein the first managed forwarding element only receives ingress traffic sent by the physical network element and addressed to the first virtual machine from the second managed forwarding element.
  - 4. The method of claim 1, wherein the physical network element is a router.

5. A non-transitory machine readable medium storing a program which when executed by at least one processing unit of a host machine implements a first managed forwarding element to implement a logical network in a managed network, the program comprising sets of instructions for:
- receiving a first packet from a second managed forwarding element, wherein the second managed forwarding element received the first packet from a particular source through a physical network element outside of the managed network and performed logical processing on the first packet as having received the first packet at a first logical port of a logical router, the first logical port used for both ingress traffic received from outside the managed network and egress traffic directed outside the managed network;
  
  transmitting the first packet from the first managed forwarding element to a virtual machine hosted at the host machine;
  
  receiving a second packet from the virtual machine, wherein the second packet has a destination address of the particular source of the first packet;
  
  performing logical processing on the second packet to logically send the packet to a second logical port of the logical router that is used only for egress traffic directed outside of the managed network; and
  
  based on the logical processing, transmitting the second packet directly from the first managed forwarding element to the physical network element via a connection, to which the second logical port of the logical router maps, between the host machine and the physical network element that does not include any intervening managed forwarding elements.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The non-transitory machine readable medium of claim 5, wherein the logical network implemented by the first managed forwarding element comprises a logical switch to which the virtual machine connects and the logical router with two logical ports for traffic between the virtual machine and an external network behind which the particular source is located, wherein the logical network is implemented by managed forwarding elements on several physical host machines.
  - 7. The non-transitory machine readable medium of claim 5, wherein the second managed forwarding element implements a logical gateway of the logical network, wherein the logical gateway acts as a means of egress from the managed network to an external network and a means of ingress to the managed network from the external network.
  - 8. The non-transitory machine readable medium of claim 5, wherein the host machine hosts a plurality of virtual machines connecting to a plurality of different logical networks.
  - 9. The non-transitory machine readable medium of claim 5, wherein the physical network element is a router.
  - 10. The non-transitory machine readable medium of claim 5, wherein the set of instructions for transmitting the second packet directly to the physical network element comprises a set of instructions for sending the second packet from the first managed forwarding element to an IP stack of the host machine, wherein the IP stack comprises a routing table that sends the packet to the physical network element.
  - 11. The non-transitory machine readable medium of claim 10, wherein the routing table is configured with static routes.

12. A method for a managed forwarding element that operates in a host machine to implement a logical network within a managed network, the method comprising:
- at the first managed forwarding element, receiving a first packet from a second managed forwarding element, wherein the second managed forwarding element received the first packet from a particular source through a physical network element outside of the managed network and performed logical processing on the first packet as having received the first packet at a first logical port of a logical router, the first logical port used for both ingress traffic received from outside the managed network and egress traffic directed outside the managed network;
  
  transmitting the first packet from the first managed forwarding element to a virtual machine hosted at a host machine;
  
  at the first managed forwarding element, receiving a second packet from the virtual machine, wherein the second packet has a destination address of the particular source of the first packet;
  
  performing logical processing on the second packet to logically send the packet to a second logical port of the logical router that is used only for egress traffic directed outside of the managed network; and
  
  based on the logical processing, transmitting the second packet directly from the first managed forwarding element to the physical network element via a connection, to which the second logical port of the logical router maps, between the host machine and the physical network element that does not include any intervening managed forwarding elements.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, wherein the logical network implemented by the first managed forwarding element comprises a logical switch to which the virtual machine connects and the logical router with two logical ports for traffic between the virtual machine and an external network behind which the particular source is located.
  - 14. The method of claim 13, wherein the logical router includes a third logical port to which the logical switch connects.
  - 15. The method of claim 14, wherein the second managed forwarding element performed logical processing on the first packet by identifying the second logical port as a logical ingress port for the first packet and using a destination address of the first packet to identify the third logical port that corresponds to the logical switch as a logical egress port of the logical router for the first packet.
  - 16. The method of claim 14, wherein performing logical processing on the second packet comprises:
    - identifying the third logical port as a logical ingress port of the logical router for the second packet; and
      
      identifying the second logical port as a logical egress port of the logical router for the second packet based on (i) a destination address of the second packet not mapping to any subnet connected to the logical router and (ii) a source address of the second packet matching a set of source addresses that use the second logical port for egress traffic,wherein transmitting the second packet comprises, based on the identification of the logical egress port of the logical router, removing logical information from the second packet and sending the packet to an IP stack that operates on the host machine.
  - 17. The method of claim 16, wherein the IP stack comprises routing tables for routing the second packet to the physical network element.
  - 18. The method of claim 12, wherein the second managed forwarding element operates on a host machine that does not host virtual machines and provides L3 gateways for several logical networks.
  - 19. The method of claim 12, wherein the logical network is implemented by a plurality of managed forwarding elements on a plurality of different host machines that each receive packets from sources outside the managed network via the second managed forwarding element and transmit packets to the sources outside the managed network directly via connections between the host machines and the physical network element.
  - 20. The method of claim 12, wherein communication between the virtual machine and the particular source is initiated by the virtual machine.
  - 21. The method of claim 12, wherein communication between the virtual machine and the particular source is initiated by the particular source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Zhang, Ronghua, Gross, IV, Jesse E.
Primary Examiner(s)
Rivas, Salvador E

Application Number

US14/068,658
Publication Number

US 20150103838A1
Time in Patent Office

1,762 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/467   Arrangements for supporting...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/38   Flow based routing

H04L 45/60   Router architectures

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 49/351   for local area network [LAN...

H04L 63/0236   Filtering by address, proto...

H04L 67/1074   for supporting data block t...

H04Q 11/0005   Switch and router aspects

Asymmetric connection with external networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Asymmetric connection with external networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links