METHOD OF IDENTIFYING DESTINATION IN A VIRTUAL ENVIRONMENT

US 20110255538A1
Filed: 04/16/2010
Published: 10/20/2011
Est. Priority Date: 04/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

assigning a port profile to a first port group on a virtual switch executing on a computer server hosting a plurality of virtual machine instances, wherein the port profile includes a network traffic destination rule;

connecting a virtual network interface on each of the virtual machine instance to a port in the first port group; and

forwarding network traffic addressed to one of the virtual network interfaces based on the traffic destination rule.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for identifying destinations in a virtual network by defining virtual entities such as a port profile as the destination for network policies, such as redirect or span to be a logical set of ports (i.e., ports belonging to a port-profile or a port group) where the members of the set of ports may be added/removed dynamically without requiring any changes to the network policy. Further, a network administrator (or other user) may predefine the destinations for a network policy even before some or all of the destinations are active on a given virtualized system. In such cases, the network policies may go into effect when the required entities become available.

Citations

21 Claims

1. A method, comprising:
- assigning a port profile to a first port group on a virtual switch executing on a computer server hosting a plurality of virtual machine instances, wherein the port profile includes a network traffic destination rule;
  
  connecting a virtual network interface on each of the virtual machine instance to a port in the first port group; and
  
  forwarding network traffic addressed to one of the virtual network interfaces based on the traffic destination rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the traffic destination rule is a redirect rule specifying to redirect network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 3. The method of claim 2, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion prevention system (IPS), or the plurality of virtual machine instances connected to the ports in the first port group.
  - 4. The method of claim 1, wherein the traffic destination rule is a span rule specifying to copy network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 5. The method of claim 4, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion detection system (IDS), and a network traffic monitoring service for the plurality of virtual machine instances connected to the ports in the first port group.
  - 6. The method of claim 1, further comprising:
    - receiving, at the virtual switch, a frame addressed to one of the virtual network interfaces in the first port group;
      
      identifying the network traffic destination rule in the port profile associated with the first port group; and
      
      forwarding, by the virtual switch, the frame addressed to the virtual network interface based on the traffic destination rule.
  - 7. The method of claim 1, further comprising:
    - migrating one of the virtual machine instances from the computer server to a second computer server;
      
      connecting the virtual network interface on the migrated virtual machine instance to a port group on a virtual switch on the second computer server; and
      
      forwarding network traffic addressed to the migrated virtual network interface based on a second traffic destination rule associated the port group on the virtual switch on the second computer server.

8. A computing system, comprising:
- a processor; and
  
  a memory containing a virtualization program configured provide a virtual switch for a plurality of virtual machine instances on the computing system, the program, when executed on the processer, performs an operation comprising;
  
  assigning a port profile to a first port group on the virtual switch executing on the computing system, wherein the computing system hosts a plurality of virtual machine instances, and wherein the port profile includes a network traffic destination rule;
  
  connecting a virtual network interface on each of the virtual machine instance to a port in the first port group; and
  
  forwarding, by the virtual switch, network traffic addressed to one of the virtual network interfaces based on the traffic destination rule.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing system of claim 8, wherein the traffic destination rule is a redirect rule specifying to redirect network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 10. The computing system of claim 9, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion prevention system (IPS) for the plurality of virtual machine instances connected to the ports in the first port group.
  - 11. The computing system of claim 8, wherein the traffic destination rule is a span rule specifying to copy network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 12. The computing system of claim 11, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion detection system (IDS), and a network traffic monitoring service for the plurality of virtual machine instances connected to the ports in the first port group.
  - 13. The computing system of claim 8, wherein the operation further comprises:
    - receiving, at the virtual switch, a frame addressed to one of the virtual network interfaces in the first port group;
      
      identifying the network traffic destination rule in the port profile associated with the first port group; and
      
      forwarding, by the virtual switch, the frame addressed to the virtual network interface based on the traffic destination rule.
  - 14. The computing system of claim 8, wherein the operation further comprises:
    - migrating one of the virtual machine instances from the computer server to a second computer server;
      
      connecting the virtual network interface on the migrated virtual machine instance to a port group on a virtual switch on the second computer server; and
      
      forwarding network traffic addressed to the migrated virtual network interface based on a second traffic destination rule associated the port group on the virtual switch on the second computer server.

15. A computer-readable storage medium, containing a virtual switch program, which, when executed on a processor, performs an operation, comprising:
- assigning a port profile to a first port group on a virtual switch executing on a computer server hosting a plurality of virtual machine instances, wherein the port profile includes a network traffic destination rule;
  
  connecting a virtual network interface on each of the virtual machine instance to a port in the first port group; and
  
  forwarding network traffic addressed to one of the virtual network interfaces based on the traffic destination rule.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable storage medium of claim 15, wherein the traffic destination rule is a redirect rule specifying to redirect network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 17. The computer-readable storage medium of claim 16, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion prevention system (IPS) for the plurality of virtual machine instances connected to the ports in the first port group.
  - 18. The computer-readable storage medium of claim 15, wherein the traffic destination rule is a span rule specifying to copy network traffic addressed to one of the virtual network interfaces in the first port group to an active port in a second port group.
  - 19. The computer-readable storage medium of claim 18, wherein the active port in the second port group connects the virtual switch to a virtual machine instance providing at least one of a firewall service, an intrusion detection system (IDS), and a network traffic monitoring service for the plurality of virtual machine instances connected to the ports in the first port group.
  - 20. The computer-readable storage medium of claim 15, wherein the operation further comprises:
    - receiving, at the virtual switch, a frame addressed to one of the virtual network interfaces in the first port group;
      
      identifying the network traffic destination rule in the port profile associated with the first port group; and
      
      forwarding, by the virtual switch, the frame addressed to the virtual network interface based on the traffic destination rule.
  - 21. The computer-readable storage medium of claim 15, wherein the operation further comprises:
    - migrating one of the virtual machine instances from the computer server to a second computer server;
      
      connecting the virtual network interface on the migrated virtual machine instance to a port group on a virtual switch on the second computer server; and
      
      forwarding network traffic addressed to the migrated virtual network interface based on a second traffic destination rule associated the port group on the virtual switch on the second computer server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Swaminathan, Joseph Michaelsamy, Swaminathan, Ashwin Deepak, SRINIVASAN, UDAYAKUMAR, Sardar, Srinivas

Granted Patent

US 8,599,854 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 49/25   Routing or path finding in ...

H04L 49/65   Re-configuration of fast pa...

H04L 49/70   Virtual switches

METHOD OF IDENTIFYING DESTINATION IN A VIRTUAL ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF IDENTIFYING DESTINATION IN A VIRTUAL ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links