VIRTUAL GROUP POLICY BASED FILTERING WITHIN AN OVERLAY NETWORK
First Claim
1. A method for managing packet filtering in an overlay network, comprising:
receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
3 Assignments
0 Petitions
Abstract
A virtual switch, connected to at least one virtual machine of multiple virtual machines communicatively connected through an overlay network, receives a data packet. Each of the virtual machines is configured within a separate one of multiple virtual groups in the overlay network, and the data packet comprises a packet header comprising at least one address. In response to an address resolution request for the at least one address, the virtual switch receives from at least one address resolution service a virtual group identifier for the at least one address together with a resolved address for it. The virtual switch sends the data packet to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for the particular virtual group identified by that virtual group identifier.
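The forwarding decision the abstract describes (resolve the destination, get back both a resolved address and a virtual group identifier, forward only if the switch's policy allows that group) is easier to reason about in code. The following Python is an added illustration written for this page; it is not code from the patent or its assignee. The directory shape, the policy shape (sender's group maps to the set of destination groups it may reach), the port-to-group mapping, the addresses and the group labels are all assumptions made for the example.

```python
"""Virtual-group policy filtering at a virtual switch (constructed example).

Added illustration, not code from the patent or its assignee. The directory
shape, policy shape, addresses and group labels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source overlay address as claimed in the packet header
    dst: str        # destination overlay address the switch must resolve
    payload: bytes = b""


@dataclass(frozen=True)
class Resolution:
    resolved_addr: str   # where the packet is actually sent (e.g. a tunnel endpoint)
    vgroup: str          # virtual group identifier of the destination


class AddressResolutionService:
    """Assumed directory: overlay address -> (resolved address, virtual group)."""

    def __init__(self, table: Dict[str, Tuple[str, str]]):
        self._table = dict(table)

    def resolve(self, addr: str) -> Optional[Resolution]:
        entry = self._table.get(addr)
        return Resolution(*entry) if entry else None


class VirtualSwitch:
    """Forwards a packet only if the destination's group is allowed for the sender's group."""

    def __init__(self, resolver: AddressResolutionService,
                 policy: Dict[str, Set[str]], ports: Dict[str, str]):
        self.resolver = resolver
        self.policy = policy      # sender's virtual group -> destination groups it may reach
        self.ports = ports        # ingress port -> virtual group of the VM attached there
        self.cache: Dict[str, Resolution] = {}
        self.log: List[Tuple[str, str, str]] = []

    def forward(self, ingress_port: str, pkt: Packet) -> Optional[str]:
        """Return the resolved address the packet is sent to, or None if dropped."""
        # The sender's group comes from the port the VM is attached to, never from
        # the header: a VM can forge pkt.src, but it cannot choose its ingress port.
        src_group = self.ports.get(ingress_port)
        if src_group is None:
            self.log.append(("drop", "unknown-ingress-port", pkt.dst))
            return None

        # Address resolution returns both the resolved address and the group id.
        res = self.cache.get(pkt.dst)
        if res is None:
            res = self.resolver.resolve(pkt.dst)
            if res is None:
                # Fail closed: without a group identifier there is no policy decision.
                self.log.append(("drop", "unresolved", pkt.dst))
                return None
            self.cache[pkt.dst] = res

        # The policy decision is keyed on the group identifier the resolver returned.
        if res.vgroup not in self.policy.get(src_group, set()):
            self.log.append(("drop", f"policy:{src_group}->{res.vgroup}", pkt.dst))
            return None

        self.log.append(("send", f"{src_group}->{res.vgroup}", res.resolved_addr))
        return res.resolved_addr

    def invalidate(self, addr: str) -> None:
        """Drop a cached resolution, e.g. when a VM migrates or changes group."""
        self.cache.pop(addr, None)


def build_demo_switch() -> VirtualSwitch:
    # Constructed topology with three groups (web, app, db); addresses are assumptions.
    resolver = AddressResolutionService({
        "10.0.0.10": ("192.168.100.3", "web"),
        "10.0.1.10": ("192.168.100.5", "app"),
        "10.0.2.10": ("192.168.100.7", "db"),
    })
    policy = {"web": {"app"}, "app": {"app", "db"}, "db": set()}
    ports = {"port1": "web", "port2": "app"}
    return VirtualSwitch(resolver, policy, ports)


def run_demo() -> Dict[str, Optional[str]]:
    sw = build_demo_switch()
    return {
        "web_to_app": sw.forward("port1", Packet("10.0.0.10", "10.0.1.10")),
        "web_to_db": sw.forward("port1", Packet("10.0.0.10", "10.0.2.10")),
        "app_to_db": sw.forward("port2", Packet("10.0.1.10", "10.0.2.10")),
        # Header claims an app source address, but the packet enters on the web port.
        "spoofed_src": sw.forward("port1", Packet("10.0.1.10", "10.0.2.10")),
        "unresolved": sw.forward("port1", Packet("10.0.0.10", "10.0.9.9")),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12s} -> {result}")
```

Two points a practitioner should take from the example. First, the filter is only as trustworthy as the (address, group) binding the resolution service hands back, so in a deployment the query channel has to be authenticated and cached bindings invalidated when a VM migrates or is reassigned; the `invalidate` method stands in for that. Second, the sender's group must be derived from something the VM cannot forge (its attachment point), not from the source address in the header, which is why the spoofed-source case above is still dropped.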
85 Citations
20 Claims
1. A method for managing packet filtering in an overlay network (independent claim; full text reproduced under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for managing packet filtering in an overlay network, comprising:
one or more processors;
a memory coupled to at least one of the processors;
a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions of:
receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A computer program product for managing packet filtering in an overlay network, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by a computer system to:
receive, by a computer system, a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
receive, by the computer system, at the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
send, by the computer system, the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
Dependent claims: 19, 20.
Specification