VIRTUAL GROUP POLICY BASED FILTERING WITHIN AN OVERLAY NETWORK

US 20150195137A1
Filed: 01/06/2014
Published: 07/09/2015
Est. Priority Date: 01/06/2014
Status: Active Grant

First Claim

Patent Images

1. A method for managing packet filtering in an overlay network, comprising:

receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;

receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and

sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual switch connected to at least one virtual machine of multiple virtual machines communicatively connected through an overlay network, receives a data packet, each of the virtual machines configured within a separate one of multiple virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address. The virtual switch receives a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address. The virtual switch sends the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier.

85 Citations

View as Search Results

20 Claims

1. A method for managing packet filtering in an overlay network, comprising:
- receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
  
  receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
  
  sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address, further comprises:
    - receiving the data packet at the virtual switch operating within a hypervisor layer of a host machine for managing a selection of the plurality of virtual machines hosted by the host machine.
  - 3. The method according to claim 1, wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address, further comprises:
    - receiving the data packet at the virtual switch connected to at least one virtual machine of the plurality of virtual machines communicative connected through the overlay network, wherein a plurality of host machines hosting the plurality of virtual machines pass data packets to one another through a physical infrastructure comprising a plurality of network routes, a plurality of network switches, and the plurality of host machines connected via a plurality of network connections, wherein a distributed policy service of the overlay network manages a plurality of policies for specifying a plurality of logical tunnels each comprising a particular path through a portion of the physical infrastructure between a separate pair of the plurality of virtual machines, wherein each of the host machines sends a data packet through a particular logical tunnel from among the plurality of logical tunnels by encapsulating the data packet with a tunnel header specifying the particular path and by forwarding the data packet through the tunnel header using a tunnel protocol.
  - 4. The method according to claim 1,wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address further comprises receiving the data packet as a unicast data packet at the virtual switch from a source virtual machine with the at least one address in the packet header comprising a destination virtual internet protocol address for a particular destination virtual machine;
    - wherein receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address further comprises receiving the virtual group identifier for the particular destination virtual machine; and
      
      wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises allowing the virtual switch to encapsulate the data packet with a tunnel header with a physical path through a tunnel of a physical infrastructure of the overlay network to a host system hosting the particular destination virtual machine, wherein the host system decapsulates the encapsulated data packet by removing the tunnel header and forwards the data packet to the particular destination virtual machine from among a plurality of virtual machines hosted by the host system.
  - 5. The method according to claim 1,wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address further comprises receiving the data packet at the virtual switch as a multicast data packet sent by a source virtual machine with the at least one address in the packet header comprising a destination virtual internet protocol address for a multicast internet protocol address;
    - wherein receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address further comprises receiving the virtual group identifier for the source virtual machine; and
      
      wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises allowing the virtual switch to forward the data packet to each of a selection of virtual machines from among the plurality of virtual machines associated with a second virtual group from among the plurality of virtual groups, wherein the virtual switch resides on a host system that hosts the selection of virtual machines in the second virtual group.
  - 6. The method according to claim 1, wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises:
    - accessing the filtering policy for communications between the virtual group identifier and a second virtual group identifier assigned to the second virtual group configured through the virtual switch.
  - 7. The method according to claim 1, wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises:
    - sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed and a type of data packet transmission of the data packet is allowed according the filtering policy applied by the virtual switch for the particular group identified by the virtual group identifier, wherein the type of data packet transmission comprises one of a unicast data packet or a multicast data packet, wherein the filtering policy specified a first policy for the virtual group identifier for the unicast data packet and a second policy for the virtual group identifier for the multicast data packet.
  - 8. The method according to claim 1, wherein receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address further comprises:
    - sending an endpoint and group address resolution request for the at least one address from the virtual switch to a local module comprising an address and group resolution module;
      
      determining, by the address and group resolution module where the at least one address is resolved in a local table stored by the address and group resolution module with entries identifying physical addresses and a virtual group identifier associated with a virtual internet protocol address;
      
      responsive to the address and group resolution module not resolving the at least one address in the local table, sending an overlay address and group resolution request to a distributed policy service that maintains a central address, policy and group table for the overlay network comprising a separate entry for each virtual internet protocol address within the overlay network and associated physical addresses and virtual group identifier; and
      
      responsive to the address and group resolution module not resolving the at least one address through the distributed policy service, sending a multicast address resolution protocol request to resolve the at least one address within the overlay network.
  - 9. The method according to claim 1, further comprising:
    - responsive to the virtual group identifier not being allowed according to the filtering policy applied by the virtual switch for the particular virtual group identified by the virtual group identifier, dropping the data packet.

10. A system for managing packet filtering in an overlay network, comprising:
- one or more processors;
  
  a memory coupled to at least one of the processors;
  
  a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions of;
  
  receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
  
  receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
  
  sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system according to claim 10, wherein the processors perform additional actions comprising:
    - receiving the data packet at the virtual switch operating within a hypervisor layer of a host machine for managing a selection of the plurality of virtual machines hosted by the host machine.
  - 12. The system according to claim 10, wherein the processors perform additional actions comprising:
    - receiving the data packet at the virtual switch connected to at least one virtual machine of the plurality of virtual machines communicative connected through the overlay network, wherein a plurality of host machines hosting the plurality of virtual machines pass data packets to one another through a physical infrastructure comprising a plurality of network routes, a plurality of network switches, and the plurality of host machines connected via a plurality of network connections, wherein a distributed policy service of the overlay network manages a plurality of policies for specifying a plurality of logical tunnels each comprising a particular path through a portion of the physical infrastructure between a separate pair of the plurality of virtual machines, wherein each of the host machines sends a data packet through a particular logical tunnel from among the plurality of logical tunnels by encapsulating the data packet with a tunnel header specifying the particular path and by forwarding the data packet through the tunnel header using a tunnel protocol.
  - 13. The system according to claim 10, wherein the processors perform additional actions comprising:
    - wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address further comprises receiving the data packet as a unicast data packet at the virtual switch from a source virtual machine with the at least one address in the packet header comprising a destination virtual internet protocol address for a particular destination virtual machine;
      
      wherein receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address further comprises receiving the virtual group identifier for the particular destination virtual machine; and
      
      wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises allowing the virtual switch to encapsulate the data packet with a tunnel header with a physical path through a tunnel of a physical infrastructure of the overlay network to a host system hosting the particular destination virtual machine, wherein the host system decapsulates the encapsulated data packet by removing the tunnel header and forwards the data packet to the particular destination virtual machine from among a plurality of virtual machines hosted by the host system.
  - 14. The system according to claim 10, wherein the processors perform additional actions comprising:
    - wherein receiving a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address further comprises receiving the data packet at the virtual switch as a multicast data packet sent by a source virtual machine with the at least one address in the packet header comprising a destination virtual internet protocol address for a multicast internet protocol address;
      
      wherein receiving, by the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address further comprises receiving the virtual group identifier for the source virtual machine; and
      
      wherein sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups further comprises allowing the virtual switch to forward the data packet to each of a selection of virtual machines from among the plurality of virtual machines associated with a second virtual group from among the plurality of virtual groups, wherein the virtual switch resides on a host system that hosts the selection of virtual machines in the second virtual group.
  - 15. The system according to claim 10, wherein the processors perform additional actions comprising:
    - accessing the filtering policy for communications between the virtual group identifier and a second virtual group identifier assigned to the second virtual group configured through the virtual switch.
  - 16. The system according to claim 10, wherein the processors perform additional actions comprising:
    - sending the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed and a type of data packet transmission of the data packet is allowed according the filtering policy applied by the virtual switch for the particular group identified by the virtual group identifier, wherein the type of data packet transmission comprises one of a unicast data packet or a multicast data packet, wherein the filtering policy specified a first policy for the virtual group identifier for the unicast data packet and a second policy for the virtual group identifier for the multicast data packet.
  - 17. The system according to claim 10, wherein the processors perform additional actions comprising:
    - responsive to the virtual group identifier not being allowed according to the filtering policy applied by the virtual switch for the particular virtual group identified by the virtual group identifier, dropping the data packet.

18. A computer program product for managing packet filtering in an overlay network, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by a computer system to:
- receive, by a computer system, a data packet at a virtual switch connected to at least one virtual machine of a plurality of virtual machines communicatively connected through an overlay network, each of the plurality of virtual machines configured within a separate one of a plurality of virtual groups in the overlay network, the data packet comprising a packet header comprising at least one address;
  
  receive, by the computer system, at the virtual switch, a virtual group identifier for the at least one address from at least one address resolution service returning the virtual group identifier and a resolved address for the at least one address, in response to an address resolution request for the at least one address; and
  
  send, by the computer system, the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed according to a filtering policy applied by the virtual switch for a particular virtual group identified by the virtual group identifier of the plurality of virtual groups.
- View Dependent Claims (19, 20)
- - 19. The computer program product according to claim 18, further comprising the program code executable by the computer system to:
    - access, by the computer system, the filtering policy for communications between the virtual group identifier and a second virtual group identifier assigned to the second virtual group configured through the virtual switch.
  - 20. The computer program product according to claim 18, further comprising the program code executable by the computer system to:
    - send, by the computer system, the data packet through the virtual switch to the resolved address only if the virtual group identifier is allowed and a type of data packet transmission of the data packet is allowed according the filtering policy applied by the virtual switch for the particular group identified by the virtual group identifier, wherein the type of data packet transmission comprises one of a unicast data packet or a multicast data packet, wherein the filtering policy specified a first policy for the virtual group identifier for the unicast data packet and a second policy for the virtual group identifier for the multicast data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo Global Technologies International Ltd. (Lenovo Group Ltd.)
Original Assignee
Lenovo Enterprise Solutions (Singapore) Pte., Ltd. (Lenovo Group Ltd.)
Inventors
KASHYAP, VIVEK, SAMUDRALA, SRIDHAR, STEVENS, DAVID L. Jr.

Granted Patent

US 10,135,687 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/185   with management of multicas...

H04L 12/1886   with traffic restrictions f...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 45/16   Multipoint routing

H04L 61/103   across network layers, e.g....

H04L 61/5069   for group communication, mu...

VIRTUAL GROUP POLICY BASED FILTERING WITHIN AN OVERLAY NETWORK

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUAL GROUP POLICY BASED FILTERING WITHIN AN OVERLAY NETWORK

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links