Media access control address translation in virtualized environments

US 9,413,719 B2
Filed: 12/28/2015
Issued: 08/09/2016
Est. Priority Date: 12/11/2009
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting network packets through a network security device, the method comprising:

receiving, by a first virtual firewall (VF) of a first network device, a network packet from a first virtual machine (VM) hosted by the first network device to be sent over a network to a second VM hosted by a second network device, wherein the network comprises the network security device, a first network switch on a first side of the network security device, and a second network switch on a second side of the network security device, and wherein the network packet comprises a first medium access control (MAC) address identifying the first VM and a second MAC address identifying the second VM;

translating, by the first VF, the first MAC address of the network packet to a third MAC address for the first VM hosted by the first network device, wherein the third MAC address belongs to a first network interface connected to the first network switch on the first side of the network security device;

translating, by the first VF, the second MAC address of the network packet to a fourth MAC address for the second VM hosted by the second network device, wherein the fourth MAC address belongs to a second network interface connected to the second network switch on the second side of the network security device; and

transmitting the network packet from the first VF of the first network device over the network through the first network switch, the network security device, and the second network switch to a second VF of the second network device hosting the second VM based on the third MAC address and the fourth MAC address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

44 Citations

View as Search Results

19 Claims

1. A method for transmitting network packets through a network security device, the method comprising:
- receiving, by a first virtual firewall (VF) of a first network device, a network packet from a first virtual machine (VM) hosted by the first network device to be sent over a network to a second VM hosted by a second network device, wherein the network comprises the network security device, a first network switch on a first side of the network security device, and a second network switch on a second side of the network security device, and wherein the network packet comprises a first medium access control (MAC) address identifying the first VM and a second MAC address identifying the second VM;
  
  translating, by the first VF, the first MAC address of the network packet to a third MAC address for the first VM hosted by the first network device, wherein the third MAC address belongs to a first network interface connected to the first network switch on the first side of the network security device;
  
  translating, by the first VF, the second MAC address of the network packet to a fourth MAC address for the second VM hosted by the second network device, wherein the fourth MAC address belongs to a second network interface connected to the second network switch on the second side of the network security device; and
  
  transmitting the network packet from the first VF of the first network device over the network through the first network switch, the network security device, and the second network switch to a second VF of the second network device hosting the second VM based on the third MAC address and the fourth MAC address.
- View Dependent Claims (2, 3, 4, 5, 6, 12)
- - 2. The method of claim 1, further comprising requesting, by the first VF and from a VF controller in the network, the third MAC address that belongs to the first network interface connected to the first network switch on the first side of the network security device for the first VM hosted by the first network device, and the fourth MAC address that belongs to the second network interface connected to the second network switch on the second side of the network security device for the second VM hosted by the second network device, wherein the VF controller maintains one MAC address belonging to the first side of the network security device and another MAC address belonging to the second side of the network security device for each VM in the network.
  - 3. The method of claim 1, wherein the first MAC address identifying the first VM comprises a source address of the network packet, and wherein the second MAC address identifying the second VM comprises a destination address of the network packet.
  - 4. The method of claim 1, wherein the first MAC address identifying the first VM belongs to the first network interface and the second MAC address identifying the second VM belongs to a third network interface, both belonging to the first side of the network security device, and wherein the network packet bypasses the network security device when the network packet is transmitted from the first VM hosted by the first network device to the second VM hosted by the second network device based on the first MAC address and the second MAC address.
  - 5. The method of claim 1, wherein the network security device comprises an intrusion prevention system (IPS) device.
  - 6. The method of claim 1, wherein the first network device comprises a first server having the first VF and hosting the first VM, and wherein the second network device comprises a second server having the second VF and hosting the second VM.
  - 12. The network device of claim 6, wherein the network device comprises a first server executing the first VF and hosting the first VM, and wherein the another network device comprises a second server executing the second VF and hosting the second VM.

7. A network device for transmitting network packets through a network security device, the network device comprising:
- a memory; and
  
  at least one processor in communication with the memory and configured to;
  
  host a first virtual machine (VM); and
  
  execute a first virtual firewall (VF), the first VF configured to;
  
  receive a network packet from the first VM to be sent over a network to a second VM hosted by another network device, wherein the network comprises the network security device, a first network switch on a first side of the network security device, and a second network switch on a second side of the network security device, and wherein the network packet comprises a first medium access control (MAC) address identifying the first VM and a second MAC address identifying the second VM,translate the first MAC address of the network packet to a third MAC address for the first VM hosted by the network device, wherein the third MAC address belongs to a first network interface connected to the first network switch on the first side of the network security device,translate the second MAC address of the network packet to a fourth MAC address for the second VM hosted by the another network device, wherein the fourth MAC address belongs to a second network interface connected to the second network switch on the second side of the network security device, andtransmit the network packet over the network through the first network switch, the network security device, and the second network switch to a second VF of the another network device hosting the second VM based on the third MAC address and the fourth MAC address.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The network device of claim 7, wherein the first VF is configured to request, from a VF controller in the network, the third MAC address that belongs to the first network interface connected to the first network switch on the first side of the network security device for the first VM hosted by the network device, and the fourth MAC address that belongs to the second network interface connected to the second network switch on the second side of the network security device for the second VM hosted by the another network device, wherein the VF controller maintains one MAC address belonging to the first side of the network security device and another MAC address belonging to the second side of the network security device for each VM in the network.
  - 9. The network device of claim 7, wherein the first MAC address identifying the first VM comprises a source address of the network packet, and wherein the second MAC address identifying the second VM comprises a destination address of the network packet.
  - 10. The network device of claim 7, wherein the first MAC address identifying the first VM belongs to the first network interface and the second MAC address identifying the second VM belongs to a third network interface, both belonging to the first side of the network security device, and wherein the network packet bypasses the network security device when the network packet is transmitted from the first VM hosted by the network device to the second VM hosted by the another network device based on the first MAC address and the second MAC address.
  - 11. The network device of claim 7, wherein the network security device comprises an intrusion prevention system (IPS) device.

13. A system for transmitting network packets through a network security device, the system comprising:
- the network security device comprising;
  
  a memory and at least one processor;
  
  a first network switch on a first side of the network security device;
  
  a second network switch on a second side of the network security device;
  
  a first network device including a first virtual firewall (VF) and hosting a first virtual machine (VM); and
  
  a second network switch including a second VF and hosting a second VM, wherein the first VF of the first network device is configured to;
  
  receive a network packet from the first VM to be sent over a network to the second VM hosted the second network device, wherein the network packet comprises a first medium access control (MAC) address identifying the first VM and a second MAC address identifying the second VM,translate the first MAC address of the network packet to a third MAC address for the first VM hosted by the first network device, wherein the third MAC address belongs to a first network interface connected to the first network switch on the first side of the network security device,translate the second MAC address of the network packet to a fourth MAC address for the second VM hosted by the another network device, wherein the fourth MAC address belongs to a second network interface connected to the second network switch on the second side of the network security device, andtransmit the network packet over the network through the first network switch, the network security device, and the second network switch to a second VF of the second network device hosting the second VM based on the third MAC address and the fourth MAC address.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the second VF of the second network device is configured to:
    - receive the network packet from the first VF of the first network device, wherein the network packet comprises the third MAC address and the fourth MAC address;
      
      translate the third MAC address of the network packet to the first MAC address identifying the first VM hosted by the first network device;
      
      translate the fourth MAC address of the network packet to the second MAC address identifying the second VM hosted by the second network device; and
      
      pass the network packet to the second VM based on the second MAC address.
  - 15. The system of claim 13, further comprising a VF controller configured to maintain one MAC address belonging to the first side of the network security device and another MAC address belonging to the second side of the network security device for each VM in the network, wherein the first VF is configured to:
    - request from the VF controller the third MAC address that belongs to the first network interface connected to the first network switch on the first side of the network security device for the first VM hosted by the first network device; and
      
      request from the VF controller the fourth MAC address that belongs to the second network interface connected to the second network switch on the second side of the network security device for the second VM hosted by the second network device.
  - 16. The system of claim 13, wherein the first MAC address identifying the first VM comprises a source address of the network packet, and wherein the second MAC address identifying the second VM comprises a destination address of the network packet.
  - 17. The system of claim 13, wherein the first MAC address identifying the first VM belongs to the first network interface and the second MAC address identifying the second VM belongs to a third network interface, both belonging to the first side of the network security device, and wherein the network packet bypasses the network security device when the network packet is transmitted from the first VM hosted by the first network device to the second VM hosted by the second network device based on the first MAC address and the second MAC address.
  - 18. The system of claim 13, wherein the network security device comprises an intrusion prevention system (IPS) device.
  - 19. The system of claim 13, wherein the first network device comprises a first server executing the first VF and hosting the first VM, and wherein the second network device comprises a second server executing the second VF and hosting the second VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Litvin, Moshe
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/980,110
Publication Number

US 20160134589A1
Time in Patent Office

225 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/72   Routing based on the source...

H04L 61/2596   Translation of addresses of...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Media access control address translation in virtualized environments

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Media access control address translation in virtualized environments

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others