Media access control address translation in virtualized environments

US 9,894,037 B2
Filed: 08/08/2016
Issued: 02/13/2018
Est. Priority Date: 12/11/2009
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting network packets through a network security device, the method comprising:

receiving, by a first network device, a network packet from a first computing device to be sent over a network to a second computing device connected to a second network device, wherein the network includes the network security device and a network switch, and wherein the network packet includes a first interface identifier that identifies the first computing device as a source of the network packet and a second interface identifier that identifies the second computing device as a destination of the network packet;

translating, by the first network device, the second interface identifier of the network packet to a third interface identifier that identifies an interface connected to the network switch, wherein the network switch is located downstream from the network security device; and

transmitting the network packet from the first network device over the network through the network security device and through the network switch to the interface based on the third interface identifier.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a network device are provided to transmit network packets through a network security device. The method, performed by the network device, receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network device and the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

46 Citations

18 Claims

1. A method for transmitting network packets through a network security device, the method comprising:
- receiving, by a first network device, a network packet from a first computing device to be sent over a network to a second computing device connected to a second network device, wherein the network includes the network security device and a network switch, and wherein the network packet includes a first interface identifier that identifies the first computing device as a source of the network packet and a second interface identifier that identifies the second computing device as a destination of the network packet;
  
  translating, by the first network device, the second interface identifier of the network packet to a third interface identifier that identifies an interface connected to the network switch, wherein the network switch is located downstream from the network security device; and
  
  transmitting the network packet from the first network device over the network through the network security device and through the network switch to the interface based on the third interface identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the interface comprises an interface of the first network device connected to the network switch, and wherein transmitting the network packet comprises transmitting the network packet from the first network device over the network through the network security device and through the network switch back to the first network device based on the third interface identifier.
  - 3. The method of claim 2, further comprising, after receiving the network packet back from the network security device through the network switch:
    - translating, by the first network device, the third interface identifier of the network packet back to the second interface identifier that identifies the second computing device; and
      
      transmitting the network packet from the first network device over the network to the second computing device based on the second interface identifier.
  - 4. The method of claim 3, wherein the network packet bypasses the network security device when the network packet is transmitted from the first network device to the second computing device based on the second interface identifier.
  - 5. The method of claim 1, wherein the interface comprises an interface of the second network device connected to the network switch, and wherein transmitting the network packet comprises transmitting the network packet from the first network device over the network through the network security device and through the network switch to the second network device based on the third interface identifier.
  - 6. The method of claim 5, further comprising, after receiving the network packet from the network security device through the network switch:
    - translating, by the second network device, the third interface identifier of the network packet to the second interface identifier that identifies the second computing device connected to the second network device; and
      
      transmitting the network packet from the second network device directly to the second computing device based on the second interface identifier.
  - 7. The method of claim 1, further comprising requesting, by the first network device and from a controller in the network, the third interface identifier that identifies the interface connected to the network switch, wherein the controller maintains one or more interface identifiers for each network device in the network.
  - 8. The method of claim 1, wherein the network switch comprises a first network switch, and wherein the interface connected to the network switch comprises a first interface connected to the first network switch, the method further comprising:
    - translating, by the first network device, the first interface identifier of the network packet to a fourth interface identifier that identifies a second interface of the first network device connected to a second network switch; and
      
      transmitting the network packet from the second interface of the first network device over the network through the second network switch, the network security device, and the first network switch to the first interface based on the third and fourth interface identifiers.
  - 9. The method of claim 1, wherein the first network device comprises a first virtual firewall and the first computing device comprises a first virtual machine hosted by the first network device, and wherein the second network device comprises a second virtual firewall and the second computing device comprises a second virtual machine hosted by the second network device.

10. A first network device for transmitting network packets through a network security device, the first network device comprising:
- a memory; and
  
  at least one processor in communication with the memory and configured to;
  
  receive a network packet from a first computing device to be sent over a network to a second computing device connected to a second network device, wherein the network includes the network security device and a network switch, and wherein the network packet includes a first interface identifier that identifies the first computing device as a source of the network packet and a second interface identifier that identifies the second computing device as a destination of the network packet;
  
  translate the second interface identifier of the network packet to a third interface identifier that identifies an interface connected to the network switch, wherein the network switch is located downstream from the network security device; and
  
  transmit the network packet from the first network device over the network through the network security device and through the network switch to the interface based on the third interface identifier.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The first network device of claim 10, wherein the interface comprises an interface of the first network device connected to the network switch, and wherein the at least one processor of the first network device is configured to transmit the network packet from the first network device over the network through the network security device and through the network switch back to the first network device based on the third interface identifier.
  - 12. The first network device of claim 11, wherein the at least one processor is configured to, after receiving the network packet back from the network security device through the network switch:
    - translate the third interface identifier of the network packet back to the second interface identifier that identifies the second computing device; and
      
      transmit the network packet from the first network device over the network to the second computing device based on the second interface identifier.
  - 13. The first network device of claim 12, wherein the network packet bypasses the network security device when the network packet is transmitted from the first network device to the second computing device based on the second interface identifier.
  - 14. The first network device of claim 10, wherein the interface comprises an interface of the second network device connected to the network switch, and wherein the at least one processor of the first network device is configured to transmit the network packet from the first network device over the network through the network security device and through the network switch to the second network device based on the third interface identifier.
  - 15. The first network device of claim 10, wherein the at least one processor is configured to request, from a controller in the network, the third interface identifier that identifies the interface connected to the network switch, wherein the controller maintains one or more interface identifiers for each network device in the network.
  - 16. The first network device of claim 10, wherein the network switch comprises a first network switch, wherein the interface connected to the network switch comprises a first interface connected to the first network switch, and wherein the at least one processor of the first network device is configured to:
    - translate the first interface identifier of the network packet to a fourth interface identifier that identifies a second interface of the first network device connected to a second network switch; and
      
      transmit the network packet from the first interface of the first network device over the network through the second network switch, the network security device, and the first network switch to the first interface based on the third and fourth interface identifiers.
  - 17. The first network device of claim 10, wherein the first network device comprises a first virtual firewall and the first computing device comprises a first virtual machine hosted by the first network device, and wherein the second network device comprises a second virtual firewall and the second computing device comprises a second virtual machine hosted by the second network device.

18. A non-transitory computer-readable medium comprising instructions for transmitting network packets through a network security device that when executed cause at least one processor to:
- receive, by a first network device, a network packet from a first computing device to be sent over a network to a second computing device connected to a second network device, wherein the network includes the network security device and a network switch, and wherein the network packet includes a first interface identifier that identifies the first computing device as a source of the network packet and a second interface identifier that identifies the second computing device as a destination of the network packet;
  
  translate, by the first network device, the second interface identifier of the network packet to a third interface identifier that identifies an interface connected to the network switch, wherein the network switch is located downstream from the network security device; and
  
  transmit the network packet from the first network device over the network through the network security device and through the network switch to the interface based on the third interface identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Litvin, Moshe
Primary Examiner(s)
Shepperd, Eric W

Application Number

US15/231,514
Publication Number

US 20160352684A1
Time in Patent Office

554 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/72   Routing based on the source...

H04L 61/2596   Translation of addresses of...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Media access control address translation in virtualized environments

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Media access control address translation in virtualized environments

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links