Private ethernet overlay networks over a shared ethernet in a virtual environment

US 9,900,410 B2
Filed: 11/18/2014
Issued: 02/20/2018
Est. Priority Date: 05/01/2006
Status: Active Grant

First Claim

Patent Images

1. A system for private networking within a virtual infrastructure, the system comprising:

a first virtual machine (VM) in a first host, the first VM being associated with a first virtual network interface card (VNIC);

a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of virtual machines that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;

a first filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the packet comprising a first header and a first payload, the encapsulation adding to the packet a second header and fence protocol data to a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and

a second filter in the second host that de-encapsulates the packet to extract the first header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.

331 Citations

20 Claims

1. A system for private networking within a virtual infrastructure, the system comprising:
- a first virtual machine (VM) in a first host, the first VM being associated with a first virtual network interface card (VNIC);
  
  a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of virtual machines that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
  
  a first filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the packet comprising a first header and a first payload, the encapsulation adding to the packet a second header and fence protocol data to a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
  
  a second filter in the second host that de-encapsulates the packet to extract the first header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as recited in claim 1, wherein a port in the second VNIC for the second VM is associated with a port fence identifier when a fence identifier for the port and the port fence identifier are the same.
  - 3. The system as recited in claim 2, wherein the second VNIC delivers the packet to the second VM when the port fence identifier is equal to the fence identifier and the port in the second VNIC is associated with the destination address in the packet.
  - 4. The system as recited in claim 1, further comprising:
    - a first distributed virtual switch between the first filter and a first physical NIC in the first host; and
      
      a second distributed virtual switch between the second filter and a second physical NIC in the first host.
  - 5. The system as recited in claim 1, wherein the first VM is associated with a third VNIC, and wherein the third VNIC is not a member of the first fenced group.
  - 6. The system as recited in claim 1, wherein the first VM is a member of more than one fenced group and the first VNIC cannot be a member of more than one fenced group.
  - 7. The system of claim 1, wherein the second VM is a clone of the first VM.

8. A method comprising:
- sending a packet from a first virtual network interface card (VNIC) associated with a first virtual machine (VM) in a first host, the packet comprising a first header and a first payload, the first VNIC and a second VNIC being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
  
  using a first filter in the first host, encapsulating the packet to include a second header and fence protocol data in a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
  
  using a second filter in the second host, de-encapsulating the packet to extract the second header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8, wherein a port in the second VNIC for the second VM is associated with a port fence identifier.
  - 10. The method as recited in claim 9, wherein the second VNIC delivers the packet to the second VM when the port fence identifier is equal to the fence identifier and the port in the second VNIC is associated with the destination address in the packet.
  - 11. The method as recited in claim 8, wherein the first VM is associated with a third VNIC, and wherein the third VNIC is a member of a second fenced group.
  - 12. The method as recited in claim 8, wherein a VNIC cannot be a member of more than one fenced group.
  - 13. The system as recited in claim 8, wherein each VNIC is associated with one layer 2 and one layer 3 address.

14. A non-transitory computer-readable storage medium, when executed by one or more processors, cause the one or more processors to perform the steps of:
- sending a packet from a first virtual network interface card (VNIC) associated with a first virtual machine (VM) in a first host, the packet comprising a first header and a first payload, the first VNIC and a second VNIC being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
  
  using a first filter in the first host, encapsulating the packet to include a second header and fence protocol data in a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
  
  using a second filter in the second host, de-encapsulating the packet to extract the second header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium as recited in claim 14, wherein a port in the second VNIC for the second VM is associated with a port fence identifier.
  - 16. The non-transitory computer-readable storage medium as recited in claim 15, wherein the second VNIC delivers the packet to the second VM when the port fence identifier is equal to the fence identifier and the port in the second VNIC is associated with the destination address in the packet.
  - 17. The non-transitory computer-readable storage medium as recited in claim 14, wherein the first VM is associated with a third VNIC, and wherein the third VNIC is a member of a second fenced group.
  - 18. The non-transitory computer-readable storage medium as recited in claim 14, wherein a VNIC cannot be a member of more than one fenced group.
  - 19. The non-transitory computer-readable storage medium as recited in claim 14, wherein each VNIC is associated with one layer 2 and one layer 3 address.
  - 20. The non-transitory computer-readable storage medium as recited in claim 14, wherein the second header comprises a new source address and a new destination address having a fence organizationally-unique-identifier, an installation identifier, and a host identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Dalal, Anupam
Primary Examiner(s)
Sciacca, Scott M

Application Number

US14/546,787
Publication Number

US 20150071301A1
Time in Patent Office

1,190 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/44   Distributed routing

H04L 45/66   Layer 2 routing, e.g. in Et...

H04L 49/70   Virtual switches

H04L 69/22   Parsing or analysis of headers

Private ethernet overlay networks over a shared ethernet in a virtual environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

331 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Private ethernet overlay networks over a shared ethernet in a virtual environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

331 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others