Private ethernet overlay networks over a shared ethernet in a virtual environment
Abstract
A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.
331 Citations

Claims (20)
1. A system for private networking within a virtual infrastructure, the system comprising:

a first virtual machine (VM) in a first host, the first VM being associated with a first virtual network interface card (VNIC);
a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of virtual machines that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
a first filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the packet comprising a first header and a first payload, the encapsulation adding to the packet a second header and fence protocol data to a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
a second filter in the second host that de-encapsulates the packet to extract the first header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.

Dependent claims 2, 3, 4, 5, 6 and 7 are not shown.

8. A method comprising:

sending a packet from a first virtual network interface card (VNIC) associated with a first virtual machine (VM) in a first host, the packet comprising a first header and a first payload, the first VNIC and a second VNIC being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
using a first filter in the first host, encapsulating the packet to include a second header and fence protocol data in a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
using a second filter in the second host, de-encapsulating the packet to extract the second header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.

Dependent claims 9, 10, 11, 12 and 13 are not shown.

14. A non-transitory computer-readable storage medium, when executed by one or more processors, cause the one or more processors to perform the steps of:

sending a packet from a first virtual network interface card (VNIC) associated with a first virtual machine (VM) in a first host, the packet comprising a first header and a first payload, the first VNIC and a second VNIC being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network;
using a first filter in the first host, encapsulating the packet to include a second header and fence protocol data in a second payload, the second header consisting of a layer 2 header and the second payload comprising the fence protocol data, the first header, and the first payload, the fence protocol data comprising a fence identifier for the fenced group; and
using a second filter in the second host, de-encapsulating the packet to extract the second header and the fence identifier, wherein the second filter delivers the de-encapsulated packet to the second VNIC after validating that a destination address in the packet and the fence identifier correspond to the second VNIC.

Dependent claims 15, 16, 17, 18, 19 and 20 are not shown.
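The encapsulation and validation the claims describe, worked through as an added example (this is illustration code written for this page, not code from the patent or its assignee). The outer frame is a layer 2 header followed by fence protocol data and then the VM's original frame. The receiving filter delivers the inner frame only when both the fence identifier and the inner destination address correspond to the local VNIC. Everything concrete is an assumption of the example: the outer ethertype 0x88B5, a fence-data layout of one version byte plus a 4-byte fence identifier, and the constructed MAC addresses and topology.

```python
import struct

# Ethertype of the outer (second) header. The patent names no value; 0x88B5 is an
# IEEE 802 local-experimental ethertype chosen for this example.
ETHERTYPE_FENCE = 0x88B5
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
# Assumed fence protocol data layout: 1-byte version followed by a 4-byte fence id.
FENCE_DATA = struct.Struct("!BI")
FENCE_VERSION = 1


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def l2_header(dst, src, ethertype):
    """Build a 14-byte Ethernet header."""
    return dst + src + struct.pack("!H", ethertype)


def parse_l2(frame):
    """Split a frame into (dst, src, ethertype, payload); reject frames shorter than a header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


class Vnic:
    """A VNIC: its own MAC, the fence it belongs to, and the MAC of the host uplink carrying it."""

    def __init__(self, vnic_mac, fence_id, host_mac):
        self.mac = mac(vnic_mac)
        self.fence_id = fence_id
        self.host_mac = mac(host_mac)


def encapsulate(inner_frame, sender, dst_host_mac):
    """First filter: wrap the VM's frame (first header + first payload) in a second layer 2
    header followed by fence protocol data. The fence id comes from the sending VNIC's
    group membership, so the guest itself never chooses it."""
    outer = l2_header(dst_host_mac, sender.host_mac, ETHERTYPE_FENCE)
    fence_data = FENCE_DATA.pack(FENCE_VERSION, sender.fence_id)
    return outer + fence_data + inner_frame


def decapsulate(outer_frame, receiver):
    """Second filter: return (inner_frame, 'delivered') only when the fence id and the inner
    destination address both correspond to the receiving VNIC; otherwise (None, reason)
    and the frame is dropped."""
    _, _, ethertype, payload = parse_l2(outer_frame)
    if ethertype != ETHERTYPE_FENCE:
        return None, "not a fence frame"
    if len(payload) < FENCE_DATA.size + 14:
        return None, "truncated fence frame"
    version, fence_id = FENCE_DATA.unpack_from(payload)
    if version != FENCE_VERSION:
        return None, "unknown fence protocol version"
    inner = payload[FENCE_DATA.size:]
    inner_dst, _, _, _ = parse_l2(inner)
    # The fence is checked first: a VNIC outside the group never receives the inner
    # frame even when the inner destination MAC happens to equal its own.
    if fence_id != receiver.fence_id:
        return None, "fence id mismatch"
    if inner_dst != receiver.mac and inner_dst != BROADCAST:
        return None, "destination address mismatch"
    return inner, "delivered"


def demo():
    """Constructed topology: a and b share fence 7 on two hosts; c sits on b's host with
    the same MAC as b but in fence 9; d is in fence 7 with a different MAC."""
    a = Vnic("02:00:00:00:00:01", 7, "00:50:56:aa:00:01")
    b = Vnic("02:00:00:00:00:02", 7, "00:50:56:aa:00:02")
    c = Vnic("02:00:00:00:00:02", 9, "00:50:56:aa:00:02")
    d = Vnic("02:00:00:00:00:03", 7, "00:50:56:aa:00:02")
    inner = l2_header(b.mac, a.mac, ETHERTYPE_IPV4) + b"constructed payload"
    wire = encapsulate(inner, a, b.host_mac)
    results = {name: decapsulate(wire, v)[1] for name, v in (("b", b), ("c", c), ("d", d))}
    results["roundtrip"] = decapsulate(wire, b)[0] == inner
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The ordering of the two checks matters for the isolation property: checking the fence identifier before the destination address means a VNIC outside the fenced group is refused even when a guest in another fence reuses the same MAC, which is exactly the case the claims guard against with the phrase "VNICs outside the fenced group do not have direct access".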