Sharing of firewall rules among multiple workloads in a hypervisor

    Publication number: US11310202B2

    Publication date: 2022-04-19

    Application number: US16352577

    Filing date: 2019-03-13

    Applicant: VMware, Inc.

    Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.
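The index-table / rules-table split described in the abstract, as an added example (not code from the patent or from VMware): one shared rules table keyed by integer references, one ordered index table per workload, first match wins, and a workload that shares a rule with another workload gets a second reference rather than a second copy. The rule fields, the packet representation, the sample rules and the workload names are constructed for this illustration. The example also covers the two failure modes a practitioner would check: a workload with no index table (fail closed) and an index entry that points at a rule no longer in the shared table (treated as an error rather than skipped).

```python
"""Shared rules table with per-workload index tables (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None matches any port
    action: str           # "allow" or "drop"

    def matches(self, pkt: dict) -> bool:
        """Compare the packet's attributes to this rule's match fields."""
        if self.src != "any" and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return True


# Rules table shared by every firewall instance on the hypervisor:
# each distinct rule is stored once, keyed by an integer reference.
RULES_TABLE: dict = {
    1: Rule("any", "any", "tcp", 22, "allow"),            # SSH from anywhere
    2: Rule("10.0.0.0/8", "any", "tcp", 3306, "allow"),   # MySQL from internal
    3: Rule("10.0.0.0/8", "any", "any", None, "allow"),   # any internal traffic
    4: Rule("any", "any", "any", None, "drop"),           # cleanup rule
}

# Per-workload index tables: ordered references into RULES_TABLE.
# Order matters, since the first matching rule decides the verdict.
INDEX_TABLES: dict = {
    "web-1": [1, 3, 4],
    "web-2": [1, 3, 4],   # same policy as web-1 without a second copy of the rules
    "db-1":  [2, 4],      # MySQL from internal only, no SSH
}


def evaluate(workload: str, pkt: dict) -> str:
    """Return the action of the first referenced rule that matches the packet."""
    refs = INDEX_TABLES.get(workload)
    if refs is None:
        return "drop"  # a workload with no index table fails closed
    for ref in refs:
        rule = RULES_TABLE.get(ref)
        if rule is None:
            # Dangling reference: the shared table and this index table were
            # updated out of step. Refuse to guess rather than skip the entry.
            raise KeyError(f"{workload}: index references missing rule {ref}")
        if rule.matches(pkt):
            return rule.action
    return "drop"  # nothing matched: fail closed


def attach_rule(workload: str, rule: Rule, position: int = 0) -> int:
    """Give a workload a rule, reusing the shared copy if an identical rule exists.

    Returns the reference inserted into the workload's index table.  Note the
    insertion position: appending after the cleanup rule would never match.
    """
    for ref, existing in RULES_TABLE.items():
        if existing == rule:
            break
    else:
        ref = max(RULES_TABLE, default=0) + 1
        RULES_TABLE[ref] = rule
    INDEX_TABLES.setdefault(workload, []).insert(position, ref)
    return ref
```

Because `Rule` is a frozen dataclass, identical rules compare equal, which is what lets `attach_rule` find the existing shared entry instead of allocating a new one.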

    ROUTE ADVERTISEMENT TO SUPPORT DISTRIBUTED GATEWAY SERVICES ARCHITECTURE

    Publication number: US20220038379A1

    Publication date: 2022-02-03

    Application number: US16941462

    Filing date: 2020-07-28

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a novel network architecture for advertising routes in an availability zone (e.g., a datacenter providing a set of hardware resources). The novel network architecture, in some embodiments, also provides a set of distributed services at the edge of a virtual private cloud (VPC) implemented in the availability zone (e.g., using the hardware resources of a datacenter) at a set of host computers in the AZ. The novel network architecture includes a set of route servers for receiving advertisements of network addresses (e.g., internet protocol (IP) addresses) as being available in the availability zone (AZ) from different routers in the AZ. The route servers also advertise the received network addresses to other routers in the AZ. In some embodiments, the other routers include routers executing on host computers in the AZ and gateway devices of the availability zone.

    POLICY-BASED FORWARDING TO A LOAD BALANCER OF A LOAD BALANCING CLUSTER

    Publication number: US20220030060A1

    Publication date: 2022-01-27

    Application number: US16938733

    Filing date: 2020-07-24

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method for forwarding data messages between a client and a server (e.g., between client and server machines and/or applications). In some embodiments, the method receives a data message that a load balancer has directed from a particular client to a particular server after selecting the particular server from a set of several candidate servers for the received data message's flow. The method stores an association between an identifier associated with the load balancer and a flow identifier associated with the message flow, and then forwards the received data message to the particular server. The method subsequently uses the load balancer identifier in the stored association to forward to the particular load balancer a data message that is sent by the particular server. The method of some embodiments is implemented by an intervening forwarding element (e.g., a router) between the load balancer set and the server set.
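The association the abstract describes, as an added example (not code from the patent or from VMware): the forwarding element between the load-balancer set and the servers records, for each client-to-server flow, which load balancer the request came through; when the server replies, it reverses the five-tuple, finds the entry and returns the reply to that same load balancer instead of re-hashing. The flow key, the load-balancer identifiers, the addresses and the idle timeout are constructed for this illustration; the timeout is the caveat a practitioner adds so that the association table does not grow without bound, and the hash fallback shows what happens without the stored state.

```python
"""Return-path forwarding to the load balancer that handled the request."""
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Flow:
    """Five-tuple identifying a flow in one direction."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class Forwarder:
    """Forwarding element sitting between the load balancers and the servers."""

    def __init__(self, lb_ids: list, idle_timeout: float = 60.0):
        self.lb_ids = lb_ids
        self.idle_timeout = idle_timeout
        # client->server flow -> (load balancer identifier, last time seen)
        self.assoc: dict = {}

    def from_load_balancer(self, flow: Flow, lb_id: str, now: float) -> tuple:
        """A load balancer has picked a server for this flow.  Remember which
        load balancer, then forward the message to the chosen server."""
        self.assoc[flow] = (lb_id, now)
        return ("server", flow.dst_ip)

    def from_server(self, flow: Flow, now: float) -> tuple:
        """Reply traffic: look up the association via the reversed five-tuple."""
        key = flow.reverse()
        entry = self.assoc.get(key)
        if entry is not None and now - entry[1] <= self.idle_timeout:
            lb_id, _ = entry
            self.assoc[key] = (lb_id, now)   # refresh the idle timer
            return ("lb", lb_id)
        # Unknown or expired: drop any stale entry and fall back to a
        # stateless choice, which is exactly what a plain router would do.
        self.assoc.pop(key, None)
        return ("lb", self.stateless_choice(key))

    def stateless_choice(self, key: Flow) -> str:
        """Hash-based pick.  Whenever this disagrees with the load balancer the
        request actually went through, the reply reaches a load balancer that
        holds no state for the flow."""
        digest = zlib.crc32(repr(key).encode())
        return self.lb_ids[digest % len(self.lb_ids)]
```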

    COMMON CONNECTION TRACKER ACROSS MULTIPLE LOGICAL SWITCHES

    Publication number: US20210218623A1

    Publication date: 2021-07-15

    Application number: US16742663

    Filing date: 2020-01-14

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.
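The interface-pairing and identifier-to-engine mapping in the abstract, as an added example (not code from the patent or from VMware): an edge device with several north/south interface pairs, where the identifier carried in each message (called `seg` here) selects the service engine, so both directions of a flow land on the same connection tracker even when they arrive on different interfaces, and the egress interface is always the one paired with the ingress interface. The interface names, the message fields and the policy inside the engine (new connections allowed south-to-north only, north-to-south only if established) are constructed for this illustration. The last assertion in the test shows why the selection must be by identifier and not by five-tuple alone: two segments with overlapping address space do not see each other's state.

```python
"""Stateful service with per-identifier engines behind paired interfaces."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Msg:
    seg: str        # identifier carried by the message; selects the service engine
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def conn_key(self) -> tuple:
        """Direction-independent connection key for the tracker."""
        a = (self.src, self.sport)
        b = (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


class StatefulEngine:
    """One service engine instance: a connection tracker plus a simple policy.
    Connections may be opened from south (logical network) to north only;
    north-to-south messages must belong to an established connection."""

    def __init__(self) -> None:
        self.established: set = set()

    def process(self, msg: Msg, direction: str) -> str:
        key = msg.conn_key()
        if key in self.established:
            return "allow"
        if direction == "south-to-north":
            self.established.add(key)
            return "allow"
        return "drop"


class EdgeDevice:
    def __init__(self, pairs: dict) -> None:
        # pairs: north interface -> south interface.  Store both directions so
        # the egress interface is always the one paired with the ingress.
        self.peer = dict(pairs)
        self.peer.update({south: north for north, south in pairs.items()})
        self.north = set(pairs)
        self.engines: dict = {}

    def engine_for(self, ident: str) -> StatefulEngine:
        # One engine per identifier, shared by every interface on the device.
        return self.engines.setdefault(ident, StatefulEngine())

    def receive(self, ingress: str, msg: Msg) -> tuple:
        """Return (verdict, egress interface or None)."""
        if ingress not in self.peer:
            raise KeyError(f"unknown interface {ingress}")
        direction = "north-to-south" if ingress in self.north else "south-to-north"
        verdict = self.engine_for(msg.seg).process(msg, direction)
        egress: Optional[str] = self.peer[ingress] if verdict == "allow" else None
        return (verdict, egress)
```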

    Runtime information transfer between kernel modules

    Publication number: US11036405B2

    Publication date: 2021-06-15

    Application number: US16124208

    Filing date: 2018-09-07

    Applicant: VMware, Inc.

    Abstract: Example methods and systems are provided for a computer system to transfer runtime information between a first kernel module and a second kernel module. In one example, the method may comprise assigning ownership of a memory pool to the first kernel module; and the first kernel module accessing the memory pool to store runtime information associated with one or more operations performed by the first kernel module. The method may also comprise releasing ownership of the memory pool from the first kernel module while maintaining the runtime information in the memory pool; and assigning ownership of the memory pool to the second kernel module. The second kernel module may then access the memory pool to obtain the runtime information stored by the first kernel module.

    DISTRIBUTED INLINE PROXY
    Type: Invention application

    Publication number: US20200177691A1

    Publication date: 2020-06-04

    Application number: US16207031

    Filing date: 2018-11-30

    Applicant: VMware, Inc.

    Abstract: In some embodiments, a first proxy is instantiated on the first computing device and receives packets that are intercepted by a hypervisor. The packets are sent between a workload and another device, and the proxy includes a first session between the proxy and the other device and a second session between the proxy and the workload. State information is extracted for the packets that are sent in the first session or the second session at the first proxy and the state information is stored. The first computing device migrates the workload to a second computing device. When the workload is migrated to the second computing device, the state information for the workload is migrated to a second proxy that is instantiated on the second computing device. The second proxy then resumes the first session with the other device and the second session with the workload using the state information.

    Distributed deep packet inspection
    Type: Granted invention patent

    Publication number: US10277482B2

    Publication date: 2019-04-30

    Application number: US14945334

    Filing date: 2015-11-18

    Applicant: VMware, Inc.

    Abstract: Exemplary methods, apparatuses, and systems receive a copy of or make a copy of one or more packets of a flow of packets between a source and a destination. While or after the one or more packets are forwarded to the destination, the content of the packets is compared to a policy to determine if the flow of packets triggers a policy response. A map of devices within a datacenter cluster of devices is maintained and used to select one or more available devices when packet inspection is distributed.

    METHOD AND SYSTEM FOR SERVICE SWITCHING USING SERVICE TAGS
    Type: Invention application (status: pending, published)

    Publication number: US20160087888A1

    Publication date: 2016-03-24

    Application number: US14960441

    Filing date: 2015-12-07

    Applicant: VMware, Inc.

    Abstract: The disclosure herein describes a system, which provides service switching in a datacenter environment. The system can include a service switching gateway, which can identify a service tag associated with a received packet. During operation, the service switching gateway determines a source client, a requested service, or both for the packet based on the service tag, identifies a corresponding service portal based on the service tag, and forwards the packet toward the service portal. The service switching gateway can optionally maintain a mapping between the service tag and one or more of: a source client, a required service, the service portal, and a tunnel encapsulation. The service switching gateway can encapsulate the packet based on an encapsulation mechanism supported by the service portal and forward the packet based on the mapping.


    Method and system for service switching using service tags
    Type: Granted invention patent (status: in force)

    Publication number: US09225638B2

    Publication date: 2015-12-29

    Application number: US13891025

    Filing date: 2013-05-09

    Applicant: VMware, Inc.

    Abstract: The disclosure herein describes a system, which provides service switching in a datacenter environment. The system can include a service switching gateway, which can identify a service tag associated with a received packet. During operation, the service switching gateway determines a source client, a requested service, or both for the packet based on the service tag, identifies a corresponding service portal based on the service tag, and forwards the packet toward the service portal. The service switching gateway can optionally maintain a mapping between the service tag and one or more of: a source client, a required service, the service portal, and a tunnel encapsulation. The service switching gateway can encapsulate the packet based on an encapsulation mechanism supported by the service portal and forward the packet based on the mapping.
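The service switching gateway described in this entry and in the earlier application with the same abstract, as one added example (not code from the patents or from VMware): the gateway extracts the service tag from a packet, looks up the tag in its mapping to recover the source client, the requested service, the service portal and the tunnel encapsulation the portal supports, and encapsulates the packet accordingly. The tag format (`client:service`), the portal records, the two encapsulation mechanisms and all addresses are constructed for this illustration. Untagged packets and tags with no mapping are dropped rather than forwarded by default; since the gateway acts entirely on the tag, the tag has to be applied by a trusted element upstream, not by the client itself.

```python
"""Service switching driven by a per-packet service tag (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceTag:
    client: str    # source client the tag identifies
    service: str   # service the packet is requesting


@dataclass(frozen=True)
class Portal:
    name: str
    address: str
    encap: str     # "vxlan" or "gre" in this illustration
    encap_id: int  # VNI for vxlan, key for gre


class ServiceSwitchingGateway:
    def __init__(self, mapping: dict) -> None:
        # One record per tag: the client and service are the key, the portal
        # and its encapsulation are the value.
        self.mapping = mapping

    @staticmethod
    def extract_tag(pkt: dict) -> Optional[ServiceTag]:
        raw = pkt.get("service_tag")
        if not raw or raw.count(":") != 1:
            return None
        client, service = raw.split(":")
        return ServiceTag(client, service)

    def encapsulate(self, pkt: dict, portal: Portal) -> dict:
        """Wrap the packet in the encapsulation the portal supports."""
        if portal.encap == "vxlan":
            outer = {"encap": "vxlan", "vni": portal.encap_id, "udp_dport": 4789}
        elif portal.encap == "gre":
            outer = {"encap": "gre", "key": portal.encap_id}
        else:
            raise ValueError(f"unsupported encapsulation {portal.encap}")
        return {"outer_dst": portal.address, **outer, "inner": pkt}

    def switch(self, pkt: dict) -> Optional[dict]:
        """Return the encapsulated packet to forward, or None to drop it."""
        tag = self.extract_tag(pkt)
        if tag is None:
            return None            # untagged: no portal to forward to
        portal = self.mapping.get(tag)
        if portal is None:
            return None            # tag not issued for this client/service
        return self.encapsulate(pkt, portal)


# Constructed mapping for two tenants and two services.
GATEWAY = ServiceSwitchingGateway({
    ServiceTag("tenant-a", "ids"): Portal("ids-1", "10.9.0.11", "vxlan", 5001),
    ServiceTag("tenant-a", "waf"): Portal("waf-1", "10.9.0.12", "gre", 77),
    ServiceTag("tenant-b", "ids"): Portal("ids-2", "10.9.0.21", "vxlan", 5002),
})
```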


    System and method for distribution of policy enforcement point
    Type: Granted invention patent (status: in force)

    Publication number: US09215177B2

    Publication date: 2015-12-15

    Application number: US13925483

    Filing date: 2013-06-24

    Applicant: VMware, Inc.

    Abstract: The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow, and identifies a policy being triggered by the initial packet. The edge device performs a reverse lookup to identify at least an intermediate node that is previously traversed by the initial packet and traffic parameters associated with the initial packet at the identified intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node, and forwards the translated policy to the intermediate node, thus facilitating the intermediate node in applying the policy to the traffic flow.
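The translate-and-push step in the abstract, as an added example (not code from the patent or from VMware): the edge device matches the initial packet of an outgoing flow against its policies, performs a reverse lookup to find the intermediate node the packet already traversed together with the packet's attributes as that node saw them, rewrites the policy's match fields into those attributes, and hands the translated policy to that node. The path table that stands in for the reverse lookup, the policy format, and the particular parameters that differ between the two vantage points (a source address rewritten by NAT and a VLAN tag present only at the intermediate node) are all constructed for this illustration. When no path record exists the policy stays at the edge, which is the fallback a practitioner wants rather than silently not enforcing it.

```python
"""Translating an edge policy into the terms an intermediate node sees."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    match: dict      # match fields expressed as the edge sees the packet
    action: str


@dataclass
class PathRecord:
    """What an intermediate node recorded when the packet passed through it."""
    node: str
    params: dict     # the packet's attributes at that node


class PolicyEdge:
    def __init__(self, policies: list) -> None:
        self.policies = policies
        # Constructed stand-in for the reverse lookup: flow as seen at the edge
        # -> the node it traversed and the traffic parameters there.
        self.path_table: dict = {}
        self.pushed: dict = {}   # node -> policies forwarded to it

    @staticmethod
    def flow_key(pkt: dict) -> tuple:
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    def record_path(self, edge_pkt: dict, node: str, params: dict) -> None:
        self.path_table[self.flow_key(edge_pkt)] = PathRecord(node, params)

    def triggered_policy(self, pkt: dict) -> Optional[Policy]:
        for pol in self.policies:
            if all(pkt.get(k) == v for k, v in pol.match.items()):
                return pol
        return None

    def reverse_lookup(self, pkt: dict) -> Optional[PathRecord]:
        return self.path_table.get(self.flow_key(pkt))

    @staticmethod
    def translate(pol: Policy, rec: PathRecord) -> Policy:
        """Rewrite the match in terms of the packet at the intermediate node:
        fields the node saw differently take the node's value, and node-only
        fields (VLAN, ingress port) are added so the node matches precisely."""
        match = {k: rec.params.get(k, v) for k, v in pol.match.items()}
        for k in ("vlan", "in_port"):
            if k in rec.params and k not in match:
                match[k] = rec.params[k]
        return Policy(pol.name, match, pol.action)

    def handle_initial_packet(self, pkt: dict) -> Optional[tuple]:
        """Return (node, translated policy), ("edge", policy) when the policy
        must stay at the edge, or None when no policy is triggered."""
        pol = self.triggered_policy(pkt)
        if pol is None:
            return None
        rec = self.reverse_lookup(pkt)
        if rec is None:
            return ("edge", pol)   # no known upstream node: enforce here
        translated = self.translate(pol, rec)
        self.pushed.setdefault(rec.node, []).append(translated)
        return (rec.node, translated)
```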

