-
Publication number: US11677645B2
Publication date: 2023-06-13
Application number: US17507449
Application date: 2021-10-21
Applicant: VMware, Inc.
Inventor: Xi Cheng, Caixia Jiang, Dongrui Mo, Jingchun Jason Jiang, Xiaoyan Jin, Qiong Wang, Donghai Han
IPC: H04L43/028, H04L43/10, H04L43/04, H04L47/41, H04L47/2483
CPC classification number: H04L43/028, H04L43/04, H04L43/10, H04L47/2483, H04L47/41
Abstract: Some embodiments provide a method of aggregating and providing packet metrics collected during a live packet monitoring session performed for packets matching a specified set of characteristics. The method receives, from one or more computing devices that process packets during the live packet monitoring session, multiple metrics associated with a set of packets matching the specified set of characteristics. Metrics associated with each packet in the set are accompanied by a packet identifier (ID) used to tag the packet by an initial computing device that processed the packet. The method uses the accompanying packet IDs to aggregate the received plurality of metrics. The method provides (i) an aggregated set of session metrics for the set of packets matching the specified set of characteristics during the live packet monitoring session and (ii) individual packet metrics using the packet IDs for at least one packet in the set of packets.
-
Publication number: US11671400B2
Publication date: 2023-06-06
Application number: US16897695
Application date: 2020-06-10
Applicant: VMware, Inc.
Inventor: Zhengsheng Zhou, Abhishek Raut, Jianjun Shen, Donghai Han
IPC: H04L61/50, H04L49/00, H04L61/103, H04L12/66, H04L45/42, G06F9/455, G06F9/50, G06F9/54, H04L9/40, H04L41/0893, H04L41/18, H04L41/5041, H04L41/50, H04L67/10, H04L12/46, H04L67/1001, H04L45/586
CPC classification number: H04L61/50, G06F9/45558, G06F9/5083, G06F9/54, G06F9/547, H04L12/4641, H04L12/66, H04L41/0893, H04L41/18, H04L41/5048, H04L41/5077, H04L45/42, H04L45/586, H04L49/70, H04L61/103, H04L63/0209, H04L63/0218, H04L63/0263, H04L63/0272, H04L63/20, H04L67/10, H04L67/1001, G06F9/5077, G06F2009/4557, G06F2009/45562, G06F2009/45595
Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML files.
-
Publication number: US20230171291A1
Publication date: 2023-06-01
Application number: US17570354
Application date: 2022-01-06
Applicant: VMware, Inc.
Inventor: Abhishek Raut, Yang Ding, Kai Su, Donghai Han, Zhengsheng Zhou, Wenfeng Liu
IPC: H04L9/40
CPC classification number: H04L63/20
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing access to network security policies. One of the methods includes determining, for a policy access request i) received from a device and ii) that requests access to a network security policy that defines a rule for controlling network traffic, whether there is an entitlement for the network security policy, wherein the entitlement indicates one or more types of operations that a subset of user accounts can perform on the network security policy; in response to determining that there is an entitlement, determining, using a mapping for the entitlement that identifies the subset of user accounts that have access to the network security policy, whether a user account for the device is included in the subset of user accounts; and selectively allowing or denying the policy access request using the entitlement and a result of the determination.
-
Publication number: US20230087454A1
Publication date: 2023-03-23
Application number: US17507453
Application date: 2021-10-21
Applicant: VMware, Inc.
Inventor: Xi Cheng, Caixia Jiang, Dongrui Mo, Jingchun Jason Jiang, Xiaoyan Jin, Qiong Wang, Donghai Han
IPC: H04L12/26, H04L12/851, H04L29/06, G06F9/455
Abstract: Some embodiments provide a method for performing data traffic monitoring. The method processes a packet through a packet processing pipeline that includes multiple stages. At a filtering stage, the method tags the packet with a set of monitoring actions for subsequent stages to perform on the packet based on a determination that the packet matches a particular filter. For each stage of a set of packet processing stages subsequent to the filtering stage, the method (i) executes any monitoring actions specified for the stage to perform on the packet and (ii) sends the packet to a next stage in the packet processing pipeline.
-
Publication number: US11606254B2
Publication date: 2023-03-14
Application number: US17389305
Application date: 2021-07-29
Applicant: VMware, Inc.
Inventor: Danting Liu, Jianjun Shen, Wenfeng Liu, Rui Cao, Ran Gu, Donghai Han
Abstract: The method of some embodiments allocates a secondary network interface for a pod, which has a primary network interface, in a container network operating on an underlying logical network. The method receives an ND that designates a network segment. The method receives the pod, wherein the pod includes an identifier of the ND. The method then creates a secondary network interface for the pod and connects the secondary network interface to the network segment. In some embodiments, the pods include multiple ND identifiers that each identify a network segment. The method of such embodiments creates multiple secondary network interfaces and attaches the multiple network segments to the multiple secondary network interfaces.
-
Publication number: US11509686B2
Publication date: 2022-11-22
Application number: US16442841
Application date: 2019-06-17
Applicant: VMware, Inc.
Inventor: Ye Luo, Qi Wu, Donghai Han
IPC: H04L9/40, G06F9/455, H04L61/5014, H04L61/5076
Abstract: In an embodiment, a computer-implemented method for DHCP-communications monitoring by a network controller in software defined networks is disclosed. A method comprises detecting that a virtualized compute instance is instantiated on a host computer; generating, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance; determining whether an IP address has been assigned to the port by a DHCP service; and if it has: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port; generating, and transmitting to the port manager, a SpoofGuard configured with the IP address assigned to the port; based on notifications received from the SpoofGuard, determining whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and if it has, transmitting instructions to set the BLOCK-EXCEPT-DHCP status on the port.
-
Publication number: US11470071B2
Publication date: 2022-10-11
Application number: US16852553
Application date: 2020-04-20
Applicant: VMware, Inc.
Inventor: Ye Luo, Jinjun Gao, Qi Wu, Donghai Han
Abstract: Example methods and systems for authentication for logical overlay network traffic are described. In one example, a first computer system may detect an inner packet and generate authentication information associated with the inner packet based on control information from a management entity. The authentication information may indicate that the inner packet originates from a trusted zone. The first computer system may further generate an encapsulated packet by encapsulating the inner packet with an outer header that specifies the authentication information, and send the encapsulated packet towards the second virtualized computing instance to cause a second computer system to verify that the inner packet originates from the trusted zone based on the authentication information.
-
Publication number: US11356362B2
Publication date: 2022-06-07
Application number: US16294945
Application date: 2019-03-07
Applicant: VMware, Inc.
Inventor: Ming Shu, Wenyu Zhang, Qiong Wang, Donghai Han
IPC: H04L45/00, H04L43/0894, H04L47/283, G06F9/455, H04L45/64
Abstract: Example methods and systems for a network management entity to perform adaptive packet flow monitoring. One example method may comprise receiving a request to monitor a packet flow between a first virtualized computing instance supported by a first host and a second virtualized computing instance supported by a second host. The method may also comprise activating a first set of checkpoints by instructing the first host and/or the second host to monitor the packet flow using the first set of checkpoints. The method may further comprise: in response to detecting a predetermined event based on first performance metric information associated with the packet flow, activating a second set of checkpoints by instructing the first host and/or the second host to monitor the packet flow using the second set of checkpoints.
-
Publication number: US11340916B2
Publication date: 2022-05-24
Application number: US17069132
Application date: 2020-10-13
Applicant: VMware, Inc.
Inventor: Ziyou Wang, Donghai Han, Chaitanya Kodeboyina, Wu Qi, Qiong Wang, Wenfeng Liu
Abstract: The disclosure provides an approach for providing an extendable system health management framework in a network. Embodiments include receiving, by a manager, a system health plugin. Embodiments include determining, by the manager, an association between the system health plugin and a host in the network based on the host satisfying one or more conditions. Embodiments include providing, by the manager, the system health plugin to the host for installation in a system health agent on the host. Embodiments include receiving, by the manager, from the host, status information for the system health plugin.
-
Publication number: US20220107825A1
Publication date: 2022-04-07
Application number: US16482244
Application date: 2019-07-11
Applicant: VMware, Inc.
Inventor: Weiqiang Tang, Wenfeng Liu, Mengdie Song, Donghai Han, Wenying Dong, Rui Cao, Qi Wu
Abstract: Techniques for measuring the memory usage of Java programs are provided. In one set of embodiments, a Java agent can detect that a Java Virtual Machine (JVM) is loading a Java class used by a Java program. The Java agent can further determine a class name of the Java class and determine that the class name matches an entry in a first list included in a user-defined configuration file. The Java agent can then dynamically insert bytecode into a constructor of the Java class, where the inserted bytecode includes logic for registering a memory reference to an object created via the constructor.
-