摘要:
A method includes managing a virtual machine (VM) in a cloud extension, where the VM is part of a distributed virtual switch (DVS) of an enterprise network, abstracting an interface that is transparent to a cloud infrastructure of the cloud extension, and intercepting network traffic from the VM, where the VM can communicate securely with the enterprise network. The cloud extension comprises a nested VM container (NVC) that includes an emulator configured to enable abstracting the interface, and dual transmission control protocol/Internet Protocol stacks for supporting a first routing domain for communication with the cloud extension, and a second routing domain for communication with the enterprise network. The NVC may be agnostic with respect to operating systems running on the VM. The method further includes migrating the VM from the enterprise network to the cloud extension through suitable methods.
摘要:
A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.
摘要:
Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.
摘要:
Techniques for multi-stage multi-core processing of network packets are described herein. In one embodiment, work units are received within a network element, each work unit representing a packet of different flows to be processed in multiple processing stages. Each work unit is identified by a work unit identifier that uniquely identifies a flow in which the associated packet belongs and a processing stage that the associated packet is to be processed. The work units are then dispatched to multiple core logic, such that packets of different flows can be processed concurrently by multiple core logic and packets of an identical flow in different processing stages can be processed concurrently by multiple core logic, in order to determine whether the packets should be transmitted to one or more application servers of a datacenter. Other methods and apparatuses are also described.
摘要:
The present invention provides a packet processing device and method. A parsing processor provides instruction-driven content inspection of network packets at 10-Gbps and above with a parsing engine that executes parsing instructions. A flow state unit maintains statefulness of packet flows to allow content inspection across several related network packets. A state-graph unit traces state-graph nodes to keyword indications and/or parsing instructions. The parsing instructions can be derived from a high-level application to emulate user-friendly parsing logic. The parsing processor sends parsed packets to a network processor unit for further processing.
摘要:
Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.
摘要:
An apparatus and method of using same for associating a tag with each packet in an ATM switch to eliminate the need for an OVC table, thus saving both egress processing time and memory resources. The tag includes both a type of switching identifier and a per-logical-interface or per-external-VC information field. A packet received by the egress packet processing engine has associated with it (by the control plane) a frame control word containing a new cell header (NCH) corresponding to the OVC on which the packet was received from the fabric. This NCH contains the tag used to expedite egress processing. In one embodiment of the present invention, the tag value is provided in two fields, a tag type and a tag parameter. The tag type represents a code for different data path applications. The tag parameter takes on multiple values based on the tag type. The present invention efficiently uses the OVC to NCH mapping to map many OVCs to a small set of tags coded within the switch's NCH so that, rather than having to do an extra look-up in the egress engine in a large and non-scaleable OVC table, the egress engine has only to look in a small, fully-scaleable tag table. In fact, in one embodiment, no egress look-up is required at all.
摘要:
A load-balancing approach for scaling Secure Sockets Layer (SSL) performance is disclosed. During a handshake phase of establishing a SSL connection among a client and server, a processor card identifier value, processor identifier value, and session index value are encoded in a session identifier value that is sent to a client. When the client subsequently resumes the SSL session, it provides the session identifier value, and the encoded values are used for routing the session to an SSL processor that has the negotiated security parameters for the session. In one embodiment, a load balancer distributes the SSL sessions across multiple SSL termination engines that actually carry out SSL processing, based on the card identifier value and the processor identifier. If one of the SSL termination engine cards fails, the load balancer card routes all sessions destined for the failed card to other cards that are operating. The SSL processor that receives such session data determines that it does not have a session table entry matching the session identifier, creates a new session identifier and gives the new session identifier to the client.
摘要:
Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.
摘要:
A method includes simulating network resources of a portion of a cloud in a simulated cloud within a enterprise network, the cloud being communicable with the enterprise network over a first communication channel, which may be external to the enterprise network. The method can also include simulating network behavior of the first communication channel in a second communication channel within the enterprise network, and validating application performance in the simulated cloud. Simulating network resources includes providing a cloud resources abstraction layer in the enterprise network, and allocating enterprise network resources in the enterprise network to the simulated cloud by the cloud resources abstraction layer. The method further includes adding a virtual network service appliance to the simulated cloud, and determining a change to a network topology of the enterprise network to accommodate the virtual appliance without materially impacting application performance.