METHOD AND APPARATUS FOR IMPLEMENTING AND MANAGING VIRTUAL SWITCHES
    1.
    Patent application
    Status: in force

    Publication No.: US20100257263A1

    Publication date: 2010-10-07

    Application No.: US12753044

    Filing date: 2010-04-01

    IPC classification: G06F9/455 G06F15/173

    Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According to other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state. According to still further aspects, the virtual platform of the invention manages and/or uses VLAN or tunnels (e.g., GRE) to create a distributed virtual switch for a network while working with existing switches and routers in the network. The present invention finds utility in both enterprise networks, datacenters and other facilities.

    Network operating system for managing and securing networks
    2.
    Patent application
    Status: in force

    Publication No.: US20090138577A1

    Publication date: 2009-05-28

    Application No.: US12286098

    Filing date: 2008-09-26

    IPC classification: G06F15/177 G06F15/173

    Abstract: Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.

    NETWORK VIRTUALIZATION
    4.
    Patent application
    Status: in force

    Publication No.: US20130060940A1

    Publication date: 2013-03-07

    Application No.: US13177536

    Filing date: 2011-07-06

    IPC classification: G06F15/16

    Abstract: Some embodiments of the invention provide a robust scaling-out of network functionality by providing a software layer, called the network hypervisor, that sits between the network forwarding functions (i.e., the forwarding plane) and the network control interfaces (i.e., the control plane). The network hypervisor of some embodiments provides a logical abstraction of the network's forwarding functionality, so that network operators make their control decisions in terms of this abstraction, independent of the details of the underlying networking hardware. The network hypervisor of some embodiments may then “compile” commands placed against this abstraction into configurations of the underlying hardware. Accordingly, in some embodiments, there are two design challenges: (1) the choice of the network abstraction, and (2) the technology needed to compile the logical “abstract” controls into low-level configurations.

    DEPLOYMENT OF HIERARCHICAL MANAGED SWITCHING ELEMENTS
    6.
    Patent application
    Status: in force

    Publication No.: US20130058331A1

    Publication date: 2013-03-07

    Application No.: US13288023

    Filing date: 2011-11-02

    IPC classification: H04L12/56

    Abstract: Some embodiments provide a method that identifies several higher level switching elements for facilitating lower level switching elements to forward packets among network hosts. The method establishes a set of tunnels among the lower level switching elements and the higher level switching elements. At least one tunnel is established between a lower level switching element and a higher level switching element. For each higher level switching element in the several higher level switching elements, the method identifies a first set of forwarding data that specifies forwarding of packets between the higher level switching element and the several lower level switching elements. For each lower level switching element in the several lower level switching elements, the method identifies a second set of forwarding data that specifies forwarding of packets between the lower level switching element, the several network hosts, and the several higher level switching elements.

    Method and apparatus for implementing and managing distributed virtual switches in several hosts and physical forwarding elements
    7.
    Granted patent
    Status: in force

    Publication No.: US08966035B2

    Publication date: 2015-02-24

    Application No.: US12753044

    Filing date: 2010-04-01

    Abstract: In general, the present invention relates to a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking. According to some aspects, the distributed virtual switch according to the invention provides the ability for virtual and physical machines to more readily, securely, and efficiently communicate with each other even if they are not located on the same physical host and/or in the same subnet or VLAN. According to other aspects, the distributed virtual switches of the invention can support integration with traditional IP networks and support sophisticated IP technologies including NAT functionality, stateful firewalling, and notifying the IP network of workload migration. According to further aspects, the virtual platform of the invention creates one or more distributed virtual switches which may be allocated to a tenant, application, or other entity requiring isolation and/or independent configuration state. According to still further aspects, the virtual platform of the invention manages and/or uses VLAN or tunnels (e.g., GRE) to create a distributed virtual switch for a network while working with existing switches and routers in the network. The present invention finds utility in both enterprise networks, datacenters and other facilities.

    Network control apparatus and method with port security controls
    9.
    Granted patent
    Status: in force

    Publication No.: US08958292B2

    Publication date: 2015-02-17

    Application No.: US13177546

    Filing date: 2011-07-06

    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.

    NETWORK CONTROL APPARATUS AND METHOD WITH PORT SECURITY CONTROLS
    10.
    Patent application
    Status: in force

    Publication No.: US20130058341A1

    Publication date: 2013-03-07

    Application No.: US13177546

    Filing date: 2011-07-06

    IPC classification: H04L12/56

    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.
