TREA

Method and system of establishing a virtual private network in a cloud service for branch networking

Follow

Information

  • Patent Grant
  • 10805272
  • Patent Number
    10,805,272
  • Date Filed
    Friday, November 2, 2018
    6 years ago
  • Date Issued
    Tuesday, October 13, 2020
    4 years ago
Information
Abstract
In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator. The orchestrator informs the edge device the list of subnets is accessible over the VPN causing the edge device to update the gateway device with a new list of subnets of the edge device that accessible over the VPN.
Description
FIELD OF THE INVENTION

This application relates generally to computer networking, and more specifically to a system, article of manufacture and method of establishing a virtual private network in a cloud service for branch networking.


DESCRIPTION OF THE RELATED ART

Employees working in branch offices of an Enterprises typically need to access resources that are located in another branch office. In some cases, these are located in the Enterprise Data Center, which is a central location for resources. Access to these resources is typically obtained by using a site-to-site VPN, which establishes a secure connection over a public network (e.g. the Internet, etc.). There may be dedicated computer equipment in the branch office, the other branch office and/or Data Center which establishes and maintains the secure connection. These types of site-to-site VPNs need to be setup one at a time and can be resource intensive to set up and maintain.


BRIEF SUMMARY OF THE INVENTION

In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator. The orchestrator informs the edge device the list of subnets is accessible over the VPN causing the edge device to update the gateway device with a new list of subnets of the edge device that accessible over the VPN.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 illustrates an example self-healing network with redundant gateways, according to some embodiments.



FIG. 2 illustrates an example system that includes autonomous gateways, according to some embodiments



FIG. 3 illustrates an example of a system of an instant VPN, according to some embodiments.



FIG. 4 illustrates another example of a system of an instant VPN, according to some embodiments.



FIGS. 5 A-B illustrates an example of a system of a cloud multipath to an Internet endpoint, according to some embodiments.



FIG. 6 illustrates an example process of an application aware routing, according to some embodiments.



FIG. 7 illustrates another example process of an application aware routing, according to some embodiments.



FIG. 8 depicts an exemplary computing system that can be configured to perform any one of the processes provided herein.





The Figures described above are a representative set, and are not exhaustive with respect to embodying the invention.


DESCRIPTION

Disclosed are a system, method, and article of manufacture for establishing a virtual private network in a cloud service for branch networking. The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.


Reference throughout this specification to “one embodiment,” “an embodiment,” ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.


Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.


The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.


DEFINITIONS

Example definitions for some embodiments are now provided.


Cloud computing can involve deploying groups of remote servers and/or software networks that allow centralized data storage and online access to computer services or resources. These groups of remote serves and/or software networks can be a collection of remote computing services.


Cloud Edge (CE) can include a cloud multipath to an Internet endpoint.


Customer-premises equipment (CPE) can be any terminal and associated equipment located at a subscriber's premises and connected with a carrier's telecommunication channel at the demarcation point.


Edge device can be a device that provides an entry point into enterprise or service provider core networks. An edge device can be software running in a virtual machine (VM) located in a branch office and/or customer premises.


Flow can be a grouping of packets that match a five (5) tuple which is a combination of Source IP Address (SIP), Destination IP Address (DIP), L4 Source Port (SPORT) and L4 Destination Port (DPORT) and the L4 protocol (PROTO).


Forward error correction (FEC) (e.g. channel coding) can be a technique used for controlling errors in data transmission over unreliable or noisy communication channels.


Deep learning can be a type of machine learning based on a set of algorithms that attempt to model high-level abstractions in data by using model architectures, with complex structures or otherwise, composed of multiple non-linear transformations


Deep Packet Inspection (DPI) can be the ability to analyze the different layers of a packet on the network.


Gateway can be a node (e.g. a router) on a computer network that serves as an access point to another network.


Internet Protocol Security (IPsec) can be a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.


Multiprotocol Label Switching (MPLS) can be a mechanism in telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table.


Orchestrator can include a software component that provides multi-tenant and role based centralized configuration management and visibility.


Quality of Service (QoS) can include the ability to define a guaranteed set of actions such as routing, resource constraints (e.g. bandwidth, latency etc.).


Software as a service (SaaS) can be a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.


Tunneling protocol can allow a network user to access or provide a network service that the underlying network does not support or provide directly.


Virtual Desktop Infrastructure (VDI) is a desktop-oriented service that hosts user desktop environments on remote servers and/or blade PCs. Users access the desktops over a network using a remote display protocol.


Virtual private network (VPN) can extend a private network across a public network, such as the Internet. It can enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus benefit from the functionality, security and management policies of the private network.


Voice over IP (VoIP) can a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.


Additional example definitions are provided herein.


Scalable, Self-Healing Network Cloud Service for Branch Networking



FIG. 1 illustrates an example self-healing network 100 with redundant gateways, according to some embodiments. In network 100, data traffic can be routed to different gateways for different purposes. Multiple gateways can serve the same destination utilizing dynamic routing protocol. As services (e.g. SaaS 102) in the Internet (e.g. computer networks 104) may not centrally located. The combination of the Internet's wide distribution of services and/or changes in the transport quality across can lead to the use of different egress points to access different destinations. This is accomplished by deploying multiple gateways (e.g. gateways A-B 106-108) in stand-alone or redundant configurations.


An orchestrator can inform each edge device (e.g. VCE 110) of a list of gateways it has been assigned. Additionally, routes and/or services can be assigned a subset of the gateway list that can be used for communication with a specific destination. The edge device can then perform a static determination by metrics assigned to each gateway. For example, each gateway can be assigned a metric based on geographic distance from the edge and/or a dynamic determination based on empirically measured loss, latency and/or jitter to the gateway across the Internet.


In the redundant configuration of FIG. 1, gateways A-B 106-108 can support dynamic routing protocols on the non-edge device side. This can ensure that the gateway chosen for traffic destined from the edge to the gateway is also advertised from the gateway upstream as the route with the lowest cost for return traffic. Various attributes of gateways are now discussed.



FIG. 2 illustrates an example system 200 that includes autonomous gateways, according to some embodiments. Gateway High Availability (HA) and horizontal scalability can be inherent as configuration is edge-driven and not configured on gateway 204. Edge tunnel initialization can configure, gateway 204. Edge devices 208 A-B can communicate QoS information to gateway 204 so they have information on how to treat network traffic. Implementing versioning in the flow header can ensures that gateway 204 have the correct QoS information. This is accomplished by creating flows with a version number of 1 on the edge and incrementing this version every time a policy change is enacted on the edge. If the gateway receives a message with a higher than expected version number in the header, it will request the edge to send the updated policy information.


It is noted that each individual gateway is a self-contained autonomous entity. This is accomplished by driving configuration of gateway 204 through the edge devices 208 A-B rather than gateway 204 being directly configured by the Orchestrator. In the initial negotiation, edge devices 208 A-B can send an MP_INIT message (e.g. an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device) which contains all the information needed to identify the edge device and serve as a secure and unsecure gateway for edge device traffic. This can include a logical identifier for the enterprise which is used for virtual routing and/or forwarding. The logical identifier can also be used for subnets that are routable behind edge devices 208 A-B.


If edge devices 208 A-B is the first edge device belonging to the enterprise to connect to gateway 204, a new virtual routing and forwarding (VRF) table can be created for the enterprise. Edge devices 208 A-B's subnets can be inserted into the enterprise VRF. If edge devices 208 A-B are not the first from an enterprise to connect, the enterprise logical identifier can be used to index into the existing VRF and edge devices 208 A-B's subnets can be added to the existing table.


In another example, when a new flow is created on an edge device, the parameters used to perform QoS and/or routing on the flow can be transmitted along with the first packet to any of the gateway 204 that are handling the flow. In this manner gateway 204 can be inherently highly available. If the gateway service is removed and replaced with a new gateway service instance, edge devices 208 A-B can send a new MP_INIT which can recreate the VRF and then continue sending data traffic uninterrupted through the gateway.


By this same token, gateway 204 can be highly available because the edge can switch between gateways without interrupting customer traffic. For example, when an orchestrator inserts an additional gateway in a gateway list that can be assigned an edge device. The edge device can then connect and begin using the gateway seamlessly without any requirement for orchestrator to gateway communication. This removes the need for the orchestrator to synchronize configuration changes on the edge device and the gateway as the edge device is used as the intermediary.


In another example, a gateway need not be a single gateway instance but the Internet Protocol (IP) address may be the external facing IP address of a gateway load balancer. The gateway load balancer can start and stop individual gateway instances. If the gateway load balancers detects that an instance is near its CPU and/or throughput capacity, it can shift traffic to an alternate gateway transparently and/or create a new gateway and begin steering connections to it. When gateway reboots, upgrades or maintenance are required, the gateway load balancer can steer traffic away from those instances that require maintenance to make these operations transparent to the end user.



FIG. 3 illustrates an example of a system 300 of an instant VPN, according to some embodiments. The edge device and gateway can automatically negotiate IPsec tunnels alongside their unsecure Velocloud Multipath Protocol (VCMP) tunnels in preparation for the transmission of secure traffic. This can be performed irrespective of whether or not a VPN has been enabled on the device. In this manner, the network can be prepared to transmit secure traffic at any time. Leveraging this, an “Instant VPN” can be delivered by toggling VPN on or off on the orchestrator. Each edge device has a list of local subnets that are sent to the gateway during MP_INIT. Each subnet is can include an indication of whether or not it is reachable over VPN. When VPN is enabled on the orchestrator, each edge device can be informed that its subnets are reachable over VPN and each edge device can update its gateways with this information. When VPN is disabled on the orchestrator, each edge device can be informed that its subnets are not reachable over VPN. The edge device can update the gateway accordingly.


Between each edge device and its associated gateways can be a routing protocol. The routing protocol can relay state information to peers that are one hop away. For example, edge device A can have a subnet A. Edge device B can have subnet B. When the user enables VPN on the orchestrator, edge device A and edge device B can inform the gateways that their local subnets A and B are reachable over VPN. The gateway(s) can then inform peers in the enterprise VRF. In this way, a message can be sent to edge device B instructing it that subnet A is now reachable through it. A message can also be sent to edge device A instructing it that subnet B is now reachable through it. When an edge device loses connectivity to a gateway, the gateway can relay to peers in the VRF that the subnet is no longer reachable and the edge device updates it route table to mark all routes via that unreachable gateway. In this way, gateways can be added or removed, and/or routes added and removed, without restarts and/or loss of connectivity assuming at least one gateway is connected at all times.


In some examples, “Always on” IPsec tunnels can be provided. Enable/disable VPN operations can include the insertion and/or removal of routes for the appropriate VPN zone. VRF can include enterprise logical identifier on gateway ensuring multi-tenancy.



FIG. 4 illustrates another example of a system 400 of an instant VPN, according to some embodiments. A special edge device called a Datacenter Edge (DCE) can be deployed as customer premise equipment. The DCE can subsume some of the functionality of the gateway, including this route protocol management. A typical use case for this deployment can be in a pure MPLS network in which there are no public internet links and thus no public internet gateways. In one example, route propagation can occur the same as described supra except that the VRF and routing protocol messages are managed by the DCE.



FIGS. 5 A-B illustrate an example of a system 500 of a cloud multipath to an Internet endpoint (branch) (e.g. a cloud edge 512), according to some embodiments. An edge and gateway multipath solution can deliver a reliable connection across the public internet for outbound connections initiated from the edge (e.g. edge devices 506) through the gateway 510, as well as for their return traffic. An alternate use case can include when the network traffic needs to be initiated from outside. For example, the network traffic can be initiated from the Internet to a server in the branch office behind the edge device. In an example deployment, this can be implemented by enabling inbound firewall rules to allow the traffic in one or more of the wide area network (WAN) links attached to the edge device. Such an inbound connection will be able to use only a single link. This may not provide the same reliability that is afforded to outbound connections. For instance, a session established on link A may fail if link A fails, and similarly for link B. Therefore there is a desire to be able to support inbound connections reliably without compromising the security of the deployment.


This can be achieved by a Cloud Edge (CE). The CE can sit in the cloud and joins the same VRF as that of the edge(s) with resources (e.g. a server) that are to be reliably accessed. This can be set to deny inbound traffic by default. However, it can allow the user to specify sources and destinations of traffic that are permitted. For example, a rule could be created that allows the public IP address of the client to reach the server via a public IP address that is assigned to the “LAN” side of the CE. The user can then connect to this public IP address in the cloud rather than the IP address of one of the links at the site directly, and securely connect over VPN to the server inside the network. The CE can be located anywhere in the Public Internet. In one example, the CE can be located in any of the public Cloud Service Providers (CSPs) like Amazon EC2®.


Intelligent Edge Device


An intelligent edge device can provide intelligent QoS. For example, applications may respond differently to key network parameters like latency, jitter, bandwidth, packet loss and processing capabilities such as available CPU cycles. For example, a VoIP application may use low bandwidth and may be sensitive to jitter, packet loss. The VoIP application may also consume a large number of CPU cycles despite the low throughput (e.g. because of smaller packet sizes). In contrast, VDI may use high bandwidth and low latency but may not very sensitive to jitter. Accordingly, a network stack can implement a suite of link optimization and remediation technologies to achieve the dual goal of optimal network resource utilization and remediating adverse network events, such as, inter alia: FEC to compensate for packet loss; jitter buffering to counter jitter; and per-packet load balancing to aggregate bandwidth usage and ensure the lowest latency path.


Smart QoS can map application flow into a traffic class and priority queue. A combination of the traffic class and priority queue can then decide the optimal routing, load balancing and remediation to be used for that flow given the prevailing network conditions at that point of time. The network stack can use the following innovations to adapt to dynamic network conditions:


In an intelligent default, the distributed management plane (e.g. an orchestrator) sets up the edge device with a set of default QoS settings for each application. Each application can then be tagged with an SLA. The SLA can indicate a hint to the edge device for the prioritization and/or sensitivity for that particular application.


In an intelligent preemption, a multi-tenant, geo-diverse, network transport agnostic overlay network can be implemented. This can create a situation where the network can pre-empt adverse and/or localized network events by statistical and heuristics based analysis of the network monitoring data that is collected at the orchestrator. This can remediate certain network conditions that are not addressed by adaptive QoS (e.g. tail drops which result in large number of packets dropped indiscriminately in the core of a service provider network) due to time taken to adapt and the fact that such a loss cannot be really compensated. In a geo-localized region, in the event of constant tail drops for a network service provider, the service can proactively turn on aggressive FEC (e.g. ‘always-on FEC’) for sensitive applications in both the specific geo-location. In one example, a slightly larger geography for sites that are using the same provider can be used in lieu of the specific geo-location. The ‘always-on FEC’ can also be configured at the orchestrator in order to pre-empt network errors and react faster to network errors.


Adaptive QoS can be implemented by monitoring and/or instrumenting network paths. For example, adaptive QoS can be implemented to remediate a network condition that may not conform to the configured SLA for that application. To offset the overheads as a result of the continuous monitoring, the QoE (e.g. user responsiveness) can be periodically or constantly computed to reduce/augment the network monitoring.


Smart QoS can utilize deep learning methods. In addition to responding to dynamic network conditions, the smart QoS can work in tandem with application performance monitoring (APM) to adjust traffic priority based on L7 data. When the DPI engine fails to identify the application, the network stack can utilize statistical parameters (e.g. packet arrival rate, throughput) and heuristics (e.g. User Datagram Protocol (UDP) can be used by real-time applications) to identify the right set of technologies to provide the best performance.


Slow Learning with Crowdsourcing Examples


Slow learning (e.g. application aware routing) with crowdsourcing methods can include generating a prepopulated list of well-known applications augmented by mid-flow detected data from DPI engine. This can enable determination of application with the first packet. Prepopulated data is automatically validated by DPI engine and any changes are fed back locally as well as communicated to the orchestrator. Some or all data can be shared to other edges/enterprises via the orchestrator. In one example, L3, L4 network information can be used to create a composite application-routing database. The application-routing database can be populated by three different types of learning/sources. The first source of information built into the database can include a pre-populated map of DIP/DPORT (Destination Internet Protocol Address/Destination Port Number) to application types (e.g. termed fast learning). A second source of information can include a map of DIP/DPORT to applications that is learned from ‘mid-flow’ application detection by the DPI engine (e.g. slow learning). The third source of information can also include a map of DIP/DPORT to application names. This can include crowd-sourced (e.g. DIP/DPORT to application name mapping) information that is anonymized and aggregated at the orchestrator. This mapping can then be shared across different enterprises (e.g. crowd-sourced learning).


Various methods of populating, updating and recovering the application-routing database are now provided. The application-routing database can be pre-populated with the set of known applications that can be identified by the DIP/DPORT and/or packaged as a part of the CPE. Alternatively, it can be downloaded from the orchestrator. Additionally, an IT Administrator may enter customised DIP/DPORT to application mappings which can be added to the application routing database in the edge device via the orchestrator. This method can be a component of fast learning.


The application-routing database can also be updated by ‘mid-flow’ DPI detection data as a result of slow learning methods on the edge device. In addition to this, the fast learning data and slow learning updates from different enterprises can be anonymized and/or aggregated at the orchestrator. It can be sent down to all the edge device(s) under the management of the orchestrator. These updates can be part of the crowd-sourced learning methods.


An example application-routing database recovery method is now provided. When an edge device first communicates with the orchestrator, it can receive the data for pre-population of the application-routing database. This information can include any updates. Updates from slow learning and/or crowd-sourced learning can be synchronised to shared memory areas in the edge device. The updates can be recovered from service outages.



FIG. 6 illustrates an example process 600 of an application aware routing, according to some embodiments. In step 602, the L3, L4 information is extracted and matched against the application routing database (e.g. database in FIG. 6). In step 604, if this flow does not find a match in the database, then process 600 moves to step 608. If ‘yes’, then process 600 moves to step 606. In step 606, the matched application is used to look-up and apply the application specific routing policies. In step 608, on failure to find a match in the database, the flow is passed over to the DPI engine. The classification from the DPI engine is used to populate the database for future flows. The current flow may obtain some default routing policies as well. In this way, when the same application flow is encountered again, it can find a successful match in database. The application specific routing policy can then be applied for that application flow. A worst case guarantee of application routing from the second flow can be provided in some examples.



FIG. 7 illustrates another example process 700 of an application aware routing, according to some embodiments. For example, in an alternative step 608, the L3, L4 information can be communicated to an application routing lookup service (e.g. can be a local service synchronized with an aggregated crowd source updated remote service running in the orchestrator like DNS). This can return the application match for the flow with a higher probability even on the first flow. In this incarnation, the application-routing database can reside in the orchestrator. The edge-device queries the application-routing database via the application routing lookup service. The edge-device can cache the responses from the lookup. Optionally, the cached entries can be expired using a TTL (Time-to-Live) value. More specifically, process 700 illustrates an example packet flow illustration.


In step 702, the L3, L4 information can extracted from a packet and a query is made to the local application routing cache (e.g. cache lookup). In step 704, it can be determined if step 702 is successful. If ‘yes’, then process 700 can proceed to step 706. If ‘no’ then process 700 can proceed to step 708. In step 708, process 700 can perform a remote query (e.g. lookup) to the orchestrator's application routing service to match the DIP/DPORT/PROTOCOL. In step 710, it can be determined if a successful lookup was implemented in step 708. If ‘yes’, then process 700 can proceed to step 706. If ‘no’, then process 700 can proceed to step 712. In step 712, process 700 can use the default routing policy and continue to step 716 where the flow is passed over to the DPI Engine and the classification from the DPI Engine is used to populate the local application routing cache and inform the Orchestrator for future flows. In step 706, the application name that was matched is used to make a routing decision. In step 714, process 700 can continue to test the flow with the DPI engine for the veracity of the application type. In case of a mismatch, process 700 can send a message to the orchestrator (e.g. with an update operation), thus informing of the mismatch. The orchestrator can then decides on whether or not to change the corresponding entry based similar updates from other crowd-sourced participants.


Additional Exemplary Computer Architecture and Systems



FIG. 8 depicts an exemplary computing system 800 that can be configured to perform any one of the processes provided herein. In this context, computing system 800 may include, for example, a processor, memory, storage, and I/O devices (e.g., monitor, keyboard, disk drive, Internet connection, etc.). However, computing system 800 may include circuitry or other specialized hardware for carrying out some or all aspects of the processes. In some operational settings, computing system 800 may be configured as a system that includes one or more units, each of which is configured to carry out some aspects of the processes either in software, hardware, or some combination thereof.



FIG. 8 depicts computing system 800 with a number of components that may be used to perform any of the processes described herein. The main system 802 includes a motherboard 804 having an I/O section 806, one or more central processing units (CPU) 808, and a memory section 810, which may have a flash memory card 812 related to it. The I/O section 806 can be connected to a display 814, a keyboard and/or other user input (not shown), a disk storage unit 816, and a media drive unit 818. The media drive unit 818 can read/write a computer-readable medium 820, which can contain programs 822 and/or data. Computing system 800 can include a web browser. Moreover, it is noted that computing system 800 can be configured to include additional systems in order to fulfill various functionalities. Computing system 800 can communicate with other computing devices based on various computer communication protocols such a Wi-Fi, Bluetooth® (and/or other standards for exchanging data over short distances includes those using short-wavelength radio transmissions), USB, Ethernet, cellular, an ultrasonic local area communication protocol, etc.


CONCLUSION

Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).


In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium.

Claims
  • 1. A method for implementing a virtual private network (VPN) between a cloud gateway node and a network comprising a plurality of subnets, the method comprising: at an edge device connecting the network to at least one external network: receiving a plurality of subnet VPN statuses for the plurality of subnets, each subnet VPN status specifying whether a particular subnet of the network is accessible over the VPN;forwarding the plurality of subnet VPN statuses to the cloud gateway node in a public cloud connected to the edge device through an external network, wherein the cloud gateway node uses the plurality of subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN; andreceiving, over the VPN, traffic from the cloud gateway node for subnets determined to be VPN-accessible.
  • 2. The method of claim 1, wherein receiving the traffic over the VPN comprises, when a subnet VPN status indicates that a particular subnet is accessible over the VPN, receiving traffic for the particular subnet using at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node.
  • 3. The method of claim 1 further comprising: when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, receiving, at the edge device, traffic for the particular subnet from the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  • 4. The method of claim 3, wherein edge device is connected to the cloud gateway node by a plurality of multipath protocol tunnels which comprise the set of unsecure tunnels.
  • 5. The method of claim 4, wherein the plurality of multipath protocol tunnels spans a plurality of network links, the plurality of network links comprising at least two of a DSL link, a fiber link, a broadband cable link, and a cellular network link.
  • 6. The method of claim 1 further comprising: when a subnet VPN status indicates that a particular subnet is accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node over the VPN through at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node; andwhen a subnet VPN status indicates that a particular subnet is not accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  • 7. The method of claim 1, wherein the network is a first network, the edge device is a first edge device, and the particular subnet is a first subnet, wherein: receiving traffic for the particular subnet over the VPN comprises receiving traffic from a second network comprising a second edge device connecting the second network to an external network; andthe second edge device sends traffic from the second network to one of the same cloud gateway node and another cloud gateway node through at least one IPSec tunnel implementing the VPN.
  • 8. The method of claim 7, wherein the first network is an enterprise datacenter of a particular enterprise and the second network is one of a client of the particular enterprise and a branch office belonging to the particular enterprise.
  • 9. The method of claim 1, wherein: receiving the plurality of subnet VPN statuses comprises receiving a set of gateway configuration data;forwarding the plurality of subnet VPN statuses comprises forwarding the set of gateway configuration data to the cloud gateway node; andthe edge device and the cloud gateway node use the gateway configuration data to configure between the edge device and the cloud gateway node a plurality of multipath protocol tunnels and at least one secure Internet Protocol Security (IPSec) tunnel for implementing the VPN.
  • 10. The method of claim 9, wherein the edge device and cloud gateway node maintain the IPSec tunnel even when none of the subnets of the network are available over the VPN.
  • 11. The method of claim 9, wherein: the cloud gateway node uses the gateway configuration data to configure a virtual routing and forwarding (VRF) table comprising an entry for each subnet of the network and stores the forwarded subnet VPN statuses in their corresponding subnet entries in the VRF table; andusing the subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN comprises searching the VRF table for a subnet VPN status.
  • 12. The method of claim 1, wherein the cloud gateway node comprises a virtual routing and forwarding (VRF) table comprising an entry for each subnet of the network and stores the forwarded subnet VPN statuses in their corresponding subnet entries in the VRF table.
  • 13. A non-transitory machine readable medium storing a program that when executed by a set of processing units at an edge device implements a virtual private network (VPN) between a cloud gateway node and a network of the edge device which comprises a plurality of subnets, the program comprising sets of instructions for: at the edge device connecting the network to at least one external network: receiving a plurality of subnet VPN statuses for the plurality of subnets, each subnet VPN status specifying whether a particular subnet of the network is accessible over the VPN;forwarding the plurality of subnet VPN statuses to the cloud gateway node in a public cloud connected to the edge device through an external network, wherein the cloud gateway node uses the plurality of subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN; andreceiving, over the VPN, traffic from the cloud gateway node for subnets determined to be VPN-accessible.
  • 14. The non-transitory machine readable medium of claim 13, wherein the set of instructions for receiving the traffic over the VPN comprises a set of instructions for, when a subnet VPN status indicates that a particular subnet is accessible over the VPN, receiving traffic for the particular subnet using at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node.
  • 15. The non-transitory machine readable medium of claim 13, wherein the program further comprises sets of instructions for: when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, receiving traffic for the particular subnet from the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  • 16. The non-transitory machine readable medium of claim 15, wherein edge device is connected to the cloud gateway node by a plurality of multipath protocol tunnels which comprise the set of unsecure tunnels.
  • 17. The non-transitory machine readable medium of claim 16, wherein the plurality of multipath protocol tunnels spans a plurality of network links, the plurality of network links comprising at least two of a DSL link, a fiber link, a broadband cable link, and a cellular network link.
  • 18. The non-transitory machine readable medium of claim 13, wherein the program further comprises sets of instructions for: when a subnet VPN status indicates that a particular subnet is accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node over the VPN through at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node; andwhen a subnet VPN status indicates that a particular subnet is not accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  • 19. The non-transitory machine readable medium of claim 13, wherein: the set of instruction for receiving the plurality of subnet VPN statuses comprises a set of instructions for receiving a set of gateway configuration data;the set of instructions for forwarding the plurality of subnet VPN statuses comprises a set of instructions for forwarding the set of gateway configuration data to the cloud gateway node; andthe program further comprises sets of instructions for, with the cloud gateway node, using the gateway configuration data to configure between the edge device and the cloud gateway node a plurality of multipath protocol tunnels and at least one secure Internet Protocol Security (IPSec) tunnel for implementing the VPN.
  • 20. The non-transitory machine readable medium of claim 19, wherein the program further comprises sets of instructions for maintaining the IPSec tunnel with the cloud gateway node even when none of the subnets of the network are available over the VPN.
CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 15/097,282, filed Apr. 12, 2016, now issued as U.S. Pat. No. 10,135,789. U.S. patent application Ser. No. 15/097,282 claims priority from U.S. Provisional Patent Application 62/146,786, filed 13 Apr. 2015. U.S. patent application Ser. No. 15/097,282, now issued as U.S. Pat. No. 10,135,789, and U.S. Provisional Patent Application 62/146,786 are hereby incorporated by reference in their entirety.

US Referenced Citations (273)
Number Name Date Kind
5652751 Sharony Jul 1997 A
6154465 Pickett Nov 2000 A
6445682 Weitz Sep 2002 B1
7003481 Banka Feb 2006 B2
7320017 Kurapati et al. Jan 2008 B1
7680925 Sathyanarayana et al. Mar 2010 B2
7962458 Holenstein et al. Jun 2011 B2
8111692 Ray Feb 2012 B2
8224971 Miller et al. Jul 2012 B1
8228928 Parandekar et al. Jul 2012 B2
8243589 Trost et al. Aug 2012 B1
8259566 Chen et al. Sep 2012 B2
8566452 Goodwin, III Oct 2013 B1
8724456 Hong et al. May 2014 B1
8804745 Sinn Aug 2014 B1
8806482 Nagargadde et al. Aug 2014 B1
8856339 Mestery et al. Oct 2014 B2
8964548 Keralapura et al. Feb 2015 B1
9009217 Nagargadde et al. Apr 2015 B1
9055000 Ghosh et al. Jun 2015 B1
9060025 Xu Jun 2015 B2
9071607 Twitchell, Jr. Jun 2015 B2
9075771 Gawali et al. Jul 2015 B1
9154327 Marino et al. Oct 2015 B1
9306949 Richard et al. Apr 2016 B1
9336040 Dong et al. May 2016 B2
9354983 Yenamandra et al. May 2016 B1
9413724 Xu Aug 2016 B2
9432245 Sorenson et al. Aug 2016 B1
9450817 Bahadur et al. Sep 2016 B1
9450852 Chen et al. Sep 2016 B1
9462010 Stevenson Oct 2016 B1
9525564 Lee Dec 2016 B2
9608962 Chang Mar 2017 B1
9665432 Kruse et al. May 2017 B2
9686127 Ramachandran et al. Jun 2017 B2
9715401 Devine et al. Jul 2017 B2
9722815 Mukundan et al. Aug 2017 B2
9787559 Schroeder Oct 2017 B1
9825822 Holland Nov 2017 B1
9825992 Xu Nov 2017 B2
9906401 Rao Feb 2018 B1
10057183 Salle et al. Aug 2018 B2
10057294 Xu Aug 2018 B2
10135789 Mayya et al. Nov 2018 B2
10178032 Freitas Jan 2019 B1
10187289 Chen et al. Jan 2019 B1
10229017 Zou et al. Mar 2019 B1
10237123 Dubey et al. Mar 2019 B2
10320664 Nainar et al. Jun 2019 B2
10326830 Singh Jun 2019 B1
10348767 Lee et al. Jul 2019 B1
10425382 Mayya et al. Sep 2019 B2
10454714 Mayya et al. Oct 2019 B2
10498652 Mayya et al. Dec 2019 B2
10523539 Mayya et al. Dec 2019 B2
10574528 Mayya et al. Feb 2020 B2
10594516 Cidon et al. Mar 2020 B2
10608844 Cidon et al. Mar 2020 B2
20020198840 Banka Dec 2002 A1
20030088697 Matsuhira May 2003 A1
20030112808 Solomon Jun 2003 A1
20030126468 Markham Jul 2003 A1
20030161313 Jinmei et al. Aug 2003 A1
20030202506 Perkins et al. Oct 2003 A1
20030219030 Gubbi Nov 2003 A1
20040059831 Chu Mar 2004 A1
20040068668 Lor Apr 2004 A1
20040224771 Chen et al. Nov 2004 A1
20050078690 DeLangis Apr 2005 A1
20060002291 Alicherry et al. Jan 2006 A1
20060114838 Mandavilli Jun 2006 A1
20060171365 Borella Aug 2006 A1
20060182034 Klinker et al. Aug 2006 A1
20060193247 Naseh et al. Aug 2006 A1
20070064604 Chen et al. Mar 2007 A1
20070091794 Filsfils et al. Apr 2007 A1
20070121486 Guichard May 2007 A1
20070177511 Das et al. Aug 2007 A1
20070260746 Mirtorabi Nov 2007 A1
20080049621 McGuire Feb 2008 A1
20080080509 Khanna Apr 2008 A1
20080095187 Jung et al. Apr 2008 A1
20080219276 Shah Sep 2008 A1
20080240121 Xiong Oct 2008 A1
20090013210 McIntosh et al. Jan 2009 A1
20090125617 Klessig May 2009 A1
20090154463 Hines Jun 2009 A1
20090247204 Sennett et al. Oct 2009 A1
20100008361 Guichard Jan 2010 A1
20100088440 Banks et al. Apr 2010 A1
20100118727 Draves et al. May 2010 A1
20100191884 Holenstein et al. Jul 2010 A1
20100223621 Joshi et al. Sep 2010 A1
20100332657 Elyashev et al. Dec 2010 A1
20110032939 Nozaki et al. Feb 2011 A1
20110040814 Higgins Feb 2011 A1
20110075674 Li et al. Mar 2011 A1
20110110370 Moreno et al. May 2011 A1
20110153909 Dong Jun 2011 A1
20120008630 Ould-Brahim Jan 2012 A1
20120027013 Napierala Feb 2012 A1
20120157068 Eichen et al. Jun 2012 A1
20120173919 Patel et al. Jul 2012 A1
20120221955 Raleigh et al. Aug 2012 A1
20120250682 Vincent et al. Oct 2012 A1
20120250686 Vincent et al. Oct 2012 A1
20120300615 Kempf et al. Nov 2012 A1
20120317291 Wolfe Dec 2012 A1
20130019005 Hui et al. Jan 2013 A1
20130021968 Reznik et al. Jan 2013 A1
20130044764 Casado et al. Feb 2013 A1
20130051399 Zhang et al. Feb 2013 A1
20130054763 Merwe et al. Feb 2013 A1
20130103834 Dzerve et al. Apr 2013 A1
20130124718 Griffith et al. May 2013 A1
20130124911 Griffith et al. May 2013 A1
20130124912 Griffith et al. May 2013 A1
20130128889 Mathur et al. May 2013 A1
20130142201 Kim et al. Jun 2013 A1
20130173788 Song Jul 2013 A1
20130182712 Aguayo Jul 2013 A1
20130238782 Zhao et al. Sep 2013 A1
20130242718 Zhang Sep 2013 A1
20130254599 Katkar et al. Sep 2013 A1
20130258839 Wang et al. Oct 2013 A1
20130283364 Chang et al. Oct 2013 A1
20130301642 Radhakrishnan et al. Nov 2013 A1
20130315243 Huang Nov 2013 A1
20130329548 Nakil et al. Dec 2013 A1
20140019604 Twitchell, Jr. Jan 2014 A1
20140092907 Sridhar et al. Apr 2014 A1
20140108665 Arora et al. Apr 2014 A1
20140156818 Hunt Jun 2014 A1
20140156823 Liu et al. Jun 2014 A1
20140164560 Ko et al. Jun 2014 A1
20140173113 Vemuri et al. Jun 2014 A1
20140173331 Martin et al. Jun 2014 A1
20140219135 Li Aug 2014 A1
20140223507 Xu Aug 2014 A1
20140244851 Lee Aug 2014 A1
20140279862 Dietz Sep 2014 A1
20140317440 Biermayr et al. Oct 2014 A1
20140337500 Lee Nov 2014 A1
20140341109 Cartmell Nov 2014 A1
20150016249 Mukundan et al. Jan 2015 A1
20150029864 Raileanu et al. Jan 2015 A1
20150046572 Cheng et al. Feb 2015 A1
20150052247 Threefoot et al. Feb 2015 A1
20150058917 Xu Feb 2015 A1
20150088942 Shah Mar 2015 A1
20150089628 Lang Mar 2015 A1
20150092603 Aguayo Apr 2015 A1
20150096011 Watt Apr 2015 A1
20150146539 Mehta et al. May 2015 A1
20150172121 Farkas et al. Jun 2015 A1
20150188823 Williams et al. Jul 2015 A1
20150201036 Nishiki et al. Jul 2015 A1
20150222543 Song Aug 2015 A1
20150236962 Veres et al. Aug 2015 A1
20150249644 Xu Sep 2015 A1
20150334696 Gu Nov 2015 A1
20150350907 Timariu et al. Dec 2015 A1
20150363733 Brown Dec 2015 A1
20150372943 Hasan et al. Dec 2015 A1
20150381493 Bansal et al. Dec 2015 A1
20160035183 Buchholz et al. Feb 2016 A1
20160036924 Koppolu et al. Feb 2016 A1
20160072669 Saavedra Mar 2016 A1
20160105471 Nunes et al. Apr 2016 A1
20160134528 Lin et al. May 2016 A1
20160142373 Ossipov May 2016 A1
20160164832 Bellagamba et al. Jun 2016 A1
20160164914 Madhav et al. Jun 2016 A1
20160173338 Wolting Jun 2016 A1
20160191363 Haraszti et al. Jun 2016 A1
20160191374 Singh Jun 2016 A1
20160197834 Luft Jul 2016 A1
20160197835 Luft Jul 2016 A1
20160198003 Luft Jul 2016 A1
20160210209 Verkaik et al. Jul 2016 A1
20160218947 Hughes et al. Jul 2016 A1
20160255169 Kovvuri et al. Sep 2016 A1
20160261639 Xu Sep 2016 A1
20160269926 Sundaram Sep 2016 A1
20160315912 Mayya et al. Oct 2016 A1
20160352588 Subbarayan et al. Dec 2016 A1
20160359738 Sullenberger et al. Dec 2016 A1
20160380886 Blair et al. Dec 2016 A1
20170012870 Blair et al. Jan 2017 A1
20170026283 Williams et al. Jan 2017 A1
20170034129 Sawant et al. Feb 2017 A1
20170053258 Carney et al. Feb 2017 A1
20170055131 Kong et al. Feb 2017 A1
20170063782 Jain et al. Mar 2017 A1
20170064005 Lee Mar 2017 A1
20170093625 Pera et al. Mar 2017 A1
20170097841 Chang et al. Apr 2017 A1
20170104755 Arregoces et al. Apr 2017 A1
20170118173 Arramreddy et al. Apr 2017 A1
20170123939 Maheshwari et al. May 2017 A1
20170126564 Mayya May 2017 A1
20170134186 Mukundan et al. May 2017 A1
20170163473 Sadana et al. Jun 2017 A1
20170181210 Nadella et al. Jun 2017 A1
20170195169 Mills et al. Jul 2017 A1
20170201585 Doraiswamy et al. Jul 2017 A1
20170207976 Rovner et al. Jul 2017 A1
20170214545 Cheng et al. Jul 2017 A1
20170214701 Hasan Jul 2017 A1
20170223117 Messerli et al. Aug 2017 A1
20170237710 Mayya et al. Aug 2017 A1
20170257260 Govindan et al. Sep 2017 A1
20170257309 Appanna Sep 2017 A1
20170264496 Ao et al. Sep 2017 A1
20170279717 Bethers et al. Sep 2017 A1
20170310691 Vasseur et al. Oct 2017 A1
20170317974 Masurekar et al. Nov 2017 A1
20170337086 Zhu et al. Nov 2017 A1
20170339070 Chang et al. Nov 2017 A1
20170364419 Lo Dec 2017 A1
20180014051 Phillips et al. Jan 2018 A1
20180034668 Mayya et al. Feb 2018 A1
20180041425 Zhang Feb 2018 A1
20180069924 Tumuluru et al. Mar 2018 A1
20180074909 Bishop et al. Mar 2018 A1
20180077081 Lauer et al. Mar 2018 A1
20180077202 Xu Mar 2018 A1
20180084081 Kuchibhotla et al. Mar 2018 A1
20180131720 Hobson et al. May 2018 A1
20180145899 Rao May 2018 A1
20180167378 Kostyukov et al. Jun 2018 A1
20180176082 Katz et al. Jun 2018 A1
20180176130 Banerjee et al. Jun 2018 A1
20180213472 Ishii et al. Jul 2018 A1
20180234300 Mayya et al. Aug 2018 A1
20180260125 Botes et al. Sep 2018 A1
20180270104 Zheng Sep 2018 A1
20180278541 Wu et al. Sep 2018 A1
20180295529 Jen et al. Oct 2018 A1
20180302286 Mayya et al. Oct 2018 A1
20180351855 Sood et al. Dec 2018 A1
20180373558 Chang et al. Dec 2018 A1
20180375744 Mayya et al. Dec 2018 A1
20180375824 Mayya et al. Dec 2018 A1
20190020588 Twitchell, Jr. Jan 2019 A1
20190028552 Johnson et al. Jan 2019 A1
20190046056 Khachaturian et al. Feb 2019 A1
20190058709 Kempf et al. Feb 2019 A1
20190068470 Mirsky Feb 2019 A1
20190068500 Hira Feb 2019 A1
20190103990 Cidon et al. Apr 2019 A1
20190103991 Cidon et al. Apr 2019 A1
20190103992 Cidon et al. Apr 2019 A1
20190103993 Cidon et al. Apr 2019 A1
20190104035 Cidon et al. Apr 2019 A1
20190104049 Cidon et al. Apr 2019 A1
20190104050 Cidon et al. Apr 2019 A1
20190104051 Cidon et al. Apr 2019 A1
20190104052 Cidon et al. Apr 2019 A1
20190104053 Cidon et al. Apr 2019 A1
20190104063 Cidon et al. Apr 2019 A1
20190104064 Cidon et al. Apr 2019 A1
20190104109 Cidon et al. Apr 2019 A1
20190104111 Cidon et al. Apr 2019 A1
20190104413 Cidon et al. Apr 2019 A1
20190140889 Mayya et al. May 2019 A1
20190140890 Mayya et al. May 2019 A1
20190158605 Markuze et al. May 2019 A1
20190268421 Markuze et al. Aug 2019 A1
20190313907 Khachaturian et al. Oct 2019 A1
20200014661 Mayya et al. Jan 2020 A1
20200106706 Mayya et al. Apr 2020 A1
Foreign Referenced Citations (6)
Number Date Country
1912381 Apr 2008 EP
3041178 Jul 2016 EP
2012167184 Dec 2012 WO
2017083975 May 2017 WO
2019070611 Apr 2019 WO
2019094522 May 2019 WO
Non-Patent Literature Citations (21)
Entry
Non-Published commonly Owned U.S. Appl. No. 15/701,115, filed Sep. 11, 2017, 21 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/784,404, filed Oct. 16, 2017, 21 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/838,052, filed Dec. 11, 2017, 28 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/838,355, filed Dec. 12, 2017, 30 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,083, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,086, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,088, filed May 4, 2018, 94 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,090, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,091, filed May 4, 2018, 94 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,093, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,095, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,098, filed May 4, 2018, 94 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,100, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,102, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,103, filed May 4, 2018, 93 pages, Nicira, Inc.
Non-Published commonly Owned U.S. Appl. No. 15/972,104, filed May 4, 2018, 93 pages, Nicira, Inc.
Petition for Post-Grant Review of U.S. Pat. No. 9,722,815, filed May 1, 2018, 106 pages.
Non-published Commonly Owned U.S. Appl. No. 16/576,751, filed Sep. 19, 2019, 42 pages, Nicira, Inc.
Non-published Commonly Owned U.S. Appl. No. 16/656,555, filed Oct. 17, 2019, 40 pages, Nicira, Inc.
Non-published Commonly Owned U.S. Appl. No. 16/699,719, filed Dec. 1, 2019, 42 pages, Nicira, Inc.
Mudigonda, Jayaram, et al., “NetLord: A Scalable Multi-Tenant Network Architecture for Virtualized Datacenters,” Proceedings of the ACM SIGCOMM 2011 Conference, Aug. 15-19, 2011, 12 pages, ACM, Toronto, Canada.
Related Publications (1)
Number Date Country
20190075083 A1 Mar 2019 US
Provisional Applications (1)
Number Date Country
62146786 Apr 2015 US
Continuations (1)
Number Date Country
Parent 15097282 Apr 2016 US
Child 16179675 US