Datacenters today provide edge services for multiple different types of traffic. Edge services for different types of traffic have, in the past, used different mechanisms to perform service classification. New use cases for edge services require yet more mechanisms for providing edge services. In order to simplify the provision of edge services for the multiple types of traffic there is a need in the art for a new approach to the provision of edge services.
Some virtualized computing environments provide edge forwarding elements that sit between an external network and internal networks (e.g., logical networks). The virtualized computing environment, in some embodiments, provides additional edge forwarding elements (and edge services) for subnetworks within the virtualized computing environment. For example, different logical networks, each with their own edge device may be implemented within a datacenter (e.g., by a provider network) that provides an edge forwarding element between an external network and the networks internal to the datacenter. Each logical network (e.g., tenant network, or provider network) includes at least one edge forwarding element, in some embodiments, that executes on either an edge host or as an edge compute node to provide the logical network with access to an external network and vice versa. In some embodiments, the edge forwarding elements provide a set of services (e.g., edge services) for traffic processed by the edge forwarding elements.
Some embodiments provide novel methods for providing different types of services for a logical network associated with an edge forwarding element acting between the logical network and an external network. The edge forwarding element receives data messages for forwarding and performs a service classification operation to select a set of services of a particular type for the data message. The particular type of service is one of multiple different types of services that use different transport mechanisms to forward the data to a set of service nodes (e.g., service virtual machines, or service appliances, etc.) that provide the service. The edge forwarding element then receives the data message after the selected set of services has been performed and performs a forwarding operation to forward the data message. In some embodiments, the method is also performed by edge forwarding elements that are at the edges of logical network segments within the logical network.
The transport mechanisms, in some embodiments, include a logical service forwarding plane (implemented as a logical service forwarding element) that connects the edge forwarding element to a set of service nodes that each provide a service in the set of services. In selecting the set of services, the service classification operation of some embodiments identifies a chain of multiple service operations that has to be performed on the data message. The service classification operation, in some embodiments, includes selecting, for the identified chain of services, a service path to provide the multiple services. After selecting the service path, the data message is sent along the selected service path to have the services provided. Once the services have been provided, the data message is returned to the edge forwarding element by a last service node in the service path that performs the last service operation and the edge forwarding element performs next hop forwarding on the data message or a forwarding operation to forward the data message.
Some embodiments provide stateful services in the chain of services identified for some data messages. To support stateful services in service chains, some embodiments generate connection tracking records in a connection tracker storage used by the edge forwarding element to track service insertion decisions made for multiple data message flows requiring multiple different sets of services (i.e., service chains). The edge forwarding element (e.g., a router) receives a data message at a particular interface of the edge forwarding element that is traversing the edge forwarding element in a forward direction between two machines. The data message, in some embodiments, is a first data message in a forward data message flow (e.g., a set of data messages sharing a same set of attributes) that together with a reverse data message flow between the two machines makes up a bidirectional flow.
The edge forwarding element identifies (1) a set of stateful services for the received data message and (2) a next hop associated with the identified set of stateful services in the forward direction and a next hop associated with the identified set of stateful services in the reverse direction. Based on the identified set of services and the next hops for the forward and reverse directions, the edge forwarding element generates and stores first and second connection tracking records for the forward and reverse data message flows, respectively. The first and second connection tracking records include the next hop identified for the forward and reverse direction data message flows, respectively. The edge forwarding element forwards the received data message to the next hop identified for the forward direction and, for subsequent data messages of the forward and reverse data message flows received by the edge forwarding element, uses the stored connection tracking records to identify the next hop for forwarding.
Some embodiments configure the edge forwarding element to perform service insertion operations to identify stateful services to perform for data messages received for forwarding by the edge forwarding element at multiple virtual interfaces of the edge forwarding element. The service insertion operation, in some embodiments, includes applying a set of service insertion rules. The service insertion rules (1) specify a set of criteria and a corresponding action to take for data messages matching the criteria (e.g., a redirection action and a redirection destination) and (2) are associated with a set of interfaces to which the service insertion rules are applied. In some embodiments, the action is specified using a universally unique identifier (UUID) that is then used as a matching criteria for a subsequent policy lookup that identifies a type of service insertion and a set of next hop data. The edge forwarding element is configured to apply, for each virtual interface, a set of relevant service insertion rules to data messages received at the virtual interface (i.e., to make a service insertion decision).
As described above, the edge forwarding element is configured with a connection tracker storage that stores connection tracking records for data message flows based on the result of a service insertion operation performed for a first data message in the data message flows. In some embodiments, the connection tracker storage is a universal storage for all interfaces of the edge forwarding element and each connection tracking record includes an identifier of a service insertion rule that is used to identify the set of stateful services and the next hop for a data message flow corresponding to the connection tracking record.
The service insertion operation, in some embodiments, includes a first lookup in the connection tracker storage to identify a connection tracking record for a data message received at an interface if it exists. If the connection tracking record exists, all connection tracking data records that include a set of data message attributes (e.g., a data message flow identifier) that match data message attributes of the received data message are identified as a set of possible connection records for the data message. Based on the service insertion rule identifiers and an interface on which the data message was received, a connection tracking record in the set of possible connection records storing an identifier for a service insertion rule applied to the interface is identified as storing the action for the received data message. If a connection tracking record for the received data message is identified, the edge forwarding element forwards the data message based on the action stored in the connection tracking record. If a connection tracking record is not identified (e.g., the data message is a first data message in a data message flow), the edge forwarding element identifies the action for the data message using the service insertion rules and generates connection tracking record and stores the connection tracking record in the connection tracker storage.
Some embodiments provide a method of performing stateful services that keeps track of changes to states of service nodes to update connection tracker records when necessary. At least one global state value indicating a state of the service nodes is maintained at the edge device. In some embodiments, different global state values are maintained for service chain service nodes (SCSNs) and layer 2 bump-in-the-wire service nodes (L2 SNs). The method generates a record in a connection tracker storage including the current global state value as a flow state value for a first data message in a data message flow. Each time a data message is received for the data message flow, the stored state value (i.e., a flow state value) is compared to the relevant global state value (e.g., SCSN state value or L2 SN state value) to determine if the stored action may have been updated.
After a change in the global state value relevant to the flow, the global state value and the flow state value do not match and the method examines a flow programming table to determine if the flow has been affected by the flow programming instruction(s) that caused the global state value to change (e.g., increment). The instructions stored in the flow programming table, in some embodiments, include a data message flow identifier and an updated action (e.g., drop, allow, update selected service path, update a next hop address). If the data message flow identifiers stored in the flow programming table do not match the current data message flow identifier, the flow state value is updated to the current global state value and the action stored in the connection tracker record is used to process the data message. However, if at least one of the data message flow identifiers stored in the flow programming table matches the current data message flow identifier, the flow state value is updated to the current global state value and the action stored in the connection tracker record is updated to reflect the execution of the instructions with a matching flow identifier stored in the flow programming table and the updated action is used to process the data message.
An edge forwarding element is configured, in some embodiments, to provide services using the service logical forwarding element as a transport mechanism. The edge forwarding element is configured to connect different sets of virtual interfaces of the edge forwarding element to different network elements of the logical network using different transport mechanisms. For example, a first set of virtual interfaces is configured to connect to a set of forwarding elements internal to the logical network using a set of logical forwarding elements connecting source and destination machines of traffic for the logical network. Traffic received on the first set of interfaces is forwarded to a next hop towards the destination by the edge forwarding element without being returned to the forwarding element from which it was received, in some embodiments. A second set of virtual interfaces is configured to connect to a set of service nodes to provide services for data messages received at the edge forwarding element.
Each connection made for the second set of virtual interfaces may use different transport mechanisms such as a service logical forwarding element, a tunneling mechanism, and a bump-in-the-wire mechanism, and in some embodiments, some or all of the transport mechanisms are used to provide data messages to the service nodes. Each virtual interface in a third set of virtual interfaces is configured to connect to a service logical forwarding element connecting the edge forwarding element to at least one internal forwarding element in the set of internal forwarding elements. The virtual interfaces are configured to be used (1) to receive data messages from the at least one internal forwarding element to be provided a service by at least one service node in the set of service nodes and (2) to return the serviced data message to the internal forwarding element network.
Some embodiments facilitate the provision of a service reachable at a virtual internet protocol (VIP) address. The VIP address is used by clients to access a set of service nodes in the logical network. In some embodiments, data messages from client machines to the VIP are directed to an edge forwarding element at which the data messages are redirected to a load balancer that load balances among the set of service nodes to select a service node to provide a service requested by the client machine. The load balancer, in some embodiments, does not change the source IP address of the data message received from the client machine so that the service node receives a data message to be serviced that identifies the client machine IP address as a source IP address. The service node services the data message and sends the serviced data message to the client machine using the IP address of the service node as a source IP address and the IP address of the client node as the destination IP address. Because the client sent the original address to the VIP address, the client will not recognize the source IP address of the serviced data message as being a response to the request sent to the VIP address and the serviced data message will not be processed appropriately (e.g., it will be dropped, or not associated with the original request).
Facilitating the provision of the service, in some embodiments, includes returning the serviced data message to the load balancer to track the state of the connection using the service logical forwarding element. To use the service logical forwarding element, some embodiments configure an egress data path of the service nodes to intercept the serviced data message before being forwarded to a logical forwarding element in the datapath from the client to the service node, and determine if the serviced data message requires routing by the routing service provided as a service by the edge forwarding element. If the data message requires routing by the routing service (e.g., for serviced data messages), the serviced data message is forwarded to the edge forwarding element over the service logical forwarding element. In some embodiments, the serviced data message is provided to the edge forwarding element along with the VIP associated with the service, in other embodiments, the edge forwarding element determines the VIP based on a port used to send the data message over the service logical forwarding element. The VIP is used by the edge forwarding element to identify the load balancer associated with the serviced data message. The serviced data message is then forwarded to the load balancer for the load balancer to maintain state information for the connection to which the data message belongs and modify the data message to identify the VIP as the source address for forwarding to the client.
The transport mechanisms, in some embodiments, include a tunneling mechanism (e.g. a virtual private network (VPN), internet protocol security (IPSec), etc.) that connects the edge forwarding element to at least one service node through a corresponding set of virtual tunnel interfaces (VTIs). In addition to the VTIs used to connect the edge forwarding element to the service nodes, the edge forwarding element uses other VTIs to connect to other network elements for which it provides forwarding operations. At least one VTI used to connect the edge forwarding element to other (i.e., non-service node) network elements is identified to perform a service classification operation and is configured to perform the service classification operation for data messages received at the VTI for forwarding. The VTIs connecting the edge forwarding element to the service nodes, in some embodiments, are not configured to perform a service classification operation and are instead configured to mark data messages returned to the edge forwarding element as having been serviced. In other embodiments, VTIs connecting the edge forwarding element to the service nodes are configured to perform limited service classification operations using a single default rule that is applied at the VTI that marks data messages returned to the edge forwarding element as having been serviced.
For traffic exiting a logical network through a particular VTI, some embodiments perform a service classification operation for different data messages to identify different VTIs that connect the edge forwarding element to a service node to provide services required by the data messages. Each data message, in some embodiments, is then forwarded to the identified VTI to receive the required service (e.g., from the service node connected to the edge forwarding element through the VTI). The identified VTI does not perform a service classification operation and merely allows the data message to reach the service node. The service node then returns the serviced data message to the edge forwarding element. In some embodiments, the VTI is not configured to perform the service classification operation and is instead configured to mark all traffic directed to the edge forwarding element from the service node as having been serviced. The marked serviced data message is then received at the edge forwarding element and is forwarded to a destination of the data message through the particular VTI. In some embodiments, the particular VTI does not perform additional service insertion operations because the data message is marked as having been serviced.
The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, Detailed Description, the Drawings, and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, Detailed Description, and the Drawings.
The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.
In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.
Some virtualized computing environments/logical networks provide edge forwarding elements that sit between an external network and internal networks (e.g., logical networks). The virtualized computing environment, in some embodiments, provides additional edge forwarding elements (or edge services) for subnetworks within the virtualized computing environment. For example, different logical networks, each with their own edge device may be implemented within a datacenter (e.g., by a provider network) that provides an edge forwarding element between an external network and the networks internal to the datacenter. Each logical network (e.g., tenant network, or provider network) includes at least one edge forwarding elements, in some embodiments, that executes in either an edge host or as an edge compute node to provide the logical network with access to an external network and vice versa. In some embodiments, the edge forwarding elements provide a set of services (e.g., middlebox services) for traffic processed by the edge forwarding elements.
As used in this document, data messages refer to a collection of bits in a particular format sent across a network. One of ordinary skill in the art will recognize that the term data message is used in this document to refer to various formatted collections of bits that are sent across a network. The formatting of these bits can be specified by standardized protocols or non-standardized protocols. Examples of data messages following standardized protocols include Ethernet frames, IP packets, TCP segments, UDP datagrams, etc. Also, as used in this document, references to L2, L3, L4, and L7 layers (or layer 2, layer 3, layer 4, and layer 7) are references respectively to the second data link layer, the third network layer, the fourth transport layer, and the seventh application layer of the OSI (Open System Interconnection) layer model.
Also, in this example, each logical forwarding element is a distributed forwarding element that is implemented by configuring multiple software forwarding elements (SFEs) (i.e., managed forwarding elements) on multiple host computers. To do this, each SFE or a module associated with the SFE in some embodiments is configured to encapsulate the data messages of the LFE with an overlay network header that contains a virtual network identifier (VNI) associated with the overlay network. As such, the LFEs are said to be overlay network constructs that span multiple host computers in the discussion below.
The LFEs also span in some embodiments configured hardware forwarding elements (e.g., top of rack switches). In some embodiments, each LFE is a logical switch that is implemented by configuring multiple software switches (called virtual switches or vswitches) or related modules on multiple host computers. In other embodiments, the LFEs can be other types of forwarding elements (e.g., logical routers), or any combination of forwarding elements (e.g., logical switches and/or logical routers) that form logical networks or portions thereof. Many examples of LFEs, logical switches, logical routers and logical networks exist today, including those provided by VMware's NSX network and service virtualization platform.
Some embodiments provide novel methods for providing different types of services for a logical network associated with an edge forwarding element executed by an edge device acting between the logical network and an external network. The edge device receives data messages for forwarding and performs a service classification operation to select a set of services of a particular type for the data message.
In some embodiments, the process is performed as part of an edge datapath that, for data messages coming in to the network precedes a routing operation. The process, in some embodiments, is performed by a network interface card (NIC) that is designed or programmed to perform the service classification operation. In some embodiments, process 100 is additionally, or alternatively, performed by the edge device as part of logical processing at multiple virtual interfaces of a logical edge forwarding element including a set of virtual tunnel interfaces (VTIs) used to connect the edge forwarding element to compute nodes outside of the datacenter. In some embodiments, particular interfaces are configured to perform the service classification operation (e.g., by toggling a service classification tag to “1”) while other interfaces are not configured to perform a service classification operation (e.g., if the service classification tag is set to “0”). In some embodiments, a centralized (e.g. service) router calls a set of service insertion and service transport layer modules (such as modules in element 735 of
Process 100 begins by receiving (at 110) a data message at an interface (e.g., the NIC, a VTI) connected to an external network (e.g., a router outside of a datacenter implementing the logical network). The data message, in some embodiments, is received from the external network as part of a communication between a client in the external network and a compute node (e.g. a server, or service node) in the logical network (or vice versa). In some embodiments, the data message is a data message between two compute nodes in the external network that receives services at the edge of logical network.
The process 100 continues by determining (at 120) if a connection tracker record is stored in a connection tracker for the data message flow to which the data message belongs.
If at least one matching connection tracker record is found in the connection tracker storage the process 200 determines (at 222) if a tag (e.g., a flag bit) identifying whether the record was created as part of a service classification operation or as part of a different stateful processing (e.g., an independent firewall operation). In some embodiments, the tag is compared to a value stored in a buffer associated with the data message that is used during the logical processing to store data beyond that which is normally included in a data message (e.g., context data, interface on which the data message was received, etc.). If the tag of the record(s) with a matching flow identifier does not indicate that it is relevant to a service classification operation, the process 200 produces a “no” at operation 120 of process 100.
However, if at least one record includes both a matching flow identifier (at 221) and a matching service classification operation tag (at 222), the process identifies (at 223) interfaces at which a service insertion rule that was used to generate each potentially matching record is applied (i.e., interfaces in the “applied_to” field of the rule that was hit by a first data message of the potentially matching record). In some embodiments, a rule identifier is stored in the connection tracker record and the rule identifier is associated with (e.g., points to) a data storage (e.g., a container) that stores a list of interfaces at which it is applied. In such embodiments, identifying the interfaces at which a rule that was used to generate each potentially matching record is applied includes identifying the interfaces stored in the data storage associated with the rule.
The process 200 then determines (at 224) if any interfaces at which a rule is applied is the interface at which the current data message was received. In some embodiments, data messages of a same data message flow are received at different interfaces based on a load balancing operation (e.g., equal cost multipathing (ECMP)) performed by a forwarding element (e.g., a router) in an external network. Additionally, some data messages are necessarily received at multiple interfaces at which different service rules are applied as part of a processing pipeline. For example, a data message that is received at a first VTI at which a particular service rule applies identifies a second VTI to which to redirect the data message for providing a service required by the data message. The second VTI is connected to a service node that provides the required service and, after the data message is serviced, the data message is returned to the second VTI. The flow identifier matches the connection tracker record for the original data message, but, the service insertion rule identified in the connection tracker record is not applied to data messages received at the second VTI (e.g., the applied_to field of the service insertion rule does not include the second VTI) such that the data message is not redirected to the second VTI to be serviced again.
In some embodiments, the interface is identified by a UUID (e.g., a 64-bit or 128-bit identifier) that is too large to store in the connection tracker record. The UUIDs (or other identifiers) of interfaces identified (at 223) are compared to the UUID of the interface on which the data message was received which, as described above, is stored in a buffer associated with the data message in some embodiments. If no interfaces at which a rule (of a potentially matching connection tracker record) is applied match the interface at which the data message was received, the process 200 produces a “no” at operation 120 of process 100. If, however, a connection tracker record is associated with the interface at which the data message was received (i.e., a rule that was used to generate the connection tracker record is applied at the interface at which the data message was received), the process 200 produces a “yes” at operation 120 of process 100). In some embodiments, a further state value associated with service node state is checked as will be discussed in relation to
If the process 100 determines (at 120) that the data message belongs to a flow that has a connection tracker record, the process 100 retrieves (at 125) a service action based on the information in the connection tracker record. The service action, in some embodiments, includes a service type and a set of forwarding information stored in the connection tracker record. Additional details of retrieving the service action are described in relation to
If the process 100 determines (at 120) that no connection tracker storage entry exists for the received data message for any of the reasons identified in process 200, the process 100 performs (at 130) a first service classification lookup for a set of service insertion rules to find a highest priority rule that is defined for data messages with a set of attributes shared by the received data message. The set of data message attributes, in some embodiments, in a particular service insertion rule may include any of: header values at layer 2, layer 3, or layer 4, or a hash value based on any of the header values, and may include wildcard values for certain attributes (e.g., fields) that allow for any value of the attribute. The service insertion rule, in the embodiment described in relation to process 100, identifies a universally unique identifier (UUID) that is associated with a set of actions for data messages matching the service insertion rule. In other embodiments, service insertion rules include a set of actions (e.g., redirect to a particular address using a particular transport mechanism) to perform for the received data message. In some embodiments, a lowest-priority (e.g., default) rule that applies to all data messages (e.g., that specifies all wildcard values) is included in the set of service insertion rules and will be identified if no other service insertion rule with higher priority is identified. The default rule, in some embodiments, will specify a no-op that causes the data message to be provided to the routing function of the edge forwarding element to be routed without any services being performed on the data message. In other embodiments, the default rule will cause the data message to be provided to the routing function along with an indication that the data message does not require further service classification operations.
After identifying (at 130) the UUID associated with the service insertion rule (and data message), the process 100 performs (at 140) a policy lookup based on the UUID identified (at 130) based on the service insertion rule. In some embodiments, the separation of service insertion rule lookup and UUID (policy) lookup is used to simplify the updating of policies for multiple service insertion rules by changing a policy associated with a single UUID rather than having to update each service insertion rule. The UUID lookup is used to identify a set of forwarding information and to identify a particular service type (e.g., a service using a particular transport mechanism). For example, for different data messages, the UUID lookups may identify any one of a next hop IP address (for a tunneling mechanism), a dummy next hop IP address (for a bump-in-the-wire mechanism), or a set of forwarding data including at least a service path ID, a service index, and a next hop layer 2 (e.g., MAC) address (for a mechanism using a service logical forwarding element). In some embodiments, the type of transport mechanism is inferred from the type of forwarding information identified for the data message. Some embodiments using a service logical forwarding element identify the next hop using a layer 3 (e.g., IP) address. In such embodiments, it may be necessary to include a service type identifier.
In using the UUID to identify a set of forwarding information and to identify a particular service type, some embodiments perform a load balancing operation to select among multiple next hops to provide an identified service. In some embodiments, the identified next hops are service nodes that provide different services. The service nodes, in some embodiments, include at least one of service virtual machines and service appliances. The load balancing operation, in some embodiments, are based on any of: a round robin mechanism, a load-based selection operation (e.g., selecting a service node with a lowest current load), or a distance-based selection operation (e.g., selecting a closest service node as measured by a selected metric).
After the service action and forwarding information are determined (at 140), data message flow identifiers and forwarding information are identified (at 150) for a reverse direction flow. Data message flow identifiers for reverse direction flows are, in many cases, are based on a same set of header values as a forward direction data message flow with source and destination addresses switched. Forwarding information for reverse data message flows for certain types of service insertion (i.e., particular types of transport mechanisms) is different for forward direction flows and reverse direction flows. For some types of service insertion (i.e., transport mechanisms), the forwarding information for a reverse direction flow identifies a next hop for the reverse direction flow that is a last hop for the forward direction flow. For other types of service insertion (e.g., a tunneling mechanism) the reverse direction forwarding information identifies the same next hop (e.g., the next hop IP address of the tunnel endpoint). In some embodiments, operation 150 is skipped as a connection tracker record for the reverse direction is not necessary. For example, some rules specify that they only apply to data messages in a particular direction.
Based on the data message flow identifiers and forwarding information identified for the forward and reverse direction flows, a set of connection tracker records is generated (at 160) for the forward and reverse direction data message flows with the state information (e.g., data message identifiers and forwarding information) for the forward and reverse direction data message flows respectively. In some embodiments, generating the connection tracker records includes querying a flow programming table for a state value stored in the flow programming table that reflects a current state version of a set of service node types associated with the service type identified for the data message. In some embodiments, a flow ID for forward and reverse direction data message flows are the same except for a directionality bit that indicates whether it is a forward or reverse direction data message.
The reverse flow identifier, in some embodiments, is different from a reverse flow identifier that would be generated based on the data message received in the forward direction. For example, a naïve reverse direction identifier generation operation would switch the source and destination IP (L3) and MAC (L2) addresses and generate the identifier based on the switched header values, but if the service node performs a NAT operation, a data message received in the reverse direction would generate a reverse flow identifier based on the translated address and not based on the original (forward direction) data message header addresses. In some embodiments, the return data message with a different set of flow identifiers (e.g., header values, etc.) will be considered a new flow and a new connection tracker record for forward and reverse directions of the data message flow associated with the reverse direction data message flow of the original data message.
Additional details about the connection tracker records and flow programming table are discussed below in relation to
The process 300 determines (at 320) a service insertion type associated with the received data message. In some embodiments, the determination is made based on the service type information received from the service classification operation. In other embodiments, the determination is made implicitly based on the type of forwarding information received from the service classification operation. For example, an IP address provided as forwarding information for a particular data message that is for a virtual tunnel interface (VTI) indicates that the transport mechanism is a tunneling mechanism. Alternatively, a dummy IP address provided as the forwarding information indicates that the transport mechanism is a layer 2, bump-in-the-wire mechanism. If the forwarding information includes a service path identifier and a next hop MAC address, the transport mechanism is understood to be a logical service forwarding plane for a service chain.
If the process 300 determines (at 320) that the service type uses a tunneling transport mechanism, the process 300 identifies (at 332) an egress interface based on an IP address provided by the service classification operation. In some embodiments, the egress interface is identified by a routing function associated with a service transport layer module. Based on the identified egress interface, the data message is provided (at 342) to the VTI which encapsulates the data message for delivery over a virtual private network (VPN) tunnel to a service node to provide the service. In some embodiments, the tunnel uses an internet protocol security (IPsec) protocol to tunnel the data message to the service node. In some embodiments using a secure VPN (e.g., IPsec), the data message is encrypted before being encapsulated for forwarding using the tunneling mechanism. In some embodiments, the encryption and encapsulation is performed as part of a datapath of the virtual tunnel interface used to connect to the service node (e.g., referred to as an L3 service node below).
The encapsulated (and encrypted) data message is then sent to the L3 service node over the VPN for the L3 service node to provide the service and return the serviced data message to the edge forwarding element. After the service node provides the service, the serviced data message is received (at 352) at the edge forwarding element (e.g., the service transport layer module), and the data message is provided (at 380) to a routing function (e.g., the routing function implemented by the edge forwarding element) for forwarding to the destination. In some embodiments, the routing is based on an original destination IP address associated with the data message that is maintained in a memory buffer of the edge device associated with the data message that, in some embodiments, stores additional metadata such as the interface on which the data message was received and for data associated with features of the edge forwarding element such as IP fragmentation, IPsec, access control lists (ACL), etc.
If the process 300 determines (at 320) that the service type uses a layer 2, bump-in-the-wire transport mechanism, the process 300 identifies (at 334) source and destination interfaces based on a set of next hop dummy IP addresses provided by the service classification operation. The next hop dummy IP addresses are used to identify source and destination layer 2 (e.g., MAC) addresses associated with a bump-in-the-wire service node (i.e., a service node that does not change the source and destination layer 2 (e.g., MAC) addresses of the data message). In some embodiments, the set of next hop dummy IP addresses include a set of source and destination dummy IP addresses that are resolved into source and destination layer 2 (e.g., MAC) addresses associated with different interfaces of the edge forwarding element. In some embodiments, the different interfaces are identified by a routing function associated with a service transport layer module. The different interfaces are used, in some embodiments, to differentiate data messages traversing the edge device (e.g., the edge forwarding element) in different directions (e.g., north to south traffic vs. south to north traffic) such that data messages going in one direction (e.g., from within the logical network to the external network) use a first interface as the source and a second interface as a destination, and data messages going in the opposite direction (e.g., from the external network to the logical network) use the second interface as a source and the first interface as a destination.
The data message is then sent (at 344) to the destination interface from the source interface using the identified source and destination layer 2 addresses. After the data message is sent (at 344) to the service node using the identified interfaces, the edge forwarding element receives (at 354) the serviced data message from the service node at the destination interface. The serviced data message is then provided (at 380) to a routing function (e.g., the routing function implemented by the edge forwarding element) for forwarding to the destination. In some embodiments, the routing is based on an original destination IP address associated with the data message that is maintained throughout the processing of the data message. In other embodiments, the original destination IP address is maintained in a memory buffer of the edge device associated with the data message that, in some embodiments, stores additional metadata such as the interface on which the data message was received and for data associated with features of the edge forwarding element such as IP fragmentation, IPsec, access control lists (ACL), etc.
If the process 300 determines (at 320) that the service type uses a service logical forwarding element transport mechanism, the process 300 identifies (at 336) an interface associated with the service logical forwarding element based on a table that stores associations between logical forwarding elements (e.g., an edge forwarding element implemented as a virtual routing forwarding (VRF) context) and interfaces of the logical forwarding elements that connect to a service logical forwarding plane. In some embodiments the table is a global table supplied by a network management or control compute node and includes information for all logical forwarding elements in the logical network that connect to any of a set of service logical forwarding elements. In some embodiments, an interface associated with the logical service forwarding element is identified based on the forwarding information (e.g., based on a service path identifier or service virtual network identifier provided as part of the forwarding information).
The data message is then sent (at 346) to the identified interface (or a logical service plane data message processor) along with service path information and service metadata (SMD) to be encapsulated with a logical network identifier (LNI) for delivery to a first service node in the service path identified in the service path information. In some embodiments, the service path information provided as part of the forwarding information includes (1) a service path identifier (SPI) that is used by the logical forwarding element and each service node to identify a next hop service node, (2) a service index (SI) indicating the location of the hop in the service path, and, in some embodiments, (3) a time to live. In some embodiments, the LNI is a service virtual network identifier (SVNI). Additional details of the use of service forwarding planes can be found in U.S. patent application Ser. No. 16/444,826, filed on Jun. 18, 2019, now issued as U.S. Pat. 11,042,397, which is hereby incorporated by reference.
After being serviced by the service nodes in the service path, the data message is received (at 356) at the edge forwarding element. In some embodiments, the edge forwarding element receives the data message as a routing service node that is identified as a last hop in the service path identified for the data message. In such embodiments, the service router implements a service proxy to receive the data message in accordance with a standard protocol for service chaining using service paths. The edge forwarding element, in some embodiments, receives the serviced data message along with service metadata that identifies the original source and destination addresses to be used to forward the data message to its destination. In some embodiments, the service metadata also includes any flow programming instructions sent by service nodes or service insertion proxies on the service path. The flow programming instructions, in some embodiments, include instructions for modifying how the service classification operation selects service chains, service paths, and/or forwards data message flows along service paths. In other embodiments, this flow programming involves other modifications to how a data message flow is processed by the service plane. Flow programming will be further described below.
The process 300 then determines (at 366) whether the received serviced data message includes flow programming instructions. If the process 300 determines that flow programming instructions are included with the serviced data message, a flow programming table is updated (at 375) by adding the flow programming instructions to the table to be used in processing subsequent data messages in the data message flow. In some embodiments, the flow programming instructions identify the flow that the flow programming instruction relates to and a new service action (e.g., a pf_value) for the identified flow. A new service action, in some embodiments, is an instruction to skip a particular service node (e.g., a firewall service node) for a next data message, or for all subsequent data messages in a data message flow (e.g., if the firewall service node determines that the data message flow is allowed), or to drop all subsequent data messages of the data message flow (e.g., if the firewall service node determines that the data message flow is not allowed).
In some embodiments, the connection tracker record for the flow identified in the flow programming instruction is updated during the processing of the next data message in the data message flow. For example, each time a flow programming instruction is added to the flow programming table, in some embodiments, a flow programming version value (e.g., flow_program_gen) is updated (e.g., incremented) to indicate that a flow programming instruction has been received and that state information generated using a previous flow programming version value may be out of date. Upon identifying a connection tracker record for a particular data message, if the flow programming version value is not equal to the current value, the flow programming table is consulted to see if the connection tracker record must be updated based on a flow programming instruction contained in the flow programming table. The use of the flow programming version value is discussed in more detail in relation to
If the process 300 determines (at 366) that there are no flow programming instructions or after updating the flow programming table, the data message is then provided (at 380) to a routing function (e.g., the routing function implemented by the edge forwarding element) for forwarding to the destination. In some embodiments, the original set of data message headers are carried through the service path in service metadata. In other embodiments, the original set of header values are stored in a buffer at the edge device and are restored after the data message is received from the last hop in the service path. One of ordinary skill in the art will appreciate that operations 366 and 375, in some embodiments, are performed in parallel with operation 380 as they do not depend on each other.
The service classification operations are provided, in some embodiments, in a virtualized networking environment. The virtualized networking environment, in some embodiments, is comparable to the virtualized networking environment described in U.S. Pat. No. 9,787,605, which is hereby incorporated by reference. A basic introduction to the virtualized networking environment is presented here, with additional details provided in the above-referenced Patent.
In some embodiments, any number of VPCGs may be attached to an AZG such as the AZG 405. Some datacenters may have only a single AZG to which all VPCGs implemented in the datacenter attach, whereas other datacenters may have numerous AZGs. For instance, a large datacenter may want to use different AZG policies for different VPCs, or may have too many different VPCs to attach all of the VPCGs to a single AZG. Part of the routing table for an AZG includes routes for all of the logical switch domains of its VPCGs, so attaching numerous VPCGs to an AZG creates several routes for each VPCG just based on the subnets attached to the VPCG. The AZG 405, as shown in the figure, provides a connection to the external physical network 435; some embodiments only allow the AZG to provide such a connection, so that the datacenter (e.g., availability zone) provider can manage this connection. Each of the separate VPCGs 410-420, though part of the logical network 400, are configured independently (although a single tenant could have multiple VPCGs if they so choose).
The partially centralized implementation of the VPCG 410, illustrated in
The above figure illustrates the management plane view of logical routers of some embodiments. In some embodiments, an administrator or other user provides the logical topology (as well as other configuration information) through an API. This data is provided to a management plane, which defines the implementation of the logical network topology (e.g., by defining the DRs, SRs, transit logical switches, etc.). In addition, in some embodiments a user associates each logical router (e.g., each AZG or VPCG) with a set of physical machines (e.g., a pre-defined group of machines in the datacenter) for deployment. For purely distributed routers, the set of physical machines is not important, as the DR is implemented across the managed forwarding elements that reside on hosts along with the data compute nodes that connect to the logical network. However, if the logical router implementation includes SRs, then these SRs will each be deployed on specific physical machines. In some embodiments, the group of physical machines is a set of machines designated for the purpose of hosting SRs (as opposed to user VMs or other data compute nodes that attach to logical switches). In other embodiments, the SRs are deployed on machines alongside the user data compute nodes.
In some embodiments, the user definition of a logical router includes a particular number of uplinks. Described herein, an uplink is a northbound interface of a logical router in the logical topology. For a VPCG, its uplinks connect to an AZG (all of the uplinks connect to the same AZG, generally). For an AZG, its uplinks connect to external routers. Some embodiments require all of the uplinks of an AZG to have the same external router connectivity, while other embodiments allow the uplinks to connect to different sets of external routers. Once the user selects a group of machines for the logical router, if SRs are required for the logical router, the management plane assigns each of the uplinks of the logical router to a physical machine in the selected group of machines. The management plane then creates an SR on each of the machines to which an uplink is assigned. Some embodiments allow multiple uplinks to be assigned to the same machine, in which case the SR on the machine has multiple northbound interfaces.
As mentioned above, in some embodiments the SR may be implemented as a virtual machine or other container, or as a VRF context (e.g., in the case of DPDK-based SR implementations). In some embodiments, the choice for the implementation of an SR may be based on the services chosen for the logical router and which type of SR best provides those services.
In addition, the management plane of some embodiments creates the transit logical switches. For each transit logical switch, the management plane assigns a unique VNI to the logical switch, creates a port on each SR and DR that connects to the transit logical switch, and allocates an IP address for any SRs and the DR that connect to the logical switch. Some embodiments require that the subnet assigned to each transit logical switch is unique within a logical L3 network topology having numerous VPCGs (e.g., the network topology 400), each of which may have its own transit logical switch. That is, in
Some embodiments place various restrictions on the connection of logical routers in a multi-tier configuration. For instance, while some embodiments allow any number of tiers of logical routers (e.g., an AZG tier that connects to the external network, along with numerous tiers of VPCGs), other embodiments only allow a two-tier topology (one tier of VPCGs that connect to the AZG). In addition, some embodiments allow each VPCG to connect to only one AZG, and each logical switch created by a user (i.e., not a transit logical switch) is only allowed to connect to one AZG or one VPCG. Some embodiments also add the restriction that southbound ports of a logical router must each be in different subnets. Thus, two logical switches may not have the same subnet if connecting to the same logical router. Lastly, some embodiments require that different uplinks of an AZG must be present on different gateway machines. It should be understood that some embodiments include none of these requirements, or may include various different combinations of the requirements.
This figure assumes that there are two VMs attached to each of the two logical switches 425 and 430, which reside on the four physical host machines 605-620. Each of these host machines includes a managed forwarding element (MFE) 625. These MFEs may be flow-based forwarding elements (e.g., Open vSwitch) or code-based forwarding elements (e.g., ESX), or a combination of the two, in various different embodiments. These different types of forwarding elements implement the various logical forwarding elements differently, but in each case, they execute a pipeline for each logical forwarding element that may be required to process a packet.
Thus, as shown in
In addition, the physical implementation shown in
This figure shows the SRs as separate from the MFEs 650 that operate on the gateway machines. As indicated above, different embodiments may implement the SRs differently. Some embodiments implement the SRs as VMs (e.g., when the MFE is a virtual switch integrated into the virtualization software of the gateway machine), in which case the SR processing is performed outside of the MFE. On the other hand, some embodiments implement the SRs as VRFs within the MFE datapath (when the MFE uses DPDK for the datapath processing). In either case, the MFE treats the SR as part of the datapath, but in the case of the SR being a VM (or other data compute node), sends the packet to the separate SR for processing by the SR pipeline (which may include the performance of various services). As with the MFEs 625 on the host machines, the MFEs 650 of some embodiments are configured to perform all of the distributed processing components of the logical network.
Service insertion layer and service transport layer modules 735 include a service insertion pre-processor 720, a connection tracker 721, a service layer transport module 722, a logical switch service plane processor 723, a service plane layer 2 interface 724, a service routing function 725, bump-in-the-wire (BIW) pair interfaces 726, a virtual tunnel interface 727, a service insertion post-processor 728, and a flow programming table 729. Service insertion pre-processor 720, in some embodiments, performs the process 100 to determine service type and forwarding information for a received data message. Service transport layer module 722, in some embodiments, performs the process 300 to direct the data message to the appropriate service nodes to have required services performed and to return the data message to the T0 SR 730 for routing to a destination of the data message.
The function of the modules of the service insertion layer and service transport layer 735 are described in more detail in relation to
In some embodiments, interfaces connected to service nodes are configured to mark data messages being returned to the edge forwarding element as serviced so that they are not provided to the SI pre-processor 720 again. After the service classification operations are performed by the SI pre-processor 720 the result of the classification operation is passed to the service transport layer module 722 to be used to forward the data message to a set of service nodes that provides a required set of services.
After the service node(s) process the data message the serviced data message is returned to the service transport layer module 722 for post-processing at SI post-processor 728 before being returned to the T0 SR 730 for routing. The T0 SR 730 routes the data message and provides the data message to the T0 DR 740. In some embodiments the T0 SR 730 is connected to the T0 DR 740 through a transit logical switch (not shown) as described above in relation to
In some embodiments, edge datapath 710 also includes logical processing stages for T1 SR and T1 DR operations as well as the T0 SR 730 and T0 DR 740. Some embodiments insert a second service classification operation performed by a set of service insertion layer and service transport layer modules called by a T1 SR. The SI pre-processor called by the VPCG applies service classification rules (e.g., service insertion rules) defined for the VPCG (e.g., service insertion rules for a particular VPC logical network behind the VPCG). The VPCG-specific service classification rules, in some embodiments, are included in a same set of rules as the AZG-specific service classification rules and are distinguished by a logical forwarding element identifier. In other embodiments, the VPCG-specific service classification rules are stored in a separate service classification rule storage or database used by the SI pre-processor called by the VPCG.
The SI pre-processor called by the VPCG performs the same operations as the SI pre-processor 720 to identify data messages that require a set of services and the forwarding information and service type for the identified data messages. As for SI pre-processor 720, the SI pre-processor performs the service classification operations and after the services are provided, the data message is returned to the logical processing stage for the T1 SR. The T1 SR routes the data message and provides the data message to the T1 DR. In some embodiments, the T1 SR is connected to the T1 DR through a transit logical switch (not shown) as described above in relation to
For outgoing messages the edge datapath is similar but, in some embodiments, will include T1 and T0 DR components only if the source compute node is executing on the edge device 700 or the T1 SR executes on the edge device 700 respectively. Otherwise the host of the source node (or the edge device that executes the T1 SR) will perform the logical routing associated with the T1/T0 DR. Additionally, for outgoing data messages, data messages are logically routed by SRs (e.g., T0 SR 730) before calling the service insertion layer and service transport layer modules. The function of the service insertion layer and service transport layer modules is similar to the forward direction (e.g., the incoming data messages discussed above) and will be discussed in more detail below. For data messages requiring services, the serviced data message is returned to the SR (e.g., T0 SR 730) to be sent over the interface identified by the logical routing processing.
The encapsulated data message is then unencapsulated by encapsulation processor 842 and provided to port 816 for delivery to the SVM 806 through its STL module 826 and SI proxy 814. A return data message traverses the modules in the reverse order. The operations of STL module 826 and SI proxy 814 are discussed in more detail in U.S. patent application Ser. No. 16/444,826.
An edge forwarding element is configured, in some embodiments, to provide services using the service logical forwarding element as a transport mechanism as described in relation to
Each connection made for the second set of virtual interfaces may use different transport mechanisms such as a service logical forwarding element, a tunneling mechanism, and a bump-in-the-wire mechanism, and in some embodiments, some or all of the transport mechanisms are used to provide data messages to the service nodes as discussed below in relation to
The transport mechanisms, in some embodiments, include a logical service forwarding element that connects the edge forwarding element to a set of service nodes that each provide a service in the set of services. In selecting the set of services, the service classification operation of some embodiments identifies a chain of multiple service operations that has to be performed on the data message. The service classification operation, in some embodiments, includes selecting, for the identified chain of services, a service path to provide the multiple services. After selecting the service path, the data message is sent along the selected service path to have the services provided. Once the services have been provided the data message is returned to the edge forwarding element by a last service node in the service path that performs the last service operation and the edge forwarding element performs a forwarding operation to forward the data message as will be discussed further in relation to
Data message 1110 is received at the edge device and provided to the edge TX SR 1130. In some embodiments, the TX SR 1130 receives the data message at an uplink interface or at a virtual tunnel interface of the TX SR 1130. In some embodiments, the SI Pre-processor 1120 is called at different processing operations for an uplink interface and a virtual tunnel interface (VTI). In some embodiments, the calls for data messages received at an uplink interface and a virtual tunnel interface are implemented by different components of the edge device. For example, the SI pre-processor 1120 is called for data messages received at the uplink interface, in some embodiments, by a NIC driver as part of a standard data message pipeline, while the SI pre-processor 1120 is called for data messages received at a VTI is called after (before) a decapsulation and decryption (encryption and encapsulation) operation as part of a separate VTI processing pipeline. In some embodiments implementing the SI pre-processor 1120 differently for uplinks and VTIs, a same connection tracker is used to maintain a consistent state for each data message even if it traverses a VTI and an uplink.
The SI pre-processor 1120 performs a set of operations similar to the operations of process 100. The SI pre-processor 1120 performs a lookup in connection tracker storage 1121 to determine if a connection tracker record exists for the data message flow to which the data message belongs. As discussed above, the determination is based on a flow identifier including, or derived from, flow attributes (e.g., header values, contextual data, or values derived from the header values and, alternatively or conjunctively, the contextual data). In the illustrated example, the data message 1110 is a first data message in a data message flow and no connection tracker record is identified for the data message flow to which data message 1110 belongs. The connection tracker storage lookup is equivalent to operation 120 of process 100, and if an up-to-date connection tracker record had been found, the SI pre-processor 1120 would have forwarded the information in the identified connection tracker record to the LR-SR as in operations 120, 125, and 170 of process 100.
Since, in this example, no connection tracker record is found, SI pre-processor 1120 performs a lookup in a service insertion rule storage 1136 to determine if any service insertion (service classification) rules apply to the data message. In some embodiments, the SI rules for different interfaces are stored in the SI rule storage 1136 as separate rule sets that are queried based on an incoming interface identifier (e.g., an incoming interface UUID stored as metadata in a buffer of the edge device). In other embodiments, the SI rules for different interfaces are stored as a single rule set with potential matching rules examined to see if they apply to the interface on which the data message was received. As will be discussed below, the SI rule set(s) are received from a controller that generates the rule sets based on policies defined at a network manager (by an administrator or by the system). The SI rules 1145 in the SI rule storage 1136, in some embodiments, are specified in terms of flow attributes that identify data message flows to which the rule applies and a service action. In the illustrated example, the service action is a redirection to a UUID that is used to identify the service type and forwarding information.
Assuming that the lookup in the SI rule storage 1136 results in identifying a service insertion rule that applies to the data message 1110, the process uses the UUID identified from the service applicable insertion rule to query a policy table 1137. In some embodiments, the UUID is used to simplify the management of service insertion such that each individual rule specifying a same service node set does not need to be updated if a particular service node in the service node set fails and instead the set of service nodes associated with the UUID can be updated, or a selection (e.g., load balancing) operation can be updated for the UUID. The current example illustrates a UUID that identifies a service chain identifier associated with multiple service paths identified by multiple service path identifiers (SPIs) and a set of selection metrics. The selection metrics can be selection metrics for a load balancing operation that is any of: a round robin mechanism, a load-based selection operation (e.g., selecting a service node with a lowest current load), or a distance-based selection operation (e.g., selecting a closest service node as measured by a selected metric). The set of service paths, in some embodiments, is a subset of all the possible service paths for the service chain. In some embodiments, the subset is selected by a controller that assigns different service paths to different edge devices. The assignment of service paths to different edge devices, in some embodiments, provides a first level of load balancing over the service nodes.
Once a service path is selected, the SI pre-processor 1120 identifies forwarding information associated with the selected service path by performing a lookup in forwarding table 1138. The forwarding table 1138 stores forwarding information for the service path (e.g., a MAC address for a first hop in the service path). In some embodiments, the forwarding information includes a service index that indicates a service path length (i.e., the number of service nodes included in the service path). In some embodiments, the forwarding information also includes a time to live (TTL) value that indicates the number of service nodes in the service path. The next hop MAC address, service index, and TTL values, in other embodiments, are stored with the SPI in the policy table 1137 and the forwarding table 1138 is unnecessary.
In some embodiments, selecting a service path for a forward direction data message flow includes selecting a corresponding service path for a reverse direction data message flow. In such embodiments, forwarding information for each direction is determined at this point. The service path for the reverse direction data message flow, in some embodiments, includes the same service nodes as the service path for the forward direction data message flow but traverses the service nodes in the opposite order. In some embodiments, the service path for the reverse direction data message flow traverses the service nodes in the opposite order when at least one service node modifies the data message. The service path for the reverse direction data message flow, for some data message flows, is the same service path as for the forward direction flow. In some embodiments, the SR is made available as a service node to provide an L3 routing service and is identified as a last hop for each service path. The SR L3 routing service node, in some embodiments, is also a first hop for each service path to ensure that traversing the service path in the opposite order will end at the SR, and the SR performs the first hop processing of the service path as a service node.
Once the service path has been selected and the forwarding information has been identified, connection tracker records are created for the forward and reverse direction flows and are provided to the connection tracker storage 1121. In some embodiments, a service insertion post-processor 1128 is queried for a state value (e.g., a flow programming version value “flow_prog_gen”) that indicates a current state of a set of service nodes (e.g., a set of service nodes associated with the identified service type). As discussed below, the connection tracker records includes the forwarding information (e.g., the SPI, the service index, a next hop MAC address, and a service insertion rule identifier for the service insertion rule that was identified as matching the attributes of data message 1110) used to process subsequent data messages in the forward and reverse data message flows. In some embodiments, the connection tracker record also includes the flow programming version value to indicate a current flow programming version value at the time the connection tracker record is created for comparison to then-current values for subsequent data messages in the data message flow for which the record is created.
The data message 1152 along with the forwarding information 1151 are then provided to the STL module 1122. The forwarding information, in this example, for a data message requiring services provided by a service chain includes service metadata (SMD) that includes, in some embodiments include any or all of a service chain identifier (SCI), a SPI, a service index, a TTL value, and a direction value. The forwarding information, in some embodiments, also includes a MAC address for a next hop and a service insertion type identifier to identify the data message as using a logical service forwarding element transport mechanism.
The STL module 1122, as shown, provides the data message 1153 along with an encapsulating header 1154 that includes, in some embodiments, the SMD and liveness attributes that indicate that the L3 routing service node is still operational to a layer 2 service plane processor 1123 that prepares the data message for sending to the service plane L2 interface 1124 based on the information included in the encapsulating header 1154. In some embodiments, instead of an encapsulating header, the forwarding information is sent or stored as separate metadata that includes, in some embodiments, the SMD and liveness attributes that indicate that the L3 routing service node is still operational. The logical switch service plane processor 1123 functions similarly to a port proxy described in U.S. patent application Ser. No. 16/444,826 filed on Jun. 18, 2019. As shown, the logical switch service plane processor 1123 removes the header 1154 and records the SMD and next hop information. The data message is then provided to service plane L2 interface 1124 (e.g., a software switch port associated with the logical service forwarding element).
The data message is then encapsulated for delivery to a first service node in the service path by an interface (e.g., a port or virtual tunnel endpoint (VTEP)) of the software forwarding element to produce 1157. In some embodiments, the SMD is a modified set of SMD that enables the original data 1110 message to be reconstructed when the serviced data message is returned to the logical switch service plane processor 1123. In some embodiments, the encapsulation is only necessary when the next hop service node executes on another device so that the encapsulated data message 1157 can traverse an intervening network fabric.
The encapsulation, in some embodiments, encapsulates the data message with an overlay header to produce data message 1157. In some embodiments, the overlay header is a Geneve header that stores the SMD and STL attributes in one or more of its TLVs. As mentioned above, the SMD attributes in some embodiments include the SCI value, the SPI value, the SI value, and the service direction. Other encapsulation headers are described in U.S. patent application Ser. No. 16/444,826 filed on Jun. 18, 2019. The illustrated datapath for data message 1110 assumes that the first service node in the service path is on an external host (a host machine that is not the edge device). If, instead, the edge device is hosting the next service node in the service path, the data message will not require encapsulation and instead will be sent to the next service node over the logical service forwarding plane using the SVNI associated with the logical service plane and the MAC address of the next hop service node.
If flow programming instructions are included in encapsulation header 1158, the flow programming instructions 1159 are provided to a flow programming table 1129 and a flow programming version value is updated (e.g., incremented). The flow programming instruction in the flow programming table 1129, in some embodiments, includes a new action (e.g., pf_value) that indicates that subsequent data messages should be dropped, allowed, or a new service path is identified to skip a particular service node (e.g., a firewall that has determined that the connection is allowed) while traversing the other service nodes in the original service path. The use of the flow programming version value will be discussed further in relation to
Data message 1210 is received at the edge device and provided to the edge TX SR 1130. In some embodiments, the TX SR 1130 receives the data message at an uplink interface or at a virtual tunnel interface of the TX SR 1130. In some embodiments, the SI Pre-processor 1120 is called at different processing operations for an uplink interface and a virtual tunnel interface (VTI). In some embodiments, the calls for data messages received at an uplink interface and a virtual tunnel interface are implemented by different components of the edge device. For example, the SI pre-processor 1120 is called for data messages received at the uplink interface, in some embodiments, by a NIC driver as part of a standard data message pipeline, while the SI pre-processor 1120 is called for data messages received at a VTI is called after (before) a decapsulation and decryption (encryption and encapsulation) operation as part of a separate VTI processing pipeline. In some embodiments implementing the SI pre-processor 1120 differently for uplinks and VTIs, a same connection tracker is used to maintain a consistent state for each data message even if it traverses a VTI and an uplink.
The SI pre-processor 1120 performs a set of operations similar to the operations of process 100. The SI pre-processor 1120 performs a lookup in connection tracker storage 1121 to determine if a connection tracker record exists for the data message flow to which the data message belongs. As discussed above, the determination is based on a flow identifier including, or derived from, flow attributes (e.g., header values, contextual data, or values derived from the header values and, alternatively or conjunctively, the contextual data). In the illustrated example, the data message 1210 is a data message in a data message flow that has a connection tracker record in the connection tracker storage 1121. The connection tracker storage lookup begins with operation 120 of process 100.
Some embodiments provide a method of performing stateful services that keeps track of changes to states of service nodes to update connection tracker records when necessary. At least one global state value indicating a state of the service nodes is maintained at the edge device. In some embodiments, different global state values are maintained for service chain service nodes (SCSNs) and layer 2 bump-in-the-wire service nodes (L2 SNs). The method generates a record in a connection tracker storage including the current global state value as a flow state value for a first data message in a data message flow. Each time a data message is received for the data message flow, the stored state value (i.e., a flow state value) is compared to the relevant global state value (e.g., SCSN state value or L2 SN state value) to determine if the stored action may have been updated.
After a change in the global state value relevant to the flow, the global state value and the flow state value do not match and the method examines a flow programming table to determine if the flow has been affected by the flow programming instruction(s) that caused the global state value to change (e.g., increment). The instructions stored in the flow programming table, in some embodiments, include a data message flow identifier and an updated action (e.g., drop, allow, update selected service path, update a next hop address). If the data message flow identifiers stored in the flow programming table do not match the current data message flow identifier, the flow state value is updated to the current global state value and the action stored in the connection tracker record is used to process the data message. However, if at least one of the data message flow identifiers stored in the flow programming table matches the current data message flow identifier, the flow state value is updated to the current global state value and the action stored in the connection tracker record is updated to reflect the execution of the instructions with a matching flow identifier stored in the flow programming table and the updated action is used to process the data message.
For some data message flows, a previous data message in the data message flow will have been received that includes a set of flow programming instructions. The data message, in some embodiments, is a serviced data message that has been serviced by a set of service nodes in a service path and the set of flow programming instructions is based on flow programming instruction from a set of service nodes in the service path. The set of flow programming instructions, in some embodiments, includes a flow programming instruction for both a forward direction data message flow and a reverse direction data message flow that are affected by the flow programming instruction. In some embodiments, the forward and reverse flow ID are the same and a direction bit distinguishes between forward and reverse data message flows in the connection tracker record.
The set of flow programming instructions are recorded in a flow programming table and a flow programming version value is updated (incremented) at the flow programming table to reflect that flow programming instructions have been received that may require information in at least one connection tracker record to be updated. The flow programming instructions, in some embodiments, are based on any of the following events: the failure of a service node, an identification of a service node that is no longer required to be part of the service path, a decision to drop a particular data message in a data message flow, or a decision to drop a particular data message flow. Based on the event, the flow programming instruction includes forwarding information that specifies a different service path than was previously selected (based on service node failure or the identification of a service node that is no longer required) or a new action (e.g., pf_value) for a next data message (based on a decision to drop a particular data message in a data message flow) or for the data message flow (based on a decision to drop a particular data message flow). The flow programming table, in some embodiments, stores records relevant to individual flows and a record of failed service nodes (or the service paths that they belong to) used to determine available service paths during service path selection operations. Records stored for individual flows, persist until they are executed, which, in some embodiments, occurs upon receiving the next data message for the data message flow as will be discussed below.
The process 1300 then determines (at 1320) whether the flow programming generation value is current (i.e., is not equal to the flow programming version value stored by the flow programming table). In the described embodiment, determining (at 1320) whether the flow programming version value (e.g., flow_prog_gen or BFD_gen) is current includes a query to the flow programming table 1129 including only the flow programming version value to perform a simple query operation to determine whether a further, more complicated query must be performed. If the flow programming version value is current the action stored in the connection tracker record can be used to forward the data message to service nodes to provide the required services and the process ends.
If the process 1300 determines (at 1320) that the flow programming version value is not current, the process 1300 then determines (at 1330) whether there is a flow programming instruction that applies to the received data message (i.e., the data message flow to which the data message belongs). In some embodiments, this second determination is made using a query (e.g., 1271) that includes a flow ID that is used as a key to identify a flow programming record stored in the flow programming table. In some embodiments, the query also includes a service path identifier (SPI) that can be used to determine whether the service path has failed. The flow programming generation value is not current, in some embodiments, because a flow programming instruction has been received that causes the flow programming version value to update (e.g., increment). The flow programming instruction, in some embodiments, is relevant to the data message flow, while in other embodiments, the flow programming instruction is relevant to a different data message flow or a failed service node.
If the process 1300 determines (at 1330) that there is no relevant flow programming instruction for the received data message, the flow programming version value stored in the connection tracker record is updated (at 1340) to reflect the flow programming version value returned from the flow programming table. The data message is then processed (at 1345) based on the action stored in the connection tracker record and the process ends. If, however, the process 1300 determines (at 1330) that there is a relevant flow programming instruction for the received data message, the action in the flow programming table is used (at 1350) to process the data message. In some embodiments, the determination that there is a relevant flow programming instruction for the received data message is based on receiving a non-empty response (e.g., 1272) to the query. The connection tracker record is then updated (at 1360) based on the query response to update the service action and the flow programming version value and the process ends. One of ordinary skill in the art will appreciate that operations 1350 and 1360 are performed together or in a different order without affecting the functionality.
Processing the data message according to the forwarding information based on the flow programming record and connection tracker record, for some data messages, includes forwarding the data message to the service transport layer module 1122 that forwards the data message along the service path identified in the forwarding information. For other data messages, processing the data message according to the forwarding information includes dropping (or allowing) the data message based on the flow programming instruction. A similar process is performed for L2 BIW service nodes based on a bidirectional forwarding detection (BFD) version value (e.g., BFD_gen) that is a state value associated with failures of service nodes connected by a L2 BIW transport mechanism and is stored in a connection tracker record at creation.
After the data message is processed through SI post-processor 1128, serviced data message 1162 is provided to the TX SR 1130 marked (e.g., using a tag, or metadata associated with the data message) as having been serviced so that SI pre-processor is not called a second time to classify the data message. TX SR 1130 then forwards the data message 1163 to the next hop. In some embodiments, the marking as serviced is maintained in forwarding the data message, while in some other embodiments, the marking is removed as part of the logical routing operation of the TX SR 1130. In some embodiments, metadata is stored for the data message that indicates that the data message has been serviced.
Connection tracker record set 1410 is a set of connection tracker records for a forward and reverse direction data message flow that use a logical service plane (e.g., logical service forwarding element) transport mechanism. Connection tracker record set 1410, in some embodiments, includes a connection tracker record 1411 for a forward direction data message flow and a connection tracker record 1412 for a reverse direction data message flow. Each connection tracker record 1411 and 1412, includes a flow identifier (e.g., Flow ID or Flow ID′), a set of service metadata, a flow programming version value (e.g., flow_program_gen), an action identifier (e.g., pf_value), and a rule ID identifying a service rule that was used to create the connection tracker record. The flow ID for the forward and reverse direction data message flows, in some embodiments, are different flow IDs that are based on the switching of the source and destination addresses (e.g., IP and MAC addresses). The different flow IDs for the forward and reverse direction data message flows, in other embodiments, is based on different values for source and destination addresses that are the result of a network address translation provided by a service node in the set of service nodes. In some embodiments, the forward and reverse flow IDs are the same except for a bit that indicates the directionality. In some embodiments, the directionality bit is stored in a separate field and forward and reverse flow IDs are the same.
In some embodiments, the service metadata (SMD) includes a service path ID (e.g., SPI 1 and SPI 1′), a service index (e.g., SI which should be the same for the forward and reverse direction data message flows), a time to live (TTL), and a next hop MAC address (e.g., hop1mac and hopMmac). The use of the SMD in processing data messages has been described above in relation to
The rule ID, in some embodiments, is used (as described in operation 223) to identify a set of interfaces at which the rule is applied by using the rule ID as a key in an applied to storage 1401 that stores records including a rule ID field 1402 identifying the rule ID and an applied_to field 1403 containing a list of interfaces at which the identified rule is applied. In some embodiments, the interfaces are logical interfaces of the service router identified by a UUID. The applied_to storage 1401, in some embodiments, is configured by a controller that is aware of the service insertion rules, service policies, and interface identifiers.
Connection tracker record set 1420 is a set of connection tracker records for a forward and reverse direction data message flow that use a layer 2 bump-in-the-wire (BIW) transport mechanism. Connection tracker record set 1420, in some embodiments, includes a connection tracker record 1421 for a forward direction data message flow and a connection tracker record 1422 for a reverse direction data message flow. Each connection tracker record 1421 and 1422, includes a flow identifier (e.g., Flow ID or Flow ID′), an IP address (e.g., a dummy IP address associated with an interface connected to an L2 service node), a bidirectional forwarding detection (BFD) version value (e.g., BFD_gen) that is a state value associated with failures of service nodes connected to an LR-SR (e.g., an AZG-SR or VPCG-SR) by a L2 BIW transport mechanism, an action identifier (e.g., pf_value), and a rule ID identifying a service rule that was used to create the connection tracker record. The flow ID for the forward and reverse direction data message flows is the same as that described for connection tracker record 1410. In some embodiments, the pf_value is a value that identifies whether a flow should be allowed or dropped, bypassing the service node.
Connection tracker record set 1430 is a set of connection tracker records for a forward and reverse direction data message flow that use a layer 3 tunneling transport mechanism. Connection tracker record set 1430, in some embodiments, includes a connection tracker record 1431 for a forward direction data message flow and a connection tracker record 1432 for a reverse direction data message flow. Each connection tracker record 1431 and 1432, includes a flow identifier (e.g., Flow ID or Flow ID′), an IP address (e.g., an IP address of the virtual tunnel interface connecting the LR-SR to the service node), an action identifier (e.g., pf_value), and a rule ID identifying a service rule that was used to create the connection tracker record. The flow ID for the forward and reverse direction data message flows is the same as that described for connection tracker record 1410. In some embodiments, the pf_value is a value that identifies whether a flow should be allowed or dropped, bypassing the service node.
The flow programming table 1129, in some embodiments, stores state values 1440-1470. The state value “flow_program_gen” 1440 is a flow programming state value that is used to identify a state of changes to a flow programming table. As described above, the flow_program_gen value is used to determine whether a flow programming table should be consulted (e.g., if a connection tracker record stores an out-of-date flow_program_gen value) to determine forwarding information for a data message, or if the forwarding information stored in the connection tracker record is current (e.g., the connection tracker record stores a current flow_program_gen value).
The state value “BFD_gen” 1450 is a liveness state value that is used to identify a state of changes to liveness values of service nodes connected using the L2 BIW transport mechanism. Similarly to the flow_program_gen value, the BFD_gen value is used to determine whether a BFD_gen value stored in a connection tracker record is a current BFD_gen value and the forwarding information is still valid, or whether the BFD_gen value stored in the connection tracker is out-of-date and the SI pre-processor needs to determine if the forwarding information is still valid (e.g., to determine if a service node corresponding to the stored IP address is still operational). In some embodiments, a separate storage structure stores a list of failed service nodes using BFD (e.g., L2 BIW service nodes) to detect failure that is consulted when a BFD_gen value stored in a connection tracker record does not match a global BFD_gen value.
The state value “SPI_fail_gen” 1460 is a liveness state value that is used to identify a state of changes to liveness values of service paths (i.e., ordered sets of service nodes) connected to an LR-SR using the logical service plane (e.g., logical service forwarding element) transport mechanism. In some embodiments, the SPI_fail_gen value is provided from a controller implementing a central control plane that is aware of service node failures and updates the SPI_fail_gen value upon service node failure detection. Similarly to the BFD_gen value, the SPI_fail_gen is used to determine whether a SPI_fail_gen value associated with a service path identifier that is associated with a UUID in a policy storage is up-to-date. If the SPI_fail_gen value is not up-to-date, a determination must be made as to whether a service path currently enumerated as a possible service path is still functional. In some embodiments, a separate storage structure stores a list of failed service paths that is consulted when a SPI_fail_gen value is not up-to-date (i.e., does not match the stored SPI_fail_gen state value 1460).
The state value “SN_gen” 1470 is a liveness state value that is used to identify a state of changes to liveness values of service nodes connected using the L3 tunneling transport mechanism. Similarly to the flow_program_gen value, the SN_gen value is used to determine whether a SN_gen value stored in a connection tracker record is a current SN_gen value and the forwarding information is still valid, or whether the SN_gen value stored in the connection tracker is out-of-date and the SI pre-processor needs to determine if the forwarding information is still valid (e.g., to determine if a service node corresponding to the stored IP address is still operational). In some embodiments, a separate storage structure stores a list of failed L3 service nodes that is consulted when a SN_gen value stored in a connection tracker record does not match a global SN_gen value.
Flow programming table 1129 also stores sets of flow programming instructions. In some embodiments, a single flow programming instruction received from a service node (through its service proxy) generates a flow programming record for each of a forward and reverse direction data message flow. Flow programming record set 1480 illustrates a flow programming record that updates a pf_value for a forward direction data message flow identified by Flow ID 1 (1481) and a reverse direction data message flow identified by Flow ID 1′ (1482). Flow ID 1 and flow ID 1′, in some embodiments are identical except for a bit that identifies the flow ID as a forward or reverse data message flow. In some embodiments, the pf_value′ included in the flow programming table record 1480 is an action value that specifies that the data messages for the data message flow should be dropped or allowed.
In some embodiments, the flow programming instruction is indicated by a flow programming tag that can specify the following operations (1) NONE when no action is required (which causes no flow programming operation to be performed), (2) DROP when no further data messages of this flow should be forwarded along the service chain and instead should be dropped at the LR-SI classifier, and (3) ACCEPT when no further data messages of this flow should be forwarded along the service chain and instead the flow should be forwarded to the destination by the LR-SR. In some embodiments, the flow programming tag can also specify DROP_MESSAGE. The DROP_MESSAGE is used when the service node needs to communicate with the proxy (e.g. to respond to a ping request) and wants the user data message (if any) to be dropped, even though no flow programming at the source is desired.
In some embodiments, an additional action is available for the service proxies to internally communicate failure of their SVMs. This action would direct the SI pre-processor in some embodiments to select another service path (e.g., another SPI) for the data message's flow. This action in some embodiments is carried in-band with a user data message by setting an appropriate metadata field in some embodiments. For instance, as further described below, the service proxies communicate with the SI post-processor (or a controller computer responsible for generating and maintaining lists of available service paths) through OAM (Operation, Administration, and Maintenance) metadata of the NSH attributes through in-band data message traffic over the data plane. Given that by design flow programming actions are affected by signaling delays and are subject to loss, an SVM or service proxy might still see data messages belonging to a flow that was expected to be dropped, accepted or re-directed at the source for some time after communicating the flow programming action to the proxy. In this case, the service plane should continue to set the action to drop, allow, or redirect at the LR-SI classifier (or the connection tracker record).
Flow programming record set 1480 illustrates a flow programming record that updates a set of service metadata for a forward direction data message flow identified by Flow ID 2 (1481) and a reverse direction data message flow identified by Flow ID 2′ (1482). The updated SPI (e.g., SPI 2 or SPI 2′) in some embodiments represents a different set of service nodes. As discussed above, the updated service path may be based on a service node failure or based on a determination that a particular service node is no longer necessary (e.g., a service node that provides a firewall decision to allow the data message that applies to all subsequent data messages).
Additional details relating to service chain and service path creation and management are discussed in relation to
In some embodiments, a service manager object 1502 can be created before or after the creation of a service object 1504. An administrator or a service management system can invoke service manager APIs to create a service manager. A service manager 1502 can be associated with a service at any point of time. In some embodiments, the service manager 1502 includes service manager information, such as the vendor name, vendor identifier, restUrl (for callbacks) and authentication/certificate information.
As mentioned above, the service plane does not require the presence or use of a service manager as service nodes can operate in zero-awareness mode (i.e., have zero awareness of the service plane). In some embodiments, zero-awareness mode only allows basic operations (e.g., redirecting traffic towards the service's SVMs). In some such embodiments, no integration is provided to distribute object information (such as service chain information, service profiles, etc.) to the service manager servers. Instead, these servers can poll the network manager for objects of interest.
A service object 1504 represents a type of service that is provided by a service node. The service object has a transport type attribute, which specifies its mechanism (e.g., NSH, GRE, QinQ, etc.) for receiving service metadata. Each service object also has a state attribute (which can be enabled or disabled) as returned by service manager, and a reference to a service manager that may be used for exposing REST API endpoints to communicate events and perform API calls. It also includes a reference to an OVA/OVF attribute used to deploy instances of the service.
Vendor template objects 1507 include one or more service profile objects 1506. In some embodiments, service managers can register vendor templates, and the service profiles can be defined on a per service basis and based on a vendor template with potentially specialized parameters. In some embodiments, a vendor template object 1507 is created for a L3 routing service that can be used to represent the LR-SR components with an attribute that can be used to distinguish LR-SR components of different edge forwarding elements. A service chain can be defined by reference to one or more service profiles. In some embodiments, service profiles are not assigned tags and are not identified explicitly on the wire. In order to determine which function to apply to traffic, service nodes perform a look up (e.g., based on service chain identifier, service index and the service direction, as mentioned above) in order to identify the applicable service profile. The mapping for this lookup is provided by the management plane to service managers whenever a service chain is created or modified.
A service profile object 1506 in some embodiments includes (1) a vendor template attribute to identify its associated vendor template, (2) one or more custom attributes when the template exposes configurable values through the service profile, and (3) an action attribute, such as a forward action, or a copy-and-redirect, which respectively direct the service proxies to either forward the received data messages to their service nodes, or to forward a copy of the received data messages to their service nodes while forwarding the received data message to the next service hop or back to the original source GVM when their service node is the last hop.
The service attachment object 1508 represents the service plane (i.e., is a representation of the service plane of a perspective of a user, such as tenant's network administrator in a multi-tenant datacenter, or the network administrator in a private datacenter). This service attachment object is an abstraction that support any number of different implementations of the service plane (e.g., logical L2 overlay, logical L3 overlay, logical network overlay etc.). In some embodiments, each endpoint (on a service instance runtime (SIR) or a GVM) that communicates over the service plane specifies a service attachment. The service attachment is a communication domain. As such, services or GVMs outside a service attachment may not be able to communicate with one another.
In some embodiments, service attachments can be used to create multiple service planes with hard isolation between them. A service attachment has the following attributes (1) logical identifier (e.g., SVNI for a logical switch) that identifies a logical network or logical forwarding element that carries traffic for the service attachment, (2) a type of service attachment (e.g., L2 attachment, L3 attachment, etc.), and (3) an applied_To identifier that specifies a scope of the service attachment (e.g., Transport node 0 and Transport node 1 for north-south operations and a cluster or set of hosts for East-West operations). In some embodiments, the control plane (e.g., a central control plane) converts the service attachment representation that it receives from the management plane to a particular LFE or logical network deployment based on parameters specified by a network administrator (e.g., a datacenter administrator of a private or public cloud, or network virtualization provider in a public cloud).
A service instance object 1510 represents an actual deployed instance for a service. Hence, each such object is associated with one service object 1504 through a service deployment object 1513 that specifies the relationship between the service object 1504 and the service instance object 1510. The deployed service instance can be a standalone service node (e.g., standalone SVM) or it can be a high availability (HA) service node cluster. In some embodiments, the service deployment object 1513 describes the service instance type, e.g., standalone or HA. As described below, the service deployment object's API can be used in some embodiments to deploy several service instances for a service.
The service instance runtime (SIR) object 1512 represents an actual runtime service node that operates in a standalone mode, or an actual runtime service node of an HA cluster. The service instance object in some embodiments includes the following attributes (1) a deployment mode attribute that specifies whether the service instance is operating in a standalone mode, an active/standby mode, or an active/active model, (2) a state attribute that specifies whether the instance is enabled or disabled, and (3) a deployed to attribute that in the case of north-south operations includes a reference to a service attachment identifier.
In some embodiments, SVM provisioning is initiated manually. To this end, the management plane provides, in some embodiments, APIs for (1) creating a service instance of an existing service, (2) deleting a service instance, (3) growing a service instance that is already configured as a high availability cluster by adding additional SIRs, and (4) shrinking a service instance by removing one of its SIRs. When creating a service instance of an existing service, the service instance may be created in some embodiments on the basis of a template contained in the service. The caller can pick between a stand-alone instance or an HA cluster, in which case all the VMs in the HA cluster are provisioned. Again, in some embodiments, the API for the service instance deployment allows multiple service instances (e.g., for an HA cluster) to be deployed through just one API call.
In some embodiments, an API that creates one or more SVMs specifies one or more logical locations (e.g. clusters, host, resource pool) in which the SVMs should be placed. In some embodiments, the management plane tries to place SVMs belonging to the same service instance on different hosts whenever possible. Anti-affinity rules may also be configured as appropriate to maintain the distribution of SVMs across migration events (such as VMotion events supported by Dynamic Resource Scheduler of VMware, Inc.). Similarly, the management plane may configure affinity rules with specific hosts (or groups of hosts) when available or the user provisioning the service instance may explicitly pick a host or a cluster.
As mentioned above, a service instance runtime object 1512 represents an actual SVM running on a host to implement a service. In embodiments in which LR-SRs provide an L3 routing service, the service instance runtime object 1512 also represents the edge forwarding element. An SIR is part of a service instance. Each SIR can have one or more traffic interfaces completely dedicated to service plane traffic. In some embodiments, at least one service proxy instance runs per SIR to handle data plane signaling and data message format conversion for the SIR as needed. When a service instance is deployed, the SIRs are created for every SVM associated with the service instance in some embodiments. The network manager also creates an instance endpoint for every service instance in an east-west service insertion. Each SIR object 1512 has the following attributes in some embodiments (1) a state attribute which is active for SVMs that can process traffic and inactive for all others, regardless of reason, and (2) a runtime state that specifies whether the data plane liveness detection detects that the SIR is up or down.
The instance runtime interface 1516 is the per-endpoint version of the service instance endpoint 1514. In some embodiments, the instance runtime interface 1516 is used to identify an interface for an SIR or GVM that can be the source or sink service plane traffic. In East-West service insertion, the lifecycle of an instance runtime interface in some embodiments is linked to the lifecycle of the service instance runtime. In some embodiments, no user action is required to configure an instance runtime interface.
In some embodiments, the instance runtime interface 1516 has the following attributes: an endpoint identifier, a type, a reference to a service attachment, and a location. The endpoint identifier is a data plane identifier for the SIR VNIC. The endpoint identifier is generated when the SIR or GVM is registered with the service transport layer, and may be a MAC address or part of a MAC address. The type attribute can be shared or dedicated. SIR VNICs are dedicated, meaning that only service plane traffic is able to reach them, while GVM VNICs are shared, meaning they will receive and transmit both service plane and regular traffic. The service-attachment reference is a reference to the service attachment that implements the service plane used to transmit and receive service plane traffic. This reference in some embodiments is to the SVNI of the service plane. The location attribute in some embodiments specifies the location of the instance runtime interface, which is the UUID of the host on which the instance runtime interface is currently located.
In some embodiments, a user defines a service chain object 1518 in terms of an ordered list of service profiles 1506. In some embodiments, each service chain conceptually provides separate paths for forward and reverse traffic directions, but if only one direction is provided at creation time, the other one is generated automatically by reversing service profile order. Either direction of the service chain (and even both directions) can be empty, meaning no services will process traffic in that direction. In some embodiments, the data plane will perform a lookup even for an empty service chain.
Service chains are abstract concepts. They do not point to a specific set of service nodes. Rather, the network controllers that are part of the service plane platform automatically generate service paths that point to sequences of service nodes for the service chain and direct messages/flows along the generated service paths. In some embodiments, a service chain is identified in the management plane or control plane by its UUID, a unique identifier of the service chain. Service nodes are provided with the meaning of service chain IDs through management plane APIs received through their service managers. Further details are described in U.S. patent application Ser. No. 16/444,826 filed on Jun. 18, 2019.
A service chain tag in some embodiments may be used to identify a service chain in the dataplane because UUIDs are too long to be carried in encapsulating headers. A service chain ID in some embodiments is an unsigned integer like rule ID. Each data message redirected to a service carries the service chain tag for the service chain it is traversing. The management plane advertises UUID to service chain tag mappings when a service chain is created or modified. Service chain tags have a 1 to 1 mapping with service chain UUIDs, whereas a single service chain can have 0 to many service path indexes.
In addition to a service chain ID, a service chain in some embodiments has the following attributes: (1) references to all computed service paths, (2) failure policies, and (3) references to service profiles. References to computed service paths were described above. The failure policy is applied when a service path selected for a service chain cannot be traversed. In some embodiments, the failure policies may be PASS (forward traffic) and FAIL (drop traffic). The references to service profiles of the service chain may include an egress list of service profiles that egress traffic (e.g., data messages traveling from a GVM to a switch) must traverse, and an ingress list of service profiles that ingress traffic (e.g., data messages traveling from the switch to a GVM) must traverse. In some embodiments, the ingress list is initialized by default as the reverse of the egress list.
Different techniques can be used in some embodiments to define the service paths for the service chain. For instance, in some embodiments, a service chain can have an associated load balancing strategy, which can be one of the following strategies. The load balancing strategy is responsible for load balancing traffic across different service paths of a service chain. According to an ANY strategy, the service framework is free to redirect the traffic to any service path regardless of any load balancing consideration or flow pinning. Another strategy is a LOCAL strategy, which specifies that local service instances (e.g., SVMs executing on the same host computer as the source GVM) are to be preferred over remote service instances (e.g., SVMs executing on other host computers or external service appliances).
Some embodiments generate scores for service paths based on how many SIRs are local and the highest score is selected regardless of load. Another strategy is the cluster strategy, which specifies that service instances implemented by VMs that are co-located on the same host are preferred, whether that host is the local one or a different one. A ROUND_ROBIN strategy directs that all active service paths are hit with equal probability or based on probabilities that are specified by a set of weight values.
An SI rule object 1520 associates a set of data message attributes with a service chain represented by the service chain object 1518. The service chain is implemented by one or more service paths, each of which is defined by a service path object 1522. Each service path has one or more service hops, which are represented by one or more service path hop objects 1524 with each hop being associated with one instance runtime interface 1516. Each service hop also refers to an associated service profile, an associated service path, and a next hop SIR endpoint identifier in some embodiments.
In some embodiments, a service path object has several attributes, some of which may be updated by the management or control plane when underlying conditions change. These properties include a service path index, a state (e.g., enabled or disabled), an administrative mode (e.g., enabled or disabled) used when a service path must be manually disabled (e.g., for debugging reasons), a host crossing count (indicating how many times a data message traversing the service path crosses hosts), a locality count (indicating how many of the SIRs along this path are located on the local host), a list of backup service paths, a length of the service path, a reverse path (listing the same set of SIRs in the reverse order), and a maintenance mode indicator (in some embodiments a bit indicating true if any hop in the service path is in maintenance mode).
The host crossing count is an integer and indicates how many times a data message going through the service path must be sent out of a PNIC. In some embodiments, a local or central control plane uses this metric to determine preferred paths when multiple available alternatives exist. This value is populated by the management plane or control plane and is the same for each host using the service path. The locality count in some embodiments is not initialized by the management plane or the control plane but rather computed by the local control plane when a service path is created or updated. Each LCP may potentially compute a different number. This value is used by the local control plane to identify preferred paths when multiple available alternatives exist. The service path length is one parameter that is used by the service plane to set the initial service index.
In some embodiments, the list of backup service paths is a pointer to a sorted list of all service paths for the same service chain. It lists all possible alternatives to be tried when a specific SIR along the path is down. This list may contain a service path for all possible permutations of SVMs in each HA cluster traversed by the service path. In some embodiments, the list will not contain SIRs belonging to different HA clusters.
In some embodiments a service path is disabled when at least one service hop is inactive. Such a condition is temporary and is triggered by service liveness detection failures. A service path can be disabled in this manner at any time. In some embodiments, a service path is also disabled when at least one service hop has no matching SIR. The service hop enters this condition when an SIR it is referring to disappears, but the service path still exists in the object model.
The service plane must be able to uniquely identify each SPI. In some embodiments, the control plane generated UUIDs are sent for each service path. Due to data message header limitations in the service plane, a large ID is not sent with each data message in some embodiments. In some embodiments, when the control plane generates a UUID for each service path, it also generates a small unique ID for it and this ID is sent with each data message in these embodiments.
To support using LR-SRs as service plane traffic sinks, in some embodiments, the network manager or controller generates an internal service representing the edge forwarding element and creates a vendor template representing L3 routing with a configurable setting representing the LR-SR. For each LR-SR, the network manager or controller, in some embodiments, creates (1) a service profile specializing the L3 routing vendor template, (2) service instances, and (3) service instance endpoints. The network manager or controller then allows the service profile in service chains and configures failure policies for the service paths including the LR-SR. A service link connected to the logical service plane is then provisioned for the LR-SR and the data plane is configured to inject service plane traffic into the regular routing pipeline of the LR-SR.
Through a service partner interface 1602 (e.g., a set of APIs or a partner user interface (UI) portal), the service registrator 1604 receives vendor templates 1605 that specify services that different service partners perform. These templates define the partner services in terms of one or more service descriptors, including service profiles. The registrator 1604 stores the service profiles in a profile storage 1607 for the service chain creator 1606 to use to define service chains.
Specifically, through a user interface 1618 (e.g., a set of APIs or a UI portal), the service chain creator 1606 receives from a network administrator (e.g., a datacenter administrator, a tenant administrator, etc.) one or more service chain definitions. In some embodiments, each service chain definition associates a service chain identifier, which identified the service chain, with an ordered sequence of one or more service profiles. Each service profile in a defined service chain is associated with a service operation that needs to be performed by a service node. The service chain creator 1606 stores the definition of each service chain in the service chain storage 1620.
Through the user interface 1618 (e.g., a set of APIs or a UI portal), the service rule creator 1608 receives from a network administrator (e.g., a datacenter administrator, a tenant administrator, etc.) one or more service insertion rules. In some embodiments, each service insertion rule associates a set of data message flow attributes with a service chain identifier. The flow attributes in some embodiments are flow header attributes, like L2 attributes or L3/L4 attributes (e.g., five tuple attributes). In these or other embodiments, the flow attributes are contextual attributes (e.g., AppID, process ID, active directory ID, etc.). Numerous techniques for capturing and using contextual attributes for performing forwarding and service operations are described in U.S. patent application Ser. No. 15/650,251, now published as U.S. Patent Publication 2018/0181423, which is incorporated herein. Any of these techniques can be used in conjunction with the embodiments described herein.
The service rule creator 1608 generates one or more service insertion rules and stores these rules in the SI rule storage 1622. In some embodiments, each service insertion rule has a rule identifier and a service chain identifier. The rule identifier in some embodiments can be defined in terms of flow identifiers (e.g., header attributes, contextual attributes, etc.) that identify data message flow(s) to which the SI rule is applicable. The service chain identifier of each SI rule, on the other hand, identifies the service chain that has to be performed by the service plane for any data message flow that matches the rule identifier of the SI rule.
For each service chain that is part of a service rule, the service path generator 1612 generates one or more service paths, with each path identifying one or more service instance endpoints for one or more service nodes to perform the service operations specified by the chain's sequence of service profiles. In some embodiments, the process that generates the service paths for a service chain accounts for one or more criteria, such as (1) the data message processing load on the service nodes (e.g., SVMs) that are candidate service nodes for the service paths, (2) the number of host computers crossed by the data messages of a flow as they traverse each candidate service path, etc.
The generation of these service paths is further described in U.S. patent application Ser. No. 16/282,802, now issued as U.S. Pat. No. 11,012,351, which is incorporated herein by reference. As described in this patent application, some embodiments identify the service paths to use for a particular GVM on a particular host based on one or more metrics, such as host crossing count (indicating how many times a data message traversing the service path crosses hosts), a locality count (indicating how many of the SIRs along this path are located on the local host), etc. Other embodiments identify service paths (i.e., select service nodes for service paths) based on other metrics, such as financial and licensing metrics.
The service path generator 1612 stores the identity of the generated service paths in the service path storage 1624. This storage in some embodiments associates each service chain identifier to one or more service path identifiers, and for each service path (i.e., each SPI) it provides a list of service instance endpoints that define the service path. Some embodiments store the service path definitions in one data storage, while storing the association between the service chain and its service paths in another data storage.
The service rule generator 1610 then generates rules for service insertion, next service hop forwarding, and service processing from the rules stored in storages 1620, 1622 and 1624, and stores these rules in rule storages 1626, 1628 and 1630, from where the rule distributor 1614 can retrieve these rules and distribute them to the SI pre-processors, service proxies and service nodes. The distributor 1614 also distributes in some embodiments the path definitions from the service path storage 1624. The path definitions in some embodiments includes the first hop network address (e.g., MAC address) of the first hop along each path. In some embodiments, the service rule generator 1610 and/or the rule distributor 1614 specify and distribute different sets of service paths for the same service chain to different host computers, as different sets of service paths are optimal or preferred for different host computers.
In some embodiments, the SI classification rules that are stored in the rule storage 1626 associate flow identifiers with service chain identifiers. Hence, in some embodiments, the rule generator 1610 retrieves these rules from the storage 1622 and stores them in the classification rule storage 1626. In some embodiments, the rule distributor 1614 directly retrieves the classification rules from the SI rule storage 1622. For these embodiments, the depiction of the SI classification rule storage 1626 is more of a conceptual illustration to highlight the three types of the distributed rules, along with the next-hop forwarding rules and the service node rules.
In some embodiments, the service rule generator 1610 generates the next hop forwarding rules for each hop service proxy of each service path for each service chain. As mentioned above, each service proxy's forwarding table in some embodiments has a forwarding rule that identifies the next hop network address for each service path on which the proxy's associated service node resides. Each such forwarding rule maps the current SPI/SI values to the next hop network address. The service rule generator 1610 generates these rules. For the embodiments in which the SI pre-processor has to look-up the first hop network address, the service rule generator also generates the first hop look-up rule for the SI pre-processor.
Also, in some embodiments, the service rule generator 1610 generates for the service nodes service rules that map service chain identifier, service index values and service directions to service profiles of the service nodes. To do this, the service rule generator uses the service chain and service path definitions from the storages 1620 and 1624, as well as the service profile definitions from the service profile storage 1607. In some embodiments, the rule distributor forwards the service node rules to a service node through a service manager of the service node when such a service manager exists. The service profile definitions are also distributed by the distributor 1614 to the host computers (e.g., to their LCPs) in some embodiments, so that these host computers (e.g., the LCPs) can use these service profiles to configure their service proxies, e.g., to configure the service proxies to forward received data messages to their service nodes, or to copy the received data messages and forward the copies to their service nodes, while forwarding the original received data messages to their next service node hops or back to their source GVMs when they are the last hops.
In some embodiments, the management and control plane dynamically modify the service paths for a service chain, based on the status of the service nodes of the service paths and the data message processing loads on these service nodes as described in U.S. patent application Ser. No. 16/444,826 filed on Jun. 18, 2019. The components of
For the identified logical forwarding element, a set of services available at the identified logical forwarding element is identified (at 1720). The set of services available at the logical forwarding element, in some embodiments, is defined by an administrator or the controller computer based on service insertion rules applicable at the logical forwarding element. The set of services, in some embodiments, defines a set of service nodes (e.g., service instances) that are connected to the logical service forwarding plane to provide the set of services.
Once the set of services are identified (at 1720), the process 1700 identifies (at 1730) a logical service forwarding plane to connect the logical forwarding element and the service nodes to provide the identified set of services. The logical service forwarding element, in some embodiments, is identified by a service virtual network identifier (SVNI) that is selected from multiple SVNIs used in the logical network. In some embodiments, a set of the service nodes providing the identified services are connected to multiple logical service forwarding planes identified by multiple SVNIs. The different SVNIs, in some embodiments, are used to distinguish traffic for different tenants.
The process 1700 then generates (at 1740) configuration data to configure the logical forwarding element to connect to the identified logical service forwarding plane. In some embodiments, the configuration data includes an interface mapping table that maps logical forwarding elements (e.g., VRF contexts) to interfaces of logical service forwarding planes. The interface mapping table, in some embodiments, is used by the logical forwarding elements to identify an interface to use to forward data messages to service nodes connected to the logical service forwarding plane.
The process 1700 then determines (at 1750) if additional logical forwarding elements need to be configured to connect to a logical service forwarding plane. If an additional logical forwarding element needs to be required, the process 1700 returns to operation 1710 to identify a next logical forward element that requires connection to a logical service forwarding element. If no additional logical forwarding element needs to be configured, the process 1700 provides (at 1760) the configuration data to a set of edge devices on which the set of identified logical forwarding elements (e.g., edge forwarding elements) is implemented. In some embodiments, the configuration data includes service-insertion data for configuring the logical forwarding element as described above and also includes service forwarding data for configuring logical software forwarding elements that implements logical service forwarding planes associated with the logical forwarding elements implemented by the set of edge devices.
Once a service node is selected, the process identifies forwarding information associated with the selected service node by performing a lookup in forwarding table 1138. The forwarding table 1138 stores forwarding information for the service node (e.g., an IP address of the VTI). The IP address associated with the selected service node, in other embodiments, are stored with the VTI or service node identifier in the policy table 1137 and the forwarding table 1138 is unnecessary.
In some embodiments, selecting a service node for a forward direction data message flow includes selecting the same service node for a reverse direction data message flow. In such embodiments, forwarding information (e.g., the IP address of the selected service node) for each direction is determined at this point. Once the service node has been selected and the forwarding information has been identified, connection tracker records are created for the forward and reverse direction flows and are provided to the connection tracker storage 1121. As discussed below, the connection tracker record includes the forwarding information (e.g., the IP address for the interface), a service action (if a service action is defined for the data message flow), and a service insertion rule identifier for the service insertion rule that was identified as matching the attributes of data message 1810. In some embodiments, the connection tracker record includes a service insertion type identifier. In some embodiments a service node state value (e.g., SN_gen) is included in the connection tracker record as described above in relation to
The data message 1822 along with the forwarding information 1821 are then provided to the STL module 1122. The forwarding information, in this example, for a data message requiring services provided by a service node accessed through a VPN includes, in some embodiments, a next hop IP address for the virtual tunnel interface and a service insertion type identifier to identify the data message as using a tunneling transport mechanism.
The service routing processor 1125 as shown routes the data message to the VTI based on the IP address identified by the SI pre-processor 1120. In some embodiments, the data message 1831 is provided to the VTI with the original source and destination IP addresses as well as an original data message source and destination port. In other embodiments, the destination IP address is changed to the IP address of the VTI with the original destination IP address stored in a metadata storage of the edge forwarding element to be used by the edge forwarding element to restore the destination IP address of the serviced data message after it is received from the service node. The VTI receives data message 1831 and the processing pipeline, in some embodiments, encrypts and encapsulates the data message to be delivered over the VPN as data message 1851. A return data message is then received at the VTI and processed as described above for the return data message of
Once a service node is selected, the process identifies forwarding information associated with the selected service node by performing a lookup in forwarding table 1138. The forwarding table 1138 stores forwarding information for the service node (e.g., a set of dummy IP addresses of interfaces of the TX SR 1130). The dummy IP addresses in some embodiments, are a set of source and destination IP addresses that are associated with first and second virtual interfaces (VIs) of the BIW pair interfaces 1126 that are each connected to the same service node. The dummy IP addresses associated with the selected service node, in other embodiments, are stored with the service node identifier in the policy table 1137 and the forwarding table 1138 is unnecessary.
In some embodiments, selecting a service node for a forward direction data message flow includes selecting the same service node for a reverse direction data message flow. For L2 BIW, the forwarding information for a forward direction data message flow, in some embodiments, identifies the same dummy IP addresses as for the forward direction data message flow but identifies the source IP address for the forward direction data message as a destination IP address for a reverse direction data message and a destination IP address as a source IP address. Once the service node has been selected and the forwarding information has been identified, connection tracker records are created for the forward and reverse direction flows and are provided to the connection tracker storage 1121. As discussed below, the connection tracker record includes the forwarding information (e.g., the dummy IP address for the destination interface), a service action (if a service action is defined for the data message flow), and a service insertion rule identifier for the service insertion rule that was identified as matching the attributes of data message 1910. In some embodiments, the connection tracker record includes a service insertion type identifier. In some embodiments a service node state value (e.g., BFD_gen) is included in the connection tracker record as described above in relation to
The data message 1922 along with the forwarding information 1921 are then provided to the STL module 1122. The forwarding information, in this example, for a data message requiring services provided by a service node accessed through a L2 BIW connection includes, in some embodiments, a set of next hop dummy IP addresses for the virtual interfaces and a service insertion type identifier to identify the data message as using a L2 BIW transport mechanism.
The STL module 1122 as shown provides the data message to the interface in the BIW paired interfaces 1126 identified as a source interface based on the dummy IP address identified by the SI pre-processor 1120. In some embodiments, the data message 1932 is provided to source interface (associated with MAC address MAC 1) in the BIW interface pair 1126 with the original source and destination IP addresses but with source and destination MAC addresses of the BIW interface pair 1126 associated with the L2 BIW service node. The data message is then processed by the L2 service node that returns the serviced data message to the interface in the BIW interface pair identified as the destination interface (associated with MAC address MAC 2). The returned data message is then processed as described above for the return data message of
As discussed above, the transport mechanisms, in some embodiments, include a tunneling mechanism (e.g. a virtual private network (VPN), internet protocol security (IPSec), etc.) that connects the edge forwarding element to at least one service node through a corresponding set of virtual tunnel interfaces (VTIs). In addition to the VTIs used to connect the edge forwarding element to the service nodes, the edge forwarding element uses other VTIs to connect to other network elements for which it provides forwarding operations. At least one VTI used to connect the edge forwarding element to other (i.e., non-service node) network elements is identified to perform a service classification operation and is configured to perform the service classification operation for data messages received at the VTI for forwarding. The VTIs connecting the edge forwarding element to the service nodes, in some embodiments, are not configured to perform a service classification operation and are instead configured to mark data messages returned to the edge forwarding element as having been serviced. In other embodiments, VTIs connecting the edge forwarding element to the service nodes are configured to perform limited service classification operations using a single default rule that is applied at the VTI that marks data messages returned to the edge forwarding element as having been serviced.
For traffic exiting a logical network through a particular VTI, some embodiments perform a service classification operation for different data messages to identify different VTIs that connect the edge forwarding element to a service node to provide services required by the data messages. Each data message, in some embodiments, is then forwarded to the identified VTI to receive the required service (e.g., from the service node connected to the edge forwarding element through the VTI). The identified VTI does not perform a service classification operation and merely allows the data message to reach the service node. The service node then returns the serviced data message to the edge forwarding element. In some embodiments, the VTI is not configured to perform the service classification operation and is instead configured to mark all traffic directed to the edge forwarding element from the service node as having been serviced. The marked serviced data message is then received at the edge forwarding element and is forwarded to a destination of the data message through the particular VTI. In some embodiments, the particular VTI does not perform additional service insertion operations because the data message is marked as having been serviced.
In some embodiments, the service classification operation is implemented separately from a service classification operation for non-tunneled traffic received at an uplink interface of the edge forwarding element. The different implementation, in some embodiments, is due to the fact that the tunneled data messages are received at the uplink interface in an encapsulated and encrypted format that, if processed by the uplink service classification operation would result in an incorrect service classification (e.g., an incorrect identification of a necessary set of services and forwarding information for the underlying (encapsulated) data message flow). Therefore, some embodiments, implement a service classification operation as part of the VTI datapath after an incoming data message has been decapsulated (and decrypted, if necessary) or for outgoing data messages before encryption and encapsulation.
The communication from compute node 2060 to 2080 begins with standard logical processing through the elements of logical network 2003. Accordingly, the compute node 2060 provides the data message to tenant distributed router 2040 using logical switch 2050. In some embodiments, both the logical switch 2050 and the tenant distributed router 2040 are implemented by a local managed forwarding element on a same host as compute node 2060. VPC distributed router 2040 in turn routes the data message to VPC service router 2030 using, in some embodiments, a transit logical switch (not shown) as described in relation to
The availability zone service router 2010 then routes the data message to the VTI as the next hop for the data message. As part of the VTI processing pipeline, an SI classifier 2007 (e.g., a VTI-SI classifier) performs a service classification operation before encryption and encapsulation that, based on a service insertion rule applied at the VTI, identifies that the data message requires a service that is provided by L3 service node 2070 that sits outside of the logical network 2003. The SI classifier identifies the VTI associated with VPN 2006 as the next hop towards the L3 service node 2070 and sends the data message for processing. The SI classifier sitting between the availability zone service router 2010 and VPN 2006 does not perform service classification operations on service insertion traffic and the data message arrives at the L3 service node 2070 which performs a service on the data message.
The SI classifier 2007 determines that, based on a service insertion rule applied at the VTI, the data message requires a service that is provided by L3 service node 2070. The SI classifier identifies the VTI associated with VPN 2006 as the next hop towards the L3 service node 2070 and sends the data message for processing. The SI classifier sitting between the availability zone service router 2010 and VPN 2006 does not perform service classification operations on service insertion traffic and the data message arrives at the L3 service node 2070 which performs a service on the data message.
The service classification operation, in the illustrated embodiment is provided before a routing operation of the availability zone service router 2010. Based on the identified forwarding information, the availability zone service router 2010 provides the data message to service chain service node 2270a to provide a first service to the data message and pass the data message along to a next hop in a service path (i.e., service chain service node 2270b). In some embodiments, the availability zone service router 2010 identifies a service chain service node functionality provided by the availability zone service router 2010 as a first hop that then routes the data message to the service chain service node 2270a. In either embodiment, after receiving the data message from service chain service node 2270a, service chain service node 2270b provides a next service in the service chain and provides the data message to service chain service node 2270c to provide an additional service and to identify the service chain service node functionality provided by the availability zone service router 2010 as the last hop in the service path. Each data message sent between service chain service nodes (e.g., SVMs) uses the logical service forwarding element 2209 and, in some embodiments, involves service proxies and service transport layer modules not shown here for the sake of clarity. The use of service proxies and service transport layer modules are described in more detail above in relation to
The serviced data message is then routed to a destination in the external network 2004 by the availability zone service router 2010. The routing identifies a second uplink interface with the external network 2004 and provides the serviced data message with a tag or metadata identifying the data message as a serviced data message. Based on the identification, the service classifier at the second uplink interface does not provide an additional service classification operation, and the data message is forwarded to the destination. As discussed above, in some embodiments using a tag to identify the data message as a serviced data message, the tag is removed before the data message is sent over the uplink interface.
Prior to being routed by VPC service router 2030, SI classifier 2007 associated with the VPC service router 2030 performs a service classification operation that determines, based on a service insertion rule that applies to the data message received at the VPC service router 2030 uplink interface, that a set of services is required and identifies forwarding information (e.g., SPI, next hop MAC, etc. as described above) to access the required set of services. The data message is provided to the VPC service router 2030 which uses the forwarding information to provide the data message to service chain service node 2270c which returns the serviced data message to the VPC service router 2030. The VPC service router 2030 then routes the serviced data message to the destination compute node 2060.
The service classification operation determines (at 2820) that the data message requires a service provided at the availability zone service router. In some embodiments, the service classification operation performs the operations of process 100 to determine that the data message requires the service and to identify (at 2830) forwarding data for the data message. The forwarding information identified for the data message, in some embodiments, includes service metadata (SMD) used to send the data message over a logical service forwarding plane to the availability zone service router and additional service metadata for directing the availability zone service router to redirect the data message to a particular service node or set of service nodes. In some embodiments, the additional service metadata takes the form of arguments of a function call to a function exposed at the availability zone service router.
The data message is then sent (at 2840) to the availability zone service router over the logical service forwarding plane along with the service metadata identifying the required additional services.
Once the data message is received by the availability zone service router, the availability zone service router determines (at 2920) that the data message requires a routing service to at least one additional service node. In some embodiments, the determination is made based on the additional metadata provided by the VPC service router, while in other embodiments, the determination is made based on an argument of a function call to a function (e.g., an API) made available at the availability zone service router.
Once the determination that the data message requires a routing service to at least one additional service node is made (at 2920), the availability zone service router provides (at 2930) the service based on the received metadata. In some embodiments, the service is provided by the service node functionality of the service router and the service is provided without redirection. In other embodiments, the service is provided by a set of service nodes reachable through one of the transport mechanisms described above and the data message is redirected to the service node using the appropriate transport mechanism. Once the data message is redirected to the service node, the process proceeds much like the process of
The serviced data message is received at the availability zone service router (at 2940) and is marked as a serviced data message. As mentioned above, in this embodiment, an identification of the data message as being serviced must be carried through the availability zone service router and distributed router so that the SI classifier of the VPC service router does not apply the same service insertion rule and redirect the data message to the same destination and get stuck in a loop. In embodiments in which the availability zone service router and the VPC service router are implemented in a same edge device, metadata identifying the data message as serviced is stored in a shared metadata storage that is used by the VPC service router SI classifier to identify a data message as serviced.
The data message is then routed (at 2950) to the destination. In some embodiments, the data message is routed to an external destination or a VPC service router that is different than the VPC service router without being returned to the VPC service router that sent the data message to the availability zone service router. In other embodiments, for data messages that were originally destined to a compute node in the network segment reached through the VPC service router (e.g., a southbound data message) the data message is routed to the VPC service router from which the data message was received. After routing the data message, the process 2900 ends. In an embodiment in which the data message is routed towards the VPC service router from which the data message was received, the process 2800 receives (at 2850) the serviced data message identified as a serviced data message and the SI classifier does not perform a service classification operation based on the marking. The data message is then received at the VPC service router and is routed to the data message's destination.
In some embodiments, sending the data message to the availability zone service router 2010 using the logical service forwarding plane includes sending the data message through a layer 2 interface 3005 of a software switch executing on the same device as the service router. The software switch is used to implement the logical service forwarding element (e.g., LSFE 801) represented by LSP 3009. In some embodiments, the connection to the AZG service router 2010 is mediated by a service proxy implemented by the AZG service router 2010 to comply with industry standard service insertion protocols.
Some embodiments facilitate the provision of a service reachable at a virtual internet protocol (VIP) address. The VIP address is used by clients to access a set of service nodes in the logical network. In some embodiments, data messages from client machines to the VIP are directed to an edge forwarding element at which the data messages are redirected to a load balancer that load balances among the set of service nodes to select a service node to provide a service requested by the client machine. The load balancer, in some embodiments, does not change the source IP address of the data message received from the client machine so that the service node receives a data message to be serviced that identifies the client machine IP address as a source IP address. The service node services the data message and sends the serviced data message to the client machine using the IP address of the service node as a source IP address and the IP address of the client node as the destination IP address. Because the client sent the original address to the VIP address, the client will not recognize the source IP address of the serviced data message as being a response to the request sent to the VIP address and the serviced data message will not be processed appropriately (e.g., it will be dropped, or not associated with the original request).
Facilitating the provision of the service, in some embodiments, includes returning the serviced data message to the load balancer to track the state of the connection using the service logical forwarding element. To use the service logical forwarding element, some embodiments configure an egress datapath of the service nodes to intercept the serviced data message before being forwarded to a logical forwarding element in the datapath from the client to the service node, and determine if the serviced data message requires routing by the routing service provided as a service by the edge forwarding element. If the data message requires routing by the routing service (e.g., for serviced data messages), the serviced data message is forwarded to the edge forwarding element over the service logical forwarding element. In some embodiments, the serviced data message is provided to the edge forwarding element along with the VIP associated with the service, in other embodiments, the edge forwarding element determines the VIP based on a port used to send the data message over the service logical forwarding element. The VIP is used by the edge forwarding element to identify the load balancer associated with the serviced data message. The serviced data message is then forwarded to the load balancer for the load balancer to maintain state information for the connection to which the data message belongs and modify the data message to identify the VIP as the source address for forwarding to the client.
Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.
In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.
The bus 3305 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 3300. For instance, the bus 3305 communicatively connects the processing unit(s) 3310 with the read-only memory 3330, the system memory 3325, and the permanent storage device 3335.
From these various memory units, the processing unit(s) 3310 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 3330 stores static data and instructions that are needed by the processing unit(s) 3310 and other modules of the computer system. The permanent storage device 3335, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 3300 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 3335.
Other embodiments use a removable storage device (such as a flash drive, etc.) as the permanent storage device. Like the permanent storage device 3335, the system memory 3325 is a read-and-write memory device. However, unlike storage device 3335, the system memory is a volatile read-and-write memory, such a random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 3325, the permanent storage device 3335, and/or the read-only memory 3330. From these various memory units, the processing unit(s) 3310 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.
The bus 3305 also connects to the input and output devices 3340 and 3345. The input devices enable the user to communicate information and select commands to the computer system. The input devices 3340 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 3345 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as a touchscreen that function as both input and output devices.
Finally, as shown in
Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, and any other optical or magnetic media. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.
While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.
As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms display or displaying means displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.
While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. For instance, several figures conceptually illustrate processes. The specific operations of these processes may not be performed in the exact order shown and described. The specific operations may not be performed in one continuous series of operations, and different specific operations may be performed in different embodiments. Furthermore, the process could be implemented using several sub-processes, or as part of a larger macro process.
Even though the service insertion rules in several of the above-described examples provide service chain identifiers, some of the inventions described herein can be implemented by having a service insertion rule provide the service identifiers (e.g., SPIs) of the different services specified by the service insertion rule. Similarly, several of the above-described embodiments perform distributed service routing that relies at each service hop identifying a next service hop by performing an exact match based on the SPI/SI values. However, some of the inventions described herein can be implemented by having the service insertion pre-processor embed all the service hop identifiers (e.g., service hop MAC addresses) as the data message's service attribute set and/or in the data message's encapsulating service header.
In addition, some embodiments decrement the SI value differently (e.g., at different times) than the approaches described above. Also, instead of performing the next hop lookup just based on the SPI and SI values, some embodiments perform this lookup based on the SPI, SI and service direction values as these embodiments use a common SPI value for both the forward and reverse directions of data messages flowing between two machines.
The above-described methodology is used in some embodiments to express path information in single tenant environments. Thus, one of ordinary skill will realize that some embodiments of the invention are equally applicable to single tenant datacenters. Conversely, in some embodiments, the above-described methodology is used to carry path information across different datacenters of different datacenter providers when one entity (e.g., one corporation) is a tenant in multiple different datacenters of different providers. In these embodiments, the tenant identifiers that are embedded in the tunnel headers have to be unique across the datacenters, or have to be translated when they traverse from one datacenter to the next. Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims
Number | Date | Country | Kind |
---|---|---|---|
202041015116 | Apr 2020 | IN | national |
Number | Name | Date | Kind |
---|---|---|---|
6006264 | Colby et al. | Dec 1999 | A |
6104700 | Haddock et al. | Aug 2000 | A |
6154448 | Petersen et al. | Nov 2000 | A |
6772211 | Lu et al. | Aug 2004 | B2 |
6779030 | Dugan et al. | Aug 2004 | B1 |
6826694 | Dutta et al. | Nov 2004 | B1 |
6880089 | Bommareddy et al. | Apr 2005 | B1 |
6985956 | Luke et al. | Jan 2006 | B2 |
7013389 | Srivastava et al. | Mar 2006 | B1 |
7209977 | Acharya et al. | Apr 2007 | B2 |
7239639 | Cox et al. | Jul 2007 | B2 |
7379465 | Aysan et al. | May 2008 | B2 |
7406540 | Acharya et al. | Jul 2008 | B2 |
7447775 | Zhu et al. | Nov 2008 | B1 |
7480737 | Chauffour et al. | Jan 2009 | B2 |
7487250 | Siegel | Feb 2009 | B2 |
7499463 | Droux et al. | Mar 2009 | B1 |
7649890 | Mizutani et al. | Jan 2010 | B2 |
7698458 | Liu et al. | Apr 2010 | B1 |
7818452 | Matthews et al. | Oct 2010 | B2 |
7898959 | Arad | Mar 2011 | B1 |
7948986 | Ghosh et al. | May 2011 | B1 |
8078903 | Parthasarathy et al. | Dec 2011 | B1 |
8094575 | Vadlakonda et al. | Jan 2012 | B1 |
8175863 | Ostermeyer et al. | May 2012 | B1 |
8190767 | Maufer et al. | May 2012 | B1 |
8201219 | Jones | Jun 2012 | B2 |
8223634 | Tanaka et al. | Jul 2012 | B2 |
8224885 | Doucette et al. | Jul 2012 | B1 |
8230493 | Davidson et al. | Jul 2012 | B2 |
8266261 | Akagi | Sep 2012 | B2 |
8339959 | Moisand et al. | Dec 2012 | B1 |
8451735 | Li | May 2013 | B2 |
8484348 | Subramanian et al. | Jul 2013 | B2 |
8488577 | Macpherson | Jul 2013 | B1 |
8521879 | Pena et al. | Aug 2013 | B1 |
8615009 | Ramamoorthi et al. | Dec 2013 | B1 |
8707383 | Bade et al. | Apr 2014 | B2 |
8743885 | Khan et al. | Jun 2014 | B2 |
8804720 | Rainovic et al. | Aug 2014 | B1 |
8804746 | Wu et al. | Aug 2014 | B2 |
8811412 | Shippy | Aug 2014 | B2 |
8830834 | Sharma et al. | Sep 2014 | B2 |
8832683 | Heim | Sep 2014 | B2 |
8849746 | Candea et al. | Sep 2014 | B2 |
8856518 | Sridharan et al. | Oct 2014 | B2 |
8862883 | Cherukuri et al. | Oct 2014 | B2 |
8868711 | Skjolsvold et al. | Oct 2014 | B2 |
8873399 | Bothos et al. | Oct 2014 | B2 |
8874789 | Zhu | Oct 2014 | B1 |
8892706 | Dalal | Nov 2014 | B1 |
8913611 | Koponen et al. | Dec 2014 | B2 |
8914406 | Haugsnes et al. | Dec 2014 | B1 |
8966024 | Koponen et al. | Feb 2015 | B2 |
8966029 | Zhang et al. | Feb 2015 | B2 |
8971345 | McCanne et al. | Mar 2015 | B1 |
8989192 | Foo et al. | Mar 2015 | B2 |
8996610 | Sureshchandra et al. | Mar 2015 | B1 |
9009289 | Jacob | Apr 2015 | B1 |
9015823 | Koponen et al. | Apr 2015 | B2 |
9094464 | Scharber et al. | Jul 2015 | B1 |
9104497 | Mortazavi | Aug 2015 | B2 |
9148367 | Kandaswamy et al. | Sep 2015 | B2 |
9172603 | Padmanabhan et al. | Oct 2015 | B2 |
9178709 | Higashida et al. | Nov 2015 | B2 |
9191293 | Iovene et al. | Nov 2015 | B2 |
9195491 | Zhang et al. | Nov 2015 | B2 |
9203748 | Jiang et al. | Dec 2015 | B2 |
9225638 | Jain et al. | Dec 2015 | B2 |
9225659 | McCanne et al. | Dec 2015 | B2 |
9232342 | Seed et al. | Jan 2016 | B2 |
9256467 | Singh et al. | Feb 2016 | B1 |
9258742 | Pianigiani et al. | Feb 2016 | B1 |
9264313 | Manuguri et al. | Feb 2016 | B1 |
9277412 | Freda et al. | Mar 2016 | B2 |
9344337 | Kumar et al. | May 2016 | B2 |
9363183 | Kumar et al. | Jun 2016 | B2 |
9397946 | Yadav | Jul 2016 | B1 |
9407540 | Kumar et al. | Aug 2016 | B2 |
9407599 | Koponen et al. | Aug 2016 | B2 |
9419897 | Cherian et al. | Aug 2016 | B2 |
9442752 | Roth et al. | Sep 2016 | B1 |
9467382 | Kumar et al. | Oct 2016 | B2 |
9479358 | Klosowski et al. | Oct 2016 | B2 |
9503530 | Niedzielski | Nov 2016 | B1 |
9531590 | Jain et al. | Dec 2016 | B2 |
9577845 | Thakkar et al. | Feb 2017 | B2 |
9602380 | Strassner | Mar 2017 | B2 |
9608896 | Kumar et al. | Mar 2017 | B2 |
9660905 | Dunbar et al. | May 2017 | B2 |
9686192 | Sengupta et al. | Jun 2017 | B2 |
9686200 | Pettit et al. | Jun 2017 | B2 |
9705702 | Foo et al. | Jul 2017 | B2 |
9705775 | Zhang et al. | Jul 2017 | B2 |
9749229 | Previdi et al. | Aug 2017 | B2 |
9755898 | Jain et al. | Sep 2017 | B2 |
9755971 | Wang et al. | Sep 2017 | B2 |
9774537 | Jain et al. | Sep 2017 | B2 |
9787559 | Schroeder | Oct 2017 | B1 |
9787605 | Zhang et al. | Oct 2017 | B2 |
9804797 | Ng et al. | Oct 2017 | B1 |
9825810 | Jain et al. | Nov 2017 | B2 |
9860079 | Cohn et al. | Jan 2018 | B2 |
9900410 | Dalal | Feb 2018 | B2 |
9935827 | Jain et al. | Apr 2018 | B2 |
9979641 | Jain et al. | May 2018 | B2 |
9985896 | Koponen et al. | May 2018 | B2 |
9996380 | Singh et al. | Jun 2018 | B2 |
10013276 | Fahs et al. | Jul 2018 | B2 |
10042722 | Chigurupati et al. | Aug 2018 | B1 |
10075470 | Vaidya et al. | Sep 2018 | B2 |
10079779 | Zhang et al. | Sep 2018 | B2 |
10084703 | Kumar et al. | Sep 2018 | B2 |
10089127 | Padmanabhan et al. | Oct 2018 | B2 |
10091276 | Bloomquist et al. | Oct 2018 | B2 |
10104169 | Moniz et al. | Oct 2018 | B1 |
10129077 | Jain et al. | Nov 2018 | B2 |
10129180 | Zhang et al. | Nov 2018 | B2 |
10135636 | Jiang et al. | Nov 2018 | B2 |
10135737 | Jain et al. | Nov 2018 | B2 |
10158573 | Lee et al. | Dec 2018 | B1 |
10187306 | Nainar et al. | Jan 2019 | B2 |
10200493 | Bendapudi et al. | Feb 2019 | B2 |
10212071 | Kancherla et al. | Feb 2019 | B2 |
10225137 | Jain et al. | Mar 2019 | B2 |
10237379 | Kumar et al. | Mar 2019 | B2 |
10250501 | Ni | Apr 2019 | B2 |
10257095 | Jain et al. | Apr 2019 | B2 |
10284390 | Kumar et al. | May 2019 | B2 |
10320679 | Jain et al. | Jun 2019 | B2 |
10333822 | Jeuk et al. | Jun 2019 | B1 |
10341233 | Jain et al. | Jul 2019 | B2 |
10341427 | Jalan et al. | Jul 2019 | B2 |
10375155 | Cai et al. | Aug 2019 | B1 |
10390285 | Zhou | Aug 2019 | B2 |
10397275 | Jain et al. | Aug 2019 | B2 |
10445509 | Thota et al. | Oct 2019 | B2 |
10484334 | Lee et al. | Nov 2019 | B1 |
10514941 | Zhang et al. | Dec 2019 | B2 |
10516568 | Jain et al. | Dec 2019 | B2 |
10547508 | Kanakarajan | Jan 2020 | B1 |
10547692 | Salgueiro et al. | Jan 2020 | B2 |
10554484 | Chanda et al. | Feb 2020 | B2 |
10594743 | Hong et al. | Mar 2020 | B2 |
10609091 | Hong et al. | Mar 2020 | B2 |
10609122 | Argenti et al. | Mar 2020 | B1 |
10623309 | Gampel et al. | Apr 2020 | B1 |
10637750 | Bollineni et al. | Apr 2020 | B1 |
10645060 | Ao et al. | May 2020 | B2 |
10645201 | Mishra et al. | May 2020 | B2 |
10659252 | Boutros et al. | May 2020 | B2 |
10693782 | Jain et al. | Jun 2020 | B2 |
10700891 | Hao et al. | Jun 2020 | B2 |
10708229 | Sevinc et al. | Jul 2020 | B2 |
10728174 | Boutros et al. | Jul 2020 | B2 |
10735311 | Li | Aug 2020 | B2 |
10742544 | Roeland et al. | Aug 2020 | B2 |
10757077 | Rajahalme et al. | Aug 2020 | B2 |
10797910 | Boutros et al. | Oct 2020 | B2 |
10797966 | Boutros et al. | Oct 2020 | B2 |
10802858 | Gunda | Oct 2020 | B2 |
10805181 | Boutros et al. | Oct 2020 | B2 |
10805192 | Boutros et al. | Oct 2020 | B2 |
10812378 | Nainar et al. | Oct 2020 | B2 |
10826835 | Ruckstuhl et al. | Nov 2020 | B2 |
10834004 | Yigit et al. | Nov 2020 | B2 |
10853111 | Gupta et al. | Dec 2020 | B1 |
10929171 | Gokhale et al. | Feb 2021 | B2 |
10931793 | Kumar et al. | Feb 2021 | B2 |
10938668 | Zulak et al. | Mar 2021 | B1 |
10938716 | Chin et al. | Mar 2021 | B1 |
10944673 | Naveen et al. | Mar 2021 | B2 |
10949244 | Naveen et al. | Mar 2021 | B2 |
10997177 | Howes et al. | May 2021 | B1 |
11003482 | Rolando et al. | May 2021 | B2 |
11012420 | Sevinc et al. | May 2021 | B2 |
11036538 | Lecuyer et al. | Jun 2021 | B2 |
11038782 | Boutros et al. | Jun 2021 | B2 |
11042397 | Mishra et al. | Jun 2021 | B2 |
11055273 | Meduri et al. | Jul 2021 | B1 |
11074097 | Naveen et al. | Jul 2021 | B2 |
11075839 | Zhuang et al. | Jul 2021 | B2 |
11075842 | Jain et al. | Jul 2021 | B2 |
11086654 | Rolando et al. | Aug 2021 | B2 |
11119804 | Gokhale et al. | Sep 2021 | B2 |
11140218 | Tidemann et al. | Oct 2021 | B2 |
11153190 | Mahajan et al. | Oct 2021 | B1 |
11153406 | Sawant et al. | Oct 2021 | B2 |
11157304 | Watt, Jr. et al. | Oct 2021 | B2 |
11184397 | Annadata et al. | Nov 2021 | B2 |
11194610 | Mundaragi et al. | Dec 2021 | B2 |
11212356 | Rolando et al. | Dec 2021 | B2 |
11223494 | Mishra et al. | Jan 2022 | B2 |
11249784 | Chalvadi et al. | Feb 2022 | B2 |
11265187 | Boutros et al. | Mar 2022 | B2 |
11277331 | Rolando et al. | Mar 2022 | B2 |
11283717 | Tidemann et al. | Mar 2022 | B2 |
11288088 | Rolando et al. | Mar 2022 | B2 |
11294703 | Rolando et al. | Apr 2022 | B2 |
11296930 | Jain | Apr 2022 | B2 |
11301281 | Rolando et al. | Apr 2022 | B2 |
11316900 | Schottland | Apr 2022 | B1 |
11321113 | Feng et al. | May 2022 | B2 |
11354148 | Rolando et al. | Jun 2022 | B2 |
11360796 | Mishra et al. | Jun 2022 | B2 |
11368387 | Rolando et al. | Jun 2022 | B2 |
11398983 | Wijnands | Jul 2022 | B2 |
20020010783 | Primak et al. | Jan 2002 | A1 |
20020078370 | Tahan | Jun 2002 | A1 |
20020097724 | Halme et al. | Jul 2002 | A1 |
20020194350 | Lu et al. | Dec 2002 | A1 |
20030065711 | Acharya et al. | Apr 2003 | A1 |
20030093481 | Mitchell et al. | May 2003 | A1 |
20030097429 | Wu et al. | May 2003 | A1 |
20030105812 | Flowers et al. | Jun 2003 | A1 |
20030188026 | Denton et al. | Oct 2003 | A1 |
20030236813 | Abjanic | Dec 2003 | A1 |
20040066769 | Ahmavaara et al. | Apr 2004 | A1 |
20040210670 | Anerousis et al. | Oct 2004 | A1 |
20040215703 | Song et al. | Oct 2004 | A1 |
20050021713 | Dugan et al. | Jan 2005 | A1 |
20050089327 | Ovadia et al. | Apr 2005 | A1 |
20050091396 | Nilakantan et al. | Apr 2005 | A1 |
20050114429 | Caccavale | May 2005 | A1 |
20050114648 | Akundi et al. | May 2005 | A1 |
20050132030 | Hopen et al. | Jun 2005 | A1 |
20050198200 | Subramanian et al. | Sep 2005 | A1 |
20050249199 | Albert et al. | Nov 2005 | A1 |
20060069776 | Shim et al. | Mar 2006 | A1 |
20060112297 | Davidson | May 2006 | A1 |
20060130133 | Andreev et al. | Jun 2006 | A1 |
20060155862 | Kathi et al. | Jul 2006 | A1 |
20060195896 | Fulp et al. | Aug 2006 | A1 |
20060233155 | Srivastava | Oct 2006 | A1 |
20070061492 | Riel | Mar 2007 | A1 |
20070121615 | Weill et al. | May 2007 | A1 |
20070153782 | Fletcher et al. | Jul 2007 | A1 |
20070214282 | Sen | Sep 2007 | A1 |
20070248091 | Khalid et al. | Oct 2007 | A1 |
20070260750 | Feied et al. | Nov 2007 | A1 |
20070288615 | Keohane et al. | Dec 2007 | A1 |
20070291773 | Khan et al. | Dec 2007 | A1 |
20080005293 | Bhargava et al. | Jan 2008 | A1 |
20080031263 | Ervin et al. | Feb 2008 | A1 |
20080046400 | Shi et al. | Feb 2008 | A1 |
20080049614 | Briscoe et al. | Feb 2008 | A1 |
20080049619 | Twiss | Feb 2008 | A1 |
20080049786 | Ram et al. | Feb 2008 | A1 |
20080072305 | Casado et al. | Mar 2008 | A1 |
20080084819 | Parizhsky et al. | Apr 2008 | A1 |
20080095153 | Fukunaga et al. | Apr 2008 | A1 |
20080104608 | Hyser et al. | May 2008 | A1 |
20080195755 | Lu et al. | Aug 2008 | A1 |
20080225714 | Denis | Sep 2008 | A1 |
20080239991 | Applegate et al. | Oct 2008 | A1 |
20080247396 | Hazard | Oct 2008 | A1 |
20080276085 | Davidson et al. | Nov 2008 | A1 |
20080279196 | Friskney et al. | Nov 2008 | A1 |
20090003349 | Havemann et al. | Jan 2009 | A1 |
20090003364 | Fendick et al. | Jan 2009 | A1 |
20090003375 | Havemann et al. | Jan 2009 | A1 |
20090019135 | Eswaran et al. | Jan 2009 | A1 |
20090037713 | Khalid et al. | Feb 2009 | A1 |
20090063706 | Goldman et al. | Mar 2009 | A1 |
20090129271 | Ramankutty et al. | May 2009 | A1 |
20090172666 | Yahalom et al. | Jul 2009 | A1 |
20090199268 | Ahmavaara et al. | Aug 2009 | A1 |
20090235325 | Dimitrakos et al. | Sep 2009 | A1 |
20090238084 | Nadeau et al. | Sep 2009 | A1 |
20090249472 | Litvin et al. | Oct 2009 | A1 |
20090265467 | Peles et al. | Oct 2009 | A1 |
20090271586 | Shaath | Oct 2009 | A1 |
20090299791 | Blake et al. | Dec 2009 | A1 |
20090300210 | Ferris | Dec 2009 | A1 |
20090303880 | Maltz et al. | Dec 2009 | A1 |
20090307334 | Maltz et al. | Dec 2009 | A1 |
20090327464 | Archer et al. | Dec 2009 | A1 |
20100031360 | Seshadri et al. | Feb 2010 | A1 |
20100036903 | Ahmad et al. | Feb 2010 | A1 |
20100100616 | Bryson et al. | Apr 2010 | A1 |
20100131638 | Kondamuru | May 2010 | A1 |
20100165985 | Sharma et al. | Jul 2010 | A1 |
20100223364 | Wei | Sep 2010 | A1 |
20100223621 | Joshi et al. | Sep 2010 | A1 |
20100235915 | Memon et al. | Sep 2010 | A1 |
20100254385 | Sharma et al. | Oct 2010 | A1 |
20100257278 | Gunturu | Oct 2010 | A1 |
20100265824 | Chao et al. | Oct 2010 | A1 |
20100281482 | Pike et al. | Nov 2010 | A1 |
20100332595 | Fullagar et al. | Dec 2010 | A1 |
20110010578 | Dominguez et al. | Jan 2011 | A1 |
20110016348 | Pace et al. | Jan 2011 | A1 |
20110022695 | Dalal et al. | Jan 2011 | A1 |
20110022812 | Van Der Linden et al. | Jan 2011 | A1 |
20110035494 | Pandey et al. | Feb 2011 | A1 |
20110040893 | Karaoguz et al. | Feb 2011 | A1 |
20110055845 | Nandagopal et al. | Mar 2011 | A1 |
20110058563 | Saraph et al. | Mar 2011 | A1 |
20110090912 | Shippy | Apr 2011 | A1 |
20110164504 | Bothos et al. | Jul 2011 | A1 |
20110194563 | Shen et al. | Aug 2011 | A1 |
20110211463 | Matityahu et al. | Sep 2011 | A1 |
20110225293 | Rathod | Sep 2011 | A1 |
20110235508 | Goel et al. | Sep 2011 | A1 |
20110261811 | Battestilli et al. | Oct 2011 | A1 |
20110268118 | Schlansker et al. | Nov 2011 | A1 |
20110271007 | Wang et al. | Nov 2011 | A1 |
20110276695 | Maldaner | Nov 2011 | A1 |
20110283013 | Grosser et al. | Nov 2011 | A1 |
20110295991 | Aida | Dec 2011 | A1 |
20110317708 | Clark | Dec 2011 | A1 |
20120005265 | Ushioda et al. | Jan 2012 | A1 |
20120011281 | Hamada et al. | Jan 2012 | A1 |
20120014386 | Xiong et al. | Jan 2012 | A1 |
20120023231 | Ueno | Jan 2012 | A1 |
20120054266 | Kazerani et al. | Mar 2012 | A1 |
20120089664 | Igelka | Apr 2012 | A1 |
20120137004 | Smith | May 2012 | A1 |
20120140719 | Hui et al. | Jun 2012 | A1 |
20120144014 | Natham et al. | Jun 2012 | A1 |
20120147894 | Mulligan et al. | Jun 2012 | A1 |
20120155266 | Patel et al. | Jun 2012 | A1 |
20120176932 | Wu et al. | Jul 2012 | A1 |
20120185588 | Error | Jul 2012 | A1 |
20120195196 | Ghai et al. | Aug 2012 | A1 |
20120207174 | Shieh | Aug 2012 | A1 |
20120213074 | Goldfarb et al. | Aug 2012 | A1 |
20120230187 | Tremblay et al. | Sep 2012 | A1 |
20120239804 | Liu et al. | Sep 2012 | A1 |
20120246637 | Kreeger et al. | Sep 2012 | A1 |
20120266252 | Spiers et al. | Oct 2012 | A1 |
20120281540 | Khan et al. | Nov 2012 | A1 |
20120287789 | Aybay et al. | Nov 2012 | A1 |
20120303784 | Zisapel et al. | Nov 2012 | A1 |
20120303809 | Patel et al. | Nov 2012 | A1 |
20120311568 | Jansen | Dec 2012 | A1 |
20120317260 | Husain et al. | Dec 2012 | A1 |
20120317570 | Dalcher et al. | Dec 2012 | A1 |
20120331188 | Riordan et al. | Dec 2012 | A1 |
20130003735 | Chao et al. | Jan 2013 | A1 |
20130021942 | Bacthu et al. | Jan 2013 | A1 |
20130031544 | Sridharan et al. | Jan 2013 | A1 |
20130039218 | Narasimhan et al. | Feb 2013 | A1 |
20130044636 | Koponen et al. | Feb 2013 | A1 |
20130058346 | Sridharan et al. | Mar 2013 | A1 |
20130073743 | Ramasamy et al. | Mar 2013 | A1 |
20130100851 | Bacthu et al. | Apr 2013 | A1 |
20130125120 | Zhang et al. | May 2013 | A1 |
20130136126 | Wang et al. | May 2013 | A1 |
20130142048 | Gross, IV et al. | Jun 2013 | A1 |
20130148505 | Koponen et al. | Jun 2013 | A1 |
20130151661 | Koponen et al. | Jun 2013 | A1 |
20130159487 | Patel et al. | Jun 2013 | A1 |
20130160024 | Shtilman et al. | Jun 2013 | A1 |
20130163594 | Sharma et al. | Jun 2013 | A1 |
20130166703 | Hammer et al. | Jun 2013 | A1 |
20130170501 | Egi et al. | Jul 2013 | A1 |
20130201989 | Hu et al. | Aug 2013 | A1 |
20130227097 | Yasuda et al. | Aug 2013 | A1 |
20130227550 | Weinstein et al. | Aug 2013 | A1 |
20130287026 | Davie | Oct 2013 | A1 |
20130291088 | Shieh et al. | Oct 2013 | A1 |
20130297798 | Arisoylu et al. | Nov 2013 | A1 |
20130301472 | Allan | Nov 2013 | A1 |
20130311637 | Kamath et al. | Nov 2013 | A1 |
20130318219 | Kancherla | Nov 2013 | A1 |
20130332983 | Koorevaar et al. | Dec 2013 | A1 |
20130336319 | Liu et al. | Dec 2013 | A1 |
20130343174 | Guichard et al. | Dec 2013 | A1 |
20130343378 | Veteikis et al. | Dec 2013 | A1 |
20140003232 | Guichard et al. | Jan 2014 | A1 |
20140003422 | Mogul et al. | Jan 2014 | A1 |
20140010085 | Kavunder et al. | Jan 2014 | A1 |
20140029447 | Schrum, Jr. | Jan 2014 | A1 |
20140046997 | Dain et al. | Feb 2014 | A1 |
20140046998 | Dain et al. | Feb 2014 | A1 |
20140050223 | Foo et al. | Feb 2014 | A1 |
20140052844 | Nayak et al. | Feb 2014 | A1 |
20140059204 | Nguyen et al. | Feb 2014 | A1 |
20140059544 | Koganty et al. | Feb 2014 | A1 |
20140068602 | Gember et al. | Mar 2014 | A1 |
20140092738 | Grandhi et al. | Apr 2014 | A1 |
20140092906 | Kandaswamy et al. | Apr 2014 | A1 |
20140092914 | Kondapalli | Apr 2014 | A1 |
20140096183 | Jain et al. | Apr 2014 | A1 |
20140101226 | Khandekar et al. | Apr 2014 | A1 |
20140101656 | Zhu et al. | Apr 2014 | A1 |
20140108665 | Arora et al. | Apr 2014 | A1 |
20140115578 | Cooper et al. | Apr 2014 | A1 |
20140129715 | Mortazavi | May 2014 | A1 |
20140149696 | Frenkel et al. | May 2014 | A1 |
20140164477 | Springer et al. | Jun 2014 | A1 |
20140169168 | Jalan et al. | Jun 2014 | A1 |
20140169375 | Khan et al. | Jun 2014 | A1 |
20140195666 | Dumitriu et al. | Jul 2014 | A1 |
20140207968 | Kumar et al. | Jul 2014 | A1 |
20140254374 | Janakiraman et al. | Sep 2014 | A1 |
20140254591 | Mahadevan et al. | Sep 2014 | A1 |
20140269487 | Kalkunte | Sep 2014 | A1 |
20140269717 | Thubert et al. | Sep 2014 | A1 |
20140269724 | Mehler et al. | Sep 2014 | A1 |
20140280896 | Papakostas et al. | Sep 2014 | A1 |
20140281029 | Danforth | Sep 2014 | A1 |
20140282526 | Basavaiah et al. | Sep 2014 | A1 |
20140301388 | Jagadish et al. | Oct 2014 | A1 |
20140304231 | Kamath et al. | Oct 2014 | A1 |
20140307744 | Dunbar et al. | Oct 2014 | A1 |
20140310391 | Sorenson et al. | Oct 2014 | A1 |
20140310418 | Sorenson et al. | Oct 2014 | A1 |
20140317677 | Vaidya et al. | Oct 2014 | A1 |
20140321459 | Kumar et al. | Oct 2014 | A1 |
20140330983 | Zisapel et al. | Nov 2014 | A1 |
20140334485 | Jain et al. | Nov 2014 | A1 |
20140334488 | Guichard et al. | Nov 2014 | A1 |
20140341029 | Allan et al. | Nov 2014 | A1 |
20140351452 | Bosch et al. | Nov 2014 | A1 |
20140362682 | Guichard et al. | Dec 2014 | A1 |
20140362705 | Pan | Dec 2014 | A1 |
20140369204 | Anand et al. | Dec 2014 | A1 |
20140372567 | Ganesh et al. | Dec 2014 | A1 |
20140372616 | Arisoylu et al. | Dec 2014 | A1 |
20140372702 | Subramanyam et al. | Dec 2014 | A1 |
20150003453 | Sengupta et al. | Jan 2015 | A1 |
20150003455 | Haddad et al. | Jan 2015 | A1 |
20150009995 | Gross, IV et al. | Jan 2015 | A1 |
20150016279 | Zhang et al. | Jan 2015 | A1 |
20150023354 | Li et al. | Jan 2015 | A1 |
20150026345 | Ravinoothala et al. | Jan 2015 | A1 |
20150026362 | Guichard et al. | Jan 2015 | A1 |
20150030024 | Venkataswami et al. | Jan 2015 | A1 |
20150052262 | Chanda et al. | Feb 2015 | A1 |
20150052522 | Chanda et al. | Feb 2015 | A1 |
20150063102 | Mestery et al. | Mar 2015 | A1 |
20150063364 | Thakkar et al. | Mar 2015 | A1 |
20150071285 | Kumar et al. | Mar 2015 | A1 |
20150071301 | Dalal | Mar 2015 | A1 |
20150073967 | Katsuyama et al. | Mar 2015 | A1 |
20150078384 | Jackson et al. | Mar 2015 | A1 |
20150092551 | Moisand | Apr 2015 | A1 |
20150092564 | Aldrin | Apr 2015 | A1 |
20150103645 | Shen et al. | Apr 2015 | A1 |
20150103679 | Tessmer et al. | Apr 2015 | A1 |
20150103827 | Quinn et al. | Apr 2015 | A1 |
20150109901 | Tan et al. | Apr 2015 | A1 |
20150124608 | Agarwal et al. | May 2015 | A1 |
20150124622 | Kovvali et al. | May 2015 | A1 |
20150124840 | Bergeron | May 2015 | A1 |
20150138973 | Kumar et al. | May 2015 | A1 |
20150139041 | Bosch et al. | May 2015 | A1 |
20150146539 | Mehta et al. | May 2015 | A1 |
20150156035 | Foo et al. | Jun 2015 | A1 |
20150188770 | Naiksatam et al. | Jul 2015 | A1 |
20150195197 | Yong et al. | Jul 2015 | A1 |
20150213087 | Sikri | Jul 2015 | A1 |
20150215819 | Bosch et al. | Jul 2015 | A1 |
20150222640 | Kumar et al. | Aug 2015 | A1 |
20150236948 | Dunbar et al. | Aug 2015 | A1 |
20150237013 | Bansal et al. | Aug 2015 | A1 |
20150242197 | Alfonso et al. | Aug 2015 | A1 |
20150244617 | Nakil et al. | Aug 2015 | A1 |
20150263901 | Kumar et al. | Sep 2015 | A1 |
20150263946 | Tubaltsev et al. | Sep 2015 | A1 |
20150271102 | Antich | Sep 2015 | A1 |
20150280959 | Vincent | Oct 2015 | A1 |
20150281089 | Marchetti | Oct 2015 | A1 |
20150281098 | Pettit et al. | Oct 2015 | A1 |
20150281125 | Koponen et al. | Oct 2015 | A1 |
20150281179 | Raman et al. | Oct 2015 | A1 |
20150281180 | Raman et al. | Oct 2015 | A1 |
20150288671 | Chan et al. | Oct 2015 | A1 |
20150288679 | Ben-Nun et al. | Oct 2015 | A1 |
20150295831 | Kumar et al. | Oct 2015 | A1 |
20150319078 | Lee et al. | Nov 2015 | A1 |
20150319096 | Yip et al. | Nov 2015 | A1 |
20150358235 | Zhang et al. | Dec 2015 | A1 |
20150358294 | Kancharla et al. | Dec 2015 | A1 |
20150365322 | Shalzkamer et al. | Dec 2015 | A1 |
20150370586 | Cooper et al. | Dec 2015 | A1 |
20150370596 | Fahs et al. | Dec 2015 | A1 |
20150372840 | Benny et al. | Dec 2015 | A1 |
20150372911 | Yabusaki et al. | Dec 2015 | A1 |
20150379277 | Thota et al. | Dec 2015 | A1 |
20150381493 | Bansal et al. | Dec 2015 | A1 |
20150381494 | Cherian et al. | Dec 2015 | A1 |
20150381495 | Cherian et al. | Dec 2015 | A1 |
20160006654 | Fernando et al. | Jan 2016 | A1 |
20160028640 | Zhang et al. | Jan 2016 | A1 |
20160043901 | Sankar et al. | Feb 2016 | A1 |
20160043952 | Zhang et al. | Feb 2016 | A1 |
20160057050 | Ostrom et al. | Feb 2016 | A1 |
20160057687 | Horn et al. | Feb 2016 | A1 |
20160065503 | Yohe et al. | Mar 2016 | A1 |
20160080253 | Wang et al. | Mar 2016 | A1 |
20160087888 | Jain et al. | Mar 2016 | A1 |
20160094384 | Jain et al. | Mar 2016 | A1 |
20160094389 | Jain et al. | Mar 2016 | A1 |
20160094451 | Jain et al. | Mar 2016 | A1 |
20160094452 | Jain et al. | Mar 2016 | A1 |
20160094453 | Jain et al. | Mar 2016 | A1 |
20160094454 | Jain et al. | Mar 2016 | A1 |
20160094455 | Jain et al. | Mar 2016 | A1 |
20160094456 | Jain et al. | Mar 2016 | A1 |
20160094457 | Jain et al. | Mar 2016 | A1 |
20160094631 | Jain et al. | Mar 2016 | A1 |
20160094632 | Jain et al. | Mar 2016 | A1 |
20160094633 | Jain et al. | Mar 2016 | A1 |
20160094642 | Jain et al. | Mar 2016 | A1 |
20160094643 | Jain et al. | Mar 2016 | A1 |
20160094661 | Jain et al. | Mar 2016 | A1 |
20160099948 | Ott et al. | Apr 2016 | A1 |
20160105333 | Lenglet et al. | Apr 2016 | A1 |
20160119226 | Guichard et al. | Apr 2016 | A1 |
20160127306 | Wang et al. | May 2016 | A1 |
20160127564 | Sharma et al. | May 2016 | A1 |
20160134528 | Lin et al. | May 2016 | A1 |
20160149784 | Zhang | May 2016 | A1 |
20160149816 | Roach et al. | May 2016 | A1 |
20160149828 | Vijayan et al. | May 2016 | A1 |
20160162320 | Singh et al. | Jun 2016 | A1 |
20160164776 | Biancaniello | Jun 2016 | A1 |
20160164787 | Roach et al. | Jun 2016 | A1 |
20160164826 | Riedel et al. | Jun 2016 | A1 |
20160173373 | Guichard et al. | Jun 2016 | A1 |
20160182684 | Connor et al. | Jun 2016 | A1 |
20160197831 | Foy et al. | Jul 2016 | A1 |
20160197839 | Li et al. | Jul 2016 | A1 |
20160205015 | Halligan et al. | Jul 2016 | A1 |
20160212048 | Kaempfer et al. | Jul 2016 | A1 |
20160212237 | Nishijima | Jul 2016 | A1 |
20160218918 | Chu | Jul 2016 | A1 |
20160226700 | Zhang et al. | Aug 2016 | A1 |
20160226754 | Zhang et al. | Aug 2016 | A1 |
20160226762 | Zhang et al. | Aug 2016 | A1 |
20160248685 | Pignataro et al. | Aug 2016 | A1 |
20160277210 | Lin et al. | Sep 2016 | A1 |
20160277294 | Akiyoshi | Sep 2016 | A1 |
20160294612 | Ravinoothala et al. | Oct 2016 | A1 |
20160294933 | Hong et al. | Oct 2016 | A1 |
20160294935 | Hong et al. | Oct 2016 | A1 |
20160308758 | Li et al. | Oct 2016 | A1 |
20160308961 | Rao | Oct 2016 | A1 |
20160337189 | Liebhart et al. | Nov 2016 | A1 |
20160337249 | Zhang et al. | Nov 2016 | A1 |
20160337317 | Hwang et al. | Nov 2016 | A1 |
20160344565 | Batz et al. | Nov 2016 | A1 |
20160344621 | Roeland et al. | Nov 2016 | A1 |
20160344803 | Batz et al. | Nov 2016 | A1 |
20160352866 | Gupta et al. | Dec 2016 | A1 |
20160366046 | Anantharam et al. | Dec 2016 | A1 |
20160373364 | Yokota | Dec 2016 | A1 |
20160378537 | Zou | Dec 2016 | A1 |
20160380812 | Chanda et al. | Dec 2016 | A1 |
20170005920 | Previdi et al. | Jan 2017 | A1 |
20170005923 | Babakian | Jan 2017 | A1 |
20170005988 | Bansal et al. | Jan 2017 | A1 |
20170019329 | Kozat et al. | Jan 2017 | A1 |
20170019331 | Yong | Jan 2017 | A1 |
20170019341 | Huang et al. | Jan 2017 | A1 |
20170026417 | Ermagan et al. | Jan 2017 | A1 |
20170033939 | Bragg et al. | Feb 2017 | A1 |
20170063683 | Li et al. | Mar 2017 | A1 |
20170063928 | Jain et al. | Mar 2017 | A1 |
20170064048 | Pettit et al. | Mar 2017 | A1 |
20170064749 | Jain et al. | Mar 2017 | A1 |
20170078176 | Lakshmikantha et al. | Mar 2017 | A1 |
20170078961 | Rabii et al. | Mar 2017 | A1 |
20170093698 | Farmanbar | Mar 2017 | A1 |
20170093758 | Chanda | Mar 2017 | A1 |
20170099194 | Wei | Apr 2017 | A1 |
20170126497 | Dubey et al. | May 2017 | A1 |
20170126522 | McCann et al. | May 2017 | A1 |
20170126726 | Han | May 2017 | A1 |
20170134538 | Mahkonen et al. | May 2017 | A1 |
20170142012 | Thakkar et al. | May 2017 | A1 |
20170147399 | Cropper et al. | May 2017 | A1 |
20170149582 | Cohn et al. | May 2017 | A1 |
20170149675 | Yang | May 2017 | A1 |
20170149680 | Liu et al. | May 2017 | A1 |
20170163531 | Kumar et al. | Jun 2017 | A1 |
20170163724 | Puri et al. | Jun 2017 | A1 |
20170171159 | Kumar et al. | Jun 2017 | A1 |
20170180240 | Kern | Jun 2017 | A1 |
20170195255 | Pham et al. | Jul 2017 | A1 |
20170208000 | Bosch et al. | Jul 2017 | A1 |
20170208011 | Bosch et al. | Jul 2017 | A1 |
20170208532 | Zhou | Jul 2017 | A1 |
20170214627 | Zhang et al. | Jul 2017 | A1 |
20170220306 | Price et al. | Aug 2017 | A1 |
20170230333 | Glazemakers et al. | Aug 2017 | A1 |
20170230467 | Salgueiro et al. | Aug 2017 | A1 |
20170237656 | Gage | Aug 2017 | A1 |
20170250869 | Voellmy | Aug 2017 | A1 |
20170250902 | Rasanen et al. | Aug 2017 | A1 |
20170250917 | Ruckstuhl et al. | Aug 2017 | A1 |
20170251065 | Furr et al. | Aug 2017 | A1 |
20170257432 | Fu et al. | Sep 2017 | A1 |
20170264677 | Li | Sep 2017 | A1 |
20170273099 | Zhang et al. | Sep 2017 | A1 |
20170279938 | You et al. | Sep 2017 | A1 |
20170295021 | Gutiérrez et al. | Oct 2017 | A1 |
20170295033 | Cherian et al. | Oct 2017 | A1 |
20170295100 | Hira et al. | Oct 2017 | A1 |
20170310588 | Zuo | Oct 2017 | A1 |
20170310611 | Kumar et al. | Oct 2017 | A1 |
20170317887 | Dwaraki et al. | Nov 2017 | A1 |
20170317926 | Penno et al. | Nov 2017 | A1 |
20170317936 | Swaminathan et al. | Nov 2017 | A1 |
20170317954 | Masurekar et al. | Nov 2017 | A1 |
20170318081 | Hopen et al. | Nov 2017 | A1 |
20170318097 | Drew et al. | Nov 2017 | A1 |
20170324651 | Penno et al. | Nov 2017 | A1 |
20170324654 | Previdi et al. | Nov 2017 | A1 |
20170331672 | Fedyk et al. | Nov 2017 | A1 |
20170339110 | Ni | Nov 2017 | A1 |
20170339600 | Roeland et al. | Nov 2017 | A1 |
20170346764 | Tan et al. | Nov 2017 | A1 |
20170353387 | Kwak et al. | Dec 2017 | A1 |
20170359252 | Kumar et al. | Dec 2017 | A1 |
20170364794 | Mahkonen et al. | Dec 2017 | A1 |
20170366605 | Chang et al. | Dec 2017 | A1 |
20170373990 | Jeuk et al. | Dec 2017 | A1 |
20180004954 | Liguori et al. | Jan 2018 | A1 |
20180006935 | Mutnuru et al. | Jan 2018 | A1 |
20180026911 | Anholt et al. | Jan 2018 | A1 |
20180027101 | Kumar et al. | Jan 2018 | A1 |
20180041425 | Zhang | Feb 2018 | A1 |
20180041470 | Schultz | Feb 2018 | A1 |
20180041524 | Reddy et al. | Feb 2018 | A1 |
20180063018 | Bosch et al. | Mar 2018 | A1 |
20180063087 | Hira et al. | Mar 2018 | A1 |
20180091420 | Drake et al. | Mar 2018 | A1 |
20180102919 | Hao et al. | Apr 2018 | A1 |
20180102965 | Hari et al. | Apr 2018 | A1 |
20180115471 | Curcio et al. | Apr 2018 | A1 |
20180123950 | Garg et al. | May 2018 | A1 |
20180124061 | Raman et al. | May 2018 | A1 |
20180139098 | Sunavala et al. | May 2018 | A1 |
20180145899 | Rao | May 2018 | A1 |
20180159733 | Poon et al. | Jun 2018 | A1 |
20180159801 | Rajan et al. | Jun 2018 | A1 |
20180159943 | Poon et al. | Jun 2018 | A1 |
20180176177 | Bichot et al. | Jun 2018 | A1 |
20180176294 | Vacaro et al. | Jun 2018 | A1 |
20180183764 | Gunda | Jun 2018 | A1 |
20180184281 | Tamagawa et al. | Jun 2018 | A1 |
20180191600 | Hecker et al. | Jul 2018 | A1 |
20180198692 | Ansari et al. | Jul 2018 | A1 |
20180198705 | Wang et al. | Jul 2018 | A1 |
20180198791 | Desai et al. | Jul 2018 | A1 |
20180203736 | Vyas et al. | Jul 2018 | A1 |
20180205637 | Li | Jul 2018 | A1 |
20180213040 | Pak et al. | Jul 2018 | A1 |
20180219762 | Wang et al. | Aug 2018 | A1 |
20180227216 | Hughes | Aug 2018 | A1 |
20180234360 | Narayana et al. | Aug 2018 | A1 |
20180247082 | Durham et al. | Aug 2018 | A1 |
20180248713 | Zanier et al. | Aug 2018 | A1 |
20180248755 | Hecker et al. | Aug 2018 | A1 |
20180248790 | Tan et al. | Aug 2018 | A1 |
20180248986 | Dalal | Aug 2018 | A1 |
20180262427 | Jain et al. | Sep 2018 | A1 |
20180262434 | Koponen et al. | Sep 2018 | A1 |
20180278530 | Connor et al. | Sep 2018 | A1 |
20180288129 | Joshi et al. | Oct 2018 | A1 |
20180295036 | Krishnamurthy et al. | Oct 2018 | A1 |
20180295053 | Leung et al. | Oct 2018 | A1 |
20180302242 | Hao et al. | Oct 2018 | A1 |
20180337849 | Sharma et al. | Nov 2018 | A1 |
20180349212 | Liu et al. | Dec 2018 | A1 |
20180351874 | Abhigyan et al. | Dec 2018 | A1 |
20190007382 | Nirwal et al. | Jan 2019 | A1 |
20190020580 | Boutros et al. | Jan 2019 | A1 |
20190020600 | Zhang et al. | Jan 2019 | A1 |
20190020684 | Qian et al. | Jan 2019 | A1 |
20190028347 | Johnston et al. | Jan 2019 | A1 |
20190028384 | Penno et al. | Jan 2019 | A1 |
20190028577 | D?Souza et al. | Jan 2019 | A1 |
20190036819 | Kancherla et al. | Jan 2019 | A1 |
20190068500 | Hira | Feb 2019 | A1 |
20190089679 | Kahalon et al. | Mar 2019 | A1 |
20190097838 | Sahoo et al. | Mar 2019 | A1 |
20190102280 | Caldato et al. | Apr 2019 | A1 |
20190108049 | Singh et al. | Apr 2019 | A1 |
20190121961 | Coleman et al. | Apr 2019 | A1 |
20190124096 | Ahuja et al. | Apr 2019 | A1 |
20190132220 | Boutros et al. | May 2019 | A1 |
20190132221 | Boutros et al. | May 2019 | A1 |
20190140863 | Nainar et al. | May 2019 | A1 |
20190140947 | Zhuang et al. | May 2019 | A1 |
20190140950 | Zhuang et al. | May 2019 | A1 |
20190149512 | Sevinc et al. | May 2019 | A1 |
20190149516 | Rajahalme et al. | May 2019 | A1 |
20190149518 | Sevinc et al. | May 2019 | A1 |
20190166045 | Peng et al. | May 2019 | A1 |
20190173778 | Faseela et al. | Jun 2019 | A1 |
20190173850 | Jain et al. | Jun 2019 | A1 |
20190173851 | Jain et al. | Jun 2019 | A1 |
20190222538 | Yang et al. | Jul 2019 | A1 |
20190229937 | Nagarajan et al. | Jul 2019 | A1 |
20190230126 | Kumar et al. | Jul 2019 | A1 |
20190238363 | Boutros et al. | Aug 2019 | A1 |
20190238364 | Boutros et al. | Aug 2019 | A1 |
20190268384 | Hu et al. | Aug 2019 | A1 |
20190286475 | Mani | Sep 2019 | A1 |
20190288915 | Denyer et al. | Sep 2019 | A1 |
20190288947 | Jain et al. | Sep 2019 | A1 |
20190306036 | Boutros et al. | Oct 2019 | A1 |
20190306086 | Boutros et al. | Oct 2019 | A1 |
20190342175 | Wan et al. | Nov 2019 | A1 |
20190377604 | Cybulski | Dec 2019 | A1 |
20190379578 | Mishra et al. | Dec 2019 | A1 |
20190379579 | Mishra et al. | Dec 2019 | A1 |
20200007388 | Johnston et al. | Jan 2020 | A1 |
20200036629 | Roeland et al. | Jan 2020 | A1 |
20200059761 | Li et al. | Feb 2020 | A1 |
20200067828 | Liu et al. | Feb 2020 | A1 |
20200073739 | Rungta et al. | Mar 2020 | A1 |
20200076684 | Naveen et al. | Mar 2020 | A1 |
20200076734 | Naveen et al. | Mar 2020 | A1 |
20200084141 | Bengough et al. | Mar 2020 | A1 |
20200136960 | Jeuk et al. | Apr 2020 | A1 |
20200145331 | Bhandari et al. | May 2020 | A1 |
20200162318 | Patil et al. | May 2020 | A1 |
20200162352 | Jorgenson et al. | May 2020 | A1 |
20200183724 | Shevade et al. | Jun 2020 | A1 |
20200195711 | Abhigyan et al. | Jun 2020 | A1 |
20200204492 | Sarva et al. | Jun 2020 | A1 |
20200213366 | Hong et al. | Jul 2020 | A1 |
20200220805 | Dhanabalan | Jul 2020 | A1 |
20200272493 | Lecuyer et al. | Aug 2020 | A1 |
20200272494 | Gokhale et al. | Aug 2020 | A1 |
20200272495 | Rolando et al. | Aug 2020 | A1 |
20200272496 | Mundaragi et al. | Aug 2020 | A1 |
20200272497 | Kavathia et al. | Aug 2020 | A1 |
20200272498 | Mishra et al. | Aug 2020 | A1 |
20200272499 | Feng et al. | Aug 2020 | A1 |
20200272500 | Feng et al. | Aug 2020 | A1 |
20200272501 | Chalvadi et al. | Aug 2020 | A1 |
20200274757 | Rolando et al. | Aug 2020 | A1 |
20200274769 | Naveen et al. | Aug 2020 | A1 |
20200274778 | Lecuyer et al. | Aug 2020 | A1 |
20200274779 | Rolando et al. | Aug 2020 | A1 |
20200274795 | Rolando et al. | Aug 2020 | A1 |
20200274801 | Feng et al. | Aug 2020 | A1 |
20200274808 | Mundaragi et al. | Aug 2020 | A1 |
20200274809 | Rolando et al. | Aug 2020 | A1 |
20200274810 | Gokhale et al. | Aug 2020 | A1 |
20200274826 | Mishra et al. | Aug 2020 | A1 |
20200274944 | Naveen et al. | Aug 2020 | A1 |
20200274945 | Rolando et al. | Aug 2020 | A1 |
20200287962 | Mishra et al. | Sep 2020 | A1 |
20200322271 | Jain et al. | Oct 2020 | A1 |
20200344088 | Selvaraj et al. | Oct 2020 | A1 |
20200358696 | Hu et al. | Nov 2020 | A1 |
20200364074 | Gunda et al. | Nov 2020 | A1 |
20200366526 | Boutros et al. | Nov 2020 | A1 |
20200366584 | Boutros et al. | Nov 2020 | A1 |
20200382412 | Chandrappa et al. | Dec 2020 | A1 |
20200382420 | Suryanarayana et al. | Dec 2020 | A1 |
20200389401 | Enguehard et al. | Dec 2020 | A1 |
20210004245 | Kamath et al. | Jan 2021 | A1 |
20210011812 | Mitkar et al. | Jan 2021 | A1 |
20210011816 | Mitkar et al. | Jan 2021 | A1 |
20210029088 | Mayya et al. | Jan 2021 | A1 |
20210044502 | Boutros et al. | Feb 2021 | A1 |
20210073736 | Alawi et al. | Mar 2021 | A1 |
20210117217 | Croteau et al. | Apr 2021 | A1 |
20210120080 | Mishra et al. | Apr 2021 | A1 |
20210135992 | Tidemann et al. | May 2021 | A1 |
20210136140 | Tidemann et al. | May 2021 | A1 |
20210136141 | Tidemann et al. | May 2021 | A1 |
20210136147 | Giassa et al. | May 2021 | A1 |
20210218587 | Mishra et al. | Jul 2021 | A1 |
20210227041 | Sawant et al. | Jul 2021 | A1 |
20210227042 | Sawant et al. | Jul 2021 | A1 |
20210240734 | Shah et al. | Aug 2021 | A1 |
20210266295 | Stroz | Aug 2021 | A1 |
20210271565 | Bhavanarushi et al. | Sep 2021 | A1 |
20210306240 | Boutros et al. | Sep 2021 | A1 |
20210311758 | Cao et al. | Oct 2021 | A1 |
20210311772 | Mishra et al. | Oct 2021 | A1 |
20210314248 | Rolando et al. | Oct 2021 | A1 |
20210314253 | Rolando et al. | Oct 2021 | A1 |
20210314268 | Rolando et al. | Oct 2021 | A1 |
20210314277 | Rolando et al. | Oct 2021 | A1 |
20210314310 | Cao et al. | Oct 2021 | A1 |
20210314415 | Rolando et al. | Oct 2021 | A1 |
20210314423 | Rolando et al. | Oct 2021 | A1 |
20210328913 | Nainar et al. | Oct 2021 | A1 |
20210349767 | Asayag et al. | Nov 2021 | A1 |
20210359945 | Jain et al. | Nov 2021 | A1 |
20210377160 | Faseela | Dec 2021 | A1 |
20220019698 | Durham et al. | Jan 2022 | A1 |
20220030058 | Tidemann et al. | Jan 2022 | A1 |
20220060467 | Montgomery et al. | Feb 2022 | A1 |
20220078037 | Mishra et al. | Mar 2022 | A1 |
20220188140 | Jain et al. | Jun 2022 | A1 |
20220191304 | Jain et al. | Jun 2022 | A1 |
Number | Date | Country |
---|---|---|
3034809 | Mar 2018 | CA |
1689369 | Oct 2005 | CN |
101594358 | Dec 2009 | CN |
101729412 | Jun 2010 | CN |
103516807 | Jan 2014 | CN |
103795805 | May 2014 | CN |
104471899 | Mar 2015 | CN |
104521195 | Apr 2015 | CN |
107078950 | Aug 2017 | CN |
107204941 | Sep 2017 | CN |
109213573 | Jan 2019 | CN |
112181632 | Jan 2021 | CN |
2426956 | Mar 2012 | EP |
2466985 | Jun 2012 | EP |
3210345 | Aug 2017 | EP |
3300319 | Mar 2018 | EP |
2005311863 | Nov 2005 | JP |
9918534 | Apr 1999 | WO |
2008095010 | Aug 2008 | WO |
2014069978 | May 2014 | WO |
2014182529 | Nov 2014 | WO |
2016053373 | Apr 2016 | WO |
2016054272 | Apr 2016 | WO |
2019084066 | May 2019 | WO |
2019147316 | Aug 2019 | WO |
2019157955 | Aug 2019 | WO |
2019168532 | Sep 2019 | WO |
2019226327 | Nov 2019 | WO |
2020046686 | Mar 2020 | WO |
2020171937 | Aug 2020 | WO |
2021041440 | Mar 2021 | WO |
2021086462 | May 2021 | WO |
2021206789 | Oct 2021 | WO |
2022132308 | Jun 2022 | WO |
Entry |
---|
Non-Published Commonly Owned U.S. Appl. No. 17/385,809, filed Jul. 26, 2021, 74 pages, Nicira, Inc. |
Halpern, J., et al., “Service Function Chaining (SFC) Architecture,” RFC 7665, Oct. 2015, 32 pages, IETF Trust. |
Non-Published Commonly Owned U.S. Appl. No. 17/528,094, filed Nov. 16, 2021, 38 pages, VMware, Inc. |
Xiong, Gang, et al., “A Mechanism for Configurable Network Service Chaining and Its Implementation,” KSII Transactions on Internet and Information Systems, Aug. 2016, 27 pages, vol. 10, No. 8, KSII. |
Author Unknown, “Datagram,” Jun. 22, 2012, 2 pages, retrieved from https://web.archive.org/web/20120622031055/https://en.wikipedia.org/wiki/datagram. |
Author Unknown, “AppLogic Features,” Jul. 2007, 2 pages. 3TERA, Inc. |
Author Unknown, “Enabling Service Chaining on Cisco Nexus 1000V Series,” Month Unknown, 2012, 25 pages, Cisco. |
Casado, Martin, et al., “Virtualizing the Network Forwarding Plane,” Dec. 2010, 6 pages. |
Dixon, Colin, et al., “An End to the Middle,” Proceedings of the 12th Conference on Hot Topics in Operating Systems, May 2009, 5 pages, USENIX Association, Berkeley, CA, USA. |
Dumitriu, Dan Mihai, et al., (U.S. Appl. No. 61/514,990), filed Aug. 4, 2011, 31 pages. |
Greenberg, Albert, et al., “VL2: A Scalable and Flexible Data Center Network,” SIGCOMM '09, Aug. 17-21, 2009, 12 pages, ACM, Barcelona, Spain. |
Guichard, J., et al., “Network Service Chaining Problem Statement,” Network Working Group, Jun. 13, 2013, 14 pages, Cisco Systems, Inc. |
Halpern, J., et al., “Service Function Chaining (SFC) Architecture,” draft-ietf-sfc-architecture-02, Sep. 20, 2014, 26 pages, IETF. |
Joseph, Dilip Anthony, et al., “A Policy-aware Switching Layer for Data Centers,” Jun. 24, 2008, 26 pages, Electrical Engineering and Computer Sciences, University of California, Berkeley, CA, USA. |
Karakus, Murat, et al., “Quality of Service (QoS) in Software Defined Networking (SDN): A Survey,” Journal of Network and Computer Applications, Dec. 9, 2016, 19 pages, vol. 80, Elsevier, Ltd. |
Kumar, S., et al., “Service Function Chaining Use Cases in Data Centers,” draft-ietf-sfc-dc-use-cases-01, Jul. 21, 2014, 23 pages, IETF. |
Liu, W., et al., “Service Function Chaining (SFC) Use Cases,” draft-liu-sfc-use-cases-02, Feb. 13, 2014, 17 pages, IETF. |
Non-Published Commonly Owned U.S. Patent Application 16/668,477, filed Oct. 30, 2019, 31 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/668,485, filed Oct. 30, 2019, 55 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/668,505, filed Oct. 30, 2019, 39 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/741,544, filed Jan. 13, 2020, 31 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/785,674, filed Feb. 10, 2020, 29 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/843,913, filed Apr. 9, 2020, 119 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/843,919, filed Apr. 9, 2020, 123 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,377 with similar specification, filed Jun. 17, 2020, 120 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,390 with similar specification, filed Jun. 17, 2020, 121 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,399 with similar specification, filed Jun. 17, 2020, 121 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,430 with similar specification, filed Jun. 17, 2020, 120 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,442 with similar specification, filed Jun. 17, 2020, 121 pages, VMware, Inc. |
Non-Published Commonly Owned Related U.S. Appl. No. 16/904,446 with similar specification, filed Jun. 17, 2020, 121 pages, VMware, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/905,909, filed Jun. 18, 2020, 36 pages, Nicira, Inc. |
Mon-Published Commonly Owned U.S. Appl. No. 16/945,675, filed Jul. 31, 2020, 51 pages, Nicira, Inc. |
Non-Published Commonly Owned U.S. Appl. No. 16/945,868, filed Aug. 1, 2020, 48 pages, Nicira, Inc. |
Salsano, Stefano, et al., “Generalized Virtual Networking: An Enabler for Service Centric Networking and Network Function Virtualization,” 2014 16th International Telecommunications Network Strategy and Planning Symposium, Sep. 17-19, 2014, 7 pages, IEEE, Funchal, Portugal. |
Sekar, Vyas, et al., “Design and Implementation of a Consolidated Middlebox Architecture,” 9th USENIX Symposium on Networked Systems Design and Implementation, Apr. 25-27, 2012, 14 pages, USENIX, San Jose, CA, USA. |
Sherry, Justine, et al., “Making Middleboxes Someone Else's Problem: Network Processing as a Cloud Service,” In Proc. of SIGCOMM '12, Aug. 13-17, 2012, 12 pages, Helsinki, Finland. |
Lin, Po-Ching, et al., “Balanced Service Chaining in Software-Defined Networks with Network Function Virtualization,” Computer: Research Feature, Nov. 2016, 9 pages, vol. 49, No. 11, IEEE. |
Non-Published Commonly Owned U.S. Appl. No. 17/346,255, filed Jun. 13, 2021, 49 pages, Nicira, Inc. |
Non-Published Commonly Owned U S U.S. Appl. No. 17/352,298, filed Jun. 19, 2021, 132 pages, VMware, Inc. |
PCT International Search Report and Written Opinion of commonly owned International Patent Application PCT/JS2021/016117, dated May 27, 2021, 10 pages, International Searching Authority (EPO). |
Non-Published Commonly Owned U.S. Appl. No. 17/067,635, filed Oct. 9, 2020, 65 pages, Nicira, Inc. |
Siasi, N., et al., “Container-Based Service Function Chain Mapping,” 2019 SoutheastCon, Apr. 11-14, 2019, 6 pages, IEEE, Huntsville, AL, USA. |
Author Unknown, “MPLS,” Mar. 3, 2008, 47 pages. |
Cianfrani, Antonio, et al., “Translating Traffic Engineering Outcome into Segment Routing Paths: the Encoding Problem,” 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS): GI 2016: 9th IEEE Global Internet Symposium, Apr. 10-14, 2016, 6 pages, IEEE, San Francisco, CA, USA. |
Number | Date | Country | |
---|---|---|---|
20210314252 A1 | Oct 2021 | US |