The present disclosure relates generally to virtual local area networks (VLANs) in a virtual machine environment.
Virtualization is a technology which allows one computer to do the job of multiple computers by sharing resources of a single computer across multiple systems. Through the use of virtualization, multiple operating systems and applications can run on the same computer at the same time, thereby increasing utilization and flexibility of hardware. For example, virtualization allows servers to be decoupled from underlying hardware, thus resulting in multiple virtual machines sharing the same physical server hardware. Connectivity between the virtual machines and an external network is provided by a virtual switch. The virtual machines may be connected to the virtual switch via an access port and each virtual machine can be part of a different virtual local area network.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
In one embodiment, a method generally comprises identifying virtual machines operating at a network device and virtual local area networks associated with the virtual machines, creating an allowed list of virtual local area networks at the network device based on the virtual machines operating at the network device, and updating the allowed list in response to changes in the virtual machines at the network device. The network device is configured to forward traffic received from the virtual local area networks on the allowed list to a virtual switch at the network device, and drop traffic received from a virtual local area network not on the allowed list.
In another embodiment, an apparatus generally comprises a processor for creating an allowed list of virtual local area networks based on virtual machines operating at the apparatus and virtual local area networks associated with the virtual machines, and updating the allowed list in response to changes in the virtual machines. The apparatus further includes a network interface for forwarding traffic received from the virtual local area networks on the allowed list to a virtual switch at the apparatus, and dropping traffic received from a virtual local area network not on the allowed list, and memory for storing the allowed list of virtual local area networks.
The following description is presented to enable one of ordinary skill in the art to make and use the embodiments. Descriptions of specific embodiments and applications are provided only as examples and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other embodiments and applications. Thus, the embodiments are not to be limited to those shown, but are to be accorded the widest scope consistent with the principles and features described herein. For purpose of clarity, features relating to technical material that is known in the technical fields related to the embodiments have not been described in detail.
Virtualization allows one computer to do the job of multiple computers by sharing the resources of a single computer across multiple systems. Software is used to virtualize hardware resources of a computer, including, for example, CPU (central processing unit), RAM (random access memory), hard disk, and network controller, to create a virtual machine that can run its own operating system and applications. Multiple virtual machines share hardware resources without interfering with each other so that several operating systems and applications can be run at the same time on a single computer. Virtual machines may be used, for example, in a virtual infrastructure to dynamically map physical resources to business needs.
In a virtual environment, virtual switches provide networking connectivity between virtual machines and physical interfaces on a server. Each virtual machine may be part of a different virtual local area network (VLAN). The virtual local area networks allow multiple logical local area networks (LANs) to exist within a single physical LAN. The dynamic nature of virtual machines can effectively change the VLANs that are active at a server at any time. The embodiments described herein dynamically alter an allowed list of VLANs at a network device (e.g., server) based upon the active list of VLANs used by the virtual machines and hypervisor access ports at the server. The allowed list of VLANs on a trunk connecting the server to an upstream switch is thus dynamically changed to keep up with changes to the virtual machines. This allows for unwanted traffic to be dropped by a physical adapter (e.g., network interface card (NIC)) at the server, rather than having to be processed within the virtual switch. The embodiments also provide the benefit of only having to maintain data structures for VLANs that are actually in use at each server.
The embodiments described herein operate in the context of a data communications network including multiple network elements. Some of the elements in the network may be network devices such as servers, switches, routers, appliances, and the like. The network device may be implemented on a general purpose network machine such as described below with respect to
Referring now to the drawings, and first to
The switches 12 are programmed to receive and transmit traffic for all VLANs that the servers 30A, 30B, 30C may use. The switches 12 may use VLAN trunk protocol (VTP), in which VLAN lists are maintained in an automated fashion throughout the switched network. As described below, the VLAN list at each server 30A, 30B, 30C is updated based on the virtual machines operating on the server.
Each server 30A, 30B, 30C includes a virtual switch (also referred to herein as a virtual Ethernet module (VEM)) 34, and one or more virtual machines (VM A, VM B, VM C, VM D, VM E) 36. In the example of
Each virtual machine 36 is associated with a virtual local area network (e.g., configured with a VLAN ID). The virtual machine 36 is configured to specify the virtual local area network that the virtual machine will use for network communications. As described in detail below, an allowed list of VLANs is created for each server based on the VLANs associated with the virtual machines active on that server.
The servers 30A, 30B, 30C are also in communication with a virtual supervisor module (VSM) 28. The VSM 28 may be located in a network device (e.g., physical appliance) in communication with the servers 30A, 30B, 30C and management station 32 via physical switches 12. The virtual supervisor module 28 may also be a virtual appliance (e.g., virtual machine) installed at one of the servers 30A, 30B, 30C or the VSM may be installed at one of the switches 12.
The virtual supervisor module 28 is configured to provide control/management plane functionality for the virtual machines 36 and control multiple virtual switches 34. The virtual switch 34 provides switching capability at the server 30A, 30B, 30C and operates as a data plane associated with the control plane of the VSM 28. In one embodiment, the virtual supervisor module 28 and virtual Ethernet module 34 operate together to form a distributed virtual switch (e.g., NEXUS 1000V series switch, available from Cisco Systems, Inc. of San Jose, Calif.).
The virtual switch 34 switches traffic between the virtual machines 36 and a physical network interface card (NIC) at each server 30A, 30B, 30C. The server 30A, 30B, 30C includes an Ethernet port for each physical network interface card. The Ethernet ports may be aggregated in a port channel. The virtual switches 34 are in communication with the network via the physical Ethernet interfaces.
The physical interfaces at the servers 30A, 30B, 30C are connected to the switches 12 or other network devices via a trunk that allows multiple VLANs to share the connection between the physical network adapters at the servers and the physical network. The trunk may refer to a network link or aggregated links. The physical network adapter at each server supports multiple VLANs.
As described in detail below, the virtual switch (e.g., virtual Ethernet module 34, virtual supervisor module 28, or a combination of the VEM and VSM) creates an allowed list of VLANs at the server 30A, 30B, 30C, based on the virtual machines 36 active at the server, and programs a physical network adapter (e.g., network interface card) at the server so that only packets from an allowed VLAN are received and processed at the virtual switch 34. All other VLAN traffic is dropped at the network interface card.
It is to be understood that the network shown in
An example of a network device 40 that may be used to implement embodiments described herein is shown in
The network device 40 includes one or more processors 42, memory 44, and one or more network interfaces 46. Memory 44 may be a volatile memory or non-volatile storage, which stores various applications, modules, and data for execution and use by the processor 42. An allowed VLAN list 48 may be stored in memory 44.
Logic may be encoded in one or more tangible media for execution by the processor 42. For example, the processor 42 may execute codes stored in a computer-readable medium such as memory 44. The computer-readable medium may be, for example, electronic (e.g., RAM (random access memory), ROM (read-only memory), EPROM (erasable programmable read-only memory)), magnetic, optical (e.g., CD (compact disc), DVD (digital video disc)), electromagnetic, semiconductor technology, or any other suitable medium.
The network interface 46 may comprise one or more interfaces (e.g., cards, adapters, ports) for receiving data, transmitting data to other network devices, and forwarding received data to internal components (e.g., virtual switch 34).
It is to be understood that the network device 40 shown in
In the example shown in
The allowed list of VLANs 48 at each server is updated based upon the virtual local area networks that are used at the server according to the virtual machines currently operating on the server. If a new virtual local area network is needed due to Vmotion of a virtual machine 36 or other configuration change, the allowed list of VLANs is updated to accept the new virtual local area network. For example, as virtual machines 36 are started or migrated onto a server, VLANs that are associated with the virtual machines and not already on the list, are added to the allowed VLAN list 48. As virtual machines 36 are stopped or migrated off a server, any VLANs that are unique to the virtual machines are removed from the allowed list. In the example shown in
VLAN list at server 30A.
The virtual local area networks may be identified in the list 48 using any identifier (e.g., name, number, label, tag, etc.). Frames may be tagged with VLAN information (e.g., tag header on Ethernet frame) or a field in the frame may identify the VLAN (e.g., internal tag field or encapsulated header). The VLAN information in a packet is used to determine if the packet was received from a virtual local area network in the allowed VLAN list 48.
In one embodiment, port profiles may be used so that the allowed VLAN settings on a trunk can be administered as a policy for the servers. The port profiles define a common set of configuration policies (attributes) for multiple interfaces. The port profiles can be applied to any number of ports and can inherit policies from other port profiles. The port profiles are associated with port configuration policies defined by the network administrator and applied automatically to a large number of ports as they come online in a virtual environment. The port profiles are ‘live’; thus, editing an enabled port profile causes configuration changes to propagate to all interfaces using that port profile. A specification of the allowed VLANs on a trunk may be associated with an ‘inherited’ setting, which is processed so that the allowed list of VLANs is based upon the current list of running virtual machines and hypervisor access ports at the server.
Steps 68-74 illustrate how traffic is processed at the network adapter (e.g., network interface card) at the network device. Traffic is received at the network device at step 68. If the traffic is from an allowed VLAN, it is forwarded to the virtual switch 34 at the network device (steps 70 and 72). If the traffic is from a VLAN that is not included in the allowed list, the traffic is dropped at the network device, before reaching the virtual switch 34 (steps 70 and 74).
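The following is an added worked example, not code from the patent or from any Cisco product. It models the two halves of the procedure just described: an allowed VLAN list (element 48) that is recomputed as virtual machines start, stop and migrate, with VLANs that are unique to a departing virtual machine removed and VLANs used by hypervisor access ports pinned; and the network adapter check of steps 68-74, which reads the 802.1Q tag of each Ethernet frame and forwards it to the virtual switch only if its VLAN is on the list. The server names 30A and 30B and the virtual machine names come from the text; the VLAN numbers, the VM-to-VLAN assignments, the native-VLAN handling for untagged frames and the sample frames are constructed assumptions for the demonstration.

```python
"""Added example (not the patent's own code): allowed-VLAN list that follows
the running VMs on a server, plus a NIC-side 802.1Q filter that drops frames
from VLANs not on the list before they reach the virtual switch."""
import struct
from collections import Counter

TPID_8021Q = 0x8100        # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800
VID_RESERVED = 4095        # reserved by 802.1Q, never a usable VLAN


class AllowedVlanList:
    """Allowed list of VLANs at one server (element 48 in the text).

    A VLAN stays allowed while at least one running VM uses it, so VLANs are
    reference counted; hypervisor access-port VLANs (e.g. management) are
    pinned and are never removed by VM churn (constructed assumption).
    """

    def __init__(self, name, hypervisor_vlans=()):
        self.name = name
        self._pinned = frozenset(hypervisor_vlans)
        self._refs = Counter()      # vlan id -> number of running VMs using it
        self._vm_vlan = {}          # vm name -> vlan id

    def vm_started(self, vm, vlan):
        if vm in self._vm_vlan:
            raise ValueError(f"{vm} already running on {self.name}")
        self._vm_vlan[vm] = vlan
        self._refs[vlan] += 1       # adds the VLAN if new, else bumps the count

    def vm_stopped(self, vm):
        vlan = self._vm_vlan.pop(vm)
        self._refs[vlan] -= 1
        if self._refs[vlan] == 0:   # VLAN was unique to this VM: remove it
            del self._refs[vlan]
        return vlan

    def allowed(self):
        return self._pinned | frozenset(self._refs)


def migrate(vm, src, dst):
    """VM migration: the VLAN leaves src's list (if unique there) and joins dst's."""
    dst.vm_started(vm, src.vm_stopped(vm))


def vlan_of_frame(frame):
    """Return the VID of an 802.1Q-tagged Ethernet frame, or None if the frame
    is untagged or too short to carry a tag."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)   # after dst(6) + src(6)
    if ethertype != TPID_8021Q or len(frame) < 18:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF             # low 12 bits of the TCI are the VLAN ID


def nic_filter(frame, allowed, native_vlan=None):
    """Steps 68-74: forward frames from an allowed VLAN to the virtual switch,
    drop everything else at the adapter."""
    vid = vlan_of_frame(frame)
    if vid is None or vid == 0:     # untagged or priority-tagged: native VLAN, if any
        vid = native_vlan
    if vid is None or vid == VID_RESERVED or vid not in allowed:
        return "drop"
    return "forward"


def build_frame(vid=None, payload=b"\x00" * 46):
    """Constructed test frame: broadcast dst, locally administered src MAC."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def demo():
    """Walk the start / migrate / stop sequence from the text with constructed VLANs."""
    s30a = AllowedVlanList("30A", hypervisor_vlans={100})
    s30b = AllowedVlanList("30B", hypervisor_vlans={100})
    s30a.vm_started("VM A", 10)
    s30a.vm_started("VM B", 20)
    s30b.vm_started("VM C", 10)
    after_start = (s30a.allowed(), s30b.allowed())
    migrate("VM A", s30a, s30b)         # VLAN 10 unique to VM A on 30A -> removed there
    after_migrate = (s30a.allowed(), s30b.allowed())
    s30b.vm_stopped("VM C")             # VM A still uses VLAN 10 on 30B -> kept
    after_stop = s30b.allowed()
    frames = (build_frame(20), build_frame(10), build_frame(), build_frame(0))
    verdicts = tuple(nic_filter(f, s30a.allowed()) for f in frames)
    return after_start, after_migrate, after_stop, verdicts


if __name__ == "__main__":
    print(demo())
```

In `demo()`, after VM A migrates off server 30A, VLAN 10 is removed from 30A's list because no other virtual machine there uses it, so a VLAN 10 frame arriving at 30A's adapter is now dropped before the virtual switch sees it; on server 30B, stopping VM C leaves VLAN 10 allowed because VM A still uses it. The reference count is what makes the "unique to the virtual machines" rule in the text cheap to evaluate on every VM event.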
It is to be understood that the process shown in
Although the method and apparatus have been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made to the embodiments without departing from the scope of the embodiments. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.