USRE49033E · Active · Utility Patent · PatentIndex 59

Enabling virtual workloads using overlay technologies to interoperate with physical network services

Assignee: CISCO TECH INC
Priority: Dec 13, 2012
Filed: Jan 17, 2020
Granted: Apr 12, 2022
Est. expiry: Dec 13, 2032 (~6.4 yrs left) · nominal 20-yr term from priority
Inventors: RAJENDRAN SARAVANKUMAR; SANZGIRI AJIT
Classifications: H04L 12/4675; H04L 41/0894; H04L 41/0895; H04L 41/0806; H04L 12/28; H04L 12/4641; H04L 41/5041; H04L 49/70; H04L 45/64; H04L 41/0823; H04L 41/0893; H04L 12/66

PatentIndex Score: 59
Cited by: 0
References: 23
Claims: 47

Abstract

A solution is provided to enable cloud service provider customers/users to offer physical network services to virtualized workloads that use overlay technologies, such as a Virtual Extensible Local Area Network (VXLAN). For a virtual workload that uses an overlay technology, an identifier is received of a logical network to which the virtual workload connects and a policy for the logical network. Based on the identifier of the logical network and the policy, a gateway is configured to connect traffic for the virtual workload on the logical network to a particular virtual local area network (VLAN) interface of the physical network service equipment on which the policy is configured.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
  receiving an identifier of a logical network to which a virtual workload connects and a policy for the logical network, wherein the virtual workload is associated with an overlay technology; and
  configuring, based on the identifier of the logical network and the policy, a gateway to connect traffic for the virtual workload on the logical network to a particular virtual local area network (VLAN) interface of physical network service equipment on which the policy is configured, wherein the physical network service equipment is provisioned with a service context for each of a plurality of tenants.

2. The method of claim 1, wherein receiving comprises receiving an identifier for a Virtual Extensible Local Area Network (VXLAN) segment associated with the virtual workload, and wherein configuring comprises configuring a VXLAN/VLAN gateway to connect traffic for the VXLAN segment to the particular VLAN.

3. The method of claim 2, wherein the physical network service equipment is preconfigured with one or more policies, each with a corresponding context and VLAN identifier, and further comprising:
  publishing information pertaining to the policies preconfigured on the physical network service equipment and corresponding VLAN identifiers to a cloud management platform;
  configuring a pool of VXLAN-based networks for each tenant in the cloud management platform; and
  selecting a policy when a network is allocated from a particular tenant's pool of networks and generating information comprising a VXLAN segment identifier and a policy identifier;
  wherein configuring the gateway is based on the VXLAN segment identifier and the policy identifier.

4. The method of claim 2, further comprising:
  creating a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configuring a pool of VXLAN-based networks for each tenant in the cloud management platform;
  generating information comprising a policy, VXLAN segment identifier and tenant identifier based on the pool of VXLAN-based networks configured;
  allocating a VLAN for a newly instantiated tenant network and creating a VLAN interface on the physical network service equipment;
  configuring the policy obtained from the cloud management platform on the VLAN interface in the physical network service equipment within a tenant context based on the tenant identifier; and
  wherein configuring the gateway comprises configuring a VXLAN/VLAN gateway to connect the VXLAN-based tenant network to the VLAN interface on the physical network service equipment based on the VXLAN segment identifier.

5. The method of claim 1, further comprising:
  provisioning the physical network service equipment with the service context for each tenant; and
  configuring the physical network service equipment with multiple policies, each policy within a service context for a particular tenant and having a policy identifier, and one VLAN being associated with each policy.

6. The method of claim 5, further comprising, through a cloud management platform, defining a policy for each logical network to which virtual machines within a service context connect.

7. The method of claim 6, wherein configuring the gateway is based on a logical network identifier, tenant identifier and policy information received from the cloud management platform.

8. One or more non-transitory computer readable storage media encoded with computer executable instructions that, when executed by a processor, cause the processor to:
  receive an identifier of a logical network to which a virtual workload connects and a policy for the logical network, wherein the virtual workload is associated with an overlay technology; and
  configure, based on the identifier of the logical network and the policy, a gateway to connect traffic for the virtual workload on the logical network to a particular virtual local area network (VLAN) interface of physical network service equipment on which the policy is configured, wherein the physical network service equipment is provisioned with a service context for each of a plurality of tenants.

9. The non-transitory computer readable storage media of claim 8, wherein the instructions that cause the processor to receive an identifier of a logical network comprise instructions that cause the processor to receive an identifier for a Virtual Extensible Local Area Network (VXLAN) segment associated with the virtual workload, and wherein configuring comprises configuring a VXLAN/VLAN gateway to connect traffic for the VXLAN segment to the particular VLAN.

10. The non-transitory computer readable storage media of claim 9, wherein the physical network service equipment is preconfigured with one or more policies, each with a corresponding context and VLAN identifier, and further comprising instructions that cause the processor to:
  publish information pertaining to the policies preconfigured on the physical network service equipment and corresponding VLAN identifiers to a cloud management platform;
  configure a pool of VXLAN-based networks for each tenant in the cloud management platform; and
  select a policy when a network is allocated from a particular tenant's pool of networks and generating information comprising a VXLAN segment identifier and a policy identifier;
  wherein the instructions that cause the processor to configure comprise instructions that cause the processor to configure the gateway based on the VXLAN segment identifier and the policy identifier.

11. The non-transitory computer readable storage media of claim 9, further comprising instructions that cause the processor to:
  create a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configure a pool of VXLAN-based networks for each tenant in the cloud management platform;
  generate information comprising a policy, VXLAN segment identifier and tenant identifier based on the pool of VXLAN-based networks configured;
  allocate a VLAN for a newly instantiated tenant network and creating a VLAN interface on the physical network service equipment; and
  configure the policy obtained from the cloud management platform on the VLAN interface in the physical network service equipment within a tenant context based on the tenant identifier; and
  wherein the instructions operable to configure the gateway comprises instructions operable to configure a VXLAN/VLAN gateway to connect the VXLAN-based tenant network to the VLAN interface on the physical network service equipment based on the VXLAN segment identifier.

12. The non-transitory computer readable storage media of claim 8, further comprising instructions that cause the processor to:
  provision the physical network service equipment with the service context for each tenant; and
  configure the physical network service equipment with multiple policies, each policy within a service context for a particular tenant and having a policy identifier, and one VLAN being associated with each policy.

13. The non-transitory computer readable storage media of claim 12, further comprising instructions that cause the processor to define a policy for each logical network to which virtual machines within a service context connect.

14. The non-transitory computer readable storage media of claim 13, wherein the instructions that cause the processor to configure the gateway comprise instructions that cause the processor to configure the gateway based on a logical network identifier, tenant identifier and policy information received from the cloud management platform.

15. An apparatus comprising:
  a network interface unit configured to enable network communications; and
  a memory;
  a processor coupled to the network interface unit and the memory, wherein the processor is configured to:
    process a received identifier of a logical network to which a virtual workload connects and a policy for the logical network, wherein the virtual workload is associated with an overlay technology; and
    configure, based on the identifier of the logical network and the policy, a gateway to connect traffic for the virtual workload on the logical network to a particular virtual local area network (VLAN) interface of physical network service equipment on which the policy is configured, wherein the physical network service equipment is provisioned with a service context for each of a plurality of tenants.

16. The apparatus of claim 15, wherein the processor is configured to receive an identifier for a Virtual Extensible Local Area Network (VXLAN) segment associated with the virtual workload, and to configuring a VXLAN/VLAN gateway to connect traffic for the VXLAN segment to the particular VLAN.

17. The apparatus of claim 16, wherein the physical network service equipment is preconfigured with one or more policies, each with a corresponding context and VLAN identifier, and wherein the processor is further configured to:
  publish information pertaining to the policies preconfigured on the physical network service equipment and corresponding VLAN identifiers to a cloud management platform;
  configure a pool of VXLAN-based networks for each tenant in the cloud management platform;
  select a policy when a network is allocated from a particular tenant's pool of networks and generating information comprising a VXLAN segment identifier and a policy identifier; and
  configure the gateway based on the VXLAN segment identifier and the policy identifier.

18. The apparatus of claim 16, wherein the processor is further configured to:
  create a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configure a pool of VXLAN-based networks for each tenant in the cloud management platform;
  generate information comprising a policy, VXLAN segment identifier and tenant identifier based on the pool of VXLAN-based networks configured;
  allocate a VLAN for a newly instantiated tenant network and creating a VLAN interface on the physical network service equipment;
  configure the policy obtained from the cloud management platform on the VLAN interface in the physical network service equipment within a tenant context based on the tenant identifier; and
  configure a VXLAN/VLAN gateway to connect the VXLAN-based tenant network to the VLAN interface on the physical network service equipment based on the VXLAN segment identifier.

19. The apparatus of claim 16, wherein the processor is further configured to:
  provision the physical network service equipment with the service context for each tenant; and
  configure the physical network service equipment with multiple policies, each policy within a service context for a particular tenant and having a policy identifier, and one VLAN being associated with each policy.

20. The apparatus of claim 19, wherein the processor is further configured to define a policy for each logical network to which virtual machines within a service context connect, and to configure the gateway based on a logical network identifier, tenant identifier and policy information received from the cloud management platform.

21. The method of claim 1, wherein receiving an identifier of a logical network includes receiving an overlay segment identifier;
  wherein the gateway is a logical network to virtual network gateway and configuring includes configuring the gateway to connect traffic for the identified overlay segment of the logical network to a particular VLAN, identified by a VLAN identifier; and
  using the gateway to connect traffic between the logical network and a physical network connected to the physical network service equipment in accord with the policy, wherein the traffic in the logical network is isolated in part using the overlay segment identifier, and the traffic in the physical network is isolated in part using the VLAN identifier.

22. The method of claim 21, wherein the policy is applied to the physical network service equipment, and wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch.

23. The method of claim 22, wherein the policy applied for a first tenant in the plurality of tenants differs from the policy applied for a second tenant in the plurality of tenants.

24. The method of claim 22, wherein a single VLAN is associated with a tenant.

25. The method of claim 22, wherein multiple VLANs are associated with a tenant.

26. The method of claim 22, wherein multiple virtual network segments are associated with a tenant.

27. The method of claim 21, further comprising:
  creating a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configuring at least one overlay-based virtual network for the tenant in the cloud management platform;
  generating the policy as a generated policy to be applied to the physical network service equipment, wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch;
  creating a VLAN interface on the physical network service equipment;
  connecting the VLAN interface to the overlay-based virtual network identified by the overlay segment identifier; and
  configuring the physical network service equipment to act according to the generated policy when connecting traffic between the virtual and the physical network.

28. The method of claim 21, further comprising:
  provisioning the physical network service equipment with the service context for each tenant; and
  configuring the physical network service equipment with multiple policies, each policy within a service context for a particular tenant.

29. The method of claim 28, further comprising, through a cloud management platform, defining a policy for each logical network to which virtual machines within a service context connect.

30. The non-transitory computer readable storage media of claim 8, wherein the instructions that cause the processor to receive an identifier of a logical network include instructions that cause the processor to receive an overlay segment identifier;
  wherein the gateway is a logical network to virtual network gateway and the instructions that cause the processor to configure include instructions that cause the processor to configure the gateway to connect traffic for the identified overlay segment of the logical network to a particular VLAN, identified by a VLAN identifier; and
  wherein the instructions are configured to cause the processor to use the gateway to connect traffic between the logical network and a physical network connected to the physical network service equipment in accord with the policy, wherein the traffic in the logical network is isolated in part using the overlay segment identifier, and the traffic in the physical network is isolated in part using the VLAN identifier.

31. The non-transitory computer readable storage media of claim 30, wherein the policy is applied to the physical network service equipment, and wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch.

32. The non-transitory computer readable storage media of claim 31, wherein the policy applied for a first tenant in the plurality of tenants differs from the policy applied for a second tenant in the plurality of tenants.

33. The non-transitory computer readable storage media of claim 31, wherein a single VLAN is associated with a tenant.

34. The non-transitory computer readable storage media of claim 31, wherein multiple VLANs are associated with a tenant.

35. The non-transitory computer readable storage media of claim 31, wherein multiple virtual network segments are associated with a tenant.

36. The non-transitory computer readable storage media of claim 30, wherein the instructions further cause the processor to:
  create a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configure at least one overlay-based virtual network for the tenant in the cloud management platform;
  generating the policy as a generated policy to be applied to the physical network service equipment, wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch;
  create a VLAN interface on the physical network service equipment;
  connect the VLAN interface to the overlay-based virtual network identified by the overlay segment identifier; and
  configure the physical network service equipment to act according to the generated policy when connecting traffic between the virtual and the physical network.

37. The non-transitory computer readable storage media of claim 30, wherein the instructions further cause the processor to:
  provision the physical network service equipment with the service context for each tenant; and
  configure the physical network service equipment with multiple policies, each policy within a service context for a particular tenant.

38. The non-transitory computer readable storage media of claim 37, wherein the instructions further cause the processor to, through a cloud management platform, define a policy for each logical network to which virtual machines within a service context connect.

39. An apparatus comprising:
  a network interface unit configured to enable network communications; and
  a memory;
  a processor coupled to the network interface unit and the memory, wherein the processor is configured to:
    process a received identifier of a logical network to which a virtual workload connects and a policy for the logical network, wherein the virtual workload is associated with an overlay technology; and
    configure, based on the identifier of the logical network and the policy, a gateway to connect traffic for the virtual workload on the logical network to a particular virtual local area network (VLAN) interface of physical network service equipment on which the policy is configured, wherein the physical network service equipment is provisioned with a service context for each of a plurality of tenants,
  wherein the gateway is a logical network to virtual network gateway, and the apparatus is configured to:
    receive an overlay segment identifier;
    configure the gateway to connect traffic for the identified overlay segment of the logical network to a particular VLAN, identified by a VLAN identifier; and
    use the gateway to connect traffic between the logical network and a physical network connected to the physical network service equipment in accord with the policy, wherein the traffic in the logical network is isolated in part using the overlay segment identifier, and the traffic in the physical network is isolated in part using the VLAN identifier.

40. The apparatus of claim 39, wherein the policy is applied to the physical network service equipment, and wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch.

41. The apparatus of claim 40, wherein the policy applied for a first tenant in the plurality of tenants differs from the policy applied for a second tenant in the plurality of tenants.

42. The apparatus of claim 40, wherein a single VLAN is associated with a tenant.

43. The apparatus of claim 40, wherein multiple VLANs are associated with a tenant.

44. The apparatus of claim 40, wherein multiple virtual network segments are associated with a tenant.

45. The apparatus of claim 39, wherein the processor is further configured to:
  create a tenant context on the physical network service equipment when a tenant is provisioned in a cloud management platform;
  configure at least one overlay-based virtual network for the tenant in the cloud management platform;
  generate the policy as a generated policy to be applied to the physical network service equipment, wherein the physical network service equipment includes at least one of firewall equipment, load balancer equipment, or a switch;
  create a VLAN interface on the physical network service equipment;
  connect the VLAN interface to the overlay-based virtual network identified by the overlay segment identifier; and
  configure the physical network service equipment to act according to the generated policy when connecting traffic between the virtual and the physical network.

46. The apparatus of claim 39, wherein the processor is further configured to:
  provision the physical network service equipment with the service context for each tenant; and
  configure the physical network service equipment with multiple policies, each policy within a service context for a particular tenant.

47. The apparatus of claim 46, wherein the processor is configured to, through a cloud management platform, define a policy for each logical network to which virtual machines within a service context connect.
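As an added illustration (not the patent's or Cisco's code), the following Python sketches the provisioning flow of claims 4 and 21: per-tenant service contexts on the service equipment, tenant pools of VXLAN segments, allocation of a VLAN interface with the policy bound inside the tenant's context, and the VXLAN/VLAN gateway table, plus an audit that flags any mapping which connects one tenant's overlay segment to a VLAN interface owned by another tenant. Class names, method names and the sample tenants and policy identifiers are constructed assumptions; only the VNI and VLAN ID ranges are protocol facts.

```python
from dataclasses import dataclass, field

# Constructed model, not the patent's code. Only the ranges are protocol facts:
# the VXLAN Network Identifier (VNI) is a 24-bit field; 802.1Q VLAN IDs 1-4094 are usable.
VNI_MAX = (1 << 24) - 1
VLAN_MIN, VLAN_MAX = 1, 4094


@dataclass
class ServiceEquipment:
    """Physical network service equipment holding one service context per tenant.

    contexts: tenant_id -> {vlan_id: policy_id}; vlan_owner: vlan_id -> tenant_id.
    """
    contexts: dict = field(default_factory=dict)
    vlan_owner: dict = field(default_factory=dict)

    def create_tenant_context(self, tenant_id):
        self.contexts.setdefault(tenant_id, {})

    def configure_policy_on_vlan(self, tenant_id, vlan_id, policy_id):
        """Create a VLAN interface inside the tenant's context and bind the policy to it."""
        if tenant_id not in self.contexts:
            raise ValueError(f"no service context for tenant {tenant_id!r}")
        if not VLAN_MIN <= vlan_id <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan_id} outside {VLAN_MIN}-{VLAN_MAX}")
        owner = self.vlan_owner.get(vlan_id)
        if owner is not None and owner != tenant_id:
            # A VLAN interface lives in exactly one context; sharing it would merge
            # two tenants' traffic on the physical side of the gateway.
            raise ValueError(f"VLAN {vlan_id} already belongs to tenant {owner!r}")
        self.vlan_owner[vlan_id] = tenant_id
        self.contexts[tenant_id][vlan_id] = policy_id


class Controller:
    """Cloud-management-side logic: tenant VNI pools, VLAN allocation, gateway mapping."""

    def __init__(self, equipment):
        self.equipment = equipment
        self.gateway = {}         # VXLAN/VLAN gateway table: vni -> vlan_id
        self.pools = {}           # tenant_id -> list of not-yet-allocated VNIs
        self.segment_owner = {}   # vni -> tenant_id, recorded at allocation time
        self.free_vlans = list(range(VLAN_MIN, VLAN_MAX + 1))

    def provision_tenant(self, tenant_id, vni_pool):
        """Create the tenant's service context and its pool of VXLAN-based networks."""
        for vni in vni_pool:
            if not 0 <= vni <= VNI_MAX:
                raise ValueError(f"VNI {vni} is not a valid 24-bit identifier")
            if vni in self.segment_owner or any(vni in p for p in self.pools.values()):
                raise ValueError(f"VNI {vni} already belongs to another tenant")
        self.equipment.create_tenant_context(tenant_id)
        self.pools[tenant_id] = list(vni_pool)

    def allocate_network(self, tenant_id, policy_id):
        """Take a VNI from the tenant's pool and a free VLAN, bind the policy to the
        VLAN interface inside the tenant context, then program the gateway."""
        vni = self.pools[tenant_id].pop(0)
        vlan_id = self.free_vlans.pop(0)
        self.equipment.configure_policy_on_vlan(tenant_id, vlan_id, policy_id)
        self.segment_owner[vni] = tenant_id
        self.gateway[vni] = vlan_id
        return vni, vlan_id

    def audit(self):
        """Return (vni, vlan_id) pairs whose VLAN interface is not owned by the tenant
        that owns the overlay segment, i.e. a cross-tenant path through the gateway."""
        return sorted(
            (vni, vlan_id)
            for vni, vlan_id in self.gateway.items()
            if self.segment_owner.get(vni) != self.equipment.vlan_owner.get(vlan_id)
        )
```

Running `audit()` after every gateway change (or on a schedule against the live gateway table) is the check a defender would want here, since the isolation in claim 21 rests entirely on the VNI-to-VLAN mapping staying within one tenant's context.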
