-
公开(公告)号:US09825814B2
公开(公告)日:2017-11-21
申请号:US14809971
申请日:2015-07-27
发明人: Joji Thomas Mekkattuparamban , Vijay Chander , Saurabh Jain , Van Lieu , Badhri Madabusi Vijayaraghavan , Praveen Jain , Munish Mehta , Michael R. Smith , Narender Enduri
CPC分类号: H04L41/0893 , H04L41/0886 , H04L61/15 , H04L61/6022 , H04L63/101 , H04L63/104
摘要: Systems, methods, and computer-readable storage media are provided for dynamically setting an end point group for an end point. An endpoint can be assigned a default end point group when added to a network. For example, the default end point group can be a baseline port/security group which is considered an untrusted group. The end point can then be dynamically assigned an end point group based on a set of group selection rules. For example, the group selection rules can identify an end point group based on the MAC address or other attributes. When the end point is added to the network, the MAC address and/or other attributes of the end point can be determined and used to assign an end point group. As another example, an end point group can be assigned based on the amount of traffic or guest operation system.
-
公开(公告)号:US10581744B2
公开(公告)日:2020-03-03
申请号:US15367317
申请日:2016-12-02
发明人: Munish Mehta , Saurabh Jain , Praveen Jain , Ronak K. Desai , Yibin Yang
IPC分类号: H04L12/815 , H04L12/24 , H04L12/761 , H04L12/931 , H04L12/715 , H04L12/717 , H04L12/753
摘要: Presented herein are traffic pruning techniques that define the pruning at the group level. A software defined network (SDN) controller determines first and second endpoint groups (EPGs) of an SDN associated with the SDN controller. The SDN runs on a plurality of networking devices that interconnect a plurality of endpoints that are each attached to one or more host devices. The SDN controller determines a host-EPG mapping for the SDN, as well as a networking device-host mapping for the SDN. The SDN controller then uses the host-EPG mapping, the networking device-host mapping, and one or more group-based policies associated with traffic sent from the first EPG to the second EPG to compute hardware pruning policies defining how to prune multi-destination traffic sent from the first EPG to the second EPG. The hardware pruning policies are then installed in one or more of the networking devices or the host devices.
-
公开(公告)号:US20180159781A1
公开(公告)日:2018-06-07
申请号:US15367317
申请日:2016-12-02
发明人: Munish Mehta , Saurabh Jain , Praveen Jain , Ronak K. Desai , Yibin Yang
IPC分类号: H04L12/815 , H04L12/24 , H04L12/761 , H04L12/931
摘要: Presented herein are traffic pruning techniques that define the pruning at the group level. A software defined network (SDN) controller determines first and second endpoint groups (EPGs) of an SDN associated with the SDN controller. The SDN runs on a plurality of networking devices that interconnect a plurality of endpoints that are each attached to one or more host devices. The SDN controller determines a host-EPG mapping for the SDN, as well as a networking device-host mapping for the SDN. The SDN controller then uses the host-EPG mapping, the networking device-host mapping, and one or more group-based policies associated with traffic sent from the first EPG to the second EPG to compute hardware pruning policies defining how to prune multi-destination traffic sent from the first EPG to the second EPG. The hardware pruning policies are then installed in one or more of the networking devices or the host devices.
-
4.发明申请公开(公告)号:US20180139150A1
公开(公告)日:2018-05-17
申请号:US15353093
申请日:2016-11-16
发明人: Saurabh Jain , Vijay K. Chander , Vijayan Ramakrishnan , Ronak K. Desai , Praveen Jain , Munish Mehta , Yibin Yang
IPC分类号: H04L12/919 , H04L12/24 , H04L12/26
CPC分类号: H04L47/765 , H04L41/0823 , H04L41/0896 , H04L41/12
摘要: The techniques presented herein use dynamic endpoint group (EPG) binding changes to facilitate cross-tenant resource sharing. A first node of a multi-tenant software defined network determines that an application on a first endpoint has initiated operation and needs temporary access to resources located at a second endpoint. The first and second endpoints are associated with first and second tenants, respectively, that are logically segregated from one another by the software defined network. The first node dynamically changes an initial EPG binding associated with the first endpoint to a second EPG binding that enables the first endpoint to temporarily directly access the resources at the second endpoint. The first node subsequently determines that the application on the first endpoint no longer needs access to the resources located at a second endpoint and, as such, changes the second EPG binding associated with the first endpoint back to the initial EPG binding.
-
公开(公告)号:US20210266255A1
公开(公告)日:2021-08-26
申请号:US16799476
申请日:2020-02-24
发明人: Sivakumar Ganapathy , Saurabh Jain , Neelesh Kumar , Prashanth Matety , Hari Hara Prasad Muthulingam , Suresh Pasupula
IPC分类号: H04L12/741 , H04L29/08 , H04L12/46
摘要: Techniques for maintaining virtual routing and forwarding (VRF) segregation for network paths through multi-cloud fabrics that utilize shared services, e.g., application load balancers. The router of a first network of a multi-cloud fabric receives a first data packet from a source end-point group within the first network and forwards the first data packet to a service end-point group. The service end-point group may forward the first data packet to a destination end-point group of a second network of the multi-cloud fabric. The service end-point group may receive a second data packet from the destination end-point group and forward the second data packet to the router. Based on one of (i) an identity of the service end-point group or (ii) an address of the source end-point group, a VRF may be identified and the second data packet may be forwarded by the router to the source end-point group using the VRF.
-
公开(公告)号:US10891147B1
公开(公告)日:2021-01-12
申请号:US15376365
申请日:2016-12-12
发明人: Vijayan Ramakrishnan , Saurabh Jain , Vijay Chander , Ronak K. Desai , Praveen Jain , Munish Mehta , Yibin Yang
IPC分类号: G06F9/455
摘要: Aspects of the embodiments are directed to forming a virtual machine management (VMM) domain in a heterogeneous datacenter. Aspects can include mapping an endpoint group to multiple VMM domains, each VMM domain associated with one or more virtual machine management systems of a single type that each share one or more management system characteristics; instantiating a virtual switch instance, the virtual switch instance associated with a the VMM domain; and instantiating the endpoint group mapped to the VMM domain as a network component associated with the virtual switch instance.
-
7.发明授权公开(公告)号:US10469402B2
公开(公告)日:2019-11-05
申请号:US15353093
申请日:2016-11-16
发明人: Saurabh Jain , Vijay K. Chander , Vijayan Ramakrishnan , Ronak K. Desai , Praveen Jain , Munish Mehta , Yibin Yang
IPC分类号: G06F15/167 , H04L12/919 , H04L12/24
摘要: The techniques presented herein use dynamic endpoint group (EPG) binding changes to facilitate cross-tenant resource sharing. A first node of a multi-tenant software defined network determines that an application on a first endpoint has initiated operation and needs temporary access to resources located at a second endpoint. The first and second endpoints are associated with first and second tenants, respectively, that are logically segregated from one another by the software defined network. The first node dynamically changes an initial EPG binding associated with the first endpoint to a second EPG binding that enables the first endpoint to temporarily directly access the resources at the second endpoint. The first node subsequently determines that the application on the first endpoint no longer needs access to the resources located at a second endpoint and, as such, changes the second EPG binding associated with the first endpoint back to the initial EPG binding.
-
公开(公告)号:US20170339188A1
公开(公告)日:2017-11-23
申请号:US15159379
申请日:2016-05-19
发明人: Praveen Jain , Munish Mehta , Saurabh Jain , Yibin Yang
IPC分类号: H04L29/06
CPC分类号: H04L63/20 , G06F9/455 , H04L45/586 , H04L49/70 , H04L63/0428
摘要: Microsegmentation in a heterogeneous software-defined network can be performed by classifying endpoints associated with a first virtualized environment into respective endpoint groups based on respective attributes, and classifying endpoints associated with a second virtualized environment into respective security groups based on respective attributes. Each respective endpoint group can correspond to a respective security group having the same attribute. Each respective endpoint group and corresponding security group can be associated with a respective policy model defining rules for processing associated traffic. Each of the respective security groups can be used to generate a respective network attribute endpoint group, which can include the network addresses of those endpoints in the respective security group. Each respective network attribute endpoint group can inherit the policy model of the respective endpoint group corresponding to the respective security group. Traffic between the endpoints can then be processed based on the various classifications and associated rules.
-
公开(公告)号:US10171507B2
公开(公告)日:2019-01-01
申请号:US15159379
申请日:2016-05-19
发明人: Praveen Jain , Munish Mehta , Saurabh Jain , Yibin Yang
IPC分类号: G06F21/00 , H04L29/06 , H04L12/931 , G06F9/455 , H04L12/713
摘要: Microsegmentation in a heterogeneous software-defined network can be performed by classifying endpoints associated with a first virtualized environment into respective endpoint groups based on respective attributes, and classifying endpoints associated with a second virtualized environment into respective security groups based on respective attributes. Each respective endpoint group can correspond to a respective security group having the same attribute. Each respective endpoint group and corresponding security group can be associated with a respective policy model defining rules for processing associated traffic. Each of the respective security groups can be used to generate a respective network attribute endpoint group, which can include the network addresses of those endpoints in the respective security group. Each respective network attribute endpoint group can inherit the policy model of the respective endpoint group corresponding to the respective security group. Traffic between the endpoints can then be processed based on the various classifications and associated rules.
-
公开(公告)号:US20160352576A1
公开(公告)日:2016-12-01
申请号:US14809971
申请日:2015-07-27
发明人: Joji Thomas Mekkattuparamban , Vijay Chander , Saurabh Jain , Van Lieu , Badhri Madabusi Vijayaraghavan , Praveen Jain , Munish Mehta , Michael R. Smith , Narender Enduri
IPC分类号: H04L12/24
CPC分类号: H04L41/0893 , H04L41/0886 , H04L61/15 , H04L61/6022 , H04L63/101 , H04L63/104
摘要: Systems, methods, and computer-readable storage media are provided for dynamically setting an end point group for an end point. An endpoint can be assigned a default end point group when added to a network. For example, the default end point group can be a baseline port/security group which is considered an untrusted group. The end point can then be dynamically assigned an end point group based on a set of group selection rules. For example, the group selection rules can identify an end point group based on the MAC address or other attributes. When the end point is added to the network, the MAC address and/or other attributes of the end point can be determined and used to assign an end point group. As another example, an end point group can be assigned based on the amount of traffic or guest operation system.
摘要翻译: 提供了系统,方法和计算机可读存储介质,用于动态设置端点的端点组。 当添加到网络时,端点可以被分配一个默认端点组。 例如,默认端点组可以是被认为是不可信组的基准端口/安全组。 然后可以基于一组组选择规则动态地为端点组分配端点组。 例如,组选择规则可以基于MAC地址或其他属性来识别端点组。 当终点被添加到网络中时,可以确定端点的MAC地址和/或其他属性,并用于分配端点组。 作为另一示例,可以基于流量或客户操作系统的数量来分配端点组。
-
-
-
-
-
-
-
-
-
搜索结果
10 条记录 (耗时 0.014 秒)
