-
Publication (Announcement) No.: US20250039129A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18229645
Application Date: 2023-08-02
Applicant: VMware LLC
Inventor: Pierluigi Rolando, Peng Li, Boon S. Ang, Guolin Yang, Wenyi Jiang, Yuxiao Zhang, Raju Koganty, Subrahmanyam Manuguri, Kok Pyng Liew, Jin Heo, Srinath Suriyanarayanan Thillaisthanam
Abstract: Some embodiments provide a novel method for processing flows at an embedded hardware switch of a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC detects an end of a particular data message flow associated with a particular VM of the host computer. Processing of the particular data message flow was offloaded from the firewall to an embedded hardware switch of the PNIC. After detecting the end of the particular data message flow, the firewall ends offloading of the particular data message flow by deleting a first flow record stored at the embedded hardware switch for the particular data message flow. The firewall deletes a second flow record stored at the first firewall for the particular data message flow.
-
Publication (Announcement) No.: US20250039128A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18229633
Application Date: 2023-08-02
Applicant: VMware LLC
Inventor: Pierluigi Rolando, Peng Li, Boon S. Ang, Guolin Yang, Wenyi Jiang, Yuxiao Zhang, Raju Koganty, Subrahmanyam Manuguri, Kok Pyng Liew, Jin Heo, Srinath Suriyanarayanan Thillaisthanam
Abstract: Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.
-
Publication (Announcement) No.: US12088493B2
Publication (Announcement) Date: 2024-09-10
Application No.: US17179174
Application Date: 2021-02-18
Applicant: VMware LLC
Inventor: Rahul Mishra, Kantesh Mundaragi, Stephen Tan, Akhila Naveen, Pierluigi Rolando, Raju Koganty
Abstract: In an embodiment, a method for a VRF and multi-service insertion on edge gateways is described. In an embodiment, the method comprises obtaining a rule configuration. Based on, at least in part, the rule configuration, a rule table is created. The rule table comprises rule data records, wherein a rule data record comprises packet attributes and a redirection identifier. A policy configuration comprising policy records is obtained. Each policy record comprises a redirection identifier, a next_hop, and an address pair for interfaces. A mapping between VRF identifiers and address pairs is generated. Based on, at least in part, the mapping and the policy configuration, a policy table is generated. The policy table comprises table records, wherein a table record comprises a redirection identifier, a next_hop, and an address pair. The rule and policy tables are used to redirect a packet from an edge gateway to a service virtual machine.
-
Publication (Announcement) No.: US20250039140A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18229647
Application Date: 2023-08-02
Applicant: VMware LLC
Inventor: Pierluigi Rolando, Peng Li, Boon S. Ang, Guolin Yang, Wenyi Jiang, Yuxiao Zhang, Raju Koganty, Subrahmanyam Manuguri, Kok Pyng Liew, Jin Heo, Srinath Suriyanarayanan Thillaisthanam
IPC: H04L9/40
Abstract: Some embodiments provide a novel method for using connection tracking records to process data messages at a physical network interface card (PNIC) connected to a host computer. A first software firewall of the PNIC determines whether processing of a flow is passable to a second software firewall of the PNIC and to a third hardware firewall of the PNIC. The first software firewall creates a connection tracking record for the flow and data specifying whether processing of the flow is passable to the second software firewall and independently whether processing of the flow is passable to the third hardware firewall. The first software firewall provides the connection tracking record and said data to the second software firewall of the PNIC so that the second software firewall processes the flow or passes the connection tracking record and the data to the third hardware firewall if determination was that the flow is passable to the third hardware firewall.
-
Publication (Announcement) No.: US20250039139A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18229646
Application Date: 2023-08-02
Applicant: VMware LLC
Inventor: Pierluigi Rolando, Peng Li, Boon S. Ang, Guolin Yang, Wenyi Jiang, Yuxiao Zhang, Raju Koganty, Subrahmanyam Manuguri, Kok Pyng Liew, Jin Heo, Srinath Suriyanarayanan Thillaisthanam
IPC: H04L9/40
Abstract: Some embodiments provide a novel method for updating firewall rules for data message flows processed at a physical network interface card (PNIC) connected to a host computer. A firewall of the PNIC receives an update to a particular firewall rule. The firewall identifies a particular data message flow that is processed at an embedded hardware switch of the PNIC using the particular firewall rule. The firewall updates a flow record associated with the particular data message flow to reflect the received update to the particular firewall rule. The firewall provides the updated flow record to the embedded hardware switch for the embedded hardware switch to process the particular flow according to the received update.
-
Publication (Announcement) No.: US12170616B2
Publication (Announcement) Date: 2024-12-17
Application No.: US18103366
Application Date: 2023-01-30
Applicant: VMware LLC
Inventor: Rahul Jain, Kantesh Mundaragi, Pierluigi Rolando, Jayant Jain, Mukesh Hira
IPC: H04L45/745, G06F9/455, H04L12/46, H04L49/00, H04L49/354
Abstract: Example methods and systems are provided for a network device to perform tunnel-based service insertion in a public cloud environment. An example method may comprise establishing a tunnel between the network device and a service path. The method may also comprise: in response to receiving a first encapsulated packet, identifying the service path specified by a service insertion rule; generating and sending a second encapsulated packet over the tunnel to cause the service path to process an inner packet according to one or more services. The method may further comprise: in response to receiving, from the service path via the tunnel, a third encapsulated packet that includes the inner packet processed by the service path, sending the inner packet processed by the service path, or a fourth encapsulated packet, towards a destination address of the inner packet.
-
Publication (Announcement) No.: US12231252B2
Publication (Announcement) Date: 2025-02-18
Application No.: US17528094
Application Date: 2021-11-16
Applicant: VMware LLC
Inventor: Rahul Mishra, Pierluigi Rolando, Stephen Tan, Raju Koganty
IPC: H04L12/18, H04L12/46, H04L45/16, H04L61/2596, H04L101/622
Abstract: Some embodiments of the invention provide novel methods for providing transparent services for multicast data messages traversing a network edge device operating at a boundary between two networks. The method analyzes data messages received at the network edge device to determine whether they require a service provided at the boundary and whether they are unicast or multicast (including broadcast). The method modifies a multicast destination media access control (MAC) address of a multicast data message requiring a service to be a unicast destination MAC address and provides, without processing by a standard routing function, the modified data message directly to an interface associated with a service node that provides the particular service required by the data message. The method receives the serviced data message, restores the multicast destination MAC address, and forwards the serviced data message to a set of destinations associated with the multicast destination address.
-
Publication (Announcement) No.: US20250036439A1
Publication (Announcement) Date: 2025-01-30
Application No.: US18229644
Application Date: 2023-08-02
Applicant: VMware LLC
Inventor: Pierluigi Rolando, Peng Li, Boon S. Ang, Guolin Yang, Wenyi Jiang, Yuxiao Zhang, Raju Koganty, Subrahmanyam Manuguri, Kok Pyng Liew, Jin Heo, Srinath Suriyanarayanan Thillaisthanam
IPC: G06F9/455, H04L41/0897
Abstract: Some embodiments provide a novel method for migrating virtual machines (VMs) from a first host computer to a second host computer. The first host computer is connected to a physical network interface card (PNIC) that performs middlebox service operations for flows associated with the VMs. At the PNIC, the method receives a notification that a VM is to be migrated from the first to the second host computer. The method configures an embedded hardware switch of the PNIC to forward a set of flows associated with the VM to a firewall of the PNIC. The embedded hardware switch was initially programmed to process the set of flows instead of the firewall. The method synchronizes flow cache information regarding the set of flows from the embedded hardware switch to the firewall. The method processes the set of flows at the firewall until the VM is migrated to the second host computer.
-
Publication (Announcement) No.: US12177067B2
Publication (Announcement) Date: 2024-12-24
Application No.: US18102684
Application Date: 2023-01-28
Applicant: VMware LLC
Inventor: Akhila Naveen, Kantesh Mundaragi, Rahul Mishra, Fenil Kavathia, Raju Koganty, Pierluigi Rolando, Yong Feng, Jayant Jain
IPC: H04L41/0806, H04L12/66, H04L45/42, H04L49/35, H04L67/53
Abstract: Some embodiments provide a method for configuring a gateway machine in a datacenter. The method receives a definition of a logical network for implementation in the datacenter. The logical network includes at least one logical switch to which logical network endpoints attach and a logical router for handling data traffic between the logical network endpoints in the datacenter and an external network. The method receives configuration data attaching a third-party service to at least one interface of the logical router via an additional logical switch designated for service attachments. The third-party service is for performing non-forwarding processing on the data traffic between the logical network endpoints and the external network. The method configures the gateway machine in the datacenter to implement the logical router and redirect at least a subset of the data traffic between the logical network endpoints and the external network to the attached third-party service.