Service chaining based on labels in control and forwarding
A method for routing is disclosed. The method comprises establishing an overlay network, comprising a plurality of network elements and an overlay controller; wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network; receiving by the overlay controller, information from each service-hosting network element information said information identifying a service hosted at that service-hosting network element, and label associated with the service-hosting network element; identifying by the overlay controller, at least one policy that associates traffic from a site with a service; and causing by said overly controller, the at least one policy to be executed so that traffic from the site identified in the policy is routed using the underlying transport network to the service-hosting network element associated with the said service.
Latest Cisco Technology, Inc. Patents:
- ENFORCING CONDITIONAL ACCESS TO NETWORK SERVICES BASED ON AUTHORIZATION STATUSES ASSOCIATED WITH NETWORK FLOWS
- CLIENT DEVICE IDENTIFIER FOR DUAL-WI-FI CONNECTIONS
- MALLEABLE ROUTING FOR DATA PACKETS
- STORAGE SYSTEM CONFIGURATION BASED FILESYSTEM DESTINATIONS
- DISTRIBUTED PATH COMPUTATION AND CENTRALIZED PATH ENFORCEMENT IN COMPUTER NETWORTKS
Embodiments of the present invention relate to networking.
BACKGROUNDEnterprises and Service Providers (SPs) have a common requirement to pass data traffic through certain locations or along certain paths.
Existing solutions have the ability to pass traffic through a single location or to tie traffic to a specific path by determining a specific hop-by-hop forwarding path. However, if any service along the path experiences a disruption, then the only remedy is to rely on routing protocols that inherently lack awareness of service locations.
SUMMARYIn one aspect there is provided a network system comprising a plurality of service locations, wherein each service location is equipped to make independent forwarding decisions based on policy and wherein a service can be provided in a redundant fashion making the infrastructure aware of where a service is located and how it can be backed up.
In a second aspect there is provided a mechanism to allow for several different services to be tied together in a chain.
Other aspects of the invention will be apparent from the detailed description below.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block or flow diagram form only in order to avoid obscuring the invention. Accommodate
Reference in this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearance of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.
Moreover, although the following description contains many specifics for the purposes of illustration, anyone skilled in the art will appreciate that many variations and/or alterations to the details are within the scope of the present invention. Similarly, although many of the features of the present invention are described in terms of each other, or in conjunction with each other, one skilled in the art will appreciate that many of these features can be provided independently of other features. Accordingly, this description of the invention is set forth without any loss of generality to, and without imposing limitations upon, the invention.
Broadly, embodiments of the present invention disclose a service chain construct that may be used to facilitate routing within a network based on service availability within the network.
In one embodiment, to realize the service chain construct, network elements may be interconnected across a regular network infrastructure in order to provide an overlay network on top of the regular network infrastructure.
In one embodiment, in order for the overlay control plane protocol to provide a functional architecture, it distributes overlay routes that are learned from each location where an overlay network element is present, together with external addresses used as next-hop addresses for the overlay routes. The external addresses may be assigned to the physical interfaces of the overlay network elements that attach to the underlying network 108. In one embodiment, the overlay routes may only be accessed through the overlay network 100 and the next-hop addresses can only be reached through the underlying network 108. Together, the overlay routes and next-hop addresses provide for a complete and functional overlay architecture, as will be explained. As far as the underlying network 108 is concerned, the only element used to forward traffic between the sites is the next-hop address. The underlying network 108 does not know about any other routes, addresses or labels that may be used for providing a functional network infrastructure within the overlay network 100 itself.
Secure tunnels are established between the next-hop addresses, which define the elements (hubs or edges) that actually instantiate the overlay network 100. The secure tunnels define a control plane, as shown in
In one embodiment, within the overlay network 100, the overlay controller 102 processes control plane traffic, but does not get involved in the processing of data traffic. All data traffic is processed by the network elements present at site locations, such as a branch office, or central locations, such as a data center or a headquarters location. These network elements if, at a branch location is referred to as an “edge” and if, at a central location, is referred to as a “hub”. In
Providing Services
In general, services within a network may be provided at two or more layers. However, the most common layers are User services or Applications, and Network services or Applications. The differentiator between the two is that users will actively interact with user services, such as those provided through a web-browser, where network services are applied to network traffic in a way that is, or at least should be, transparent to the user.
Providing applications for user consumption requires the network to carry traffic from the user endpoint to the service endpoint and back. Providing network services requires a direct interaction between the network elements closest to the user, the network elements closest to the service, and traditionally, all the network elements in between. Even with this simplification that removes dependency on the intermediate network, there are still challenges in providing network level services that can be delivered in a way that is transparent to the user. These challenges include:
Chaining multiple services together, either in the same or in different locations of the network;
Overloading an existing control plane protocol with service information in a way that it was not designed to handle;
Minimizing the rerouting and shuffling of network traffic such that it only has to touch the sites where the services required for a given type of traffic are located;
Providing different services or chains of services depending on the direction of traffic; Requirements may be different depending on whether the traffic is originating from user location or is destined for a user location
Offering different services depending on which virtual domain a given user may be a part of;
Providing traffic load distribution across multiple different locations that are providing different instances of the same service;
Distributing awareness across the network of which services are available and where the are located;
Providing Services in the Overlay Network 100
An enormous benefit of providing services in an overlay network 100 is that the network elements sitting in between the user facing elements and the service facing elements do not have to be involved in the delivery of network level services. The entire responsibility of providing the service now rests with network element serving the user location and the network element serving the service location. As used herein the network element serving the user location is referred to as an “edge router or “edge, wherein the network element serving the service location will be referred to as a “hub router” or “hub”.
In one embodiment, the overlay controller may be provisioned with or at least have access to traffic policy functions. These traffic policy functions may be distributed to selected hubs and edges and may be used to direct traffic. In one embodiment, the use of labels that identify services and provide for a forwarding tag, allows the overlay network 100 to overcome all of the previously presented challenges. Labels that represent Virtual Private Networks (VPN) may be combined, in some embodiments, with the Service labels to provide services that are VPN-specific and are reached using VPN-specific policies, versus general overlay network policies for reaching a service identified solely by a service label applicable to the entire overlay network.
In each of the locations where a network level service is being provided, which technically could be either an Edge or a Hub location but for the sake of simplicity in the examples are presented as Hub sites, the Hub router is configured with information on which service it is providing and how to reach from a locally configured interface. The hub router will advertise this service using a label that identifies the type of service and how edge routers, by prepending the same label to packets being sent out from their sites, can reach the service. The next-hop address that the hub router uses to connect with the underlying network is also used as the means of actually getting to the same hub site across the intermediate network. This is how an edge router forwarding traffic into the overlay network determines which tunnel to use to reach the intended destination.
Services that may exist and provided at the network level include, but are not limited to, the following:
Firewall services
Intrusion Detection services
Traffic scrubbing services
Traffic sampling and analytical services
Caching
Deep Packet Inspection
Internet Service
Based on the advertisements of routes from each edge and hub router and the advertisements of service labels from each hub router hosting a service, potentially restricted on a per-VPN basis by associating a service-label with a VPN-label, the overlay controller 102 constructs policies that are subsequently distributed to the network elements (hubs and edges) involved. The set of policies and their required contents are related to the exact nature of the service chain that is being constructed. Two examples are provided below.
Example 1: Simple Service-Chain with Only a Single ServiceThe setup for this service and network infrastructure is the following:
A router in a hub location, Hub2 advertises a service with a Label of 1 and a Service-type of Firewall (see
The network administrator decides that all traffic going to and from the Internet must pass through the firewall service
The Internet entry and exit point is through a hub router referred to as Hub3, which could be advertised as a service but not in this example, for reasons of simplicity.
Each Edge location is equipped with the necessary routing information required to determine if traffic must be sent to the Internet or not.
The setup and distribution of policies will take place as follows:
Block 400: Hub2 advertises Service information: (Service-Type, Label) to the controller 102.
Block 402: The overlay controller 102 constructs the set of required policies and distributes them accordingly. This means that each node involved will be assigned a policy for managing the required traffic flow.
Block 404: Every Edge-router receives an outbound policy (for traffic towards the Internet) stipulating that all the traffic matching the routes received from Hub3, will be encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2. This will ensure all traffic destined for the Internet is using the tunnel from the Edge-router to Hub2
Block 406: The controller 102 creates a policy (in) for Service Locations: For received Traffic arriving tagged with Service-Label, forward traffic to service-element and advertises the policy thus created to each hub.
Block 408: Hub2 receives an inbound policy (for traffic received on its external interface), stipulating that all received traffic matching Service Label 1 is sent to the firewall. Exactly how the traffic is forwarded is a local decision.
Block 410: Hub2 receives an outbound policy (for traffic received from the Firewall) stipulating that the traffic destined for the Internet must be encapsulated with a next-hop address of Hub3, taking the traffic to the Internet. Any traffic destined for an Edge-router in the overlay network is sent with an encapsulation of that Edge-routers next-hop address
Block 412: Hub3 receives an inbound policy (for traffic received from the Internet) stipulating that all traffic matching a destination advertised from an Edge-router is encapsulated in a packet with a Service-label of 1, matching the Firewall Service, and a next-hop address of Hub2
Example 2: Two Services are Chained TogetherUsing the same setup as in the prior example, but adding that all traffic returning from the Internet must not only pass through the Firewall Service, but also pass through an Intrusion Detection Service, the modification required to the infrastructure is the following:
Hub1 hosts the Intrusion Detection service and advertises a service with a Label of 2 and a Service-type of Intrusion Detection.
The changes in setup and distribution of policies is following:
Hub2, hosting the firewall service, has one addition to its outbound policy. All traffic destined for any Edge-router in the overlay network must be encapsulated with a Service-label of 2 and a next-hop address of Hub1.
Hub1 is equipped with policies identical to what Hub2 had in the previous example, with the differences being that the label matching is done on Service-label 2 for inbound traffic.
Block 500: Edge1 receives a packet destined for Network Entry/Exit point. Local policy tells Edge1 that the path to reach Hub3 is through Hub2
Block 502: Edge1 encapsulates the packet with information containing the address of Hub2 and the Label for the Service at Hub2, then sends it off.
Block 504: Hub2 receives the packet from Hub2 with the Service-label. The service label is removed and forwarded to the service-element.
Block 506 Hub2 later receives the packet from the service-element. Local policy dictates that traffic destined for Hub3 should use the address of Hub3.
Block 508 Hub2 encapsulates the packet with information containing the address of Hub3, then sends it off.
Delivering on Other Requirements
The list of requirements presented earlier had several attributes that were not covered in the previous examples. The facilities used to deliver on those requirements are all present in this architecture and are used in the following ways to ensure that all requirements can be met
For purposes of clarity, the control plane protocol used in this architecture is designed to distribute routing information, policy information and labels. By overloading the labels with inherent representations of services, information on services can be distributed without any modifications to the protocol itself.
The rerouting and reshuffling of traffic and control information is avoided entirely by making this service-chaining architecture policy driven and decoupled from the underlying forwarding plane represented by the intermediate underlying network.
By adding VPN-designations to the service attachments points, services can be delivered on a per-VPN basis. This requires the use of a label-stack where one label represent the VPN and another label represents the service. Alternatively, and at a higher administrative cost, service-labels can be assigned in VPN-specific ranges to avoid the use of a label-stack.
If traffic-load distribution is desired, then multiple service-locations can advertise the same service-type using identical labels, which would allow for each ingress Edge-router to distribute load across the set of service-sites based on some condition that is inherently defined or decided by policy.
Associating services with Service-type designators and associating them with the external addresses of Hub-locations, provides inherent location and service-availability awareness. This could be further augmented by geo-location information or other more specific location-related attributes.
Establishment of a Service Chain
In one embodiment, to a method for establishing a service chain is shown in
Block 300: The overlay controller 102 establishes secure control channel with all associated network elements (hubs and edges).
Block 302: The service-hosting locations (hubs) advertise their service type and associated label to the overlay controller 102.
Block 304: The overlay controller 102 uses the service information received when constructing policies for the edge routers that are to use them.
The central controller can either:
Apply the service policy to overlay routes before sending those to edge nodes with overlay next hop and label changed to that of service.
Block 306: The central controller pushes the service policies to the edge routers. These policies link traffic to the ultimate destination with a service chain.
Block 308: The central controller can also push policies to the service hosting routers, instructing them of their role in a given service chain and how to forward inbound and outbound traffic related to each VPN and each Service.
Policy Construction and Information Distribution
In one embodiment, the controller 102 has the option of building a policy involving a service chain in two different ways:
1) The services along with the policies are both advertised to the edge routers that are to use them.
2) Services are advertised service nodes to the controller. Controller then uses the policy to resolve the overlay routes over service routes. It then advertises the resolved overlay routes to those edge nodes that are provisioned to receive those routes.
In the first option, policies can be implemented that takes the availability, capacity, latency, location and other aspects of the service chain into account and gives each edge router the awareness to select the most optimal service chain. In the second option, the edge routers are kept unaware of that they are using a service chain and simply operate based on the information they have been provided for the purpose of forwarding traffic.
Service Identification
In one embodiment, a service route, service label, service identifier and transport location (TLOC) identify each service. Specific service chains are established by policy and do not require any additional information to be distributed for traffic to flow along the path instantiated by the creation of the service chain. The Service Route is distributed for identification purposes only and is not used for forwarding.\
Traffic Forwarding in the Service Chain
In one embodiment, each edge node uses existing destination routes that are given a next-hop TLOC pointing to the entry point of a service chain. This route to TLOC assignment can be done by the central controller as a way of enforcing central service-chain policy, or by edge router when enforcing policies either distributed by the central controller or created locally on the device.
In one embodiment, each service router in the path of a service chain accepts inbound traffic based on the destination TLOC and VPN Label in the received packet and forwards it out the associated interface for the specific service being associated with the TLOC/Label combination. In the outbound direction, each service router must be equipped with policy describing what the next hop is for the particular destination. This allows for each service router to support multiple service chains and different policies for each direction of traffic. Since the outgoing direction is controlled by policy, this allows for great flexibility in choosing the next point in the service chain based on individually defined criteria for that service chain, service, or service router.
The service chaining architecture and method described above provides the following benefits:
Bidirectional Service Chains:
The service chaining architecture provides for the ability to create both unidirectional and bi-directional service chains simply by means of policy with no requirement to advertise additional routing information or labels.
Service Chain Eligibility:
The service chaining architecture is inherently aware of which services are present in a fully functional service chain. This awareness allows for the ability to qualify the eligibility of each specific service chain as the nature of each chain might change during the course of providing service. If crucial service may fail then the service chain could be taken out of service whereas the failure of non-crucial service could render the chain to operate either uninterrupted or with lower priority versus other available chains.
Service-Type Awareness:
The service type is included in the advertisements from each service location and allows for each hop in a service chain, inclusive of ingress and egress points, to make decisions of which specific instance of a given service-type to use. Deciding factors can include capacity, location, current load and other influential characteristics.
Service any Casting:
Each hop in a service chain is equipped to make decisions of which instance of a given service to use at any time. This is strongly linked to the service-type awareness claim but does not have to be. Redundancy through any casting can also be linked to capacity, location, current load and other influential factors aside from service-type.
Primary and Backup Service Locations:
Policies pushed by the central controller can be used to dictate primary and secondary, or backup, locations where a given service is being provided. This further extends the Service-type awareness function described above. The switch from a primary to a backup service can be decided upon and pushed by the central controller, or through previously defined and pushed policy, take place at the edge router upon detection of pre-defined failure conditions.
Equal and Unequal Cost Load-Balancing:
Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
Centrally defined and pushed policies can also influence how traffic is distributed across multiple sites providing the same service for the purpose of explicitly equal cost load-balancing, or if desired, using weights to achieve unequal cost load-balancing.
Centrally Administered and Provisioned Service Chains:
The service chaining concept described has the distinct advantage that the entire function can be provisioned from a central controller location without having to perform and specific per edge-node configuration or provisioning. As soon as the policy creation is complete on the central controller and services have been made available and linked with the defined policies, edge-nodes that are to use a defined service chain are triggered to do so by the central controller. For convergence between service locations, changes in current service chain or service site affiliation, or service chain eligibility, decisions and changes can be taken and executed upon by the central controller, the edge node, or both. How these actions are performed depend on how the policies were constructed at the central controller. This claim however, does not limit the provisioning or operation of a service chain that is partially performed by the central controller and augmented by service routers or edge routers.
The hardware also typically receives a number of inputs and outputs for communicating information externally. For interface with a user or operator, the hardware may include one or more user input output devices 606 (e.g., a keyboard, mouse, etc.) and a display 608. For additional storage, the hardware 600 may also include one or more mass storage devices 610, e.g., a Universal Serial Bus (USB) or other removable disk drive, a hard disk drive, a Direct Access Storage Device (DASD), an optical drive (e.g. a Compact Disk (CD) drive, a Digital Versatile Disk (DVD) drive, etc.) and/or a USB drive, among others. Furthermore, the hardware may include an interface with one or more networks 612 (e.g., a local area network (LAN), a wide area network (WAN), a wireless network, and/or the Internet among others) to permit the communication of information with other computers coupled to the networks. It should be appreciated that the hardware typically includes suitable analog and/or digital interfaces between the processor 612 and each of the components, as is well known in the art.
The hardware 600 operates under the control of an operating system 614, and executes application software 616 which includes various computer software applications, components, programs, objects, modules, etc. to perform the techniques described above.
In general, the routines executed to implement the embodiments of the invention, may be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as “computer programs.” The computer programs typically comprise one or more instructions set at various times in various memory and storage devices in a computer, and that, when read and executed by one or more processors in a computer, cause the computer to perform operations necessary to execute elements involving the various aspects of the invention. Moreover, while the invention has been described in the context of fully functioning computers and computer systems, those skilled in the art will appreciate that the various embodiments of the invention are capable of being distributed as a program product in a variety of forms, and that the invention applies equally regardless of the particular type of machine or computer-readable media used to actually effect the distribution. Examples of computer-readable media include but are not limited to recordable type media such as volatile and non-volatile memory devices, USB and other removable media, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD ROMS), Digital Versatile Disks, (DVDs), etc.), flash drives among others.
Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that the various modification and changes can be made to these embodiments without departing from the broader spirit of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than in a restrictive sense.
Claims
1. A method for routing, comprising:
- establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network;
- receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service;
- receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service;
- constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and
- pushing distributing, by the overlay controller, the policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second network elementhosting the second service.
2. The method of claim 1, wherein the pushing distributing comprises:
- in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
3. The method of claim 1, wherein the pushing distributing comprises:
- in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
4. The method of claim 1, wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
5. A non-transitory computer-readable medium having stored thereon, instructions which, when executed by a controller, cause the controller to perform or control performance of operations comprising:
- establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network;
- receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service;
- receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service;
- constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and
- pushing distributing, by the overlay controller, the policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second networkelement hosting the second service.
6. The non-transitory computer-readable medium of claim 5, wherein the pushing distributing comprises:
- in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
7. The non-transitory computer-readable medium of claim 5, wherein the pushing distributing comprises:
- in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
8. The non-transitory computer-readable medium of claim 5, wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
9. An overlay controller, comprising:
- a processor; and
- a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the overlay controller to perform or control performance of operations, comprising: establishing an overlay network, comprising a plurality of network elements and an overlay controller, wherein the overlay controller is in communication with each network element via a secure tunnel established through an underlying transport network; receiving, by the overlay controller, a first message from a first network element of the plurality of network elements, wherein the first message identifies a first service hosted at available through the first network element and a first label associated with the first service; receiving, by the overlay controller, a second message from a second network element of the plurality of network elements, wherein the second message identifies a second service hosted at available through the second network element and a second label associated with the second service; constructing, by the overlay controller, a policy defining a service chain that links the first service and the second service; and pushing distributing, by the overlay controller, the at least one policy to a site so that traffic from the site including the first label is routed using the underlying transport network to the first network element hosting the first service and subsequently to the second network elementhosting the second service.
10. The overlay controller of claim 9, wherein the pushing distributing comprises:
- in response to the policy also defining flow of outbound traffic, pushing distributing the policy created on the overlay controller to the plurality of network elements characterized as being one of including an edge router and a hub router.
11. The overlay controller of claim 9, wherein the pushing distributing comprises:
- in response to the policy also defining flow of inbound traffic, pushing distributing the policy created on the overlay controller to the first network element.
12. The overlay controller of claim 9, wherein the pushing distributing comprises applying the policy to an overlay route prior to sending the overlay route to a third network element of the plurality of network elements, wherein the third network element is associated with an overlay next hop that refers to the first network element and traffic at the third network elements is associated with the first label.
13. The method of claim 1, wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
14. The non-transitory computer-readable medium of claim 5, wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
15. The overlay controller of claim 9, wherein packets of the traffic from the site include a stack of labels, including the first label and a third label identifying a virtual private network (VPN).
16. The overlay controller of claim 9, wherein the first message indicates that the first service is associated with a particular virtual private network (VPN).
17. The overlay controller of claim 16, wherein the policy instructs the site to insert the first label into data packets that are sent through the particular VPN and forgo insertion of the first label into data packets that are sent outside the particular VPN.
18. The overlay controller of claim 16, wherein the second message indicates that the second service is associated with the particular VPN.
19. A method for forwarding network traffic to a network service in an overlay network, the method comprising:
- establishing an overlay network, comprising a plurality of network devices and an overlay controller, wherein the overlay controller is in communication with one or more of the network devices via a communications channel established through an underlying transport network, wherein at least a plurality of the network devices are overlay network devices, each overlay network device operative to establish a network layer tunnel with at least one other overlay network device of the overlay network;
- receiving, by the overlay controller, a first message from at least one of the plurality of network devices, the first message relating to a network service available through a first overlay network device of the overlay network, the first message comprising a first identifier associated with the network service;
- receiving, by the overlay controller, a second message from at least one of the plurality of network devices, the second message identifies a user service available through a first network device and including a second identifier associated with the user service;
- constructing based on at least a portion of the first and second message, one or more policies;
- distributing the one or more policies to one or more of the overlay network devices of the overlay network,
- at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with one or more services and matching an attribute to the first overlay network device;
- wherein the first overlay network device is operative to provide the network traffic to the first network service, and subsequently forward the network traffic received from the network service to the first network device.
20. The method of claim 19, wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
21. The method of claim 19, wherein the user service is accessible through a browser.
22. The method of claim 19, further comprising
- receiving, by the overlay controller, a first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
23. The method of claim 19, wherein each overlay network device is operative to establish a secure network layer tunnel with at least one other overlay network device of the overlay network.
24. The method of claim 19, wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
25. The method of claim 19, wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
26. The method of claim 19, wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
27. The method of claim 19, wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
28. An overlay network controller, comprising:
- a processor;
- a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to: establish an overlay network; comprising a plurality of overlay network devices and the overlay controller; communicate with each overlay network device via a communications channel established through an underlying transport network; facilitate the establishment by each overlay network device of a network layer tunnel with at least one other overlay network device of the overlay network; access a first message defining a network service available through a first overlay network device of the overlay network, wherein the first message comprising a first identifier associated with the network service; access a second message identifying a user service available through a first network device and including a second identifier associated with the user service; construct one or more policies and distribute the one or more policies to one or more of the overlay network devices of the overlay network, at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with the user service and matching an attribute to the first overlay network device; wherein the first overlay network device is operative to provide the network traffic to the network service, and subsequently forward the network traffic received from the network service to the first network device.
29. The overlay network controller of claim 28, wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
30. The overlay network controller of claim 28, wherein the user service is accessible through a browser.
31. The overlay network controller of claim 28, wherein the instructions which when executed by the processor causes the controller to receive the first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
32. The overlay network controller of claim 28, wherein each overlay network device establishes a secure network layer tunnel with at least one other overlay network device of the overlay network.
33. The overlay network controller of claim 28, wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
34. The overlay network controller of claim 28, wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
35. The overlay network controller of claim 28, wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
36. The overlay network controller of claim 28, wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
37. A system for forwarding network traffic to a network service in an overlay network, the system comprising:
- a controller and a plurality of overlay network devices, the plurality of overlay network devices each operative to establish a network layer tunnel with at least one other overlay network device of the plurality of overlay network devices;
- the controller comprising: a processor; a memory coupled to the processor, the memory storing instructions which when executed by the processor causes the controller to: establish an overlay network comprising the plurality of overlay network devices and an overlay controller, wherein the overlay controller communicates with each overlay network device via a communications channel established through an underlying transport network, access a first message defining the network service available through a first overlay network device of the overlay network, the first message comprising a first identifier associated with the network service; access a second message identifying to a user service available through a first network device and including a second identifier associated with the user service; construct one or more policies and distribute the one or more policies to one or more of the overlay network devices of the overlay network, at least one of the one or more policies defining a service chain and linking the network service to the user service, the policy operative to cause one or more of the overlay network devices of the overlay network to forward, over a corresponding network layer tunnel, network traffic associated with the user service and matching an attribute to the first overlay network device; wherein the first overlay network device is operative to provide the network traffic to the network service, and subsequently forward the network traffic received from the network service to a second network device having reachability to the first network device.
38. The system of claim 37, wherein the network service is any one of a service in the group consisting of firewall services, intrusion detection services, traffic scrubbing services, caching services, traffic sampling and analytical services, deep packet inspection services, and internet services.
39. The system of claim 37, wherein the user service is accessible through a browser.
40. The system of claim 37, wherein the instructions which when executed by the processor causes the controller to receive a first message from the first overlay network device, wherein the first message identifies the network service available through the first overlay network device.
41. The system of claim 37, wherein each overlay network device is operative to establish a secure network layer tunnel with at least one other overlay network device of the overlay network.
42. The system of claim 37, wherein at least one of the plurality of overlay network devices is a hub network device, and at least another one of the plurality of overlay network devices is an edge network device.
43. The system of claim 37, wherein at least a second one of the one or more policies is operative to cause the first overlay network device to forward, over a corresponding network layer tunnel, the network traffic associated with the user service and matching the attribute to a second overlay network device.
44. The system of claim 37, wherein the communications channels between the overlay controller and the overlay network devices are secure communications channels.
45. The system of claim 37, wherein the communications channels between the overlay controller and the overlay network devices are secure tunnel connections.
6044396 | March 28, 2000 | Adams |
6289419 | September 11, 2001 | Takahashi |
6535607 | March 18, 2003 | Chandersekaran et al. |
6594361 | July 15, 2003 | Chaney et al. |
6611872 | August 26, 2003 | McCanne |
6675225 | January 6, 2004 | Genty et al. |
7117530 | October 3, 2006 | Lin |
7120682 | October 10, 2006 | Salama |
7251824 | July 31, 2007 | Edwards et al. |
7925592 | April 12, 2011 | Issa et al. |
7995573 | August 9, 2011 | Danzeisen et al. |
8023504 | September 20, 2011 | Shah |
8041039 | October 18, 2011 | Tajima et al. |
8224971 | July 17, 2012 | Miller et al. |
8515079 | August 20, 2013 | Asati et al. |
8516552 | August 20, 2013 | Raleigh |
8594323 | November 26, 2013 | Dondeti |
8868698 | October 21, 2014 | Millington et al. |
8879739 | November 4, 2014 | Bieber |
8954740 | February 10, 2015 | Moscaritolo et al. |
8959333 | February 17, 2015 | Falk et al. |
9467478 | October 11, 2016 | Khan et al. |
9659170 | May 23, 2017 | Chapman, III |
9736113 | August 15, 2017 | Khan et al. |
9980303 | May 22, 2018 | Shanks et al. |
10277558 | April 30, 2019 | Khan et al. |
10298672 | May 21, 2019 | Shanks et al. |
10917926 | February 9, 2021 | Shanks et al. |
20030140142 | July 24, 2003 | Marples et al. |
20040034702 | February 19, 2004 | He |
20040088369 | May 6, 2004 | Yeager et al. |
20040103205 | May 27, 2004 | Larson et al. |
20040184603 | September 23, 2004 | Pearson et al. |
20040203590 | October 14, 2004 | Shteyn |
20050021610 | January 27, 2005 | Bozionek et al. |
20050044356 | February 24, 2005 | Srivastava et al. |
20050071280 | March 31, 2005 | Irwin et al. |
20050094814 | May 5, 2005 | Aihara |
20060015643 | January 19, 2006 | Orava et al. |
20060088031 | April 27, 2006 | Nalawade |
20060155721 | July 13, 2006 | Grunwald et al. |
20060165233 | July 27, 2006 | Nonaka et al. |
20060221830 | October 5, 2006 | Hu |
20060233180 | October 19, 2006 | Serghi et al. |
20060288209 | December 21, 2006 | Vogler |
20070086431 | April 19, 2007 | Abu-Amara |
20070104115 | May 10, 2007 | Decasper |
20070118885 | May 24, 2007 | Elrod |
20070140110 | June 21, 2007 | Kaler |
20070153782 | July 5, 2007 | Fletcher et al. |
20070185814 | August 9, 2007 | Boccon-Gibod et al. |
20070230688 | October 4, 2007 | Tajima et al. |
20070248232 | October 25, 2007 | Driscoll et al. |
20070299954 | December 27, 2007 | Fatula |
20080013738 | January 17, 2008 | Tajima et al. |
20080080716 | April 3, 2008 | McAlister et al. |
20080130902 | June 5, 2008 | Foo Kune et al. |
20080147820 | June 19, 2008 | Maeda et al. |
20080273704 | November 6, 2008 | Norrman et al. |
20090193253 | July 30, 2009 | Falk et al. |
20090216910 | August 27, 2009 | Duchesneau |
20090220080 | September 3, 2009 | Herne et al. |
20090296924 | December 3, 2009 | Oksman et al. |
20100014677 | January 21, 2010 | Sato et al. |
20100058082 | March 4, 2010 | Locker et al. |
20100064008 | March 11, 2010 | Yan et al. |
20100122084 | May 13, 2010 | Liu |
20100169563 | July 1, 2010 | Horner |
20100281251 | November 4, 2010 | Arauz Rosado |
20100325423 | December 23, 2010 | Etchegoyen |
20110010553 | January 13, 2011 | Cahn |
20110110377 | May 12, 2011 | Alkhatib et al. |
20110064222 | March 17, 2011 | Wiseman |
20110075674 | March 31, 2011 | Li et al. |
20110164750 | July 7, 2011 | Maas et al. |
20110296510 | December 1, 2011 | Hatlelid et al. |
20120051221 | March 1, 2012 | Bui et al. |
20120092986 | April 19, 2012 | Chen |
20120134361 | May 31, 2012 | Wong |
20120180122 | July 12, 2012 | Yan et al. |
20120266209 | October 18, 2012 | Gooding et al. |
20120284370 | November 8, 2012 | Hierro |
20130034094 | February 7, 2013 | Cardona et al. |
20130051559 | February 28, 2013 | Baba |
20130121142 | May 16, 2013 | Bai |
20130163446 | June 27, 2013 | Kruger et al. |
20130182712 | July 18, 2013 | Aguayo et al. |
20130201909 | August 8, 2013 | Bosch et al. |
20130223444 | August 29, 2013 | Liljenstolpe et al. |
20130251154 | September 26, 2013 | Tanizawa et al. |
20130266007 | October 10, 2013 | Kumbhare et al. |
20130306276 | November 21, 2013 | Duchesneau |
20130329725 | December 12, 2013 | Nakil et al. |
20130335582 | December 19, 2013 | Itasaki et al. |
20140003425 | January 2, 2014 | Zhao |
20140079059 | March 20, 2014 | Amir et al. |
20140153457 | June 5, 2014 | Liu |
20140153572 | June 5, 2014 | Hampel et al. |
20140189363 | July 3, 2014 | Thomas et al. |
20140223520 | August 7, 2014 | Gafni |
20140294018 | October 2, 2014 | Sung et al. |
20140297438 | October 2, 2014 | Dua |
20140331050 | November 6, 2014 | Armstrong et al. |
20140380039 | December 25, 2014 | Larson et al. |
20150006737 | January 1, 2015 | Chen et al. |
20150033298 | January 29, 2015 | Martini |
20150092603 | April 2, 2015 | Aguayo et al. |
20150103839 | April 16, 2015 | Chandrashekhar et al. |
20150106620 | April 16, 2015 | Cabrera et al. |
20150127797 | May 7, 2015 | Attar et al. |
20150229490 | August 13, 2015 | Brandstätter |
20150256521 | September 10, 2015 | Cummings et al. |
20160036785 | February 4, 2016 | Ambroz et al. |
20160080268 | March 17, 2016 | Anand et al. |
20160226762 | August 4, 2016 | Zhang et al. |
20170076291 | March 16, 2017 | Cairns et al. |
20170155628 | June 1, 2017 | Rohloff et al. |
20170223154 | August 3, 2017 | Hammam et al. |
20180054438 | February 22, 2018 | Li et al. |
20180091417 | March 29, 2018 | Oréet al. |
1254059 | April 2006 | CN |
2013007496 | January 2013 | WO |
2015092491 | June 2015 | WO |
- Lara et al., “Network Innovation using OpenFlow: A Survey,” CSE Jounral Articles, Dept. of Computer Science and Engineering, 2014, pp. 1-21.
- “Aruba Central Support Page”, Hewlett Packard Enterprise Development, 2021, 2 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/overlay-orchestration/tunnel-orchestration.htm.
- “Aruba Central Support Page: Advertising Overlay Routes”, Hewlett Packard Enterprise Development, 2021, 8 pages, https://help.central.arubanetworks.com/latest/documentation/online_help/content/gateways/cfg/routing/overlay_routing.htm.
- “Aruba SD-WAN Solution, User Guide”, Hewlett Packard Enterprise Company, 2019, 316 pages.
- “FAQ: Vormetric Key Management Key Vault”, Version 5.2, May 14, 2012, 5 pages.
- “FAQ: Vormetric Key Management—Key Agent for Oracle Transparent Data Encryption”, Version 7.2, Jul. 2, 2012, 8 pages, Vormetric.com.
- “Ipsec UDP Mode in Silver Peak Unity EdgeConnect”, Silver Peak, Whitepaper, 12 pages, https://www.silver-peak.com/sites/default/files/userdocs/silver-peak-whitepaper-ipsec-udp-1018_1.pdf.
Type: Grant
Filed: Nov 25, 2020
Date of Patent: Sep 10, 2024
Assignee: Cisco Technology, Inc. (San Jose, CA)
Inventors: Lars Olof Stefan Olofsson (Dubai), Atif Khan (San Jose, CA), Syed Khalid Raza (Fremont, CA), Himanshu H. Shah (Milpitas, CA), Amir Khan (San Jose, CA), Nehal Bhau (San Jose, CA)
Primary Examiner: Robert L Nasser
Application Number: 17/104,933
International Classification: H04L 12/28 (20060101); H04L 12/911 (20130101); H04L 45/64 (20220101); H04L 47/70 (20220101);