Implementing logical network security on a hardware switch

US10182035B2 · US · B2

Patent metadata

Publication number: US-10182035-B2
Application number: US-201615253562-A
Country: US
Kind code: B2
Filing date: Aug 31, 2016
Priority date: Jun 29, 2016
Publication date: Jan 15, 2019
Grant date: Jan 15, 2019


Abstract

Official abstract text for this publication.

Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the network traffic that is forwarded to and/or from the physical machines. In order to configure an MHFE to implement the different LFEs of a logical network, some embodiments propagate an open source database stored on the MHFE, using an open source protocol. Some embodiments propagate a particular table of the database such that each record of the table creates an association between a port of an LFE stored in a logical forwarding table and one or more ACL rules stored in an ACL table.
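The abstract describes three pieces: a security policy whose rules may name a security group rather than an address, an ACL table on the MHFE holding the expanded rules, and a binding table associating each logical port with the ACL rules that apply there. The following is an added illustration in Python, not code from the patent or from Nicira; the rule fields, the "sg:" group-reference syntax and the table shapes are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityRule:
    src: str              # address/CIDR, "any", or a security-group reference "sg:<name>"
    dst: str
    action: str           # "allow" or "drop"
    applied_to: str = ""  # logical switch the rule is scoped to ("" = every switch)

def resolve(ref, groups):
    """Expand a security-group reference into its member addresses.
    An unknown group raises rather than silently matching nothing (fail closed)."""
    if ref.startswith("sg:"):
        name = ref[3:]
        if name not in groups:
            raise KeyError(f"unknown security group {name!r}")
        return sorted(groups[name])
    return [ref]

def build_tables(rules, groups, ports):
    """ports maps a physical port of the MHFE to the logical switch it is bound to.
    Returns (acl_table, binding): acl_table is acl_id -> (src, dst, action) and
    binding is port -> ordered list of acl_ids; rule order is kept for first-match."""
    acl_table, binding, ids = {}, {}, {}
    def acl_id(entry):                # deduplicate identical ACL entries across ports
        if entry not in ids:
            ids[entry] = f"acl{len(ids)}"
            acl_table[ids[entry]] = entry
        return ids[entry]
    for port, switch in ports.items():
        binding[port] = []
        for r in rules:
            if r.applied_to and r.applied_to != switch:
                continue              # rule is scoped to another logical switch
            for s in resolve(r.src, groups):
                for d in resolve(r.dst, groups):
                    binding[port].append(acl_id((s, d, r.action)))
    return acl_table, binding

# Constructed sample input (assumed values, not taken from the patent)
GROUPS = {"web": {"10.0.1.11", "10.0.1.10"}}
RULES = [
    SecurityRule("sg:web", "10.0.2.5", "allow", applied_to="ls-db"),
    SecurityRule("any", "10.0.2.5", "drop", applied_to="ls-db"),
    SecurityRule("sg:web", "sg:web", "allow", applied_to="ls-web"),
]
PORTS = {"tor1-port3": "ls-db"}       # physical machine's switch port, bound to ls-db

if __name__ == "__main__":
    acl, bind = build_tables(RULES, GROUPS, PORTS)
    for port, acl_ids in bind.items():
        for i in acl_ids:
            print(port, i, acl[i])
```

The third rule is scoped to a different logical switch than the physical machine's port, so it never reaches that port's binding, while the group reference in the first rule expands into one ACL entry per member.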

First claim

Opening claim text (preview).

We claim:

1. A method for configuring a managed hardware forwarding element (MHFE) to implement a security policy for a logical network, the method comprising: receiving a plurality of security rules to be applied to network traffic of a logical network that logically connects a plurality of data compute nodes executing on a set of host machines to a physical machine that is connected to the MHFE, wherein at least one security rule comprises an identifier of a security group as a source or destination address, the security group comprises a plurality of network elements, and the plurality of network elements comprises a plurality of data compute nodes that are a common type of server; generating a plurality of access control list (ACL) rules based on the plurality of security rules; and configuring the MHFE to apply the generated ACL rules to network traffic forwarded to and from the physical machine.
2. The method of claim 1, wherein at least one security rule in the plurality of security rules comprises a particular field that specifies the rule has to be applied at a logical switch to which the physical machine is logically coupled.
3. The method of claim 2, wherein the MHFE implements the logical switch by mapping a logical port of the logical switch to a physical port of the MHFE to which the physical machine is connected.
4. The method of claim 1, wherein at least a subset of the plurality of security rules comprises firewall rules that are applied to a set of logical forwarding elements of the logical network in a distributed manner by a logical firewall.
5. The method of claim 4, wherein the logical firewall comprises a set of firewall instances that is instantiated in the set of host machines to apply the firewall rules on the set of logical forwarding elements.
6. The method of claim 5, wherein the set of logical forwarding elements is implemented by a set of managed forwarding elements, each managed forwarding element executing on a host machine in the set of host machines, wherein each firewall instance is also implemented by a managed forwarding element.
7. The method of claim 1, wherein configuring the MHFE comprises populating an ACL table stored on the MHFE with the plurality of ACL rules.
8. A method for configuring a managed hardware forwarding element (MHFE) to implement a security policy for a logical network, the method comprising: receiving a plurality of security rules to be applied to network traffic of a logical network that logically connects a plurality of data compute nodes executing on a set of host machines to a physical machine that is connected to the MHFE; generating a plurality of access control list (ACL) rules based on the plurality of security rules; and configuring the MHFE to apply the generated ACL rules to network traffic forwarded to and from the physical machine, wherein configuring the MHFE comprises populating an ACL table stored on the MHFE with the plurality of ACL rules by distributing the ACL rules data to the MHFE using an open source protocol that is recognizable and used by the MHFE.
9. The method of claim 8, wherein at least one security rule in the plurality of security rules comprises a security group as a source or destination address, the security group comprising a plurality of network elements.
10. The method of claim 9, wherein the plurality of network elements comprises a plurality of data compute nodes that share a common property.
11. The method of claim 10, wherein the common property in the plurality of data compute nodes comprises implementing a common web server.
12. The method of claim 9, wherein the plurality of network elements comprises at least the physical machine.
13. A non-transitory machine readable medium storing a program for configuring a managed hardware forwarding element (MHFE) to implement a security policy for a logical network, the program executable by at least one processing unit, the program comprising sets of instructions for: receiving a plurality of security rules to be applied to network traffic of a logical network that logically connects a plurality of data compute nodes executing on a set of host machines to a physical machine that is connected to the MHFE, wherein at least one security rule comprises an identifier of a security group as a source or destination address, the security group comprises a plurality of network elements, and the plurality of network elements comprises a plurality of data compute nodes that are a common type of server; generating a plurality of access control list (ACL) rules based on the plurality of security rules; and configuring the MHFE to apply the generated ACL rules to network traffic forwarded to and from the physical machine.
14. The non-transitory machine readable medium of claim 13, wherein at least one security rule in the plurality of security rules comprises a particular field that specifies the rule has to be applied at a logical switch to which the physical machine is logically coupled.
15. The non-transitory machine readable medium of claim 14, wherein the MHFE implements the logical switch by mapping a logical port of the logical switch to a physical port of the MHFE to which the physical machine is connected.
16. The non-transitory machine readable medium of claim 13, wherein at least a subset of the plurality of security rules comprises firewall rules that are applied to a set of logical forwarding elements of the logical network in a distributed manner by a logical firewall.
17. The non-transitory machine readable medium of claim 16, wherein the logical firewall comprises a set of firewall instances that is instantiated in the set of host machines to apply the firewall rules on the set of logical forwarding elements.
18. The non-transitory machine readable medium of claim 17, wherein the set of logical forwarding elements is implemented by a set of managed forwarding elements, each managed forwarding element executing on a host machine in the set of host machines, wherein each firewall instance is also implemented by a managed forwarding element.
19. The non-transitory machine readable medium of claim 13, wherein the plurality of network elements comprises at least the physical machine.

Assignees

Nicira Inc

Inventors

Classifications

  • Access control lists [ACL] · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Rule management · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10182035B2 cover?
Some embodiments provide a method for applying a security policy defined for a logical network to an MHFE that integrates physical workloads (e.g., physical machines connected to the MHFE) with the logical network. The method applies the security policy to the MHFE by generating a set of ACL rules based on the security policy's definition and configuring the MHFE to apply the ACL rules on the n…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0236. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 15, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).