Computer hardware executes operating system software and user application software. The computer hardware includes components like Central Processing Units (CPUs), Random Access Memory (RAM), Network Interface Cards (NICs), and data storage drives. The CPUs execute the operating system software to control the computer hardware. The CPUs execute the user application software to interact with the operating system software. The operating system software controls the computer hardware on behalf of the user application software.
Virtualization software was introduced to free the interface between the computer hardware and the user application software. The virtualization software interacts with the operating system software that supports the user applications—referred to as the guest operating system and the guest applications. The virtualization software also interacts with a variety of computer hardware including the CPUs, RAM, NICs, and storage drives. The virtualization software comprises hypervisors and virtual machines. The virtual machine software features virtual CPUs, virtual RAM, virtual NICs, and virtual storage drives. The guest operating systems interact with the virtual machines instead of the physical computer hardware. For example, a guest operating system calls a virtual NIC for a data communication service.
The hypervisors implement virtual switches to network the virtual machines. The virtual switches exchange data between the various virtual machines operating on a single host. The virtual switches also exchange data between the virtual machines and the physical NICs to connect those virtual machines to other virtual machines on other hosts and to other systems generally. To assist network users, the hypervisors may allow the deployment of logical network overlays in their control plane to serve the virtual machines. For example, a guest user application calls its guest OS to exchange application data. The guest OS commands a virtual NIC to exchange the application data, and the virtual NIC exchanges data with a virtual switch instantiated by the hypervisor. Based on the logical network overlay, the hypervisor may translate the logical destination address of egress traffic from the virtual machine to a physical host destination address and encapsulate the egress traffic with new network packet headers addressed to a host of the destination virtual machine. Likewise, the hypervisor may decapsulate packets destined for the local virtual machine to maintain the illusion that the virtual machine resides on the logical network.
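The translation and encapsulation steps described above can be sketched as follows. This is an added example, not code from the original document: the outer header layout, the overlay table, the logical network ID 5001 and all addresses are constructed for illustration.

```python
import socket
import struct

# Constructed outer header: source host IP, destination host IP, logical network ID.
OUTER = struct.Struct("!4s4sI")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def encapsulate(overlay, local_host, lni, inner_frame):
    """Translate the logical destination to a physical host and wrap the frame."""
    dst_mac = inner_frame[:6]
    remote_host = overlay.get((lni, dst_mac))
    if remote_host is None:
        return None  # no mapping in the overlay: drop the frame
    header = OUTER.pack(socket.inet_aton(local_host),
                        socket.inet_aton(remote_host), lni)
    return header + inner_frame

def decapsulate(local_host, local_ports, packet):
    """Strip the outer header; deliver only to a logical port on this host."""
    if len(packet) < OUTER.size + 12:
        return None  # too short for the outer header plus both inner MACs
    _src, dst, lni = OUTER.unpack_from(packet)
    if socket.inet_ntoa(dst) != local_host:
        return None  # addressed to a different physical host
    inner = packet[OUTER.size:]
    if (lni, inner[:6]) not in local_ports:
        return None  # destination is not a local port on this logical network
    return lni, inner

# Constructed sample: two virtual machines on logical network 5001.
VM_A = mac("02:00:00:00:00:0a")
VM_B = mac("02:00:00:00:00:0b")
OVERLAY = {(5001, VM_A): "192.0.2.10", (5001, VM_B): "192.0.2.20"}
FRAME = VM_B + VM_A + b"application data"  # dst MAC, src MAC, payload

def demo():
    wire = encapsulate(OVERLAY, "192.0.2.10", 5001, FRAME)
    delivered = decapsulate("192.0.2.20", {(5001, VM_B)}, wire)
    wrong_host = decapsulate("192.0.2.30", {(5001, VM_B)}, wire)
    return wire, delivered, wrong_host

if __name__ == "__main__":
    wire, delivered, wrong_host = demo()
    print(len(wire), delivered == (5001, FRAME), wrong_host)
```

The inner frame is returned unchanged on delivery, which is what preserves the guest's view that it sits directly on the logical network.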
A logical network manager distributes the logical networking overlays across multiple hypervisors in the hypervisor control plane. The hypervisors use the logical networking overlays to translate logical network traffic from the virtual NICs into encapsulated physical network traffic via the virtual switches and associated tunnel endpoints that perform the encapsulation and decapsulation operations. Unfortunately, the logical networks and the virtual networks do not efficiently and effectively control access between the virtual machines and the virtual switches when the virtual machines use logical ports in the logical network overlays.
The open access that virtual switches provide to virtual machines that use logical ports fosters poor quality-of-service. Some virtual machines may overuse a logical port and its virtual switch at the expense of other virtual machines. Techniques to control access to data networks have been developed. For example, the Institute of Electrical and Electronics Engineers (IEEE) standard 802.1x specifies an Extensible Authentication Protocol (EAP). EAP is commonly used to control computer access to Local Area Networks (LANs). EAP has not been optimized for virtual switches that serve logical network overlays.