A single physical platform may be segregated into a plurality of virtual networks. Here, the physical platform incorporates at least one virtual machine monitor (VMM). A conventional VMM typically runs on a computer and presents to other software the abstraction of one or more virtual machines (VMs). Each VM may function as a self-contained platform, running its own “guest operating system” (i.e., an operating system (OS) hosted by the VMM) and other software, collectively referred to as guest software.
Processes running within a VM are provided with an abstraction of some hardware resources and may be unaware of other VMs within the system. Every VM assumes that it has full control over the hardware resources allocated to it. The VMM is an entity that is responsible for appropriately managing and arbitrating system resources among the VMs including, but not limited to, processors, input/out (I/O) devices and memory.
Network interface card (NIC) virtualization is a technique for providing an abstraction of a physical NIC(s) to the VMs. Through virtualization, the same physical NIC(s) can be shared by multiple VMs. In addition, NIC virtualization allows a VM to be presented with multiple instances of the same physical NIC. For example, a system may have a single physical NIC, but a VM may see multiple virtual NICs (VNICs), each of which interfaces with different networks inside the physical platform and/or the external network to which the physical NIC is attached. In fact, the actual physical NIC does not even have to be present in order to enable inter-VM communication within a system. The VNIC that is presented to a VM may be completely different than the actual physical NIC, thereby making it possible to expose features to the VM that may not exist in the actual physical hardware.
There is a limit on the total number of virtual networks and the maximum number of VMs per virtual network in the single physical platform. In addition, virtual networks cannot be reconfigured at run time of the VMM because it involves moving one or more VMs from one virtual network to another, which requires a restart of the affected VMs and the entire VMM.
A virtual switch may be utilized to provide a switching function for routing information or data frames between the plurality of virtual networks. The virtual switch typically identifies the source VNIC node of a data frame by the MAC address of the VNIC from which the data frame was sent or by the MAC address stored in the data frame itself. Any malicious software (e.g., guest OS running in a VM) can spoof the MAC address and thus cause the receiving node of the data frame to believe it came from a different source VNIC node than the actual source VNIC node from which it came. Spoofing of MAC addresses comprises the integrity of the virtual networks.