The present disclosure relates to networking, and more particularly systems and methods that implement and manage virtual networks.
The advent of cloud-based computing has created new demands for service providers. Service providers would like to provide each customer with a virtual network, with the ability to add hosts and change topology decoupled from the physical network. Virtualization of the network allows service providers to create customer-configurable network topologies which can be changed by altering virtual routers and virtual switches without any change in hardware. Virtual routers also allow segregation of customers' data for security and use-based pricing. Dedicated hardware can provide some of these features but can be expensive. There remains a need for a tool that allows a virtual network to be overlaid over an existing network and allows that virtual network's topology to change independently of the underlying network.
Presently disclosed are a system and method that facilitate packet routing using a virtual network overlaid on a physical network. In various embodiments, the present disclosure provides for the flexible interconnection of network elements at multiple layers of the OSI model, including L2 (Layer-2, i.e. Link Layer), L3 (Layer-3, i.e. Network Layer) and L4 (Layer-4, i.e. Transport Layer). Network elements may be interconnected with virtual L2 switches and L3 routers. The virtual L2 networks' packets may be transported over the existing L3 network using tunneling, without requiring any changes to the L3 network. Various tunneling methods may be used, such as GRE, Ethernet over IP, VXLAN, MPLS over IP or CAPWAP. The Internet Protocol (IP) packets routed by the virtual L3 router may be transported over the existing L3 network, without requiring any changes to the existing L3 network.
In an embodiment, the virtual L2 switches and virtual L3 routers appear to the elements they connect as physical L2 switches and physical L3 routers, although they may not be implemented using physical L2 and L3 network elements. There can be an arbitrary number of virtual network elements (switches or routers), each virtually connected to an arbitrary number of network elements. In one configuration, each virtual L2 switch is connected to one virtual L3 router, which can be connected to an arbitrary number of other L3 routers.
The system's virtual L2 switches and virtual L3 routers can connect a large number of network elements, regardless of geographical separation. The system can connect elements that are either physical or virtual, connecting, for example, virtual machines emulated on server computers to physical routers that are connected to the internet.
A method and system for creating and managing virtual networks comprising a plurality of virtual routers and switches is provided. The method and system may also provide for L3/L4 firewall services, source and/or destination network address translation services, and load balancing as described in more detail below. Presently disclosed is a method of routing a packet from a first node to a second node that comprises receiving a packet at a first node of an underlying network; accessing a virtual routing table to determine a next hop for the packet in a virtual network topology, where the next hop is either an interior facing (logical) port or an exterior facing (materialized) port, and continuing to access subsequent virtual routing tables in series until the next hop is determined to be an exterior facing port on a second node of the network; and sending the packet over the underlying network to the exterior facing port of the second node. The step of accessing a virtual routing table to determine a next hop for the packet may also include executing a lookup in each virtual routing table, where the lookup table contains the next hop data for the packet. In one embodiment, the first node of the network is configured to access an external network, and the second node of the network is configured to host a virtual machine. The method may also include applying a pre-routing modification and/or post-routing modification to the packet for at least one hop in the virtual network. In one embodiment, the next hop for a packet is determined from the source address and/or destination address. In addition, the pre-routing and post-routing processes may utilize the source address, source port, destination address and/or destination port to determine the desired modification or translation of the packet. The method may also comprise storing at least one virtual routing table in a distributed state on a plurality of nodes in the underlying network. 
In various embodiments, the underlying network may include an Ethernet network, a private IP network, a public IP network, or other networks capable of providing connectivity between the nodes.
Also disclosed is a method of routing packets comprising the steps of receiving a packet of a flow at a first node; accessing a flow table and determining that the packet does not match an existing flow rule; communicating the packet to a decision engine; accessing a virtual network topology stored in a shared database accessible by a plurality of nodes; creating a flow rule for the packet; and communicating the flow rule to the flow table. The step of creating a flow rule may further comprise determining a routing sequence for the packet in the network based on a virtual topology established by a network tenant.
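The two methods above (chained lookups through virtual routing tables until an exterior-facing port is found, and a flow-table miss handed to a decision engine that consults the shared virtual topology) can be simulated in a few dozen lines. The following is an added illustration, not code from the disclosure or from any product implementing it; the topology (a "provider" router whose uplink is materialized on node gw-1, peered logically to a "tenant" router whose subnet port is materialized on node host-2), the addresses, and the class names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    device: str          # virtual device that owns the port
    name: str
    materialized: bool   # True: exterior-facing port bound to an underlying node
    node: str = ""       # underlying-network node hosting a materialized port


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Port


class VirtualRouter:
    """One virtual routing table: longest-prefix match to a next-hop port."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst):
        for r in self.routes:
            if dst in r.prefix:
                return r.next_hop
        return None


class VirtualTopology:
    """Stand-in for the shared database: devices plus logical port peering."""

    def __init__(self, routers, peers):
        self.routers = {r.name: r for r in routers}
        self.peers = peers   # logical (interior) port -> peer logical port

    def route(self, ingress_port, dst, max_hops=8):
        """Consult routing tables in series until the next hop is a materialized port."""
        dst = ipaddress.ip_address(dst)
        router = self.routers[ingress_port.device]
        for _ in range(max_hops):
            hop = router.lookup(dst)
            if hop is None:
                return None                  # no route: the packet is dropped
            if hop.materialized:
                return hop                   # exterior-facing port on some node
            router = self.routers[self.peers[hop].device]   # cross the logical link
        raise RuntimeError("routing loop in virtual topology")


class FlowSwitch:
    """Flow-configurable switch on one node; misses go to the decision engine."""

    def __init__(self, node, topology):
        self.node = node
        self.topology = topology
        self.flow_table = {}
        self.misses = 0

    def decide(self, ingress_port, src, dst):
        """Decision engine: simulate the virtual topology and produce a flow rule."""
        self.misses += 1
        egress = self.topology.route(ingress_port, dst)
        return ("drop", None) if egress is None else ("tunnel", egress.node)

    def process(self, ingress_port, src, dst):
        key = (ingress_port.name, src, dst)
        if key not in self.flow_table:                  # flow-table miss
            self.flow_table[key] = self.decide(ingress_port, src, dst)
        return self.flow_table[key]                     # cached rule on later packets


def build_example():
    """Constructed sample topology (hypothetical, not from the disclosure)."""
    N = ipaddress.ip_network
    uplink = Port("provider", "uplink", True, "gw-1")
    p_to_t = Port("provider", "to-tenant", False)
    t_to_p = Port("tenant", "to-provider", False)
    lan = Port("tenant", "lan", True, "host-2")
    provider = VirtualRouter("provider", [Route(N("0.0.0.0/0"), uplink),
                                          Route(N("10.0.1.0/24"), p_to_t)])
    tenant = VirtualRouter("tenant", [Route(N("0.0.0.0/0"), t_to_p),
                                      Route(N("10.0.1.0/24"), lan)])
    topo = VirtualTopology([provider, tenant], {p_to_t: t_to_p, t_to_p: p_to_t})
    return topo, uplink, lan


if __name__ == "__main__":
    topo, uplink, lan = build_example()
    gw = FlowSwitch("gw-1", topo)
    print(gw.process(uplink, "198.51.100.7", "10.0.1.20"))   # ('tunnel', 'host-2')
```

Only the first packet of a flow pays for the walk through the routing tables; the resulting rule names the underlying node that hosts the materialized port, which is all the flow switch needs in order to tunnel the packet. The hop limit in `route` is the check a practitioner would want, since a misconfigured tenant topology can otherwise send the decision engine around a cycle of logical ports.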
Also disclosed is a method of stateful connection tracking for deleting a flow entry comprising the steps of receiving a FIN packet with a sequence number at an edge node with a flow configurable switch; identifying a flow rule corresponding to the packet in the flow configurable switch; identifying the flow rule for deletion and communicating the identified flow rule to a distributed state in a shared database; and communicating the packet based upon the corresponding flow rule. In embodiments, the system provides means for simulating a TCP connection state machine and keeping its state in the shared database.
In embodiments, the flow may be an inbound flow or an outbound flow of a TCP connection. The method may further include deleting the identified flow upon receiving an ACK packet corresponding to the FIN packet. In an embodiment, the method also comprises identifying an opposite direction flow stored in the distributed state that corresponds to the identified flow; identifying the opposite direction flow for deletion; and deleting the identified flow and the opposite direction flow upon receiving an ACK packet corresponding to the FIN packet.
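The connection-tracking rule of the two paragraphs above, written out as an added example (it is not code from the disclosure): a FIN marks its flow and the opposite-direction flow for deletion in the shared state, but the entries are only removed when an ACK whose acknowledgement number is the FIN's sequence number plus one arrives on the opposite flow. The packet and class names and the addresses are constructed for the example; the decision engine is reduced to installing a trivial forwarding rule on a miss.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN"}
    seq: int              # sequence number
    ack: int = 0          # acknowledgement number, meaningful when "ACK" is set


def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(key):
    src, sport, dst, dport = key
    return (dst, dport, src, sport)


class SharedState:
    """Stand-in for the distributed state in the shared database."""

    def __init__(self):
        self.flows = {}       # flow key -> installed rule
        self.fin_seen = {}    # flow key -> seq of its FIN (flow identified for deletion)


class EdgeNode:
    """A node whose flow-configurable switch consults the shared state."""

    def __init__(self, name, state):
        self.name = name
        self.state = state
        self.flow_table = {}  # local copy of the rules this switch applies

    def _rule_for(self, key):
        # Miss: in the disclosure this goes to the decision engine; here a
        # placeholder forwarding rule is installed and published.
        if key not in self.flow_table:
            self.flow_table[key] = self.state.flows.setdefault(key, f"forward via {self.name}")
        return self.flow_table[key]

    def receive(self, p):
        key = flow_key(p)
        rule = self._rule_for(key)
        if "FIN" in p.flags:
            # Identify the flow for deletion but keep forwarding on the rule
            # until the FIN is acknowledged.
            self.state.fin_seen[key] = p.seq
        if "ACK" in p.flags:
            opposite = reverse_key(key)
            fin_seq = self.state.fin_seen.get(opposite)
            if fin_seq is not None and p.ack == fin_seq + 1:
                # This ACK corresponds to the FIN: retire both directions.
                self._delete(opposite)
                self._delete(key)
        return rule

    def _delete(self, key):
        self.state.flows.pop(key, None)
        self.state.fin_seen.pop(key, None)
        self.flow_table.pop(key, None)


if __name__ == "__main__":
    state = SharedState()
    node = EdgeNode("edge-1", state)
    client, server = ("10.0.1.20", 40000), ("198.51.100.7", 443)
    node.receive(Packet(*client, *server, frozenset({"FIN", "ACK"}), seq=1001, ack=5000))
    node.receive(Packet(*server, *client, frozenset({"ACK"}), seq=5000, ack=1002))
    print(state.flows)    # {} once the FIN has been acknowledged
```

Matching the ACK against the recorded sequence number is what keeps an ordinary data ACK that happens to cross the FIN from tearing the flow down early; an ACK with any other acknowledgement number leaves both entries in place. The rule as stated retires both directions on the first acknowledged FIN, which is the disclosure's simplification of the full TCP close; an implementation that needs to preserve a half-closed connection would wait for the second FIN before removing the opposite flow.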
In another embodiment, a method of performing destination network address translation comprises the steps of receiving a first packet at a first node, the first packet having a destination address; creating a first flow rule corresponding to the first packet, where the first flow rule comprises an aggregation of the modifications made to a packet traversing a plurality of virtual devices in the virtual network topology; applying the first flow rule to the first packet; receiving a second packet at a second node in response to the first packet, the second packet having a source address; creating a second flow rule corresponding to the second packet; and accessing the first flow from a distributed state and applying the destination network address translation to the source address of the second packet. The method may also comprise waiting until the first flow rule is stored in the distributed state before forwarding the first packet such that the second packet is not received until the first flow rule is stored in the distributed state. In one embodiment, the first packet and second packet correspond to a TCP connection. In another embodiment, the method further comprises applying a load balancing algorithm to balance loads on the underlying network resources.
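The DNAT method above, as an added example that is not code from the disclosure: the first node simulates the packet through two virtual devices (a hypothetical load balancer that translates a VIP to a backend, then a tenant router that forwards port 80 to 8080), collapses their modifications into one flow rule, writes that rule to the distributed state before forwarding, and the node receiving the reply finds the forward flow by the reversed translated 5-tuple and restores the VIP as the reply's source. The device names, the VIP 203.0.113.10, the backend pool and the port map are all constructed for the example.

```python
import zlib
from dataclasses import dataclass, replace

FIELDS = ("src", "sport", "dst", "dport")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def key(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(k):
    return (k[2], k[3], k[0], k[1])


class LoadBalancer:
    """Virtual device 1: DNAT of a VIP to a backend chosen by a stable hash."""

    def __init__(self, vip, backends):
        self.vip, self.backends = vip, backends

    def process(self, p):
        if (p.dst, p.dport) != self.vip:
            return p
        idx = zlib.crc32(f"{p.src}:{p.sport}".encode()) % len(self.backends)
        return replace(p, dst=self.backends[idx])


class PortForwarder:
    """Virtual device 2: tenant router mapping an exposed port to the service port."""

    def __init__(self, port_map):
        self.port_map = port_map

    def process(self, p):
        return replace(p, dport=self.port_map.get(p.dport, p.dport))


class SharedState:
    """Distributed state: forward rules by original 5-tuple, indexed by translated 5-tuple."""

    def __init__(self):
        self.forward = {}        # key(original) -> (aggregated mods, key(translated))
        self.by_translated = {}  # key(translated) -> key(original)


def aggregate(before, after):
    """Collapse the per-device modifications into a single flow rule."""
    return {f: getattr(after, f) for f in FIELDS if getattr(before, f) != getattr(after, f)}


class FirstNode:
    def __init__(self, devices, state):
        self.devices, self.state = devices, state
        self.flow_table = {}

    def process(self, p):
        k = key(p)
        if k not in self.flow_table:
            out = p
            for device in self.devices:   # traverse the virtual topology once
                out = device.process(out)
            mods = aggregate(p, out)
            # Store in the distributed state before forwarding, so the node
            # that sees the reply can always find the forward flow.
            self.state.forward[k] = (mods, key(out))
            self.state.by_translated[key(out)] = k
            self.flow_table[k] = mods
        return replace(p, **self.flow_table[k])


class SecondNode:
    def __init__(self, state):
        self.state = state
        self.flow_table = {}

    def process(self, reply):
        k = key(reply)
        if k not in self.flow_table:
            orig_key = self.state.by_translated.get(reverse_key(k))
            if orig_key is None:
                raise LookupError("no forward flow in distributed state for this reply")
            mods, _ = self.state.forward[orig_key]
            # Reverse translation: the reply's source becomes the original destination.
            rev = {}
            if "dst" in mods:
                rev["src"] = orig_key[2]
            if "dport" in mods:
                rev["sport"] = orig_key[3]
            self.flow_table[k] = rev
        return replace(reply, **self.flow_table[k])
```

The reply node never re-runs the virtual devices; it only inverts the stored aggregate, which is why the forward rule must be in the distributed state before the first packet leaves. The `LookupError` is the failure mode to watch for in practice: a reply arriving with no forward flow means the state write was skipped or has not propagated, and the safe behaviour is to refuse the translation rather than guess it.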