The present invention generally relates to communication networks, and, more particularly, to a system for steering data packets in a communication network.
A communication network typically includes multiple digital systems such as gateways, switches, and access points. In a cloud computing environment, multiple computers are connected to each other and to servers via the communication network, e.g., the World Wide Web (WWW) or the Internet, to exchange data packets. Generally, compute nodes are used as servers to service the computers. The compute nodes include processors for executing multiple application and service virtual machines.
A virtual machine (VM) is an operating system that runs on a processor of a compute node and uses the same hardware resources as the compute node. Application VMs executed on the compute nodes include user-defined applications and are based on the transmission control protocol/internet protocol (TCP/IP) or the user datagram protocol (UDP), while the service VMs executed on the compute node provide network services, in particular network security services such as a firewall (FW), distributed denial of service (DDoS) protection, an intrusion detection system (IDS), and a web application firewall (WAF).
A compute node running multiple application and service VMs receives data packets either from one of the application VMs executed thereon or from another compute node in the network. The data packets need to be serviced by a set of network services defined by a network administrator. To service a data packet with the set of network services, the data packet must be steered through the set of network service VMs corresponding to those network services. Steering the data packets through the set of network service VMs, based on traffic steering rules and the set of network services assigned to the data packet, is called traffic steering.
One known technique for steering data packets utilizes a perimeter switch. The perimeter switch includes two types of ports: input ports and output ports. Each of the input and output ports includes node ports and transit ports. A data packet is received at the node ports of the perimeter switch. Based on a classification operation, the data packet is assigned a service chain that identifies the services, and the corresponding service VMs, required for processing the data packet. The node ports are used for determining the position (service stage) of the data packet in the service chain and hence the next service in the service chain. Based on the next service to process the data packet, the address of the next service VM is assigned to the data packet as its new destination address. Subsequently, the data packet is transmitted on the node port associated with the next service in the service chain.
The total number of services required for servicing a data packet is variable. Further, to identify the node ports of the service VMs for additional services that may be added for scalability, the hardware in the compute nodes must be upgraded. Thus, using ports to detect the position of the data packet in the service chain does not provide a scalable solution: each additional service requires additional ports, eventually requiring a hardware upgrade for each compute node.
Another technique for steering data packets introduces new network protocols in the packet header to identify the next service VM for processing the data packet. This too requires a software upgrade so that the compute nodes can identify the new protocol information in the data packet.
Therefore, it would be advantageous to have a system and method for steering data packets that is scalable and does not require hardware or software upgrades at the compute nodes.
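The port-based steering of the preceding two paragraphs, modelled as an added example (not code from the patent): classification assigns a service chain, the ingress node port alone determines the packet's stage, the next service VM becomes the new destination, and adding a service consumes a further node port. The FW/IDS/WAF chain, the policy in `classify`, and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    chain: tuple = ()  # ordered service names assigned by classification

@dataclass
class PerimeterSwitch:
    # Constructed model: one node port per service VM. The port a packet
    # arrives on tells the switch which service just processed it.
    service_vm: dict = field(default_factory=dict)  # service -> VM address
    port_of: dict = field(default_factory=dict)     # service -> node port
    app_vm_port: int = 0                            # port facing the app VMs

    def add_service(self, name, vm_addr):
        # Each added service consumes a fresh node port, which is why the
        # port-based design runs out of hardware as services are added.
        self.service_vm[name] = vm_addr
        self.port_of[name] = len(self.port_of) + 1
        return self.port_of[name]

    def classify(self, pkt):
        # Assumed policy: web traffic gets FW -> IDS -> WAF, the rest FW -> IDS.
        pkt.chain = ("FW", "IDS", "WAF") if pkt.dport in (80, 443) else ("FW", "IDS")
        return pkt.chain

    def steer(self, pkt, ingress_port):
        """Return (next destination, egress port); stage comes only from ingress_port."""
        if ingress_port == self.app_vm_port:
            stage = 0  # new packet from an application VM
        else:
            done = next(s for s, p in self.port_of.items() if p == ingress_port)
            stage = pkt.chain.index(done) + 1
        if stage >= len(pkt.chain):
            return pkt.dst, self.app_vm_port  # chain complete; deliver
        nxt = pkt.chain[stage]
        return self.service_vm[nxt], self.port_of[nxt]

def run_chain(switch, pkt):
    """Walk a packet through its whole chain and return the list of hops."""
    switch.classify(pkt)
    hops, port = [], switch.app_vm_port
    while True:
        addr, port = switch.steer(pkt, port)
        hops.append(addr)
        if port == switch.app_vm_port:
            return hops
```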