WO2024215943A1 - Routable and intent-based service chains - Google Patents

Routable and intent-based service chains

Info

Publication number
WO2024215943A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
service
traffic
service chain
services
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2024/024150
Other languages
French (fr)
Inventor
Pritam Baruah
Amjad Inamdar
Laxmikantha Reddy Ponnuru
Samir D Thoria
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US18/356,853 (US20240348549A1)
Application filed by Cisco Technology Inc
Priority to EP24726786.7A (EP4695955A1)
Publication of WO2024215943A1
Legal status: Ceased (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/036 Updating the topology between route computation elements, e.g. between OpenFlow controllers
    • H04L45/037 Routes obligatorily traversing service-related nodes
    • H04L45/0377 Routes obligatorily traversing service-related nodes for service chaining
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H04L45/302 Route determination based on requested QoS
    • H04L45/306 Route determination based on the nature of the carried application

Definitions

  • the present technology pertains to service chaining and, more specifically, to providing routable and intent-based definition for one or more services in a service chain to be applied to relevant network traffic as the network traffic traverses through a network.
  • Service chaining allows network operators to steer traffic through various services, such as firewalls, WAN optimizers, and Intrusion Detection Systems (IDSs), among others, which together enforce specific policies and provide a desired functionality for the traffic.
  • the services in a service chain can be “chained” together in a particular sequence along the path of the traffic to process the traffic through the sequence of services.
  • a network operator may define a service chain (SC) including a firewall and a WAN optimizer for traffic associated with an application. When such traffic is received, it is first routed to the firewall in the service chain, which provides firewall capabilities such as deep packet inspection and access control.
  • After the traffic is processed by the firewall, it is routed to the WAN optimizer in the service chain, which can compress the traffic, apply quality-of-service (QoS) policies, or perform other traffic optimization functions. Once the traffic is processed by the WAN optimizer, it is routed towards its intended destination.
  • the network operator can program rules or policies for redirecting an application’s traffic through a sequence of services in the service chain.
  • the network provider can program an access control list (ACL) in the network device’s hardware, such as the network device’s Ternary Content Addressable Memory (TCAM).
  • the ACL can include entries which together specify the sequence of services in the service chain for the application’s traffic.
  • the ACL entries can identify specific addresses associated with the application’s traffic, such as origin or destination IP addresses associated with the application’s traffic, which the network device can use to match an ACL entry to traffic.
  • the network device can then use the ACL entries to route the application’s traffic through the sequence of services in the service chain.
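The per-address ACL approach described in the preceding bullets, as an added illustration in Python (not code from the patent or from any vendor; the prefixes, service names and the `entries_for` helper are constructed for the example): an ordered ACL matches an application's traffic by origin and destination address, first match wins as in a TCAM lookup, and the matched entry names the sequence of services to traverse. The helper also shows why this is hard to manage: every origin/destination pair needs its own entry.

```python
# Added illustration (not code from the patent) of ACL-based service steering:
# an ordered ACL whose entries match traffic by origin/destination address and
# name the service sequence to traverse. First match wins, as in a TCAM lookup.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    src: str                   # origin prefix, e.g. "10.1.0.0/16"
    dst: str                   # destination prefix
    services: Tuple[str, ...]  # service sequence to apply; empty = none

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def lookup(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """Return the first matching ACL entry, or None if nothing matches."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip):
            return entry
    return None


def steer(acl: List[AclEntry], src_ip: str, dst_ip: str) -> List[str]:
    """Hop list for a packet: the matched entry's services in order, then the
    destination. Packets that match no entry are forwarded directly."""
    entry = lookup(acl, src_ip, dst_ip)
    if entry is None:
        return [dst_ip]
    return list(entry.services) + [dst_ip]


def entries_for(origins: List[str], destinations: List[str],
                services: Tuple[str, ...]) -> List[AclEntry]:
    """One entry per origin/destination pair: the per-address programming that
    becomes hard to manage once service instances are spread across sites."""
    return [AclEntry(o, d, services) for o in origins for d in destinations]


# Constructed ACL for one application's traffic; all addresses are made up.
APP_ACL = entries_for(
    ["10.1.0.0/16", "10.2.0.0/16"],        # two branch origins
    ["192.0.2.0/24"],                       # the application's server prefix
    ("firewall", "wan-optimizer"),
) + [AclEntry("0.0.0.0/0", "0.0.0.0/0", ())]  # catch-all: no services


if __name__ == "__main__":
    print(steer(APP_ACL, "10.1.5.9", "192.0.2.10"))   # via firewall, wan-optimizer
    print(steer(APP_ACL, "10.9.0.1", "192.0.2.10"))   # forwarded directly
```

Adding a third origin or a second destination prefix multiplies the entries, which is the management burden the next bullet describes.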
  • Service instances within an SC may be in arbitrary geographies and location types (public clouds, Customer Premise Equipment (CPEs), data centers, etc.) and connected to the enterprise network in disparate ways. This leads to complex end-to-end networking and traffic steering that can be extremely complicated to manage.
  • FIG. 2 illustrates a block diagram of an example service chain configuration for application traffic according to some aspects of the present disclosure
  • FIG. 3 illustrates an example service fabric workflow for applying service chains to network traffic in an enterprise network, according to some aspects of the present disclosure
  • FIG. 4 visually illustrates an example of routable and intent-based service chains applied to network traffic, according to some aspects of the present disclosure
  • FIG. 5 illustrates an example process for steering network traffic to routable and intent-based service chains according to some aspects of the present disclosure
  • references to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure.
  • the appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
  • various features are described which may be exhibited by some embodiments and not by others.
  • the terms used in this specification generally have their ordinary meanings in the art, within the context of the disclosure, and in the specific context where each term is used. Alternative language and synonyms may be used for any one or more of the terms discussed herein, and no special significance should be placed upon whether or not a term is elaborated or discussed herein.
  • a service can be software that resides in memory of a client device and/or one or more servers of a content management system and performs one or more functions when a processor executes the software associated with the service.
  • a service is a program or a collection of programs that carry out a specific function.
  • a service can be considered a server.
  • the memory can be a non-transitory computer-readable medium.
  • the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like.
  • non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
  • Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer-readable media.
  • Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general-purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
  • the executable computer instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code.
  • Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, solid-state memory devices, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
  • Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include servers, laptops, smartphones, small form factor personal computers, personal digital assistants, and so on.
  • the functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
  • the instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
  • the present disclosure is directed to making service-chains routable and intent-based within an enterprise network.
  • making service-chains routable is analogous to treating a service chain as an IP address, hence simplifying end-to-end networking and traffic routing for subjecting data packets to one or more relevant services in a SC.
  • a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more services included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
  • the type is selected from a group of service chain types.
  • the intent-based description identifies the one or more network hubs, and implementing the service chain includes instantiating the service chain at each of the one or more network hubs.
  • instantiating the service chain includes generating a configuration for the service chain; and downloading the configuration at each of the one or more network hubs.
  • implementing the traffic steering policy includes generating the traffic steering policy; and sending the traffic steering policy to one or more network routers for steering the network traffic (1) to the one or more network hubs; and (2) to one or more intended destinations after the network traffic is serviced by the one or more services.
  • the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service.
  • a network controller includes one or more memories having computer-readable instructions stored therein; and one or more processors.
  • the one or more processors are configured to execute the computer-readable instructions to receive an intent-based description of one or more services to be applied to network traffic; define a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more services included in the service chain; implement the service chain at one or more network hubs; and implement a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
  • the disclosed technology addresses the need in the art for reducing the complexities associated with accessing dispersed service instances in a service chain.
  • Example embodiments proposed herein solve these problems by making service-chains routable and intent-based within an enterprise network.
  • making service-chains routable is analogous to treating a service chain as an IP address, hence simplifying end-to-end networking and traffic routing for subjecting data packets to one or more relevant services in a SC.
  • the present disclosure allows a user to create an abstract type to express an SC (e.g., one of the above examples of intent-based expression of a SC).
  • the expressed ‘type’ may then be instantiated in any number of sites (locations) that can span geographies and location types.
  • an SC type may be defined as “Apply Firewall & Flow Analyzer.” This SC type can then be instantiated in all sites (or one site, two or more sites, etc.) that have reachability to restricted sites.
  • an SC type may be defined as “Apply Firewall & Intrusion Detection System,” that can be instantiated in Dallas & Austin.
  • the disclosure begins with a description of example network architectures for a software-defined network (e.g., SD-WAN) in which SC may be used for servicing various network traffic.
  • An example of an SC configuration will then be described with reference to FIG. 2.
  • Examples of routable and intent-based SCs will then be described with reference to FIGs. 3-
  • FIG. 1 illustrates an example of a high-level network architecture according to some aspects of the present disclosure.
  • An example of an implementation of the network architecture 100 is the Cisco® SD-WAN architecture.
  • the network architecture 100 can comprise an orchestration plane 102, a management plane 120, a control plane 130, and a data plane 140.
  • the orchestration plane 102 can assist in the automatic on-boarding of edge network devices 142 (e.g., switches, routers, etc.) in an overlay network.
  • the orchestration plane 102 can include one or more physical or virtual network orchestrator appliances 104.
  • the network orchestrator appliance(s) 104 can perform the initial authentication of the edge network devices 142 and orchestrate connectivity between devices of the control plane 130 and the data plane 140.
  • the network orchestrator appliance(s) 104 can also enable communication of devices located behind Network Address Translation (NAT).
  • physical or virtual Cisco® SD-WAN vBond appliances can operate as the network orchestrator appliance(s) 104.
  • the management plane 120 can be responsible for central configuration and monitoring of a network.
  • the management plane 120 can include one or more physical or virtual network management appliances 122 and an analytics engine 124.
  • the network management appliance(s) 122, using analytics engine 124, can provide centralized management of the network via a graphical user interface to enable a user to monitor, configure, and maintain the edge network devices 142 and links (e.g., Internet transport network 160, MPLS network 162, 4G/LTE network 164) in an underlay and overlay network.
  • Analytics engine 124 can collect and provide various analytics on operation of network 100 and any components thereof.
  • Output of analytics engine 124 can then be used by network appliance(s) 122 to automatically monitor, configure and/or maintain operations of network 100 and/or enable a user to do the same.
  • the network management appliance(s) 122 can support multi-tenancy and enable centralized management of logically isolated networks associated with different entities (e.g., enterprises, divisions within enterprises, groups within divisions, etc.).
  • the network management appliance(s) 122 can be a dedicated network management system for a single entity.
  • physical or virtual Cisco® SD-WAN vManage appliances can operate as the network management appliance(s) 122.
  • the control plane 130 can build and maintain a network topology and make decisions on where traffic flows.
  • the control plane 130 can include one or more physical or virtual network controller appliance(s) 132.
  • the network controller appliance(s) 132 can establish secure connections to each network device 142 and distribute route and policy information via a control plane protocol (e.g., Overlay Management Protocol (OMP) (discussed in further detail below), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Border Gateway Protocol (BGP), Protocol-Independent Multicast (PIM), Internet Group Management Protocol (IGMP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Bidirectional Forwarding Detection (BFD), Link Aggregation Control Protocol (LACP), etc.).
  • the network controller appliance(s) 132 can operate as route reflectors.
  • the network controller appliance(s) 132 can also orchestrate secure connectivity in the data plane 140 between and among the edge network devices 142.
  • the network controller appliance(s) 132 can distribute crypto key information among the network device(s) 142. This can allow the network to support a secure network protocol or application (e.g., Internet Protocol Security (IPSec), Transport Layer Security (TLS), Secure Shell (SSH), etc.) without Internet Key Exchange (IKE) and enable scalability of the network.
  • physical or virtual Cisco® SD-WAN vSmart controllers can operate as the network controller appliance(s) 132.
  • the data plane 140 can be responsible for forwarding packets based on decisions from the control plane 130.
  • the data plane 140 can include the edge network devices 142, which can be physical or virtual network devices.
  • the edge network devices 142 can operate at the edges of various network environments of an organization, such as in one or more data centers or colocation centers 150, campus networks 152, branch office networks 154, home office networks 156, and so forth, or in the cloud (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), SaaS, and other cloud service provider networks).
  • the edge network devices 142 can provide secure data plane connectivity among sites over one or more WAN transports, such as via one or more Internet transport networks 160 (e.g., Digital Subscriber Line (DSL), cable, etc.), MPLS networks 162 (or other private packet-switched network (e.g., Metro Ethernet, Frame Relay, Asynchronous Transfer Mode (ATM), etc.)), mobile networks 164 (e.g., 3G, 4G/LTE, 5G, etc.), or other WAN technology (e.g., Synchronous Optical Networking (SONET), Synchronous Digital Hierarchy (SDH), Dense Wavelength Division Multiplexing (DWDM), or other fiberoptic technology; leased lines (e.g., T1/E1, T3/E3, etc.); Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), or other private circuit-switched network; small aperture terminal (VSAT) or other satellite network; etc.).
  • the edge network devices 142 can be responsible for traffic forwarding, security, encryption, quality of service (QoS), and routing (e.g., BGP, OSPF, etc.), among other tasks.
  • physical or virtual Cisco® SD-WAN vEdge routers can operate as the edge network devices 142.
  • FIG. 2 illustrates a block diagram of an example service chain configuration for application traffic according to some aspects of the present disclosure.
  • a service chain 202 is configured to process traffic between endpoint 204 and endpoint 206.
  • Endpoint 204 can include any device or server (physical and/or virtual) on a network, such as a cloud consumer network (e.g., a private cloud or on-premises site), and endpoint 206 can include any device or server (physical and/or virtual) on a different network, such as a public cloud.
  • endpoint 204 can be an application or server on a private cloud
  • endpoint 206 can be an application or server on a public cloud.
  • Service chain 202 includes service applications 212, 214, 216, which may be configured to apply specific L4 (Layer 4) through L7 (Layer 7) policies to traffic between endpoint 204 and endpoint 206.
  • Service applications 212, 214, 216 can be implemented via respective virtual machines (VMs), software containers, servers, nodes, clusters of nodes, data centers, etc.
  • Example service applications include, without limitation, firewalls, Intrusion Detection Systems (IDS), WAN Optimizers, Network Address Translation (NAT) systems, virtual routers/switches, load balancers, Virtual Private Network (VPN) gateways, data loss prevention (DLP) systems, web application firewalls (WAFs), application delivery controllers (ADCs), packet capture appliances, secure sockets layer (SSL) appliances, adaptive security appliances (ASAs), etc.
  • Service applications 212, 214, 216 in service chain 202 are interconnected via a logical link 208A, which is supported by a physical link 208B through physical infrastructure 210.
  • Physical infrastructure 210 can include one or more networks, nodes, data centers, clouds, hardware resources, physical locations, etc. Traffic from endpoint 204 can be routed to physical infrastructure 210 through physical link 208B, and redirected by physical infrastructure 210 along logical link 208A and through service chain 202.
  • FIG. 3 illustrates an example service fabric workflow for applying service chains to network traffic in an enterprise network, according to some aspects of the present disclosure.
  • an intended SC may be expressed by a user (e.g., Apply Firewall Service and Intrusion Detection System (IDS) Service to Network Traffic from Branch 1 to Branch 2).
  • SC-Hub 302 can be an on-premise site, a cloud-based site (e.g., on Amazon Web Services), a Software Defined Cloud Interconnect (SDCI) site, etc.
  • an SC is defined with FW Service 304 and IDS Service 306 as the underlying services.
  • SC-Hub 302 may have a Hub 308 (may also be referred to as cEdge) acting as a gateway/switch.
  • SC-Hub 302 may have more than one Hub 308.
  • the SC (consisting of FW Service 304 and IDS Service 306) may be configured on Hub 308 and then advertised to vSmart 310 (vSmart 310 may be any one of network appliances described with reference to FIG. 1 including, but not limited to, one or more of control plane network appliances 132).
  • SC may be advertised by vSmart 310 to Branch 1 312.
  • network traffic originating from Branch 1 312 and destined for Branch 2 314 may be steered towards SC-Hub 302, where FW Service 304 and IDS Service 306 may be applied to (executed on) data packets (network traffic) from Branch 1 312.
  • data packets to which FW Service 304 and IDS Service 306 are applied are forwarded to Branch 2 314.
  • FW Service 304 and IDS Service 306 are two abstract service-types grouped and sequenced into an abstract SC-type.
  • a service-type may be selected from a group of defined service types (e.g., FW service, IDS service, Flow Analyzer service, WAN optimizer service, etc.).
  • an SC-type may be selected from a defined namespace (e.g., an SC consisting of FW Service 304 and IDS Service 306 may be given SC-type SC1).
  • the group of service types and/or SC types may be expanded, with existing services and/or SCs modified or deleted.
  • SC1 is reachable from SC-HUB 302 and hence may be advertised as SC1 just like an IP address.
  • traffic from Branch 1 312 destined for Branch 2 314 that needs to be service chained by SC1 will automatically be steered to SC-HUB 302 (e.g., over SDWAN 316, which can be the same as example network 100 of FIG. 1) if it is specified in a traffic policy such as the example traffic policy below:
      Traffic steering policy format
        match <criteria>
        action accept
          set service-chain SC1
  • a service chain may be defined wherein, each service has a hierarchical single construct that embeds all routing requirements for the relevant service in the service chain.
  • Example embodiments of a single construct for a service are described in U.S. Application No. 18/348,065, filed on July 6, 2023, the entire content of which is incorporated herein by reference.
  • SC1_t
      service FW Service sequence 100
      service IDS Service sequence 200
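An added Python illustration (not the patent's or Cisco's code) of the abstract service-type and SC-type constructs of FIG. 3: service types come from a defined group, an SC type sequences them by sequence number and is validated when defined, a hub executes the sequence on a packet, and a controller-side table records which hubs advertise the SC type, treating it like a routable address. The service-type names, the packet representation, the drop rule in the constructed firewall handler and the `ServiceChainRoutes` class are assumptions of the example.

```python
# Added illustration (not code from the patent): abstract service types, an
# SC type that sequences them, execution of the chain at a hub, and the
# controller-side table of hubs that advertise the SC type.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Defined group of abstract service types (constructed; FW, IDS, Flow Analyzer
# and WAN optimizer are the ones named on the page).
SERVICE_TYPES: Set[str] = {"FW", "IDS", "FlowAnalyzer", "WANOpt"}


@dataclass(frozen=True)
class ServiceStep:
    service_type: str
    sequence: int          # lower sequence number runs first


@dataclass(frozen=True)
class ServiceChainType:
    name: str              # SC-type name from the namespace, e.g. "SC1"
    steps: Tuple[ServiceStep, ...]


def define_sc_type(name: str, steps: List[Tuple[str, int]]) -> ServiceChainType:
    """Validate and build an SC type: every service type must be in the defined
    group and sequence numbers must be unique; steps are stored in run order."""
    seen: Set[int] = set()
    for svc, seq in steps:
        if svc not in SERVICE_TYPES:
            raise ValueError(f"unknown service type {svc!r}")
        if seq in seen:
            raise ValueError(f"duplicate sequence number {seq} in {name}")
        seen.add(seq)
    ordered = tuple(ServiceStep(s, q) for s, q in sorted(steps, key=lambda t: t[1]))
    return ServiceChainType(name, ordered)


# A service instance: takes a packet (a dict) and returns it, or None to drop it.
Handler = Callable[[dict], Optional[dict]]


def apply_chain(sc: ServiceChainType, instances: Dict[str, Handler],
                pkt: dict) -> Optional[dict]:
    """Run the packet through the chain's services in sequence order at a hub.
    A missing instance means the chain is not fully instantiated here."""
    for step in sc.steps:
        if step.service_type not in instances:
            raise LookupError(f"no {step.service_type} instance for {sc.name}")
        result = instances[step.service_type](pkt)
        if result is None:
            return None        # dropped by this service; later services not run
        pkt = result
    return pkt


class ServiceChainRoutes:
    """Controller-side table: SC type -> hubs that advertise reachability to it,
    the way a prefix is advertised by the routers that can reach it."""

    def __init__(self) -> None:
        self._hubs: Dict[str, Set[str]] = {}

    def advertise(self, sc_name: str, hub: str) -> None:
        self._hubs.setdefault(sc_name, set()).add(hub)

    def withdraw(self, sc_name: str, hub: str) -> None:
        self._hubs.get(sc_name, set()).discard(hub)

    def next_hops(self, sc_name: str) -> List[str]:
        return sorted(self._hubs.get(sc_name, ()))


# Constructed instances for a hub: the firewall drops one constructed blocked
# destination port, the IDS marks the packet as inspected.
def fw_instance(pkt: dict) -> Optional[dict]:
    return None if pkt.get("dport") == 23 else pkt


def ids_instance(pkt: dict) -> Optional[dict]:
    return {**pkt, "ids_inspected": True}


SC1 = define_sc_type("SC1", [("IDS", 200), ("FW", 100)])   # stored as FW then IDS
HUB_INSTANCES: Dict[str, Handler] = {"FW": fw_instance, "IDS": ids_instance}


if __name__ == "__main__":
    routes = ServiceChainRoutes()
    routes.advertise("SC1", "SC-Hub 302")
    print(routes.next_hops("SC1"))
    print(apply_chain(SC1, HUB_INSTANCES, {"src": "Branch 1", "dst": "Branch 2", "dport": 443}))
```

Because the SC type is looked up by name, the branch side only needs the policy's `set service-chain SC1`; which hub answers for SC1 is resolved from the advertisements, exactly as a next hop is resolved for a prefix.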
  • FIG. 4 visually illustrates an example of routable and intent-based service chains applied to network traffic, according to some aspects of the present disclosure.
  • An example of such intent-based description can be - "Apply Firewall & Intrusion Detection System to all traffic to and from enterprise workloads in AWS. For branches in Texas, these workloads are reachable through hub sites in Dallas & Austin," where AWS stands for Amazon Web Services.
  • Branch 1 402 may be in Texas and AWS-WL1 404 may be a cloud-based workload with address IP1.
  • Branch 1 402 may be connected to AWS via middle-mile sites (e.g., provided by an SDCI provider). Examples of such middle-mile sites include SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408. Gateways may be available in both Dallas and Austin.
  • AWS-WL1 404 may be reachable from both Dallas and Austin SDCI sites (e.g., SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408).
  • An SC-type for the intent-based description above may be created (SC1_t 410).
  • SC1_t 410 may include a Firewall Service (FW 412) and an IDS service (IDS 414) and may be instantiated in both Dallas and Austin.
  • service instances FW1 418 and FW2 424 (of abstract type FW) as well as service instances IDS1 420 and IDS2 426 (of abstract type IDS) are brought up at SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408 as shown in FIG. 4.
  • FW1 418 and IDS1 420 are shown as part of one instance at Dallas (e.g., SC1-Dallas 416) while FW2 424 and IDS2 426 are shown as part of another instance at Austin (e.g., SC1-Austin 422).
  • a service instance may be brought up in a specified location for specified provider(s) and/or vendor account(s), while in other examples, a service instance bring-up does not happen as part of instantiation.
  • all that is used to route network traffic to a service is the IP of the service instance and a route towards the service instance.
  • networking parameters toward the service instances are specified in the service instances.
  • the services can be in any location (e.g., in SC-HUB_SDCI_DALLAS 406, SC-HUB_SDCI_AUSTIN 408, in another SDCI, cloud network VPCs/VNETs, an on-premise network component, etc.).
  • An example configuration of SC1_t 410 may be downloaded by vSmart 310 (or alternatively by a vManage or any other network control appliance) to SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408:
      service-chain SC1
        service-chain-vrf 10
        service-chain-description SC1_t
        service FW sequence 100
        service IDS sequence 200
  • SC1_t 410 may be advertised by SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408 through OMP to vSmart 310.
  • a centralized data policy can be specified in vSmart 310 for steering network traffic. In other example embodiments any known or to be developed control policy, as desired, and/or localized policy may be used.
  • vSmart 310 may resolve the policy action such that traffic from Branch 1 402 to AWS-WL1 404 is routed through Dallas & Austin.
  • the routing through Dallas and Austin (e.g., SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408) may be performed based on Equal Cost Multi-Path (ECMP) routing.
  • a traffic steering policy may be created and placed anywhere in the network such that any data packet/network traffic to which SC1 is applicable is routed towards the SC (e.g., one of SC1-Dallas 416 at SC-HUB_SDCI_DALLAS 406 or SC1-Austin 422 at SC-HUB_SDCI_AUSTIN 408).
  • An example traffic steering policy may be as shown below in relation to the non-limiting example of FIG. 4:
      policy
        data-policy DP_BRANCH_TO_AWS
          vpn-list VPN_ALL
          sequence 10
            match
              destination-prefix-list PFX_LIST_AWS_WL1_IP1
            !
            action accept
              set service-chain SC1
  • FIG. 5 illustrates an example process for steering network traffic to routable and intent-based service chains according to some aspects of the present disclosure.
  • the process of FIG. 5 will be described from the perspective of a network controller appliance such as network controller appliance 132, which as described above can be a vSmart, a vManage, etc.
  • example embodiments are not limited thereto, and the same process can be performed by any other network appliance (e.g., network management appliance 122, etc.).
  • Although the example routine depicts a particular sequence of operations, the sequence may be altered without departing from the scope of the present disclosure. For example, some of the operations depicted may be performed in parallel or in a different sequence that does not materially affect the function of the routine. In other examples, different components of an example device or system that implements the routine may perform functions at substantially the same time or in a specific sequence.
  • the method includes receiving an intent-based description of one or more services to be applied to network traffic at block 502.
  • intent-based description can identify the desired services along with one or more network hubs and network traffic origin and destination, the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service, etc., as described above.
  • the one or more network hubs may not be specified but may then be determined by network controller appliance 132 based on various network and load balancing conditions (e.g., in proximity of network traffic origin and/or destination).
  • the method includes defining a type for a service chain that includes the one or more services based on the intent-based description at block 504.
  • network controller appliance 132 may determine the desired services expressed in the intent-based description by analyzing the intent-based description using any known or to be developed language processing models.
  • intent-based description may be provided via voice command. Accordingly, processing thereof may be performed using any known or to be developed speech processing techniques.
  • a determined type may be as described above (e.g., SC l_t 410).
  • the type may serve as an address (analogous to an IP address) for the service chain, thereby making the service chain easily routable for routing the network traffic to and from the one or more services included in the service chain.
  • a type for a service chain may be selected from a group of defined service chain types.
  • the method includes implementing the service chain at one or more network hubs at block 506.
  • implementing the service chain at one or more network hubs includes instantiating the service chain at each of the one or more network hubs (e.g., as described above with reference to FIGs. 3 and 4).
  • instantiating the service chain includes generating a configuration for the service chain and downloading the configuration at each of the one or more network hubs. This may be performed as described above with reference to FIG. 4.
  • the service chain can be implemented at at least two network hubs (e.g., SC-HUB SDCI DALLAS 406 and SC-HUB SDCI AUSTIN 408). Therefore, the network traffic can be steered to any one of the two network hubs based on Equal Cost Multi-Path (ECMP) routing.
  • the method further includes implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services at block 508.
  • network controller appliance 132 may implement the traffic steering policy by generating the traffic steering policy and sending the traffic steering policy to one or more network routers (and/or any other component in network 100 through which data packets associated with the network traffic may traverse) for steering the network traffic (1) to the one or more network hubs (to be serviced by the one or more services) and (2) to one or more intended destination after the network traffic is serviced by the one or more services.
  • FIG. 6 shows an example of a computing system, according to some aspects of the present disclosure.
  • Computing system 600 can be for example any computing device making up network 100 such as network controller appliances 132, network management appliances 122, and/or any component thereof in which the components of the system are in communication with each other using connection 602.
  • Connection 602 can be a physical connection via a bus, or a direct connection into processor 604, such as in a chipset architecture.
  • Connection 602 can also be a virtual connection, networked connection, or logical connection.
  • computing system 600 is a distributed system in which the functions described in this disclosure can be distributed within a datacenter, multiple data centers, a peer network, etc.
  • one or more of the described system components represents many such components each performing some or all of the function for which the component is described.
  • the components can be physical or virtual devices.
  • Example computing system 600 includes at least one processing unit (CPU or processor) 604 and connection 602 that couples various system components including system memory 608, such as read-only memory (ROM) 610 and random access memory (RAM) 612 to processor 604.
  • Computing system 600 can include a cache of high-speed memory 606 connected directly with, in close proximity to, or integrated as part of processor 604.
  • Processor 604 can include any general purpose processor and a hardware service or software service, such as services 616, 618, and 620 stored in storage device 614, configured to control processor 604 as well as a special-purpose processor where software instructions are incorporated into the actual processor design.
  • Processor 604 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc.
  • a multi-core processor may be symmetric or asymmetric.
  • computing system 600 includes an input device 626, which can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech, etc.
  • Computing system 600 can also include output device 622, which can be one or more of a number of output mechanisms known to those of skill in the art.
  • multimodal systems can enable a user to provide multiple types of input/output to communicate with computing system 600.
  • Computing system 600 can include communication interface 624, which can generally govern and manage the user input and system output.
  • Storage device 614 can be a non-volatile memory device and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs), read-only memory (ROM), and/or some combination of these devices.
  • the storage device 614 can include software services, servers, services, etc., such that when the code that defines such software is executed by the processor 604, it causes the system to perform a function.
  • a hardware service that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 604, connection 602, output device 622, etc., to carry out the function.
  • Claim language or other language reciting “at least one of” a set and/or “one or more” of a set indicates that one member of the set or multiple members of the set (in any combination) satisfy the claim.
  • claim language reciting “at least one of A and B” or “at least one of A or B” means A, B, or A and B.
  • claim language reciting “at least one of A, B, and C” or “at least one of A, B, or C” means A, B, C, or A and B, or A and C, or B and C, or A and B and C.
  • the language “at least one of” a set and/or “one or more” of a set does not limit the set to the items listed in the set.
  • claim language reciting “at least one of A and B” or “at least one of A or B” can mean A, B, or A and B, and can additionally include items not listed in the set of A and B.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure is directed to making service-chains routable and intent-based within an enterprise network. In one aspect, a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.

Description

ROUTABLE AND INTENT-BASED SERVICE CHAINS
TECHNICAL FIELD
[0001] The present technology pertains to service chaining and, more specifically, to providing routable and intent-based definition for one or more services in a service chain to be applied to relevant network traffic as the network traffic traverses through a network.
BACKGROUND
[0002] Service chaining allows network operators to steer traffic through various services, such as firewalls, WAN optimizers, and Intrusion Detection Systems (IDSs), among others, which together enforce specific policies and provide a desired functionality for the traffic. The services in a service chain can be “chained” together in a particular sequence along the path of the traffic to process the traffic through the sequence of services. For example, a network operator may define a service chain (SC) including a firewall and a WAN optimizer for traffic associated with an application. When such traffic is received, it is first routed to the firewall in the service chain, which provides firewall capabilities such as deep packet inspection and access control. After the traffic is processed by the firewall, it is routed to the WAN optimizer in the service chain, which can compress the traffic, apply quality-of-service (QoS) policies, or perform other traffic optimization functionalities. Once the traffic is processed by the WAN optimizer, it is routed towards its intended destination.
[0003] To implement a service chain, the network operator can program rules or policies for redirecting an application’s traffic through a sequence of services in the service chain. For example, the network provider can program an access control list (ACL) in the network device’s hardware, such as the network device’s Ternary Content Addressable Memory (TCAM). The ACL can include entries which together specify the sequence of services in the service chain for the application’s traffic. The ACL entries can identify specific addresses associated with the application’s traffic, such as origin or destination IP addresses associated with the application’s traffic, which the network device can use to match an ACL entry to traffic. The network device can then use the ACL entries to route the application’s traffic through the sequence of services in the service chain.
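The ACL-driven steering described in paragraphs [0002] and [0003], as an added example that is not the patent's or Cisco's code: an ordered ACL is searched first-match (the way a TCAM lookup behaves), the matching entry names the sequence of services, and the packet walks that sequence, with a firewall drop ending the chain before later services see the packet. Every prefix, service and packet here is constructed for illustration.

```python
"""Added example, not code from the patent or from Cisco: a minimal service chain
driven by an ordered ACL, as the Background describes.  Entries are tried in
priority order and the first match wins (the way a TCAM lookup behaves); the
matching entry names the sequence of services a packet passes through before
it is forwarded.  All prefixes, services and packets are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    trace: list[str] = field(default_factory=list)  # services visited, in order
    dropped: bool = False


# A service returns the (possibly modified) packet, or None to drop it.
Service = Callable[[Packet], Optional[Packet]]


def firewall(pkt: Packet) -> Optional[Packet]:
    """Constructed firewall policy: only HTTPS is allowed through."""
    pkt.trace.append("firewall")
    return pkt if pkt.dport == 443 else None


def wan_optimizer(pkt: Packet) -> Optional[Packet]:
    """Constructed optimizer: a crude run-length squeeze standing in for compression."""
    pkt.trace.append("wan-optimizer")
    squeezed = bytearray()
    for b in pkt.payload:
        if not squeezed or squeezed[-1] != b:
            squeezed.append(b)
    pkt.payload = bytes(squeezed)
    return pkt


@dataclass(order=True)
class AclEntry:
    priority: int  # lower value is matched first, like TCAM entry order
    src_prefix: ipaddress.IPv4Network = field(compare=False)
    dst_prefix: ipaddress.IPv4Network = field(compare=False)
    chain: tuple[Service, ...] = field(compare=False)


class ServiceChainAcl:
    def __init__(self, entries: list[AclEntry]):
        self.entries = sorted(entries)

    def lookup(self, pkt: Packet) -> tuple[Service, ...]:
        """First-match lookup on (source, destination) prefixes."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for e in self.entries:
            if src in e.src_prefix and dst in e.dst_prefix:
                return e.chain
        return ()  # no entry: forward without any service

    def process(self, pkt: Packet) -> Packet:
        """Walk the chain in order; a drop ends the chain early."""
        for service in self.lookup(pkt):
            result = service(pkt)
            if result is None:
                pkt.dropped = True
                return pkt
            pkt = result
        return pkt


def run_demo() -> dict[str, Packet]:
    """Constructed ACL: branch-to-datacenter traffic gets firewall + optimizer,
    all other branch traffic gets the firewall only."""
    acl = ServiceChainAcl([
        AclEntry(20, ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/0"), (firewall,)),
        AclEntry(10, ipaddress.ip_network("10.1.0.0/16"),
                 ipaddress.ip_network("203.0.113.0/24"), (firewall, wan_optimizer)),
    ])
    return {
        "https": acl.process(Packet("10.1.2.3", "203.0.113.5", 443, b"aaabbbc")),
        "ssh": acl.process(Packet("10.1.2.3", "203.0.113.5", 22, b"xxxx")),
        "other": acl.process(Packet("10.9.9.9", "198.51.100.1", 443, b"zzz")),
    }
```

The entry order matters: the more specific 10.1.0.0/16 entry is given the lower priority value so it is tried before the broad 10.0.0.0/8 entry, which is the same ordering discipline an operator has to maintain by hand in a TCAM-programmed ACL.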
[0004] Service instances within an SC may be in arbitrary geographies and location types (public clouds, Customer Premise Equipment (CPEs), data centers, etc.) and connected to the enterprise network in disparate ways. This leads to complex end-to-end networking and traffic steering that can be extremely complicated to manage.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
[0005] In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:
[0006] FIG. 1 illustrates an example of a high-level network architecture according to some aspects of the present disclosure;
[0007] FIG. 2 illustrates a block diagram of an example service chain configuration for application traffic according to some aspects of the present disclosure;
[0008] FIG. 3 illustrates an example service fabric workflow for applying service chains to network traffic in an enterprise network, according to some aspects of the present disclosure;
[0009] FIG. 4 visually illustrates an example of routable and intent-based service chains applied to network traffic, according to some aspects of the present disclosure;
[0010] FIG. 5 illustrates an example process for steering network traffic to routable and intent-based service chains according to some aspects of the present disclosure; and
[0011] FIG. 6 shows an example of a computing system, according to some aspects of the present disclosure.
DETAILED DESCRIPTION
[0012] Aspects of the invention are set out in the independent claims and preferred features are set out in the dependent claims. Features of one aspect may be applied to each aspect alone or in combination with other features.
[0013] Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure. Thus, the following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of the disclosure. However, in certain instances, well-known or conventional details are not described in order to avoid obscuring the description. References to one or an embodiment in the present disclosure can be references to the same embodiment or any embodiment; and, such references mean at least one of the embodiments.
[0014] Reference to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others.
[0015] The terms used in this specification generally have their ordinary meanings in the art, within the context of the disclosure, and in the specific context where each term is used. Alternative language and synonyms may be used for any one or more of the terms discussed herein, and no special significance should be placed upon whether or not a term is elaborated or discussed herein. In some cases, synonyms for certain terms are provided. A recital of one or more synonyms does not exclude the use of other synonyms. The use of examples anywhere in this specification including examples of any terms discussed herein is illustrative only and is not intended to further limit the scope and meaning of the disclosure or of any example term. Likewise, the disclosure is not limited to various embodiments given in this specification.
[0016] For clarity of explanation, in some instances, the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
[0017] Any of the steps, operations, functions, or processes described herein may be performed or implemented by a combination of hardware and software services or services, alone or in combination with other devices. In some embodiments, a service can be software that resides in memory of a client device and/or one or more servers of a content management system and perform one or more functions when a processor executes the software associated with the service. In some embodiments, a service is a program or a collection of programs that carry out a specific function. In some embodiments, a service can be considered a server. The memory can be a non-transitory computer-readable medium.
[0018] In some embodiments, the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
[0019] Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer-readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general-purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The executable computer instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, solid-state memory devices, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
[0020] Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include servers, laptops, smartphones, small form factor personal computers, personal digital assistants, and so on. The functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
[0021] The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
[0022] Without intent to limit the scope of the disclosure, examples of instruments, apparatus, methods and their related results according to the embodiments of the present disclosure are given below. Note that titles or subtitles may be used in the examples for convenience of a reader, which in no way should limit the scope of the disclosure. Unless otherwise defined, technical and scientific terms used herein have the meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. In the case of conflict, the present document, including definitions will control.
[0023] Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.
OVERVIEW
[0024] The present disclosure is directed to making service-chains routable and intent-based within an enterprise network. In other words, making service-chains routable is analogous to treating a service chain as an IP address, hence simplifying end-to-end networking and traffic routing for subjecting data packets to one or more relevant services in an SC.
[0025] In one aspect, a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
[0026] In another aspect, the type is selected from a group of service chain types.
[0027] In another aspect, the intent-based description identifies the one or more network hubs, and implementing the service chain includes instantiating the service chain at each of the one or more network hubs.
[0028] In another aspect, instantiating the service chain includes generating a configuration for the service chain; and downloading the configuration at each of the one or more network hubs.
[0029] In another aspect, implementing the traffic steering policy includes generating the traffic steering policy; and sending the traffic steering policy to one or more network routers for steering the network traffic (1) to the one or more network hubs; and (2) to one or more intended destination after the network traffic is serviced by the one or more services.
[0030] In another aspect, the service chain is implemented at at least two network hubs, and the network traffic is steered to one of the two network hubs based on Equal Cost Multi-Path (ECMP) routing.
[0031] In another aspect, the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service.
[0032] In one aspect, a network controller includes one or more memories having computer- readable instructions stored therein; and one or more processors. The one or more processors are configured to execute the computer-readable instructions to receive an intent-based description of one or more services to be applied to network traffic; define a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implement the service chain at one or more network hubs; and implement a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
[0033] In one aspect, one or more non-transitory computer-readable media include computer- readable instructions, which when executed by one or more processors of a network controller, cause the network controller to receive an intent-based description of one or more services to be applied to network traffic; define a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implement the service chain at one or more network hubs; and implement a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
EXAMPLE EMBODIMENTS
[0034] The disclosed technology addresses the need in the art for reducing the complexities associated with accessing dispersed service instances in a service chain.
[0035] As alluded to above, an SC is a set of services applied to a packet in a defined sequence, and inserted somewhere in the path across the network to the packet's destination. The device in which an SC is inserted is called a Service Chain Hub (hereafter: "SC-HUB"). SCs have an inherent structure to them, in that packets can traverse through the services and back to the SC-HUB in a defined path. Furthermore, service instances within an SC might be in arbitrary geographies and location types (public clouds, CPEs, data centers, etc.) and connected to the enterprise network in disparate ways. This leads to complex end-to-end networking and traffic steering that can be extremely complicated to manage.
[0036] Furthermore, services within an SC are conceptually independent entities, so network administrators get preoccupied by the individual service instances and their networking in every location rather than treating the set of services by the inherently abstract nature of the user's ultimate intent.
[0037] Example embodiments proposed herein solve these problems by making service-chains routable and intent-based within an enterprise network. In other words, making service-chains routable is analogous to treating a service chain as an IP address, hence simplifying end-to-end networking and traffic routing for subjecting data packets to one or more relevant services in an SC.
[0038] A user's intent in applying one or more services in a SC to a particular network traffic can be expressed as, for example, “Apply Firewall & Flow Analyzer to all traffic to and from all restricted sites," “Apply Firewall & Intrusion Detection System to all traffic to and from enterprise workloads in AWS. For branches in Texas, these workloads are reachable through hub sites in Dallas & Austin,” etc.
[0039] As will be described in more detail below, the present disclosure allows a user to create an abstract type to express an SC (e.g., one of the above examples of intent-based expression of a SC). The expressed ‘type’ may then be instantiated in any number of sites (locations) that can span geographies and location types.
[0040] With regard to the example intent-based expression of SCs above, an SC type may be defined as “Apply Firewall & Flow Analyzer.” This SC type can then be instantiated in all sites (or one site, two or more sites, etc.) that have reachability to restricted sites. For the second example, an SC type may be defined as “Apply Firewall & Intrusion Detection System,” that can be instantiated in Dallas & Austin.
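The intent-to-type-to-hub workflow of paragraphs [0038] through [0040], together with the FIG. 5 process steps (receive the intent, define a type that acts as the chain's address, instantiate it at the hubs, push a steering policy, and spread flows across hubs with ECMP), as an added example that is not the patent's or Cisco's code. The keyword grammar standing in for the language model, the hub names and system IPs, the prefix list, the policy name and the rendered configuration text are all constructed for illustration; the data-policy shape mirrors the one the description shows for FIG. 4.

```python
"""Added example, not the patent's or Cisco's code: a toy controller that turns
an intent sentence into a service chain type, instantiates it at the named
hubs, renders a data policy in the textual shape the description shows, and
picks a hub per flow with an ECMP hash.  The keyword grammar, hub names,
system IPs, prefixes and policy names are constructed for illustration."""
from __future__ import annotations

import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Service keywords the toy grammar understands (stand-in for a language model).
KNOWN_SERVICES = {"firewall": "FW", "intrusion detection system": "IDS",
                  "flow analyzer": "FA"}

# Constructed intent, modelled on the second example sentence in the text.
INTENT = ("Apply Firewall & Intrusion Detection System to all traffic to and from "
          "enterprise workloads in AWS. For branches in Texas, these workloads are "
          "reachable through hub sites in Dallas & Austin.")


@dataclass(frozen=True)
class ServiceChainType:
    name: str                  # the routable "address" of the chain
    services: tuple[str, ...]  # ordered services, e.g. ("FW", "IDS")


@dataclass(frozen=True)
class ServiceChainInstance:
    sc_type: ServiceChainType
    hub: str
    hub_ip: str  # system IP of the hub (constructed)


@dataclass(frozen=True)
class DataPolicy:
    name: str
    vpn_list: str
    prefix_list: str
    prefixes: tuple[ipaddress.IPv4Network, ...]
    sc_type: ServiceChainType


def parse_intent(text: str) -> tuple[ServiceChainType, list[str]]:
    """'Apply <svc> & <svc> to ... hub sites in <A> & <B>' -> (type, hubs).
    Hubs are optional: the text says the controller may choose them itself."""
    low = text.lower()
    m = re.match(r"apply (.+?) to ", low)
    if not m:
        raise ValueError("intent must start with 'Apply <services> to ...'")
    services = []
    for word in re.split(r"&|,| and ", m.group(1)):
        word = word.strip()
        if word and word not in KNOWN_SERVICES:
            raise ValueError(f"unknown service in intent: {word!r}")
        if word:
            services.append(KNOWN_SERVICES[word])
    hubs = []
    h = re.search(r"hubs?(?: sites?)? in (.+?)(?:[.,]|$)", low)
    if h:
        hubs = [x.strip().title() for x in re.split(r"&| and ", h.group(1)) if x.strip()]
    return ServiceChainType("SC_" + "_".join(services), tuple(services)), hubs


class Controller:
    def __init__(self, hub_inventory: dict[str, str]):
        self.hubs = hub_inventory  # hub name -> system IP (constructed)
        self.instances: dict[str, list[ServiceChainInstance]] = {}

    def implement_chain(self, sc_type, hubs):
        """Instantiate the same type at every hub; all instances are equal-cost."""
        insts = [ServiceChainInstance(sc_type, h, self.hubs[h]) for h in hubs]
        self.instances[sc_type.name] = insts
        return insts

    @staticmethod
    def render_config(inst: ServiceChainInstance) -> str:
        """Per-hub configuration the controller would push to that hub."""
        lines = [f"service-chain {inst.sc_type.name}"]
        lines += [f" service {i} {svc}" for i, svc in enumerate(inst.sc_type.services, 1)]
        return "\n".join(lines)

    @staticmethod
    def render_policy(p: DataPolicy) -> str:
        """Data policy: match the prefix list, accept, set the chain type as target."""
        return "\n".join([
            "policy", f" data-policy {p.name}", f"  vpn-list {p.vpn_list}",
            "   sequence 10", f"    match destination-prefix-list {p.prefix_list}",
            "    !", "    action accept", f"     set service-chain {p.sc_type.name}"])

    def select_hub(self, sc_name, src, dst, proto, sport, dport) -> ServiceChainInstance:
        """ECMP: hash the 5-tuple so one flow sticks to one hub while flows spread."""
        insts = self.instances[sc_name]
        key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(insts)
        return insts[idx]


def steer(ctrl: Controller, p: DataPolicy, src, dst, proto, sport, dport):
    """Router-side behaviour: flows to a listed prefix go to an ECMP hub of the
    chain; everything else is forwarded normally (returns None)."""
    if not any(ipaddress.ip_address(dst) in net for net in p.prefixes):
        return None
    return ctrl.select_hub(p.sc_type.name, src, dst, proto, sport, dport)


def build_demo() -> tuple[Controller, DataPolicy]:
    sc_type, hubs = parse_intent(INTENT)
    ctrl = Controller({"Dallas": "10.255.0.1", "Austin": "10.255.0.2"})  # constructed
    ctrl.implement_chain(sc_type, hubs)
    policy = DataPolicy("DP_BRANCH_TO_AWS", "VPN_ALL", "PFX_LIST_AWS",
                        (ipaddress.ip_network("203.0.113.0/24"),), sc_type)
    return ctrl, policy
```

The point the example makes concrete is that the steering policy never names a hub: it sets the chain type, and the choice between the Dallas and Austin instances is made per flow by the ECMP hash, so adding a third hub instance changes nothing in the policy. Hashing the full 5-tuple keeps both directions of a flow on the same stateful firewall instance only if the return traffic is hashed with the same ordering of addresses, which is a detail a real deployment has to handle.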
[0041] The disclosure begins with a description of example network architectures for a software-defined network (e.g., SD-WAN) in which SC may be used for servicing various network traffic. An example of a SC configuration will then be described with reference to FIG. 2. Examples of routable and intent-based SCs will then be described with reference to FIGs. 3-6.
[0042] FIG. 1 illustrates an example of a high-level network architecture according to some aspects of the present disclosure. An example of an implementation of the network architecture 100 is the Cisco® SD-WAN architecture. However, one of ordinary skill in the art will understand that, for the network architecture 100 and any other system discussed in the present disclosure, there can be additional or fewer components in similar or alternative configurations. The illustrations and examples provided in the present disclosure are for conciseness and clarity. Other embodiments may include different numbers and/or types of elements, but one of ordinary skill in the art will appreciate that such variations do not depart from the scope of the present disclosure.
[0043] In this example, the network architecture 100 can comprise an orchestration plane 102, a management plane 120, a control plane 130, and a data plane 140. The orchestration plane 102 can assist in the automatic on-boarding of edge network devices 142 (e.g., switches, routers, etc.) in an overlay network. The orchestration plane 102 can include one or more physical or virtual network orchestrator appliances 104. The network orchestrator appliance(s) 104 can perform the initial authentication of the edge network devices 142 and orchestrate connectivity between devices of the control plane 130 and the data plane 140. In some embodiments, the network orchestrator appliance(s) 104 can also enable communication of devices located behind Network Address Translation (NAT). In some embodiments, physical or virtual Cisco® SD-WAN vBond appliances can operate as the network orchestrator appliance(s) 104.
[0044] The management plane 120 can be responsible for central configuration and monitoring of a network. The management plane 120 can include one or more physical or virtual network management appliances 122 and an analytics engine 124. In some embodiments, the network management appliance(s) 122, using analytics engine 124, can provide centralized management of the network via a graphical user interface to enable a user to monitor, configure, and maintain the edge network devices 142 and links (e.g., Internet transport network 160, MPLS network 162, 4G/LTE network 164) in an underlay and overlay network. Analytics engine 124 can collect and provide various analytics on operation of network 100 and any components thereof. Output of analytics engine 124 can then be used by network appliance(s) 122 to automatically monitor, configure and/or maintain operations of network 100 and/or enable a user to do the same. The network management appliance(s) 122 can support multi-tenancy and enable centralized management of logically isolated networks associated with different entities (e.g., enterprises, divisions within enterprises, groups within divisions, etc.). Alternatively or in addition, the network management appliance(s) 122 can be a dedicated network management system for a single entity. In some embodiments, physical or virtual Cisco® SD-WAN vManage appliances can operate as the network management appliance(s) 122.
[0045] The control plane 130 can build and maintain a network topology and make decisions on where traffic flows. The control plane 130 can include one or more physical or virtual network controller appliance(s) 132. The network controller appliance(s) 132 can establish secure connections to each network device 142 and distribute route and policy information via a control plane protocol (e.g., Overlay Management Protocol (OMP) (discussed in further detail below), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), Border Gateway Protocol (BGP), Protocol-Independent Multicast (PIM), Internet Group Management Protocol (IGMP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Bidirectional Forwarding Detection (BFD), Link Aggregation Control Protocol (LACP), etc.). In some embodiments, the network controller appliance(s) 132 can operate as route reflectors. The network controller appliance(s) 132 can also orchestrate secure connectivity in the data plane 140 between and among the edge network devices 142. For example, in some embodiments, the network controller appliance(s) 132 can distribute crypto key information among the network device(s) 142. This can allow the network to support a secure network protocol or application (e.g., Internet Protocol Security (IPSec), Transport Layer Security (TLS), Secure Shell (SSH), etc.) without Internet Key Exchange (IKE) and enable scalability of the network. In some embodiments, physical or virtual Cisco® SD-WAN vSmart controllers can operate as the network controller appliance(s) 132.
[0046] The data plane 140 can be responsible for forwarding packets based on decisions from the control plane 130. The data plane 140 can include the edge network devices 142, which can be physical or virtual network devices. The edge network devices 142 can operate at the edges of various network environments of an organization, such as in one or more data centers or colocation centers 150, campus networks 152, branch office networks 154, home office networks 156, and so forth, or in the cloud (e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS), SaaS, and other cloud service provider networks). The edge network devices 142 can provide secure data plane connectivity among sites over one or more WAN transports, such as via one or more Internet transport networks 160 (e.g., Digital Subscriber Line (DSL), cable, etc.), MPLS networks 162 (or other private packet-switched networks (e.g., Metro Ethernet, Frame Relay, Asynchronous Transfer Mode (ATM), etc.)), mobile networks 164 (e.g., 3G, 4G/LTE, 5G, etc.), or other WAN technology (e.g., Synchronous Optical Networking (SONET), Synchronous Digital Hierarchy (SDH), Dense Wavelength Division Multiplexing (DWDM), or other fiber-optic technology; leased lines (e.g., T1/E1, T3/E3, etc.); Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), or other private circuit-switched network; very small aperture terminal (VSAT) or other satellite network; etc.). The edge network devices 142 can be responsible for traffic forwarding, security, encryption, quality of service (QoS), and routing (e.g., BGP, OSPF, etc.), among other tasks. In some embodiments, physical or virtual Cisco® SD-WAN vEdge routers can operate as the edge network devices 142.
[0047] FIG. 2 illustrates a block diagram of an example service chain configuration for application traffic according to some aspects of the present disclosure. In example configuration 200, a service chain 202 is configured to process traffic between endpoint 204 and endpoint 206. Endpoint 204 can include any device or server (physical and/or virtual) on a network, such as a cloud consumer network (e.g., a private cloud or on-premises site), and endpoint 206 can include any device or server (physical and/or virtual) on a different network, such as a public cloud. For example, endpoint 204 can be an application or server on a private cloud and endpoint 206 can be an application or server on a public cloud.
[0048] Service chain 202 includes service applications 212, 214, 216, which may be configured to apply specific L4 (Layer 4) through L7 (Layer 7) policies to traffic between endpoint 204 and endpoint 206. Service applications 212, 214, 216 can be implemented via respective virtual machines (VMs), software containers, servers, nodes, clusters of nodes, data centers, etc. Example service applications (212, 214, 216) include, without limitation, firewalls, Intrusion Detection Systems (IDS), WAN Optimizers, Network Address Translation (NAT) systems, virtual routers/switches, load balancers, Virtual Private Network (VPN) gateways, data loss prevention (DLP) systems, web application firewalls (WAFs), application delivery controllers (ADCs), packet capture appliances, secure sockets layer (SSL) appliances, adaptive security appliances (ASAs), etc.
[0049] Service applications 212, 214, 216 in service chain 202 are interconnected via a logical link 208A, which is supported by a physical link 208B through physical infrastructure 210. Physical infrastructure 210 can include one or more networks, nodes, data centers, clouds, hardware resources, physical locations, etc. Traffic from endpoint 204 can be routed to physical infrastructure 210 through physical link 208B, and redirected by physical infrastructure 210 along logical link 208A and through service chain 202.
[0050] FIG. 3 illustrates an example service fabric workflow for applying service chains to network traffic in an enterprise network, according to some aspects of the present disclosure. Initially, an intended SC may be expressed by a user (e.g., "Apply Firewall Service and Intrusion Detection System (IDS) Service to Network Traffic from Branch 1 to Branch 2").
[0051] Based on this intent-based SC, FW Service 304 and IDS Service 306 may be deployed within SC-Hub 302. SC-Hub 302 can be an on-premise site, a cloud-based site (e.g., on Amazon Web Services), a Software Defined Cloud Interconnect (SDCI) site, etc. In this instance, an SC is defined with FW Service 304 and IDS Service 306 as the underlying services.
[0052] SC-Hub 302 may have a Hub 308 (which may also be referred to as a cEdge) acting as a gateway/switch. SC-Hub 302 may have more than one Hub 308. The SC (consisting of FW Service 304 and IDS Service 306) may be configured on Hub 308 and then advertised to vSmart 310 (vSmart 310 may be any one of the network appliances described with reference to FIG. 1, including, but not limited to, one or more of control plane network appliances 132).
[0053] Next, the SC may be advertised by vSmart 310 to Branch 1 312. In response, network traffic originating from Branch 1 312 and destined for Branch 2 314 may be steered towards SC-Hub 302, where FW Service 304 and IDS Service 306 may be applied to (executed on) data packets (network traffic) from Branch 1 312. Thereafter, data packets to which FW Service 304 and IDS Service 306 have been applied are forwarded to Branch 2 314.
[0054] In the example of FIG. 3, FW Service 304 and IDS Service 306 are two abstract service types grouped and sequenced into an abstract SC-type. A service type may be selected from a group of defined service types (e.g., FW service, IDS service, Flow Analyzer service, WAN optimizer service, etc.). Similarly, an SC-type may be selected from a defined namespace (e.g., an SC consisting of FW Service 304 and IDS Service 306 may be given SC-type SC1). Analogous to an IP address, the group of service types and/or SC-types may be expanded with new services and/or SCs, and existing ones may be modified or deleted. In the example of FIG. 3, SC1 is reachable from SC-HUB 302 and hence may be advertised as SC1 just like an IP address. As noted, traffic from Branch 1 312 destined for Branch 2 314 that needs to be service chained by SC1 will automatically be steered to SC-HUB 302 (e.g., over SDWAN 316, which can be the same as example network 100 of FIG. 1) if it is specified in a traffic policy such as the example traffic policy below:
Traffic steering policy format
match <criteria>
action accept
 set service-chain SC1
[0055] An example template for defining an SC may be as follows:
SC template
service-chain <>
 service-chain-vrf <>
 service-chain-description <>
 service <> sequence <>
 service <> sequence <>
[0056] In some examples, a service chain may be defined wherein each service has a hierarchical single construct that embeds all routing requirements for the relevant service in the service chain. Example embodiments of a single construct for a service are described in U.S. Application No. 18/348,065, filed on July 6, 2023, the entire content of which is incorporated herein by reference.
[0057] Using the above template for defining an SC, the following SC for the example of FIG. 3 may be defined:
service-chain SC1
 service-chain-vrf 10
 service-chain-description SC1_t
 service FW Service sequence 100
 service IDS Service sequence 200
[0058] FIG. 4 visually illustrates an example of routable and intent-based service chains applied to network traffic, according to some aspects of the present disclosure. Initially, the system (e.g., via vSmart 310) may receive an intent-based description of one or more services to be applied to a particular type of traffic. An example of such an intent-based description can be: "Apply Firewall & Intrusion Detection System to all traffic to and from enterprise workloads in AWS. For branches in Texas, these workloads are reachable through hub sites in Dallas & Austin," where AWS stands for Amazon Web Services.
[0059] In the example of FIG. 4, Branch 1 402 may be in Texas and AWS-WL1 404 may be a cloud-based workload with address IP1. Branch 1 402 may be connected to AWS via middle-mile sites (e.g., provided by an SDCI provider). Examples of such middle-mile sites include SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408. Gateways may be available in both Dallas and Austin. AWS-WL1 404 may be reachable from both the Dallas and Austin SDCI sites (e.g., SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408).
[0060] An SC-type for the intent-based description above may be created (SC1_t 410). SC1_t 410 may include a firewall service (FW 412) and an IDS service (IDS 414), which may be instantiated in both Dallas and Austin.
[0061] During instantiation, service instances FW1 418 and FW2 424 (of abstract type FW) as well as service instances IDS1 420 and IDS2 426 (of abstract type IDS) are brought up at SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408 as shown in FIG. 4. FW1 418 and IDS1 420 are shown as part of one instance at Dallas (e.g., SC1-Dallas 416) while FW2 424 and IDS2 426 are shown as part of another instance at Austin (e.g., SC1-Austin 422).
[0062] In one example, a service instance may be brought up in a specified location for specified provider(s) and/or vendor account(s), while in other examples, service instance bring-up does not happen as part of instantiation. In examples where service instance bring-up does not happen as part of the instantiation, all that is used to route network traffic to a service is the IP of the service instance and a route towards the service instance.
[0063] Furthermore, during instantiation, networking parameters toward the service instances (e.g., SC1-Dallas 416 and SC1-Austin 422) are specified in the service instances. In one example, only the networking is specified inside the instance and hence the services can be in any location (e.g., in SC-HUB_SDCI_DALLAS 406, SC-HUB_SDCI_AUSTIN 408, in another SDCI, in cloud network VPCs/VNETs, in an on-premise network component, etc.). An example configuration of SC1_t 410 may be downloaded by vSmart 310 (or alternatively by a vManage or any other network control appliance) to SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408:
service-chain SC1
 service-chain-vrf 10
 service-chain-description SC1_t
 service FW sequence 100
 service IDS sequence 200
[0064] With networking parameters specified and SC1-Dallas 416 and SC1-Austin 422 downloaded at SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408, respectively, as described above, SC1_t 410 may be advertised by SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408 through OMP to vSmart 310.
[0065] In one example, a centralized data policy can be specified in vSmart 310 for steering network traffic. In other example embodiments, any known or to be developed control policy and/or localized policy may be used, as desired. Once an appropriate policy is applied, vSmart 310 may resolve the policy action such that traffic from Branch 1 402 to AWS-WL1 404 is routed through Dallas and Austin. In one example, the routing through Dallas and Austin (e.g., SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408) may be performed based on Equal Cost Multi-Path (ECMP) routing.
[0066] Finally, a traffic steering policy may be created and placed anywhere in the network such that any data packet/network traffic to which SC1 is applicable is routed towards the SC (e.g., one of SC1-Dallas 416 at SC-HUB_SDCI_DALLAS 406 or SC1-Austin 422 at SC-HUB_SDCI_AUSTIN 408). An example traffic steering policy may be as shown below in relation to the non-limiting example of FIG. 4:
policy
 data-policy DP_BRANCH_TO_AWS
  vpn-list VPN_ALL
   sequence 10
    match
     destination-prefix-list PFX_LIST_AWS_WL1_IP1
    !
    action accept
     set service-chain SC1
    !
   default-action drop
apply-policy
 site-list SITE_Branch1
  data-policy DP_BRANCH_TO_AWS from-service
[0067] FIG. 5 illustrates an example process for steering network traffic to routable and intent-based service chains according to some aspects of the present disclosure. The process of FIG. 5 will be described from the perspective of a network controller appliance such as network controller appliance 132, which as described above can be a vSmart, a vManage, etc. However, example embodiments are not limited thereto, and the same process can be performed by any other network appliance (e.g., network management appliance 122, etc.). Although the example routine depicts a particular sequence of operations, the sequence may be altered without departing from the scope of the present disclosure. For example, some of the operations depicted may be performed in parallel or in a different sequence that does not materially affect the function of the routine. In other examples, different components of an example device or system that implements the routine may perform functions at substantially the same time or in a specific sequence.
[0068] According to some examples, the method includes receiving an intent-based description of one or more services to be applied to network traffic at block 502. In some examples, such an intent-based description can identify the desired services along with one or more network hubs and the network traffic origin and destination; the one or more services can include at least one of a firewall service, an intrusion detection system service, a flow analyzer service, etc., as described above. In some examples, the one or more network hubs may not be specified but may then be determined by network controller appliance 132 based on various network and load balancing conditions (e.g., proximity to the network traffic origin and/or destination).
[0069] According to some examples, the method includes defining a type for a service chain that includes the one or more services based on the intent-based description at block 504. In some examples, network controller appliance 132 may determine the desired services expressed in the intent-based description by analyzing the intent-based description using any known or to be developed language processing models. In some examples, intent-based description may be provided via voice command. Accordingly, processing thereof may be performed using any known or to be developed speech processing techniques.
[0070] In some examples, a determined type may be as described above (e.g., SC1_t 410). The type may serve as an address (analogous to an IP address) for the service chain, thereby making the service chain easily routable for routing the network traffic to and from the one or more services included in the service chain. As noted above, a type for a service chain may be selected from a group of defined service chain types.
[0071] According to some examples, the method includes implementing the service chain at one or more network hubs at block 506. In some examples, implementing the service chain at one or more network hubs includes instantiating the service chain at each of the one or more network hubs (e.g., as described above with reference to FIGs. 3 and 4). In some examples, instantiating the service chain includes generating a configuration for the service chain and downloading the configuration at each of the one or more network hubs. This may be performed as described above with reference to FIG. 4.
[0072] The service chain can be implemented at at least two network hubs (e.g., SC-HUB_SDCI_DALLAS 406 and SC-HUB_SDCI_AUSTIN 408). Therefore, the network traffic can be steered to any one of the two network hubs based on Equal Cost Multi-Path (ECMP) routing.
[0073] According to some examples, the method further includes implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services at block 508. In some examples, network controller appliance 132 may implement the traffic steering policy by generating the traffic steering policy and sending the traffic steering policy to one or more network routers (and/or any other component in network 100 through which data packets associated with the network traffic may traverse) for steering the network traffic (1) to the one or more network hubs (to be serviced by the one or more services) and (2) to one or more intended destination after the network traffic is serviced by the one or more services.
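The steps of blocks 502 to 508 (SC-type definition, instantiation at the hubs, OMP advertisement and the data policy with ECMP resolution), carried through as an added Python model; it is not Cisco's code or part of the disclosure. The names SC1, SC1_t, VRF 10, the hub names and the policy shape come from the description above, while the classes, the constructed prefix 10.50.0.0/16 standing in for AWS-WL1 and the SHA-256 flow hash used for ECMP selection are assumptions made here.

```python
"""Model of routable, intent-based service chains (added illustration, not Cisco's code)."""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field

# Defined group of abstract service types a service may be selected from ([0054]).
SERVICE_TYPES = {"FW", "IDS", "FLOW_ANALYZER", "WAN_OPT"}


@dataclass
class ServiceChainType:
    """An SC-type: a routable name such as SC1 plus its ordered abstract services."""
    name: str
    vrf: int
    description: str
    services: list[tuple[str, int]]  # (abstract service type, sequence number)

    def render_config(self) -> str:
        """Render the template the controller downloads to each hub ([0057], [0063])."""
        unknown = {svc for svc, _ in self.services} - SERVICE_TYPES
        if unknown:
            raise ValueError(f"service types outside the defined group: {sorted(unknown)}")
        lines = [
            f"service-chain {self.name}",
            f" service-chain-vrf {self.vrf}",
            f" service-chain-description {self.description}",
        ]
        for svc, seq in sorted(self.services, key=lambda s: s[1]):
            lines.append(f" service {svc} sequence {seq}")
        return "\n".join(lines)


@dataclass
class DataPolicySequence:
    """One 'sequence N / match destination-prefix-list / set service-chain' entry."""
    seq: int
    dst_prefixes: list[str]
    service_chain: str


@dataclass
class Controller:
    """vSmart-like controller: collects SC-type advertisements and resolves the policy."""
    site_list: set[str]                          # sites the data-policy is applied to
    sequences: list[DataPolicySequence]
    advertised: dict[str, set[str]] = field(default_factory=dict)  # SC-type -> hubs

    def receive_omp_advertisement(self, hub: str, sc_type: str) -> None:
        """A hub advertises, like an IP prefix, that sc_type is reachable through it ([0064])."""
        self.advertised.setdefault(sc_type, set()).add(hub)

    def resolve(self, src_site: str, dst_ip: str, flow_key: str) -> str | None:
        """Return the hub that should service this flow, or None for default-action drop.

        Sequences are evaluated in order and the first match wins. A matched SC-type
        that no hub advertises yields None, so traffic is dropped rather than forwarded
        unserviced (fail closed). With several hubs, a hash of the flow key selects one
        deterministically, standing in for ECMP (assumption: real ECMP hashes the 5-tuple).
        """
        if src_site not in self.site_list:
            return None
        dst = ipaddress.ip_address(dst_ip)
        for entry in sorted(self.sequences, key=lambda e: e.seq):
            if any(dst in ipaddress.ip_network(p) for p in entry.dst_prefixes):
                hubs = sorted(self.advertised.get(entry.service_chain, ()))
                if not hubs:
                    return None
                digest = hashlib.sha256(flow_key.encode()).digest()
                return hubs[int.from_bytes(digest[:4], "big") % len(hubs)]
        return None


def instantiate_at_hubs(sc: ServiceChainType, hubs: list[str], ctrl: Controller) -> dict[str, str]:
    """Block 506: download the SC config to each hub; each hub then advertises the SC-type."""
    downloaded = {}
    for hub in hubs:
        downloaded[hub] = sc.render_config()
        ctrl.receive_omp_advertisement(hub, sc.name)
    return downloaded


def build_fig4_example() -> Controller:
    """Wire up the FIG. 4 scenario: SC1 at Dallas and Austin, Branch 1 traffic to AWS-WL1."""
    sc1 = ServiceChainType("SC1", 10, "SC1_t", [("FW", 100), ("IDS", 200)])
    ctrl = Controller(
        site_list={"Branch1"},
        # 10.50.0.0/16 is a constructed stand-in for the PFX_LIST_AWS_WL1_IP1 prefix list.
        sequences=[DataPolicySequence(10, ["10.50.0.0/16"], "SC1")],
    )
    instantiate_at_hubs(sc1, ["SC-HUB_SDCI_DALLAS", "SC-HUB_SDCI_AUSTIN"], ctrl)
    return ctrl


if __name__ == "__main__":
    ctrl = build_fig4_example()
    print(ctrl.resolve("Branch1", "10.50.1.7", "10.1.0.5:40000->10.50.1.7:443/tcp"))
```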
[0074] FIG. 6 shows an example of a computing system, according to some aspects of the present disclosure. Computing system 600 can be for example any computing device making up network 100 such as network controller appliances 132, network management appliances 122, and/or any component thereof in which the components of the system are in communication with each other using connection 602. Connection 602 can be a physical connection via a bus, or a direct connection into processor 604, such as in a chipset architecture. Connection 602 can also be a virtual connection, networked connection, or logical connection.
[0075] In some embodiments, computing system 600 is a distributed system in which the functions described in this disclosure can be distributed within a datacenter, multiple data centers, a peer network, etc. In some embodiments, one or more of the described system components represents many such components each performing some or all of the function for which the component is described. In some embodiments, the components can be physical or virtual devices.
[0076] Example computing system 600 includes at least one processing unit (CPU or processor) 604 and connection 602 that couples various system components, including system memory 608, such as read-only memory (ROM) 610 and random access memory (RAM) 612, to processor 604. Computing system 600 can include a cache of high-speed memory 606 connected directly with, in close proximity to, or integrated as part of processor 604.
[0077] Processor 604 can include any general purpose processor and a hardware service or software service, such as services 616, 618, and 620 stored in storage device 614, configured to control processor 604, as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Processor 604 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.
[0078] To enable user interaction, computing system 600 includes an input device 626, which can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech, etc. Computing system 600 can also include output device 622, which can be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input/output to communicate with computing system 600. Computing system 600 can include communication interface 624, which can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement, and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
[0079] Storage device 614 can be a non-volatile memory device and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs), read-only memory (ROM), and/or some combination of these devices.
[0080] The storage device 614 can include software services, servers, services, etc., such that when the code that defines such software is executed by the processor 604, it causes the system to perform a function. In some embodiments, a hardware service that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 604, connection 602, output device 622, etc., to carry out the function.
[0081] In summary, the present disclosure is directed to making service chains routable and intent-based within an enterprise network. In one aspect, a method for simplifying steering of network traffic includes receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more services included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
[0082] For clarity of explanation, in some instances, the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
[0083] Any of the steps, operations, functions, or processes described herein may be performed or implemented by a combination of hardware and software services or services, alone or in combination with other devices. In some embodiments, a service can be software that resides in memory of a client device and/or one or more servers of a content management system and perform one or more functions when a processor executes the software associated with the service. In some embodiments, a service is a program or a collection of programs that carry out a specific function. In some embodiments, a service can be considered a server. The memory can be a non-transitory computer-readable medium.
[0084] In some embodiments, the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
[0085] Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer-readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The executable computer instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, solid-state memory devices, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
[0086] Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include servers, laptops, smartphones, small form factor personal computers, personal digital assistants, and so on. The functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
[0087] The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
[0088] Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.
[0089] Claim language or other language reciting “at least one of” a set and/or “one or more” of a set indicates that one member of the set or multiple members of the set (in any combination) satisfy the claim. For example, claim language reciting “at least one of A and B” or “at least one of A or B” means A, B, or A and B. In another example, claim language reciting “at least one of A, B, and C” or “at least one of A, B, or C” means A, B, C, or A and B, or A and C, or B and C, or A and B and C. The language “at least one of” a set and/or “one or more” of a set does not limit the set to the items listed in the set. For example, claim language reciting “at least one of A and B” or “at least one of A or B” can mean A, B, or A and B, and can additionally include items not listed in the set of A and B.

CLAIMS

What is claimed is:
1. A method for simplifying steering of network traffic, the method comprising: receiving an intent-based description of one or more services to be applied to the network traffic; defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implementing the service chain at one or more network hubs; and implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
2. The method of claim 1, wherein the type is selected from a group of service chain types.
3. The method of claim 1 or 2, wherein the intent-based description identifies the one or more network hubs, and implementing the service chain includes instantiating the service chain at each of the one or more network hubs.
4. The method of claim 3, wherein instantiating the service chain comprises: generating a configuration for the service chain; and downloading the configuration at each of the one or more network hubs.
5. The method of any of claims 1 to 4, wherein implementing the traffic steering policy comprises: generating the traffic steering policy; and sending the traffic steering policy to one or more network routers for steering the network traffic (1) to the one or more network hubs; and (2) to one or more intended destination after the network traffic is serviced by the one or more services.
6. The method of any of claims 1 to 5, wherein the service chain is implemented at at least two network hubs, and the network traffic is steered to one of the two network hubs based on Equal Cost MultiPath (ECMP) routing.
7. The method of any of claims 1 to 6, wherein the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service.
8. A network controller comprising: one or more memories having computer-readable instructions stored therein; and one or more processors configured to execute the computer-readable instructions to: receive an intent-based description of one or more services to be applied to network traffic; define a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implement the service chain at one or more network hubs; and implement a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
9. The network controller of claim 8, wherein the type is selected from a group of service chain types.
10. The network controller of claim 8 or 9, wherein the intent-based description identifies the one or more network hubs, and the network controller is configured to implement the service chain by instantiating the service chain at each of the one or more network hubs.
11. The network controller of claim 10, wherein the network controller is configured to instantiate the service chain by: generating a configuration for the service chain; and downloading the configuration at each of the one or more network hubs.
12. The network controller of any of claims 8 to 11, wherein the network controller is configured to implement the traffic steering policy by: generating the traffic steering policy; and sending the traffic steering policy to one or more network routers for steering the network traffic (1) to the one or more network hubs; and (2) to one or more intended destination after the network traffic is serviced by the one or more services.
13. The network controller of any of claims 8 to 12, wherein the service chain is implemented at at least two network hubs, and the network traffic is steered to one of the two network hubs based on Equal Cost MultiPath (ECMP) routing.
14. The network controller of any of claims 8 to 13, wherein the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service.
15. One or more non-transitory computer-readable media comprising computer-readable instructions, which when executed by one or more processors of a network controller, cause the network controller to: receive an intent-based description of one or more services to be applied to network traffic; define a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more service included in the service chain; implement the service chain at one or more network hubs; and implement a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
16. The one or more non-transitory computer-readable media of claim 15, wherein the intent-based description identifies the one or more network hubs, and the execution of the computer-readable instructions causes the network controller to implement the service chain by instantiating the service chain at each of the one or more network hubs.
17. The one or more non-transitory computer-readable media of claim 16, wherein the execution of the computer-readable instructions causes the network controller to instantiate the service chain by: generating a configuration for the service chain; and downloading the configuration at each of the one or more network hubs.
18. The one or more non-transitory computer-readable media of any of claims 15 to 17, wherein the execution of the computer-readable instructions causes the network controller to implement the traffic steering policy by: generating the traffic steering policy; and sending the traffic steering policy to one or more network routers for steering the network traffic (1) to the one or more network hubs; and (2) to one or more intended destinations after the network traffic is serviced by the one or more services.
19. The one or more non-transitory computer-readable media of any of claims 15 to 18, wherein the service chain is implemented at at least two network hubs, and the network traffic is steered to one of the two network hubs based on Equal Cost MultiPath (ECMP) routing.
20. The one or more non-transitory computer-readable media of any of claims 15 to 19, wherein the one or more services include at least one of a firewall service, an intrusion detection system service, and a flow analyzer service.
21. Apparatus for simplifying steering of network traffic, the apparatus comprising: means for receiving an intent-based description of one or more services to be applied to the network traffic; means for defining a type for a service chain that includes the one or more services based on the intent-based description, the type serving as an address for the service chain for routing the network traffic to and from the one or more services included in the service chain; means for implementing the service chain at one or more network hubs; and means for implementing a traffic steering policy in the network for steering the network traffic to the one or more network hubs to be serviced by the one or more services.
22. The apparatus according to claim 21 further comprising means for implementing the method according to any of claims 2 to 7.
23. A computer program, computer program product or computer readable medium comprising instructions which, when executed by a computer, cause the computer to carry out the steps of the method of any of claims 1 to 7.
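The controller workflow the claims describe (an intent-based description comes in, a type is defined that serves as the chain's address, the chain is instantiated by configuration on each hub, routers receive a steering policy, and traffic is spread across hubs by ECMP) is modelled below as an added Python example. It is not the patent's or Cisco's code; the data layout, the names Intent, ServiceChain, define_chain_type, generate_hub_configs, generate_steering_policy and select_hub_ecmp, and the sample prefixes and hub names are this example's own assumptions.

```python
"""Toy model of an intent-driven service-chain controller (added example, not the patent's code)."""
from dataclasses import dataclass
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# The services the claims name: firewall, intrusion detection, flow analyzer.
SUPPORTED_SERVICES = ("firewall", "ids", "flow-analyzer")


@dataclass(frozen=True)
class Intent:
    """Intent-based description: which services, hosted where, for which traffic.
    Field names are this example's assumptions, not the patent's."""
    services: Tuple[str, ...]   # ordered services the traffic must traverse
    hubs: Tuple[str, ...]       # network hubs that will host the chain
    src_prefix: str             # traffic selector: source prefix
    dst_prefix: str             # traffic selector: destination prefix


@dataclass(frozen=True)
class ServiceChain:
    chain_type: str             # the "type": used as the routable address of the chain
    services: Tuple[str, ...]
    hubs: Tuple[str, ...]


def validate_intent(intent: Intent) -> None:
    """Reject unknown services, empty hub sets and malformed selectors before anything is pushed."""
    if not intent.services:
        raise ValueError("intent names no services")
    unknown = [s for s in intent.services if s not in SUPPORTED_SERVICES]
    if unknown:
        raise ValueError(f"unsupported services: {unknown}")
    if not intent.hubs:
        raise ValueError("intent names no hubs to host the chain")
    ipaddress.ip_network(intent.src_prefix)
    ipaddress.ip_network(intent.dst_prefix)


def define_chain_type(intent: Intent) -> ServiceChain:
    """Derive the type from the ordered service list. Deterministic, so every hub and
    router handling the same intent resolves the same address for the chain."""
    validate_intent(intent)
    digest = hashlib.sha256("/".join(intent.services).encode()).hexdigest()[:8]
    return ServiceChain(chain_type=f"sc-{digest}", services=intent.services, hubs=intent.hubs)


def generate_hub_configs(chain: ServiceChain) -> Dict[str, dict]:
    """One configuration per hub: the same chain is instantiated at each hub."""
    return {
        hub: {
            "chain_type": chain.chain_type,
            "services": list(chain.services),  # traversal order
            "after_last_service": "forward-to-original-destination",
        }
        for hub in chain.hubs
    }


def generate_steering_policy(intent: Intent, chain: ServiceChain) -> List[dict]:
    """Router-side policy: unserviced matching traffic is steered to the chain's address
    with all hubs as equal-cost next hops; serviced traffic goes to its destination."""
    selector = {"src": intent.src_prefix, "dst": intent.dst_prefix}
    return [
        {"match": {**selector, "serviced": False}, "action": "steer",
         "to": chain.chain_type, "next_hops": list(chain.hubs)},
        {"match": {**selector, "serviced": True}, "action": "forward-to-destination"},
    ]


def select_hub_ecmp(chain: ServiceChain, flow: Tuple[str, str, int, int, str]) -> str:
    """Pick one hub for a flow by hashing its 5-tuple. Hashing keeps every packet of a
    flow on the same hub, which a stateful firewall or IDS on that hub depends on."""
    key = "|".join(map(str, flow)).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(chain.hubs)
    return chain.hubs[idx]


def provision(intent: Intent):
    """Whole controller flow: intent -> chain type -> hub configs -> steering policy."""
    chain = define_chain_type(intent)
    return chain, generate_hub_configs(chain), generate_steering_policy(intent, chain)


# Constructed sample intent (not from the patent): firewall then IDS on two hubs.
SAMPLE_INTENT = Intent(services=("firewall", "ids"), hubs=("hub-east", "hub-west"),
                       src_prefix="10.1.0.0/16", dst_prefix="10.2.0.0/16")

if __name__ == "__main__":
    chain, configs, policy = provision(SAMPLE_INTENT)
    print(chain.chain_type, sorted(configs), policy[0]["next_hops"])
    print(select_hub_ecmp(chain, ("10.1.2.3", "10.2.4.5", 40000, 443, "tcp")))
```

Two details carry the security weight of the model. The type is derived from the ordered service list, so a chain that runs the IDS before the firewall gets a different address than one that runs them the other way round, and routers cannot silently steer to the wrong variant. Hub selection hashes the full 5-tuple rather than picking per packet, because a stateful inspection service only sees the flow it was meant to inspect if the ECMP decision is stable for that flow.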
PCT/US2024/024150 2023-04-11 2024-04-11 Routable and intent-based service chains Ceased WO2024215943A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP24726786.7A EP4695955A1 (en) 2023-04-11 2024-04-11 Routable and intent-based service chains

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
IN202341026925 2023-04-11
US18/356,853 2023-07-21
US18/356,853 US20240348549A1 (en) 2023-04-11 2023-07-21 Routable and intent-based service chains

Publications (1)

Publication Number Publication Date
WO2024215943A1 true WO2024215943A1 (en) 2024-10-17

Family

ID=91129860

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2024/024150 Ceased WO2024215943A1 (en) 2023-04-11 2024-04-11 Routable and intent-based service chains

Country Status (2)

Country Link
EP (1) EP4695955A1 (en)
WO (1) WO2024215943A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160344565A1 (en) * 2015-05-20 2016-11-24 Cisco Technology, Inc. System and method to facilitate the assignment of service functions for service chains in a network environment
US20170019335A1 (en) * 2015-07-14 2017-01-19 Microsoft Technology Licensing, Llc Highly Available Service Chains for Network Services
US20170310611A1 (en) * 2016-04-26 2017-10-26 Cisco Technology, Inc. System and method for automated rendering of service chaining
US20200272501A1 (en) * 2019-02-22 2020-08-27 Vmware, Inc. Specifying service chains

Also Published As

Publication number Publication date
EP4695955A1 (en) 2026-02-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24726786

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2024726786

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2024726786

Country of ref document: EP

Effective date: 20251111

WWP Wipo information: published in national office

Ref document number: 2024726786

Country of ref document: EP