BR102019001963A2 - USING SHARED RESOURCES - Google Patents

Abstract

using shared resources a system and method to provide private instances of shared resources using vxlan technology is disclosed, the system consists of a private manageable lan (mlan), a separate virtual lan (vlan) to place resources to be shared, and instances (replicas) of shared resources located on a customer's private network.

Description

USING SHARED RESOURCES CROSS REFERENCE TO ANOTHER PATENT APPLICATION

This patent application claims the priority of U.S. patent application 15/688366, filed on August 28, 2017. The aforementioned patent application is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

[002] The technical field is Virtual Computing and how to provide private examples of shared resources.

BACKGROUND OF THE INVENTION

[003] The scale of cloud services continues to expand. What has already been “good enough” via QinQ cloud implementations (up to 1,048,576 devices / networks) has been supplanted by VxLAN technology, which has the capacity of 16,777,216 networks * 16,777,216 devices. This points the way for the deployment of IPV6 with expanded addressing capability and provides a path for the IoT to be deployed. There are three main advantages for VxLAN: a) increased address space and scalability because VxLAN has 24 bits versus 12 with VLANs in the tag associated with VxLAN, b) The Virtual Layer 2 network is on a completely different network than the physical Layer network 2. This allows the layer 2 network to be extended to a different location, c) isolation / security provided by having each Virtual Terminal Point along the way providing tag encryption at each point along the way, while maintaining the “load” useful ”, from Layer 2 encryption.

[004] Although much has been disclosed about VxLAN, what has not been disclosed is how industry-level cloud providers can provide private instances of shared resources. This is especially complicated because it is easy, trivial and known to anyone experienced in the art, it is like providing private “human scale” instances - use the hypervisor (A hypervisor, or virtual machine monitor, is software, firmware or hardware that creates and runs virtual machines) to provide private instances. Every primary hypervisor has the ability to provide private instances on a virtual machine. What 20 will be taught in this patent disclosure is how to do the same thing that a hypervisor does with virtual machines using a cluster of physical machines on a scale that corresponds to the enhanced VxLAN addressing capabilities.

[005] In the field of VxLAN networks (VxLAN), a system is used to isolate customers within individual private networks, as long as they have conforming equipment (virtual or physical) to meet the specifications, which are governed by IETF standards. The key component is a VTEP (Virtual Transmission Endpoint) to provide new encryption when it leaves the network, a firewall that prevents unauthorized packets from entering the network and a router to provide a route to another customer-controlled network with a VTEP .

[006] What is described here is the use of networking and virtualization concepts in a large grouped system to be able to dynamically allocate private instances of shared resources to 10 users.

[007] In this case, the term "computing device" refers to any electronic device with a processor and means for storing data. And as used here, the term "network connection" refers to any means of allowing a plurality of computing devices to communicate. In addition, the term “trunked” used here refers to programmatically linking multiple network connections together to create redundancy and increased bandwidth over a single logical connection. The term “packet network” refers to a message formatted in the form of packets transmitted over a network. The term "hardware source" refers to a networked computing device. The term "virtual resource" refers to an allocation on a networked computing device that refers to a virtual representation of a computing device or software application, such as a database. Used here, the term "Manageable LAN", sometimes called "MLAN", refers to a LAN containing hardware or virtual resources used exclusively for the startup, configuration, and maintenance of other LANs. Used here, the term "data center ”refers to complex central storage containing a multitude of servers and network routing hardware. A“ traditional data center ”is a data center lacking virtualization. The term“ firewall / vtep / virtual router ”refers to a virtual implementation of a firewall / vtep / router with a virtual Ethernet port. The one used here, the term, “maintenance” refers to maintaining a functioning network resource.

SUMMARY OF THE INVENTION

[008] A computer program system, method and product is disclosed here to provide private instances of shared resources using VxLAN standards. A virtual and / or physical network contains a Manageable LAN (MLAN) and several customer networks nested in a higher level network. The MLAN contains at least one physical or virtual firewall / vtep / router combination. Each customer network contains a combination of firewall / vtep / router as well as a number of physical hardware machines and virtual machines maintained by the management system. The customer's network appears as a separate normal network for the customer.

[009] The system itself connects a plurality of computer systems as a clustered system through a switched loop communications link. All storage devices in the system can be clustered to create a distributed file system, which makes the drives appear to be a giant pool of space in which any particular virtual machine can be contained anywhere.

[010] The one described here is a method for sharing a network resource, physical or virtual, between a plurality of network clients. Private instances of shared resources can be contained in one or more customer networks.

[011] In the preferred embodiment, a system for organizing and managing private instances of shared resources is disclosed. The system comprises at least one network switch and at least one computing device. The computing device includes at least one manageable console interface with at least one client, at least one network connection and at least one storage device. The storage device contains software capable of starting and maintaining a Manageable LAN (MLAN) comprising a firewall and a plurality of Virtual LANs (VLANs), in which each client network comprises a virtual firewall and a plurality of network resources. The plurality of network resources are virtual resources determined and allocated through a selection mechanism using at least one resource factor, in at least one computing device capable of working in a network. A private network for the network of shared resources of the management system is provided, and replicas of the virtual machine are provided on the customer's network through a virtual connection through which the customer cannot network. It is like a “unidirectional mirror”, because it is completely visible and completely invisible to the management system and cannot be networked from a customer perspective. It is used to keep customers separate.

[012] In the preferred embodiment, a method for organizing and managing private instances of shared resources is disclosed. The method comprises the initialization of a Managed LAN (MLAN) that comprises a combination of firewall / vtep / router, adding a plurality of Virtual LANs (VLANs), in which each client network comprises a virtual combination of firewall / vtep / router and a plurality of network resources; maintenance of MLAN networks and customers. A private network for the network of shared resources of the management system is provided and replicas of the virtual machine are provided on the customer's network via a virtual wire that the customer cannot network. It is like a “unidirectional mirror”, because it is completely visible and completely invisible to the management system and unable to be connected from a customer's perspective. It is used to keep customers separate.

BRIEF DESCRIPTION OF THE DRAWINGS

[013] The detailed description is described with reference to the attached figures. In the figures, the leftmost digit (s) of a reference number, identifies the figure in which the reference number appears first. The same numbers are used throughout the drawings to refer to features and components:

[014] FIG. 1 is a block diagram of the hardware used in the system;

[015] FIG. 2 demonstrates reaching shared resources through firewall / vtep / private and non-editable routers;

[016] FIG. 3 demonstrates reaching shared resources across multiple ports on a shared firewall / vtep / router resource;

[017] FIG. 4 illustrates the tag structure for both VxLAN and QinQ tags before they are removed by the management system and the resulting unidentified information is placed in the customer's virtual data center;

[018] FIG. 5 demonstrates a system for organizing and managing private instances of shared resources;

[019] FIG. 6 demonstrates a method for organizing and managing private instances of shared resources.

DETAILED DESCRIPTION

[020] With reference to FIG. 1, system 100 comprises a plurality of redundant sets of low-cost storage nodes (RAIDS) 101a - 101f, a plurality of solid state storage nodes 102a - 102c, a plurality of processing nodes 103a -103g, a plurality network connections 104a - 104g, and a plurality of network switches 105a - 105b. Storage nodes 101a - 101f are redundant in high-level storage. Storage nodes 101a and 101b form a pair, 101c and 101d form a pair and 101e and 101f form a pair. Solid State Disks (SSDs) are used for databases and high capacity disk operations on nodes 102a - 102f. SSDs 102a and 102b pair, 102c and 102d pair and 102e and 102f pair. Each processing node 103a through 103g contains 2 or more multi-core processors. In this embodiment, network connections 104a through 104g are shown as a network switch, but any embodiment can have any transport mechanism.

[021] In additional embodiments, network connections 104 may use more or less connections and use other protocols. Network switch 105a can be a switch, such as an Ethernet switch, depending on which protocol network connections 104 use; The network switch 105b can be a switch such as an Ethernet switch used to communicate outside the network. The switches are resettable to add networks at a granular level. Switches can natively support VLANs, which allow out-of-the-box VLANs. All client tags are handled by processing nodes 103. An extraordinary skill in the relevant art will recognize that the number of components shown in FIG. 1 is for illustration only and may be more or less in current implementations.

[022] With reference to FIG. 2, the 2100 network is a top-level network used as a Managed LAN, or MLAN, containing the firewall / vtep / router 2101 started by the storage server. The MLAN 2100 is responsible for the initialization, configuration and maintenance of all customer networks in the 100 system, as well as shared resource networks and physical networks in the system. The firewall / vtep / router 2101 has 3 ports, one connected to the MLAN 2100, one connected to the upper layer network 2300 (“VLAN 0”) and one connected to the network 2200, the network of shared resources. The upper layer network 2300 contains several 2310 client networks, all with their own firewall / vtep / router, 2311.

[023] A person skilled in the relevant art will recognize that the element numbers represented in FIG. 2 are exemplary only. Each upper layer network can contain up to 255 or 4,095 customer networks (depending on the supplier and the price chosen). There are also VxLAN devices available that allow up to 16,777,216 networks other than 16,777,216 devices per network, having a special “tag”. All tags are removed by the management system before being placed in a customer's virtual data center. At startup, each storage node 101 contacts each of the other storage nodes to find out whether or not any of them started the boot process by creating a manageable firewall / vtep / router 2101, a boot server, and a management console 2102 If none of the other nodes have started the process yet, the ping node starts the process. Initially, the managed firewall / vtep / router 2101 starts. If the MLAN 2100 is routed through a firewall / vtep / virtual router, storage nodes 101 will need to initially perform the process that starts managing the firewall / vtep / router. This does not prevent a firewall / vtep / router hardware for the MLAN 2100, but in this mode only servers and switches are needed and the same underlying structures that provide redundancy and availability for servers can provide high availability for firewall / vtep / routers and routers in one virtual environment.

[024] In the preferred embodiment, a group of storage servers can initiate redundant copies of the firewall / vtep / router 2101. Each instance of the firewall / vtep / router will have the same MAC address and network assignment for any connected Ethernet ports. Using normal routing schemes, this can cause a bank of switches to route packets to different firewall / vtep / routers depending on the connection source, but this will have no negative effects if the network devices in question still have the same settings and information routing.

[025] Private instances of shared resources go through a normal boot process. After a command to start a private instance of shared resources is issued (by a system-wide boot, the client start command or other system need), the management console takes the initial request and queries the data source of the available processing nodes. Once selected, by the mechanism mentioned above; this private instance of shared resources creates an Ethernet device connected to the upper layer network or the nested network to which the private instance of shared resources connects. Unlike normal Ethernet devices, this network device does not receive an IP address or any routing information. The physical server itself does not respond and does not actually see any packets received from that interface. The physical device is mapped directly to a virtual device, giving access to the virtual machine to a network completely separate from the physical machine. After the appropriate network devices are added to a processing node, management console 2102 then queries its data source and connects to the client's hidden firewall / vtep / router.

[026] At startup of the private instance of shared resources, a rule is included to provide the customer with console access to a web interface to the 2102 management console. This gives customers the ability to access the private instance of shared resources as if were on the keyboard of a physical machine. From the web interface of the client's secure management console, they can control the screen, keyboard and mouse inputs of their private instances of shared resources.

[027] When a new client is added, they are providing a number of external IPs and a single subnet of their networks. Every possible IP on the subnet is statically assigned to a MAC address that may or may not be used. A 2310 client network is created and the first address on the subnet is assigned to the firewall / vtep / router 2311 on the client network. The firewall / vtep / router contains a DHCP table created when the firewall / vtep / router is initialized to contain the mappings of the MAC addresses pre-registered to the IPs, so that the IP is known as the machine, are added. The customer is provided with a 2001 gateway configured to deliver the customer's network packets directly to the firewall / vtep / virtual router 2311 through an IPSEC tunnel. In addition, network packets from all external traffic are routed directly to the client's firewall / vtep / router 2311. The firewall / vtep / router 2311 has a port connected to a firewall / vtep / router 2318 that receives external traffic through network switch 205b, equivalent to network switch 105b. Traffic from the client through the IPSEC tunnel to the individual client network 2310a, is shown as a dotted line in FIG. 2. The firewall / vtep / router 2311 also has a port connected to its individual client network 2318. In some modalities, an optional port can be used to connect to a replica of shared resources, such as those contained in the 2200 network.

[028] The last subnet address is assigned as management console 2102. Management console 2102 is connected to the main firewall / vtep / router 2101 on the MLAN 2100 and, in some embodiments, is reached via the optional port firewall / vtep / client router. From there the customer can view the network settings and add private instances of shared resources 2312 - 2315. The customer is able to create and be charged for private instances of shared resources on his client network. The client is able to add replicas of private instances of shared resources because they are already on the network, but their MAC / IPs will not be assigned and they are not visible. Private instances of shared resources can be almost any type of solution, such as a Windows or Linux web server, a Voice over IP server, etc. After the model is chosen, a MAC address is assigned from the client firewall / vtep / router 2311 and a model image corresponding to the shared resources of a storage node 101 is obtained and initialized in the storage. Thereafter, the 2102 management console adds the sharing feature to the list of shared resources that need to be run. The next processing node 103 that asks about tasks that need to be performed is assigned to the shared resource. If it is the first shared resource that runs on that specific client network, it will initialize a virtual listening port for that network. Once the private instance of shared resources is connected to the network, the firewall / vtep / router checks its MAC address and assigns it its pre-configured IP address from the DHCP table.

[029] The client can use HTML5 or remote desktop to log in to the newly created virtual machine and view the user's API / GUI as if he were in front of a physical machine with the same image. From there the user can do anything that can be done normally on a physical machine, abstracted from the private instance of shared resources or the fact of being contained in a network running on system 100 in a distant data center. To the user, replicas 2314 - 2315 appear to be like any other physical machine contained in a traditional network subnet.

[030] Customers can access private instances of shared resources on a network of shared resources, such as resources 2202 - 2205 on the 2200 network. In some ways, customers can connect to these resources by configuring the optional port on their firewall / vtep / router 2311 to connect to the IP of the selected shared resource. An empty network is created between the ports of the two firewalls / vtep / routers on both sides as a "virtual wire". It should be noted that the network is "empty" and cannot be connected from the customer's perspective. When viewed from the management system (which the customer cannot access), everything is visible. It is similar to a unidirectional mirror where all the light is reflected when you are on one side of the mirror (it cannot be networked), but it is a transparent piece of glass on the other side (the MLAN side). The rules are configured on the firewalls / vtep / routers at both ends to handle the new traffic. On the client's network side, the firewall / vtep / router 2311 dynamically adds a virtual port to itself and maps the port to a network address table on the client's firewall / vtep / router 2311. If a customer wants to share resources from more than one location, several optional ports can be added. In this situation, the firewall / vtep / router must be temporarily turned off to make the additional connection.

[031] FIG. 3 the shared resources network 3200 and the customer networks 3310 are identical to the shared resource network 2200 and the customer networks 2310, respectively. This figure shows a preferred embodiment that has a separate port on the shared firewall / vtep / router 3201 resource for each incoming connection from networks of 3310 clients trying to use a shared resource 3202 - 3205. A firewall / vtep / router rule is designed for each individual door.

[032] FIG. 4 illustrates the tag structure for QinQ and VxLAN. FIG. 4a is the adequacy of the structure of the QinQ header tag. Components A-G of FIG. 4a are explained individually. The header tag is 22 bytes long. Component A is 6 bytes long and contains the destination address. Component B is 6 bytes long and contains the source address. Component C is 2 bytes long and contains VLAN type 0x8a88. Component D is 2 bytes in size and contains the second VLAN tag. Component E is 2 bytes long and contains VLAN type 0x8a88. Component F is 2 bytes long and contains the first VLAN tag. Component G is 2 bytes long and contains Ethernet type 0x0800. FIG. 4b is a representation of the VxLAN header tag structure. As there are more components in the VxLAN structure, they are broken up into groups. The first group of components called MAC External Header, are components A, B, C, D and G. In total, they are 14 bytes long, with 4 bytes optional or 18 bytes in total. This group is equivalent to the corresponding header tags in the QinQ header tag. Component A is 6 bytes long and contains the destination address. Component B is 6 bytes long and contains the source address. Component E is 2 bytes long and contains VLAN type 0x8100. It is optional. Component F is 2 bytes long and contains the VLAN tag. It is optional. Component G is 2 bytes long and contains Ethernet type 0x0800. The second group of components is called the External Header IPv4 and are H-L components. In total, they are 20 bytes long. Component H is 9 bytes long and contains Miscellaneous Data. Component I is one byte and contains the 0x11 protocol. Component J is 2 bytes long and contains the Checksum Header (Checksum or checksum, is a code used to verify the integrity of data transmitted through a noisy channel or stored in some medium for some time). Component K is 4 bytes long and contains the source IP. Component L is 4 bytes long and contains the destination IP. The third group of components is known as the External Header UPD and are M-P components. In total, they are 8 bytes long. Component M is 2 bytes long and contains the source port. Component N is 2 bytes long and contains the VxLAN port. Component 0 is 2 bytes long and contains the UDP length. Component P is 2 bytes long and contains a Checksum 0x0000. The last and fourth group of components is known as the VxLAN header and are Q-T components. In total they are 8 bytes in length. The Q component is 1 byte long and contains VxLAN flags. Component R is 3 bytes long and is reserved. Component S is 3 bytes long and contains NIV. The T component is one byte long and is reserved. This leaves the Internal Header L2 & Payload (In computing, payload refers to the load of a data transmission) ... unnumbered - a total of 14 bytes or 18 bytes if options are included ... is the address of destination (6 bytes), the source address (6 bytes), VLAN type 0x8100 (2 bytes - optional), VLAN tag (2 bytes-optional) and Ethernet type 0x0800 (2 bytes).

[033] All VLAN, QinQ and VxLAN tags are removed by the management system before being placed inside a customer's virtual data center.

[034] FIG. 5 illustrates a system 500 for organizing and managing private instances of shared resources, in accordance with an embodiment of the present invention. Although the present subject is explained considering that the present invention is implemented in the 500 system, it can be understood that the present invention can also be implemented in a variety of computing systems, such as a laptop, a desktop computer, a notebook, a station a mainframe computer, a server, a network server and the like. It will be understood that the 500 system can be accessed by multiple users or applications residing in the database system. Examples of the 500 system may include, but are not limited to, a portable computer, a personal digital assistant, a hand node, sensors, routers, gateways and a workstation. System 500 is communicatively coupled with each other and / or other nodes or node or devices to form a network (not shown). Examples of the 500 system may include, but are not limited to, a portable computer, a personal digital assistant, a hand node, sensors, 5 routers, gateways and a workstation.

[035] System 500 can include a processor 502, an interface 504 and a memory 506. Processor 502 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuits, and / or any nodes that manipulate signals based on operating instructions. Among other capabilities, at least one processor is configured to search and execute computer-readable instructions or modules stored in 506 memory.

[036] The interface (I / O interface) 504, can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface and the like. The I / O interface can allow the database system, the first node, the second node and the third node to interact directly with a user. In addition, the I / O interface can allow node 504 to communicate with other nodes or nodes, compute nodes, such as web servers and external data servers (not shown). The I / O interface can facilitate various communications over a wide variety of networks and protocol types, including wired networks, for example, GSM, CDMA, LAN, cable, etc., and wireless networks such as WLAN, cellular or satellite . The I / O interface can include one or more ports to connect a number of nodes to 1 other, or to another server. The I / O interface can provide interaction between the user and the 500 system, via a screen or management console provided for the interface.

[037] Memory 506 may include any computer-readable medium known in the art including, for example, volatile memory, such as Static Random Access Memory (SRAM) and Dynamic Random Access Memory (DRAM), and / or non-volatile memory , such as Read-Only Memory (ROM), programmable and erasable ROM, flash memories, hard drives, optical discs and magnetic tapes. Memory 506 may include a plurality of instructions or modules or applications to perform various functions. Memory includes routines, programs, objects, components, data structures, etc., that perform specific tasks or implement specific abstract data types.

[038] In one implementation, a 500 system for organizing and managing private instances of shared resources is released. The system comprises at least one network switch and at least one computing device. The computing device includes at least one 504 management console to interface with at least one client, at least one network connection and at least one storage device. The storage device containing the software is capable of starting and maintaining a Manageable LAN (MLAN) comprising a firewall / vtep / router 508, and a plurality of Virtual LANs (networks) 510, where each customer network comprises a firewall / vtep / router and a plurality of private instances of shared resources. 512 is the use / addition of private instances of shared resources. 514 is changing a private instance of a shared resource.

[039] The 506 storage device (memory) may also include at least one encryption folder configured to store at least encryption keys. The encryption keys are accessible by clients connected via the network switch to the system.

[040] The storage device (memory) 506 can also communicate the determination of the private instances of sharing resources on the connectable computing devices to at least one client connected via a network switch. The storage device (memory) 506 can receive customer information regarding private instances of shared resources.

[041] The 506 storage device (memory) can receive at least one request in the system via the management console, the request is preferably received remotely and preferably associated with rules that limit the request.

[042] FIG. 6 illustrates a method for organizing and manipulating network resources, according to an embodiment of the present subject. The method can be described in the general context of the computer's executable instructions. Generally, executable computer instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform specific functions or implement certain types of abstract data. The method can also be practiced in a distributed computing environment, where functions are performed by remote processing devices that are connected via a communications network. In a distributed computing environment, computer executable instructions can be placed on storage media for local and remote computers, including memory storage devices.

[043] The order in which the method is described is not intended to be interpreted as a delimitation, and any number of the described method blocks can be combined in any order to implement the alternative method or methods. In addition, individual blocks can be excluded from the method without departing from the scope of protection of the subject described here. In addition, the method can be implemented on any appropriate hardware, software, firmware or combination. However, for ease of explanation, in the embodiments described below, the process can be considered implemented in the above described in FIG. 6.

• • No bloco 602, uma LAN Gerenciável (MLAN) compreendendo um firewall/vtep/roteador é inicializada.
• • No bloco 604, uma pluralidade de LANs Virtuais (VLANs) é adicionada. Cada rede de cliente compreende um firewall/vtep/roteador virtual e uma pluralidade de recursos de rede. A pluralidade dos recursos de rede são recursos virtuais determinados e alocados por meio do mecanismo de seleção usando, pelo menos, um fator de recurso, em, pelo menos, um dispositivo de computação conectável em rede.
• • No bloco 606, as redes MLAN e clientes são mantidas.
• • No bloco 608, instâncias privadas de recursos compartilhados estão disponíveis em uma rede de recursos compartilhados.
• • No bloco 610, as réplicas dos recursos compartilhados estão disponíveis na rede do cliente.

[044] In an implementation, the method for organizing and managing private instances of shared resources is disclosed:

• • In block 602, a Manageable LAN (MLAN) comprising a firewall / vtep / router is initialized.
• • In block 604, a plurality of Virtual LANs (VLANs) are added. Each client network comprises a firewall / vtep / virtual router and a plurality of network resources. The plurality of network resources are virtual resources determined and allocated through the selection mechanism using at least one resource factor, in at least one network-connectable computing device.
• • In block 606, the MLAN and customer networks are maintained.
• • In block 608, private instances of shared resources are available on a network of shared resources.
• • In block 610, replicas of shared resources are available on the customer's network.

[045] One skilled in the art can understand that any known or new algorithms are used for the implementation of the present invention. However, it should be noted that, the present invention provides a method to be used during the backup operation to achieve the benefits mentioned above, and technical advances, regardless of the use of any known or new algorithms.

[046] A person of ordinary skill in the art may be aware that, in combination with the examples described in the embodiments disclosed in this specification, units and algorithm steps may be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether the functions are performed by hardware or software, depends on the particular application conditions and design restriction of the technical solution. A person skilled in the art may use different methods to implement the functions described for each particular application, but the implementation should not be considered to be beyond the scope of the present invention.

[047] It can be clearly understood by a person skilled in the art that, for the purpose of a convenient and brief description, for a detailed work process of the system, apparatus and previous unit, reference can be made to a corresponding process in the method modalities above, and details are not described here again.

[048] In the various embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the embodiment of the described node is merely exemplary. For example, the division of the unit is merely a division of the logical function and can be another division in the actual implementation. For example, a plurality of units or components can be combined or integrated into another system, or some features can be ignored or not implemented. In addition, the mutual couplings displayed or discussed or direct couplings or communication connections can be implemented through some interfaces. Indirect couplings or communication connections between devices or units can be implemented in electronic, mechanical or other ways.

[049] When functions are implemented in a form of functional software unit and are sold or used as a standalone product, the functions can be stored on a computer readable storage medium. Based on this understanding, the technical solutions of the present invention, or the part that contributes to the prior art, or a part of the technical solutions, can be implemented in the form of a software product. The computer software product is stored on a storage medium and includes several instructions for instructing a computer node (which may be a personal computer, a server or a network node) to perform all or part of the steps in the methods described in embodiment of the present invention. The previous storage media includes: any media that stores program code such as a USB flash drive, a removable hard drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.

[050] Devices that are in communication with each other do not need to be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other can communicate directly or indirectly through one or more intermediaries.

[051] When a single device or article is described here, it will be readily apparent that more than one device / article (whether cooperating or not) can be used instead of a single device / article. Likewise, when more than one device or item is described here (regardless of whether they cooperate), it will be readily apparent that a single device / item can be used in place of more than one device or item or a different number of devices / items can be used. be used instead of the number of devices or programs shown. The functionality and / or features of a device may alternatively be incorporated by one or more devices that are not explicitly described as having such functionality / features. Thus, other embodiments of the invention need not include the device itself.

[052] Finally, the language used in the specification was selected primarily for reading and instructional purposes, and may not have been selected to outline or circumscribe the inventive subject. It is therefore intended that the scope of the invention is limited not by this detailed description, but by any claims that are issued in an application based here. Consequently, the disclosure of embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is presented in the following claims.

[053] With respect to the use of substantially any plural and / or singular terms in this document, those skilled in the art can translate from the plural to the singular and / or from the singular to the plural as is appropriate for the context and / or application. The various singular / plural permutations can be expressly presented here for the sake of clarity.

[054] Although implementations for system and method to initialize and maintain a series of virtual local area networks contained in a clustered computer system, have been described in specific language for structural features and / or methods, this is to be understood as the appended claims they are not necessarily limited to the specific characteristics or methods described. Instead, specific features and methods are disclosed as examples of implementations of the system and method for providing private instances of shared resources.

Claims (16)

A method for sharing network resources, the method characterized by steps of: initialization and maintenance, by at least one among a plurality of computing devices, a Manageable LAN (MLAN) comprising at least one physical firewall or one firewall / vtep / virtual router; where the firewall / vtep / virtual router contains a virtual Ethernet port; initialize and maintain a plurality of client virtual LANs (VLANs) that use the VxLAN standard to provide private instances; where each VLAN client comprises a corresponding virtual firewall; add a plurality of network resources to the customer's VLANs; and remove all VLAN tags, QinQ tags and VxLAN tags from a management system before placing them in a corresponding customer's virtual data center; where a plurality of network resources are virtual resources allocated on at least one networked computing device, and the step of initializing and maintaining a plurality of client VLANs comprises the creation of an Ethernet device without an IP address and routing information . Method according to claim 1, characterized in that the plurality of client VLANs share network resources. Method according to claim 1, characterized in that the plurality of client VLANs share the plurality of network resources. Method according to claim 1, characterized in that the plurality of network resources are virtual resources. Method according to claim 1, characterized in that at least one of the pluralities of network resources is physical hardware. The method of claim 1, characterized by creating, by a customer connected to said, at least one of a plurality of computing devices, private instances of the plurality of network resources in the customer's network. Method according to claim 6, characterized by adding, by said customer, replicas of said private instances of the plurality of network resources and having their MAC / IP assigned and made visible. A system for sharing network resources, characterized by:

• • At least one network switch;
• • At least one customer.

A plurality of computing devices, each of the plurality of computing devices characterized by at least one network connection, at least one management console to interface with at least one client and at least one device storage containing software configured to: initialize and maintain a Manageable LAN (MLAN) network that includes at least a physical firewall or a firewall / vtep / virtual router; where the firewall / vtep / virtual router contains a virtual Ethernet port; initialize and maintain a plurality of client virtual LANs (VLANs) that use the VxLAN standard to provide private instances; where each VLAN client comprises a corresponding virtual firewall; add a plurality of network resources to the customer's VLANs; and remove all VLAN tags, QinQ tags and VxLAN tags, by a management system before placing them inside a corresponding customer's virtual data center; where a plurality of network resources are virtual resources allocated on at least one networked computing device, and the step of initializing and maintaining a plurality of client VLANs comprises the creation of an Ethernet device without an IP address and routing information . The system of claim 8, further characterized by a group of storage servers configured to initiate redundant copies of the firewall / vtep / router; where each instance of the firewall / vtep / router contains the same MAC address and network assignment for any connected Ethernet ports. The system of claim 8, characterized in that the plurality of client VLANs share network resources. The system of claim 8, characterized in that the plurality of client VLANs share the plurality of network resources. The system of claim 8, characterized in that the plurality of network resources are virtual resources. System according to claim 8, characterized in that at least one of the pluralities of network resources is physical hardware. System claim 8, characterized by still software configured to: create, for said client, private instances of the plurality of network resources in the client's network. The system of claim 14, further characterized by software configured to: add, by said customer, replicas of said private instances of the plurality of network resources and have their MAC / IP assigned and made visible.

Images