US20210184945A1 - Network throughput assurance, anomaly detection and mitigation in service chain - Google Patents
Network throughput assurance, anomaly detection and mitigation in service chain Download PDFInfo
- Publication number
- US20210184945A1 US20210184945A1 US16/713,569 US201916713569A US2021184945A1 US 20210184945 A1 US20210184945 A1 US 20210184945A1 US 201916713569 A US201916713569 A US 201916713569A US 2021184945 A1 US2021184945 A1 US 2021184945A1
- Authority
- US
- United States
- Prior art keywords
- service chain
- throughput
- virtual service
- inline
- statistics
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0823—Errors, e.g. transmission errors
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/50—Network service management, e.g. ensuring proper service fulfilment according to agreements
- H04L41/5003—Managing SLA; Interaction between SLA and QoS
- H04L41/5019—Ensuring fulfilment of SLA
- H04L41/5025—Ensuring fulfilment of SLA by proactively reacting to service quality change, e.g. by reconfiguration after service quality degradation or upgrade
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/06—Generation of reports
- H04L43/062—Generation of reports related to network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0888—Throughput
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Definitions
- the present technology pertains in general to network virtualization and in particular to providing throughput assurance for a service chain of virtualized network functions.
- Network virtualization abstracts networking connectivity and services that have traditionally been delivered via hardware into a logical virtual network that runs on top of a physical network in a hypervisor.
- Network virtualization can be implemented through virtual network functions (VNFs) running on virtual machines (VMs). These VNFs can handle or otherwise perform specific network functions like firewall functions or load balancing functions.
- VNFs virtual network functions
- VMs virtual machines
- These VNFs can handle or otherwise perform specific network functions like firewall functions or load balancing functions.
- multiple VNFs on one or more hypervisor platforms can be stitched together to create virtualized service chains in a network environment.
- a service chain can be used to implement various network functions in connecting consumers to one or more cloud service providers (e.g. Amazon Web Services®, Microsoft Azure®, etc.).
- a typical service chain may consist of a router, a load balancer, and a firewall in a virtual form factor.
- network traffic can pass through the various VNF branches of a virtual service chain between a cloud service provider and a client
- FIG. 1A illustrates an example cloud computing architecture
- FIG. 1B illustrates an example fog computing architecture
- FIG. 2A illustrates a diagram of an example network environment, such as a data center
- FIG. 2B illustrates another example of a network environment
- FIG. 3 illustrates a schematic diagram of an example virtual machine (VM) deployment
- FIG. 4 illustrates an example virtualized network environment with a network throughput assurance agent, in accordance with various aspects of the subject technology
- FIG. 5 illustrates an example computing system
- FIG. 6 illustrates an example network device.
- one embodiment or “an embodiment” can refer to the same embodiment or any embodiment(s). Moreover, reference to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Features described herein with reference to one embodiment can be combined with features described with reference to any embodiment.
- Disclosed herein are systems, methods and computer-readable storage media for monitoring virtualized network functions in a virtual service chain.
- a method can include monitoring a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes.
- An inline statistics agent can generate inline statistics of the operation of the virtual service chain. Further, an actual throughput of the virtual service chain can be identified from the inline statistics. As follows, throughput assurance for the virtual service chain can be provided by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- the inline statistic agent can be implemented in a hypervisor layer under the plurality of virtual nodes. Further, the virtualized network functions can be stitched together at least in part, through the hypervisor layer. Accordingly, data passing between the virtualized network functions can be monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain.
- Data passing between the virtualized network functions can be analyzed on a per-virtual node basis of the plurality of virtual nodes to generate inline statistics for each of the virtualized network functions in the virtual service chain as part of generating the inline statistics for the virtual service chain.
- the inline statistics for each of the virtualized network functions can be generated by comparing ingress data throughput at each of the virtualized network functions to corresponding egress data throughput at each of the virtualized network functions.
- the inline statistics for each of the virtualized network functions can be compared with the inline statistics of one or more adjacent virtualized network functions in the virtual service chain.
- the throughput assurance for the virtual service chain can be provided based on comparisons of the inline statistics of each of the virtualized functions with the inline statistics of the one or more adjacent virtualized network functions in the virtual service chain.
- Adjacent virtualized network functions can share a virtual link point in the virtual service chain to allow the data to pass directly between the adjacent virtualized network functions as the data passes through the virtual service chain.
- Corresponding egress data throughput at each of the virtualized network functions can be compared with the expected throughput of the virtual service chain.
- the throughput assurance for the virtual service chain can be provided based on comparisons of the corresponding egress data throughput at each of the virtualized network functions with the expected throughput of the virtual service chain.
- a virtualized network function in the virtual service chain can be recognized as behaving as an anomaly in the virtual service chain based on a comparison with an egress data throughput at the virtualized network function with the expected throughput of the virtual service chain.
- the virtualized network function can be reported as the anomaly as part of providing the throughput assurance for the virtual service chain.
- the virtualized network function can be identified as the anomaly in response to the egress data throughput at the virtualized network function being below the expected throughput of the virtual service chain.
- Throughput of a first virtualized network function of the virtual service chain can be compared to the expected throughput for the virtual service chain.
- the throughput assurance for the virtual service chain can be provided based on a comparison of the entering throughput to the expected throughput of the virtual service chain. Specifically, if the entering throughput is less than the expected throughput, then the data passing between the virtualized network functions can be analyzed on a per-virtual node basis to provide the throughput assurance for the virtual service chain.
- the virtual service chain can be formed between a customer and a provider. Further, the throughput assurance for the virtual service chain is provided in either or both a direction from the consumer to the provider and from the provider to the consumer. Additionally, an infrastructure provider of the plurality of virtual nodes can be different from a network service provider of the virtual service chain.
- a system can include one or more processors and at least one computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the one or more processors to monitor a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes.
- the instructions can also cause the one or more processors to generate, by an inline statistics agent, inline statistics of the operation of the virtual service chain.
- the inline statistics agent can be implemented in a hypervisor layer under the plurality of virtual nodes.
- the instructions can cause the one or more processors to identify an actual throughput of the virtual service chain from the inline statistics. Additionally, the instructions can cause the one or more processors to provide throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- a non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to monitor a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes.
- the instructions can also cause the processor to generate, by an inline statistics agent, inline statistics of the operation of the virtual service chain.
- the virtualized network functions can be stitched together, at least in part, through a hypervisor layer and the data passing between the virtualized network functions can be monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain.
- the instructions can cause the processor to identify an actual throughput of the virtual service chain from the inline statistics. Additionally, the instructions can cause the processor to provide throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- the disclosed technology addresses the need in the art for providing throughput assurance in virtualized network service chains.
- the disclosed technology address the need in the art for monitoring virtualized network functions on a per-network function basis to effectively detect and mitigate an impact of anomalies in a service chain.
- the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection and anomaly mitigation in a virtualized network service chain.
- the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection, and anomaly mitigation in a virtualized network service chain on a per-network function basis.
- FIGS. 1A, 1B, 2A, 2B A description of network environments and architectures for network data access and services, as illustrated in FIGS. 1A, 1B, 2A, 2B is first disclosed herein.
- FIGS. 5 and 6 These variations shall be described herein as the various embodiments are set forth.
- FIG. 1A A description of network environments and architectures for network data access and services, as illustrated in FIGS. 1A, 1B, 2A, 2B is first disclosed herein.
- FIGS. 5 and 6 A description of network environments and architectures for network data access and services, as illustrated in FIGS. 3-4 .
- FIG. 1A illustrates a diagram of an example cloud computing architecture 100 .
- the architecture can include a cloud 102 .
- the cloud 102 can include one or more private clouds, public clouds, and/or hybrid clouds.
- the cloud 102 can include cloud elements 104 - 114 .
- the cloud elements 104 - 114 can include, for example, servers 104 , virtual machines (VMs) 106 , one or more software platforms 108 , applications or services 110 , software containers 112 , and infrastructure nodes 114 .
- the infrastructure nodes 114 can include various types of nodes, such as compute nodes, storage nodes, network nodes, management systems, etc.
- the cloud 102 can provide various cloud computing services via the cloud elements 104 - 114 , such as software as a service (SaaS) (e.g., collaboration services, email services, enterprise resource planning services, content services, communication services, etc.), infrastructure as a service (IaaS) (e.g., security services, networking services, systems management services, etc.), platform as a service (PaaS) (e.g., web services, streaming services, application development services, etc.), and other types of services such as desktop as a service (DaaS), information technology management as a service (ITaaS), managed software as a service (MSaaS), mobile backend as a service (MBaaS), etc.
- SaaS software as a service
- IaaS infrastructure as a service
- PaaS platform as a service
- DaaS desktop as a service
- ITaaS information technology management as a service
- MSaaS managed software as a service
- MaaS mobile back
- the client endpoints 116 can connect with the cloud 102 to obtain one or more specific services from the cloud 102 .
- the client endpoints 116 can communicate with elements 104 - 114 via one or more public networks (e.g., Internet), private networks, and/or hybrid networks (e.g., virtual private network).
- public networks e.g., Internet
- private networks e.g., private networks
- hybrid networks e.g., virtual private network
- the client endpoints 116 can include any device with networking capabilities, such as a laptop computer, a tablet computer, a server, a desktop computer, a smartphone, a network device (e.g., an access point, a router, a switch, etc.), a smart television, a smart car, a sensor, a GPS device, a game system, a smart wearable object (e.g., smartwatch, etc.), a consumer object (e.g., Internet refrigerator, smart lighting system, etc.), a city or transportation system (e.g., traffic control, toll collection system, etc.), an internet of things (IoT) device, a camera, a network printer, a transportation system (e.g., airplane, train, motorcycle, boat, etc.), or any smart or connected object (e.g., smart home, smart building, smart retail, smart glasses, etc.), and so forth.
- a network device e.g., an access point, a router, a switch, etc.
- a smart television
- FIG. 1B illustrates a diagram of an example fog computing architecture 150 .
- the fog computing architecture 150 can include the cloud layer 154 , which includes the cloud 102 and any other cloud system or environment, and the fog layer 156 , which includes fog nodes 162 .
- the client endpoints 116 can communicate with the cloud layer 154 and/or the fog layer 156 .
- the architecture 150 can include one or more communication links 152 between the cloud layer 154 , the fog layer 156 , and the client endpoints 116 . Communications can flow up to the cloud layer 154 and/or down to the client endpoints 116 .
- the fog layer 156 or “the fog” provides the computation, storage and networking capabilities of traditional cloud networks, but closer to the endpoints.
- the fog can thus extend the cloud 102 to be closer to the client endpoints 116 .
- the fog nodes 162 can be the physical implementation of fog networks.
- the fog nodes 162 can provide local or regional services and/or connectivity to the client endpoints 116 .
- traffic and/or data can be offloaded from the cloud 102 to the fog layer 156 (e.g., via fog nodes 162 ).
- the fog layer 156 can thus provide faster services and/or connectivity to the client endpoints 116 , with lower latency, as well as other advantages such as security benefits from keeping the data inside the local or regional network(s).
- the fog nodes 162 can include any networked computing devices, such as servers, switches, routers, controllers, cameras, access points, gateways, etc. Moreover, the fog nodes 162 can be deployed anywhere with a network connection, such as a factory floor, a power pole, alongside a railway track, in a vehicle, on an oil rig, in an airport, on an aircraft, in a shopping center, in a hospital, in a park, in a parking garage, in a library, etc.
- a network connection such as a factory floor, a power pole, alongside a railway track, in a vehicle, on an oil rig, in an airport, on an aircraft, in a shopping center, in a hospital, in a park, in a parking garage, in a library, etc.
- one or more fog nodes 162 can be deployed within fog instances 158 , 160 .
- the fog instances 158 , 160 can be local or regional clouds or networks.
- the fog instances 158 , 160 can be a regional cloud or data center, a local area network, a network of fog nodes 162 , etc.
- one or more fog nodes 162 can be deployed within a network, or as standalone or individual nodes, for example.
- one or more of the fog nodes 162 can be interconnected with each other via links 164 in various topologies, including star, ring, mesh or hierarchical arrangements, for example.
- one or more fog nodes 162 can be mobile fog nodes.
- the mobile fog nodes can move to different geographical locations, logical locations or networks, and/or fog instances while maintaining connectivity with the cloud layer 154 and/or the endpoints 116 .
- a particular fog node can be placed in a vehicle, such as an aircraft or train, which can travel from one geographical location and/or logical location to a different geographical location and/or logical location.
- the particular fog node may connect to a particular physical and/or logical connection point with the cloud 154 while located at the starting location and switch to a different physical and/or logical connection point with the cloud 154 while located at the destination location.
- the particular fog node can thus move within particular clouds and/or fog instances and, therefore, serve endpoints from different locations at different times.
- FIG. 2A illustrates a diagram of an example Network Environment 200 , such as a data center.
- the Network Environment 200 can include a data center, which can support and/or host the cloud 102 .
- the Network Environment 200 can include a Fabric 220 which can represent the physical layer or infrastructure (e.g., underlay) of the Network Environment 200 .
- Fabric 220 can include Spines 202 (e.g., spine routers or switches) and Leafs 204 (e.g., leaf routers or switches) which can be interconnected for routing or switching traffic in the Fabric 220 .
- Spines 202 e.g., spine routers or switches
- Leafs 204 e.g., leaf routers or switches
- Spines 202 can interconnect Leafs 204 in the Fabric 220 , and Leafs 204 can connect the Fabric 220 to an overlay or logical portion of the Network Environment 200 , which can include application services, servers, virtual machines, containers, endpoints, etc. Thus, network connectivity in the Fabric 220 can flow from Spines 202 to Leafs 204 , and vice versa.
- the interconnections between Leafs 204 and Spines 202 can be redundant (e.g., multiple interconnections) to avoid a failure in routing.
- Leafs 204 and Spines 202 can be fully connected, such that any given Leaf is connected to each of the Spines 202 , and any given Spine is connected to each of the Leafs 204 .
- Leafs 204 can be, for example, top-of-rack (“ToR”) switches, aggregation switches, gateways, ingress and/or egress switches, provider edge devices, and/or any other type of routing or switching device.
- ToR top-of-rack
- Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one or more Controllers 216 , and/or implemented or enforced by one or more devices, such as Leafs 204 .
- Leafs 204 can connect other elements to the Fabric 220 .
- Leafs 204 can connect Servers 206 , Hypervisors 208 , Virtual Machines (VMs) 210 , Applications 212 , Network Device 214 , etc., with Fabric 220 .
- VMs Virtual Machines
- Such elements can reside in one or more logical or virtual layers or networks, such as an overlay network.
- Leafs 204 can encapsulate and decapsulate packets to and from such elements (e.g., Servers 206 ) in order to enable communications throughout Network Environment 200 and Fabric 220 .
- Leafs 204 can also provide any other devices, services, tenants, or workloads with access to Fabric 220 .
- Servers 206 connected to Leafs 204 can similarly encapsulate and decapsulate packets to and from Leafs 204 .
- Servers 206 can include one or more virtual switches or routers or tunnel endpoints for tunneling packets between an overlay or logical layer hosted by, or connected to, Servers 206 and an underlay layer represented by Fabric 220 and accessed via Leafs 204 .
- Applications 212 can include software applications, services, containers, appliances, functions, service chains, etc.
- Applications 212 can include a firewall, a database, a CDN server, an IDS/IPS, a deep packet inspection service, a message router, a virtual switch, etc.
- An application from Applications 212 can be distributed, chained, or hosted by multiple endpoints (e.g., Servers 206 , VMs 210 , etc.), or may run or execute entirely from a single endpoint.
- VMs 210 can be virtual machines hosted by Hypervisors 208 or virtual machine managers running on Servers 206 .
- VMs 210 can include workloads running on a guest operating system on a respective server.
- Hypervisors 208 can provide a layer of software, firmware, and/or hardware that creates, manages, and/or runs the VMs 210 .
- Hypervisors 208 can allow VMs 210 to share hardware resources on Servers 206 , and the hardware resources on Servers 206 to appear as multiple, separate hardware platforms.
- Hypervisors 208 on Servers 206 can host one or more VMs 210 .
- VMs 210 can be migrated to other Servers 206 .
- Servers 206 can similarly be migrated to other physical locations in Network Environment 200 .
- a server connected to a specific leaf can be changed to connect to a different or additional leaf.
- Such configuration or deployment changes can involve modifications to settings, configurations and policies that are applied to the resources being migrated as well as other network components.
- one or more Servers 206 , Hypervisors 208 , and/or VMs 210 can represent or reside in a tenant or customer space.
- Tenant space can include workloads, services, applications, devices, networks, and/or resources that are associated with one or more clients or subscribers. Accordingly, traffic in Network Environment 200 can be routed based on specific tenant policies, spaces, agreements, configurations, etc. Moreover, addressing can vary between one or more tenants. In some configurations, tenant spaces can be divided into logical segments and/or networks and separated from logical segments and/or networks associated with other tenants. Addressing, policy, security and configuration information between tenants can be managed by Controllers 216 , Servers 206 , Leafs 204 , etc.
- Configurations in Network Environment 200 can be implemented at a logical level, a hardware level (e.g., physical), and/or both.
- configurations can be implemented at a logical and/or hardware level based on endpoint or resource attributes, such as endpoint types and/or application groups or profiles, through a software-defined networking (SDN) framework (e.g., Application-Centric Infrastructure (ACI) or VMWARE NSX).
- SDN software-defined networking
- ACI Application-Centric Infrastructure
- VMWARE NSX software-defined networking
- one or more administrators can define configurations at a logical level (e.g., application or software level) through Controllers 216 , which can implement or propagate such configurations through Network Environment 200 .
- Controllers 216 can be Application Policy Infrastructure Controllers (APICs) in an ACI framework.
- Controllers 216 can be one or more management components for associated with other SDN solutions, such as NSX Managers.
- Such configurations can define rules, policies, priorities, protocols, attributes, objects, etc., for routing and/or classifying traffic in Network Environment 200 .
- such configurations can define attributes and objects for classifying and processing traffic based on Endpoint Groups, Security Groups (SGs), VM types, bridge domains (BDs), virtual routing and forwarding instances (VRFs), tenants, priorities, firewall rules, etc.
- Traffic policies and rules can be enforced based on tags, attributes, or other characteristics of the traffic, such as protocols associated with the traffic, EPGs associated with the traffic, SGs associated with the traffic, network address information associated with the traffic, etc.
- Network Environment 200 can be configured according to one or more particular SDN solutions, such as CISCO ACI or VMWARE NSX. These example SDN solutions are briefly described below.
- ACI can provide an application-centric or policy-based solution through scalable distributed enforcement.
- ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc.
- the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc.
- Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to Network Environment 200 .
- Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc.
- Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts.
- Leafs 204 can classify incoming traffic into different EPGs.
- the classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc.
- VNID VXLAN Network Identifier
- VSID Virtual Subnet Identifier
- MAC address IP address
- IP address IP address
- classification in the ACI infrastructure can be implemented by ACI virtual edge (AVE), which can run on a host, such as a server, e.g. a vSwitch running on a server.
- AVE can classify traffic based on specified attributes, and tag packets of different attribute EPGs with different identifiers, such as network segment identifiers (e.g., VLAN ID).
- Leafs 204 can tie packets with their attribute EPGs based on their identifiers and enforce policies, which can be implemented and/or managed by one or more Controllers 216 .
- Leaf 204 can classify to which EPG the traffic from a host belongs and enforce policies accordingly.
- VMWARE NSX hosts can run a distributed firewall (DFW) which can classify and process traffic.
- DFW distributed firewall
- VMs namely, application, database and web VMs
- Traffic protection can be provided within the network segment based on the VM type.
- HTTP traffic can be allowed among web VMs, and disallowed between a web VM and an application or database VM.
- security groups can be used to group the specific VMs (e.g., web VMs, application VMs, database VMs).
- DFW rules can be configured to implement policies for the specific security groups.
- DFW rules can be configured to block HTTP traffic between web, application, and database security groups.
- Network Environment 200 can deploy different hosts via Leafs 204 , Servers 206 , Hypervisors 208 , VMs 210 , Applications 212 , and Controllers 216 , such as VMWARE ESXi hosts, WINDOWS HYPER-V hosts, bare metal physical hosts, etc.
- Network Environment 200 may interoperate with a variety of Hypervisors 208 , Servers 206 (e.g., physical and/or virtual servers), SDN orchestration platforms, etc.
- Network Environment 200 may implement a declarative model to allow its integration with application design and holistic network policy.
- Controllers 216 can provide centralized access to fabric information, application configuration, resource configuration, application-level configuration modeling for a SDN infrastructure, integration with management systems or servers, etc. Controllers 216 can form a control plane that interfaces with an application plane via northbound APIs and a data plane via southbound APIs.
- Controllers 216 can define and manage application-level model(s) for configurations in Network Environment 200 .
- application or device configurations can also be managed and/or defined by other components in the network.
- a hypervisor or virtual appliance such as a VM or container, can run a server or management tool to manage software and services in Network Environment 200 , including configurations and settings for virtual appliances.
- Network Environment 200 can include one or more different types of SDN solutions, hosts, etc.
- Controllers 216 may be interchangeably referenced as controllers, APICs, or APIC controllers.
- technologies and concepts herein are not limited to ACI solutions and may be implemented in other architectures and scenarios, including other SDN solutions as well as other types of networks which may not deploy an SDN solution.
- hosts can refer to Servers 206 (e.g., physical or logical), Hypervisors 208 , VMs 210 , containers (e.g., Applications 212 ), etc., and can run or include any type of server or application solution.
- Non-limiting examples of “hosts” can include virtual switches or routers, such as distributed virtual switches (DVS), AVE nodes, vector packet processing (VPP) switches; VCENTER and NSX MANAGERS; bare metal physical hosts; HYPER-V hosts; VMs; DOCKER Containers; etc.
- DVD distributed virtual switches
- VPP vector packet processing
- FIG. 2B illustrates another example of Network Environment 200 .
- Network Environment 200 includes Endpoints 222 connected to Leafs 204 in Fabric 220 .
- Endpoints 222 can be physical and/or logical or virtual entities, such as servers, clients, VMs, hypervisors, software containers, applications, resources, network devices, workloads, etc.
- an Endpoint 222 can be an object that represents a physical device (e.g., server, client, switch, etc.), an application (e.g., web application, database application, etc.), a logical or virtual resource (e.g., a virtual switch, a virtual service appliance, a virtualized network function (VNF), a VM, a service chain, etc.), a container running a software resource (e.g., an application, an appliance, a VNF, a service chain, etc.), storage, a workload or workload engine, etc.
- a physical device e.g., server, client, switch, etc.
- an application e.g., web application, database application, etc.
- a logical or virtual resource e.g., a virtual switch, a virtual service appliance, a virtualized network function (VNF), a VM, a service chain, etc.
- VNF virtualized network function
- VM virtualized network function
- a container running a software resource e.g
- Endpoints 122 can have an address (e.g., an identity), a location (e.g., host, network segment, virtual routing and forwarding (VRF) instance, domain, etc.), one or more attributes (e.g., name, type, version, patch level, OS name, OS type, etc.), a tag (e.g., security tag), a profile, etc.
- an address e.g., an identity
- a location e.g., host, network segment, virtual routing and forwarding (VRF) instance, domain, etc.
- attributes e.g., name, type, version, patch level, OS name, OS type, etc.
- a tag e.g., security tag
- Endpoints 222 can be associated with respective Logical Groups 218 .
- Logical Groups 218 can be logical entities containing endpoints (physical and/or logical or virtual) grouped together according to one or more attributes, such as endpoint type (e.g., VM type, workload type, application type, etc.), one or more requirements (e.g., policy requirements, security requirements, QoS requirements, customer requirements, resource requirements, etc.), a resource name (e.g., VM name, application name, etc.), a profile, platform or operating system (OS) characteristics (e.g., OS type or name including guest and/or host OS, etc.), an associated network or tenant, one or more policies, a tag, etc.
- endpoint type e.g., VM type, workload type, application type, etc.
- requirements e.g., policy requirements, security requirements, QoS requirements, customer requirements, resource requirements, etc.
- a resource name e.g., VM name, application name, etc.
- a logical group can be an object representing a collection of endpoints grouped together.
- Logical Group 1 can contain client endpoints
- Logical Group 2 can contain web server endpoints
- Logical Group 3 can contain application server endpoints
- Logical Group N can contain database server endpoints, etc.
- Logical Groups 218 are EPGs in an ACI environment and/or other logical groups (e.g., SGs) in another SDN environment.
- Traffic to and/or from Endpoints 222 can be classified, processed, managed, etc., based Logical Groups 218 .
- Logical Groups 218 can be used to classify traffic to or from Endpoints 222 , apply policies to traffic to or from Endpoints 222 , define relationships between Endpoints 222 , define roles of Endpoints 222 (e.g., whether an endpoint consumes or provides a service, etc.), apply rules to traffic to or from Endpoints 222 , apply filters or access control lists (ACLs) to traffic to or from Endpoints 222 , define communication paths for traffic to or from Endpoints 222 , enforce requirements associated with Endpoints 222 , implement security and other configurations associated with Endpoints 222 , etc.
- ACLs access control lists
- Logical Groups 218 can be EPGs used to define contracts in the ACI. Contracts can include rules specifying what and how communications between EPGs take place. For example, a contract can define what provides a service, what consumes a service, and what policy objects are related to that consumption relationship. A contract can include a policy that defines the communication path and all related elements of a communication or relationship between EPs or EPGs. For example, a Web EPG can provide a service that a Client EPG consumes, and that consumption can be subject to a filter (ACL) and a service graph that includes one or more services, such as firewall inspection services and server load balancing.
- ACL filter
- FIG. 3 illustrates a schematic diagram of an example virtual machine (VM) deployment 310 .
- the host 302 can include one or more VMs 316 .
- the VMs 316 can be configured to run workloads like VNFs based on hardware resources 312 on the host 302 .
- the VMs 316 can run on guest operating systems 314 on a virtual operating platform provided by a hypervisor 318 .
- Each VM can run a respective guest operating system which can be the same or different as other guest operating systems associated with other VMs on the host 302 .
- each VM can have one or more network addresses, such as an internet protocol (IP) address.
- IP internet protocol
- the VMs 316 can communicate with hypervisors 318 and/or any remote devices or networks using the one or more network addresses.
- IP internet protocol
- Hypervisors 318 can be a layer of software, firmware, and/or hardware that creates and runs VMs 316 .
- the hypervisors 318 can be virtual machine managers (VMM) for hosting and managing the VMs 316 .
- the guest operating systems running on VMs 316 can share virtualized hardware resources created by the hypervisors 318 .
- the virtualized hardware resources can provide the illusion of separate hardware components.
- the virtualized hardware resources can perform as physical hardware components (e.g., memory, storage, processor, network interface, etc.), and can be driven by the hardware resources 312 on the host 302 .
- Hypervisors 318 can have one or more network addresses, such as an internet protocol (IP) address, to communicate with other devices, components, or networks.
- IP internet protocol
- the hypervisors 318 can have a dedicated IP address which they can use to communicate with VMs 316 and/or any remote devices or networks.
- Hardware resources 312 can provide the underlying physical hardware driving operations and functionalities provided by the host 302 , hypervisors 318 , and VMs 316 .
- Hardware resources 312 can include, for example, one or more memory resources, one or more storage resources, one or more communication interfaces, one or more processors, one or more circuit boards, one or more extension cards, one or more power supplies, one or more antennas, one or more peripheral components, etc.
- the host 302 can also include one or more host operating systems (not shown).
- the number of host operating system can vary by configuration. For example, some configurations can include a dual boot configuration that allows the host 302 to boot into one of multiple host operating systems. In other configurations, the host 302 may run a single host operating system. Host operating systems can run on hardware resources 312 . In some cases, a hypervisor 318 can run on, or utilize, a host operating system on the host 302 .
- the host 302 can also have one or more network addresses, such as an internet protocol (IP) address, to communicate with other devices, components, or networks.
- IP internet protocol
- the host 302 can have an IP address assigned to a communications interface from hardware resources 312 , which it can use to communicate with VMs 316 , hypervisor 318 , switches, and/or any remote devices or networks.
- the host 302 can run a distributed function router.
- VMs 316 on host 302 can host and execute one or more functionalities of the distributed function router.
- host 302 can also host multiple distributed function routers via VMs 316 .
- VM 1 can host and run a first distributed function router
- VM 2 can host and run a second distributed function router.
- the first and second distributed function routers can be different function routers or may be instances of a same function router which can be configured for load balancing, failover, auto-scaling, etc.
- the present includes systems, methods, and computer-readable media for solving these problems/discrepancies.
- the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection and anomaly mitigation in a virtualized network service chain. More specifically, the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection, and anomaly mitigation in a virtualized network service chain on a per-network function basis.
- FIG. 4 illustrates an example virtualized network environment 400 with a network throughput assurance agent 401 in accordance with various aspects of the subject technology.
- the virtualized network environment 400 can be implemented according to an applicable network architecture, such as the cloud computing architecture 100 or fog computing architecture 150 shown in FIGS. 1A and 1B . Further, the virtualized network environment 400 can be implemented in an applicable network environment, such as the example network environment 200 shown in FIGS. 2A and 2B .
- the virtualized network environment 400 can be formed, at least in part, according to an applicable virtual machine deployment, such as the virtual machine (VM) deployment 310 shown in FIG. 3 .
- the virtualized network environment 400 includes a switching fabric 402 .
- the switching fabric 402 can include physical hardware implementing one or more virtual machines and virtual functions.
- the switching fabric 402 can function as a host and support a hypervisor 404 running on top of the switching fabric 402 .
- the hypervisor 404 and the switching fabric 402 may be connected using network interface cards (not shown).
- the hypervisor 404 can be connected to the switching fabric 402 using physical network interface cards (pNICs).
- pNICs physical network interface cards
- the hypervisor 404 functions according to an applicable layer for providing a virtual operating platform upon which one or more VNFs can run, such as the hypervisor 318 shown in FIG. 3 .
- the hypervisor 404 can function to create a virtual operating platform supporting a first VNF 406 - 1 , a second VNF 406 - 2 , and a third VNF 406 - 3 (collectively referred to as “VNFs 406 ”). While only three VNFs 406 are shown in FIG. 4 , the virtualized network environment 400 can include more VNFs or less VNFs.
- the VNFs 406 can form all or part of a virtual service chain. Specifically, the VNFs 406 can be stitched together, e.g. through the hypervisor 404 , to form, at least part of, a virtual service chain of VNFs.
- a virtual service chain is a grouping of VNFs that are stitched together such that the VNFs apply operations to network traffic passing through the virtual service chain based on the arrangement of, e.g. in the order of, the VNFs in the virtual service chain. For example, traffic entering the virtual service chain at point 408 , as ingress traffic for the virtual service chain, can be directed to the first VNF 406 - 1 at point 412 as ingress traffic to the first VNF 406 - 1 .
- the first VNF 406 - 1 can perform one or more operations on the traffic.
- the traffic can pass out of the first VNF 406 - 1 at point 414 as egress traffic to the first VNF 406 - 1 after the first VNF 406 - 1 performs one or more operations on the traffic.
- the egress traffic of the first VNF 406 - 1 that exits the first VNF 406 - 1 at point 414 can serve as ingress traffic to the second VNF 406 - 2 .
- the traffic can enter the second VNF 406 - 2 at point 416 as ingress traffic.
- the second VNF 406 - 2 can perform one or more operations on the traffic.
- the traffic can pass out of the second VNF 406 - 2 at point 418 as egress traffic to the second VNF 406 - 2 after the second VNF 406 - 2 performs one or more operations on the traffic.
- the traffic can pass into the third VNF 406 - 3 at point 420 as ingress traffic to the third VNF 406 - 3 and pass out of the third VNF 406 - 3 at point 422 as egress traffic to the third VNF 406 - 3 .
- the traffic exiting the third VNF 406 - 3 is the egress traffic for the virtual service chain and exits the virtual service chain at point 410 .
- the VNFs 406 can be stitched together through the hypervisor 404 to form the virtual service chain. Specifically, traffic passing between the VNFs 406 can pass through the hypervisor 404 . For example, traffic passing out of the first VNF 406 - 1 at point 414 can pass into the hypervisor 404 and then into the second VNF 406 - 2 at point 416 . Accordingly, adjacent VNFs in the virtual service chain can be linked together/stitched together through one or more link points formed in the hypervisor 404 . More specifically, traffic can directly pass between adjacent VNFs through the one or more link points in the hypervisor 404 that link the adjacent VNFs to each other. By stitching together the VNFs 406 through the hypervisor 404 to form the virtual service chain, the functionality of the VNFs 406 may be combined, e.g. in a building block-style fashion, to provide various networking communication services.
- Adjacent VNFs in a service chain include VNFs that are logically next to each other in the service chain, e.g. from a traffic processing perspective, in the order in which the VNFs operate on data passing through the service chain.
- VNFs that are logically next to each other in the service chain, e.g. from a traffic processing perspective, in the order in which the VNFs operate on data passing through the service chain.
- the first and second VNFs 406 - 1 and 406 - 2 are adjacent to each other.
- the second VNF 406 - 2 and the third VNF 406 - 3 are adjacent to each other.
- a VNF can have only one adjacent VNF based on the position of the VNF in a virtual service chain.
- the first VNF 406 - 1 has only one adjacent VNF
- the second VNF 406 - 2 as the first VNF 406 - 1 is the first VNF in the virtual service chain.
- the third VNF 406 - 3 has only one adjacent VNF
- the second VNF 406 - 2 as the third VNF 406 - 3 is the last VNF in the virtual service chain.
- a VNF can have a plurality of adjacent VNFs based on the position of the VNF in the virtual service chain.
- the second VNF 406 - 2 has two adjacent VNFs, the first VNF 406 - 1 and the third VNF 406 - 3 .
- the virtual service chain in the example environment 400 shown in FIG. 4 can be formed between a consumer and a provider of network services.
- the virtual service chain can be formed between a client and a cloud-based service provider.
- traffic shown in FIG. 4 is shown as unidirectional, e.g. from point 408 to 410
- the virtual service chain can also perform operations on traffic passing in the opposite direction, e.g. from point 410 to 408 .
- the techniques for providing assurance can be applied to bidirectional traffic passing through the virtual service chain.
- the technique described herein can be applied to traffic passing from a consumer to a provider through a virtual service chain and traffic passing from the provider to the consumer through the virtual service chain.
- the provider of the VNFs 406 can be different from a provider of the switching fabric 402 .
- the VNFs 406 can be provided and maintained by a network service provider that is different from a provider of the actual infrastructure/hardware, e.g. switching fabric 402 , over which the VNFs 406 are run through one or more VMs.
- the throughput assurance agent 401 can provide assurance for the virtual service chain. Specifically, the throughput assurance agent 401 can provide throughput assurance for the virtual service chain.
- Throughput assurance for a virtual service chain can include applicable information related to network assurance and throughput in the virtual service chain.
- throughput assurance can include an information related to a virtual service chain operation at or beneath an expected throughput for the virtual service chain, information related to a VNF behaving as an anomaly in the virtual service chain, and other applicable information related to VNFs operating, e.g. together, in the virtual service chain.
- throughput assurance can include an indication of throughput correlated across VNFs in a service chain.
- throughput assurance can include which link, e.g.
- VNF in a service chain dropped traffic and a location of the link in the service chain.
- a VNF behaving as an anomaly can include a VNF behaving differently from an expected behavior of the VNF.
- a VNF behaving as an anomaly can include that an actual throughput at the VNF has dropped below an expected throughput at the VNF.
- a VNF behaving as an anomaly can include a VNF that drops traffic.
- the throughput assurance agent 401 is shown connected to the hypervisor 404 .
- the throughput assurance agent 401 can be implemented, at least in part, in the hypervisor 404 .
- the throughput assurance agent 401 can include an inline statistics agent that is implemented in the hypervisor 404 .
- the inline statistics agent functions to generate inline statistics for the virtual service chain. Specifically, the inline statistics agent can monitor traffic passing through the virtual service chain to generate inline statistics for the virtual service chain. More specifically, when the inline statistics agent is implemented in the hypervisor 404 the inline statistics agent can monitor traffic passing to and from the VNFs 406 through the hypervisor layer to generate inline statistics for the virtual service chain. Inline statistics can include applicable information related to the operation of the VNFs 406 in the virtual service chain. For example, inline statistics can include an actual throughput of traffic passing into and out of the virtual service chain.
- the inline statistics agent can generate inline statistics on a per-VNF basis. Specifically, as the inline statistics agent can generate inline statistics by monitoring traffic through the hypervisor 404 , the inline statistics agent can generate inline statistics for each of the VNFs 406 on a per-VNF basis. More specifically, the inline statistics agent can analyze data passing into, out of, and/or between the VNFs 406 through the hypervisor 404 to generate inline statistics for each of the VNFs 406 on a per-VNF basis. For example, the inline statistics agent can generate inline statistics for the second VNF 406 - 2 that includes ingress traffic throughput at the second VNF 406 - 2 , corresponding to point 416 in the traffic flow.
- the inline statistics agent can generate inline statistics for the second VNF 406 - 2 that includes egress traffic throughput at the second VNF 406 - 2 , corresponding to point 418 in the traffic flow.
- the inline statistics agent can generate inline statistics for the first VNF 406 - 1 that includes an ingress traffic throughput for the first VNF 406 - 1 , which is the ingress traffic throughput for the entire virtual service chain as a whole.
- the inline statistics agent can generate inline statistics for the third VNF 406 - 3 that includes an egress traffic throughput for the third VNF 406 - 3 , which is the egress traffic throughput for the entire virtual service chain as a whole. Ingress and egress traffic throughput at each of the VNFs 406 can be included as part of an actual throughput for the virtual service chain.
- the inline statistics agent can generate inline statistics based on ingress traffic throughput and egress traffic throughput at each of the VNFs 406 .
- the inline statistics agent can compare an ingress traffic throughput at each of the VNFs 406 with an output traffic throughput at each of the VNFs 406 to generate corresponding inline statistics for each of the VNFs 406 . For example, if the throughput between ingress and egress traffic passing through the first VNF 406 - 1 is different, then the inline statistics agent can generate inline statistics indicating that traffic is being dropped at the first VNF 406 - 1 .
- the inline statistics agent can generate inline statistics for the virtual service chain based on user/administrator input. For example, a provider of the VNFs can provide input which can be used to generate the inline statistics for the virtual service chain. Specifically, the statistics agent generate inline statistics from a user-input graph indicating the VNFs 406 and the corresponding virtual links, e.g. formed at point 412 , formed between points 414 and 416 , formed between points 418 and 420 , and formed at point 422 of the corresponding traffic flow of the service chain. Further, the inline statistics agent can generate inline statistics from a configuration file describing the topological configuration of the VNFs 406 within the virtual service chain.
- the inline statistics agent can generate the inline statistics based on an expected throughput of the virtual service chain and/or an expected throughput of one or more of the VNFs 406 .
- the inline statistics agent can generate inline statistics based on an expected ingress traffic throughput of the virtual service chain and/or an expected ingress traffic throughput of one or more of the VNFs 406 .
- the inline statistics agent can generate inline statistics based on an expected egress traffic throughput of the virtual service chain and/or an expected egress traffic throughput of one or more of the VNFs 406 .
- the inline statistics agent can identify expected throughput, e.g. egress and ingress traffic throughput, using an applicable technique.
- the inline statistics agent can identify expected throughput based on applicable information, e.g. as part of an input graph or a topological configuration file received from a user/administrator.
- the inline statistics agent can collect the statistics periodically or otherwise at set times.
- the inline statistics agent can use the most recently collected statistical data point as a reference point in gathering inline statistics.
- the inline statistics agent can use a moving average of a set of the most recently collected statistical data points to gather inline statistics.
- the throughput assurance agent 401 can provide throughput assurance for the virtual service chain based on the inline statistics generated by the inline statistics agent. In particular, the throughput assurance agent 401 can provide throughput assurance for the service chain for network traffic from a consumer to a network service provider. Additionally, the throughput assurance agent 401 can provide throughput assurance for the service chain for traffic from the service provider to the consumer. Further, the throughput assurance agent 401 may provide throughput assurance for the service chain for bidirectional traffic between the service provider and the consumer.
- the throughput assurance agent 401 can provide end-to-end throughput assurance for the virtual service chain. Specifically, the throughput assurance agent 401 can compare an entering throughput of the virtual service chain to an exit throughput off the virtual service chain to provide end-to-end throughput assurance. More specifically, the throughput assurance agent 401 can provide end-to-end throughput assurance by comparing the throughput at point 408 to the first VNF 406 - 1 and the throughput at point 410 out of the third VNF 406 - 3 . If the throughput at input point 408 equals or is within a threshold range of the throughput at output point 410 , then the throughput assurance agent 401 agent can report that there is no throughput anomaly in the service chain.
- the threshold range can be a user-defined threshold.
- the throughput assurance agent 401 can provide throughput assurance by comparing inline statistics for each of the VNFs 406 with an expected traffic throughput of the service chain.
- An expected throughput can include an expected throughput or a range of expected throughput that either or both a consumer desires or a provider of the VNFs 406 has assured.
- the throughput assurance agent 401 can directly compare the egress data throughput at each of the VNFs 406 , e.g. corresponding to points 414 , 418 , and 422 , to the expected throughput of the service chain.
- one or more of the VNFs 406 have a throughput lower than the expected throughput or outside of a range of an expected throughput, then the statistics agent can flag the corresponding one or more VNFs 406 as an anomaly or otherwise provide applicable throughput assurance.
- the throughput assurance agent 401 can provide throughput assurance for the virtual service chain by comparing the inline statistics for two or more of the VNFs 406 .
- the throughput assurance agent 401 can provide throughput assurance for the virtual service chain by comparing inline statistics for a VNF to inline statistics of one or more adjacent VNFs.
- the throughput assurance agent 401 can compare the inline statistics of the first VFR 406 - 1 with the inline statistics of the second VRF 406 - 2 .
- the throughput assurance agent 401 can compare the inline statistics of the second VRF 406 - 2 with the inline statistics of both the first VNF 406 - 1 and the third VNF 406 - 3 .
- the throughput assurance agent 401 can compare the inline statistics of the third VRF 406 - 3 with the inline statistics of the second VRF 406 - 2 . Referring to FIG. 4 , the throughput assurance agent 401 can verify that VNFs 406 - 1 , 406 - 2 , and 406 - 3 do not cause a drop in network throughput by checking that the throughput of the ingress and egress nodes of each of the VNFs 406 are equal or within a threshold range of each other.
- the throughput assurance agent 401 can check that the throughput at ingress point 412 is equal to the throughput at egress point 414 ; the throughput at ingress point 416 is equal to the throughput at egress point 414 and egress point 418 ; and the throughput at ingress point 420 is equal to the throughput at egress point 418 and egress point 422 . If one or more of the equalities do not hold, the statistics agent may report the specific VNF of the VNFs 406 involved in the inequality as the VNF causing the throughput anomaly.
- the techniques described with respect to comparing ingress and egress throughput across the VNFs 406 can be compared based on thresholds. For example, if the throughput at egress point 414 is falls outside of a threshold when compared to the throughput at ingress point 412 , then the throughput assurance agent 401 can identify the first VNG 406 - 1 as an anomaly.
- Applicable thresholds as described herein, can be user-defined, e.g. user-defined ranges.
- the expected data throughput for the service chain may be higher than the actual traffic throughput at the input point 408 , corresponding to the entering throughput for the virtual service chain.
- the entering throughput for the service chain at the first VNF 406 can be lower than the expected throughput for the virtual service chain.
- the throughput assurance agent 401 can provide throughput assurance based on the entering throughput being lower than the expected throughput for the virtual service chain. Specifically, if the entering throughput is lower than the expected throughput for the virtual service chain, then the corresponding throughput, e.g. ingress and egress throughput, at each of the VNFs can be less than the expected throughput for the virtual service chain. As a result, the throughput assurance agent can refrain from flagging the VNFs 406 as anomalies even though the throughput of one or more of the VNFs 406 drops below a threshold of the expected throughput of the virtual service chain.
- the expected data throughput for the service chain may be lower than the actual traffic throughput at the input point 408 , corresponding to the entering throughput for the virtual service chain.
- the entering throughput for the service chain at the first VNF 406 can be higher than the expected data throughput for the virtual service chain.
- the throughput assurance agent 401 can provide throughput assurance based on the entering throughput being higher than the expected throughput for the virtual service chain. Specifically, if the entering throughput is higher than the expected throughput for the virtual service chain, then the corresponding throughput can ensure that the throughput at each of the VNFs 406 does not drop below the expected throughput or a threshold range of the expected throughput of the virtual service chain.
- the throughput assurance agent 401 can be configured to automatically analyze inline statistics for each of the VNFs 406 and corresponding points 412 , 414 , 416 , 418 , 420 , and 422 . Specifically, the throughput assurance agent 401 can compare ingress and egress traffic throughput at each of the VNFs 406 on a per-VNF basis to identify any potential drops in throughput across the VNFs 406 in response to the entering throughput being lower or higher than the expected throughput. In turn, the throughput assurance agent 401 can mark a VNF as an anomaly if a drop in throughput is observed across the VNF.
- the throughput assurance agent 401 can analyze inline statistics for each of the VNFs 406 to ensure that the throughput across each of the VNFs 406 does not drop below the expected throughput or a threshold range of the expected throughput of the virtual service chain.
- the throughput assurance agent 401 can determine a point of traffic drop in the service chain. Specifically, the throughput assurance agent 401 can collect the statistics of the virtual links in the service chain.
- the virtual links may include the link between the consumer's incoming traffic and the first VNF of the service chain, the link between consecutive VNFs, e.g. corresponding to adjacent VNFs, in the service chain, and/or the link between the last VNF of the service chain and the outgoing traffic to the service provider.
- the throughput assurance agent 401 can collect the ingress and egress traffic statistics of each VNF, as included as part of the generated inline statistics, to determine the point of traffic anomaly.
- An identified traffic anomaly point can then be used to deduce the exact cause of failure.
- Example causes of failure in a service chain include sub-optimal placement algorithms, network I/O bottle necks, CPU profiling, user misconfigurations, and memory trashing.
- the throughput assurance agent 401 detects one or more anomalies, e.g. a drop in traffic across a VNF, in the service chain, then the throughput assurance agent 401 can feed the anomaly information to a deduction agent, e.g. as included as part of the throughput assurance agent 401 .
- the deduction agent can then run deductions based on the environment 400 .
- the deduction agent can make deductions based on the VNF placement, VNF licensing, CPU pinning, or NUMA node balancing, e.g. as indicated by user-provided information.
- Deduction made by the deduction agent can include applicable deductions related to providing throughput assurance.
- deductions can include that a VNF is improperly configured in the environment 400 .
- the deduction agent can deduce possible causes of the network throughput anomaly to the user.
- possible can include CPU usage, firewall, and traffic being dropped in the service chain.
- the deduction output from the deduction agent would be used to alert the user.
- the user alert may include the deduction, as well as specific throughput information for each of the nodes in the service chain as collected by the statistic agent.
- the output from the deduction agent can be used to trigger an auto-correct feature to mitigate anomalies in the service chain.
- the auto-correct feature may be implemented as policies where each type of anomaly triggers a specific mitigation action to be taken on the service chain.
- FIG. 5 illustrates a computing system architecture 500 wherein the components of the system are in electrical communication with each other using a connection 505 , such as a bus.
- exemplary system 500 includes a processing unit (CPU or processor) 510 and a system connection 505 that couples various system components including the system memory 515 , such as read only memory (ROM) 520 and random access memory (RAM) 525 , to the processor 510 .
- the system 500 can include a cache 512 of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 510 .
- the system 500 can copy data from the memory 515 and/or the storage device 530 to the cache 512 for quick access by the processor 510 .
- the cache 512 can provide a performance boost that avoids processor 510 delays while waiting for data.
- These and other modules can control or be configured to control the processor 510 to perform various actions.
- Other system memory 515 may be available for use as well.
- the memory 515 can include multiple different types of memory with different performance characteristics.
- the processor 510 can include any general purpose processor and a hardware or software service, such as service 1 532 , service 2 534 , and service 3 536 stored in storage device 530 , configured to control the processor 510 as well as a special-purpose processor where software instructions are incorporated into the actual processor design.
- the processor 510 may be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc.
- a multi-core processor may be symmetric or asymmetric.
- an input device 545 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth.
- An output device 535 can also be one or more of a number of output mechanisms known to those of skill in the art.
- multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 500 .
- the communications interface 540 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.
- Storage device 530 is a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 525 , read only memory (ROM) 520 , and hybrids thereof.
- RAMs random access memories
- ROM read only memory
- the storage device 530 can include services 532 , 534 , 536 for controlling the processor 510 .
- Other hardware or software modules are contemplated.
- the storage device 530 can be connected to the system connection 505 .
- a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 510 , connection 505 , output device 535 , and so forth, to carry out the function.
- FIG. 6 illustrates an example network device 600 suitable for performing switching, routing, load balancing, and other networking operations.
- Network device 600 includes a central processing unit (CPU) 604 , interfaces 602 , and a bus 610 (e.g., a PCI bus).
- CPU central processing unit
- the CPU 604 is responsible for executing packet management, error detection, and/or routing functions.
- the CPU 604 preferably accomplishes all these functions under the control of software including an operating system and any appropriate applications software.
- CPU 604 may include one or more processors 608 , such as a processor from the INTEL X86 family of microprocessors.
- processor 608 can be specially designed hardware for controlling the operations of network device 600 .
- a memory 606 e.g., non-volatile RAM, ROM, etc.
- memory 606 also forms part of CPU 604 .
- memory 606 also forms part of CPU 604 .
- memory 606 also forms part of CPU 604 .
- memory
- the interfaces 602 are typically provided as modular interface cards (sometimes referred to as “line cards”). Generally, they control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 600 .
- the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like.
- various very high-speed interfaces may be provided such as fast token ring interfaces, wireless interfaces, Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, WIFI interfaces, 3G/4G/5G cellular interfaces, CAN BUS, LoRA, and the like.
- these interfaces may include ports appropriate for communication with the appropriate media. In some cases, they may also include an independent processor and, in some instances, volatile RAM.
- the independent processors may control such communications intensive tasks as packet switching, media control, signal processing, crypto processing, and management. By providing separate processors for the communications intensive tasks, these interfaces allow the master CPU 604 to efficiently perform routing computations, network diagnostics, security functions, etc.
- FIG. 6 Although the system shown in FIG. 6 is one specific network device of the present technology, it is by no means the only network device architecture on which the present technology can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc., is often used. Further, other types of interfaces and media could also be used with the network device 600 .
- the network device may employ one or more memories or memory modules (including memory 606 ) configured to store program instructions for the general-purpose network operations and mechanisms for roaming, route optimization and routing functions described herein.
- the program instructions may control the operation of an operating system and/or one or more applications, for example.
- the memory or memories may also be configured to store tables such as mobility binding, registration, and association tables, etc.
- Memory 606 could also hold various software containers and virtualized execution environments and data.
- the network device 600 can also include an application-specific integrated circuit (ASIC), which can be configured to perform routing and/or switching operations.
- ASIC application-specific integrated circuit
- the ASIC can communicate with other components in the network device 600 via the bus 610 , to exchange data and signals and coordinate various types of operations by the network device 600 , such as routing, switching, and/or data storage operations, for example.
- the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
- the computer-readable storage devices, media, and memories can include a cable or wireless signal containing a bit stream and the like.
- non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
- Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network.
- the computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
- Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
- the instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
- Claim language reciting “at least one of” refers to at least one of a set and indicates that one member of the set or multiple members of the set satisfy the claim. For example, claim language reciting “at least one of A and B” means A, B, or A and B.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Algebra (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Quality & Reliability (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Systems, methods, and computer-readable media for providing throughput assurance in a virtual service chain. A virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes can be monitored. An inline statistics agent can generate inline statistics of the operation of the virtual service chain. Further, an actual throughput of the virtual service chain can be identified from the inline statistics. As follows, throughput assurance for the virtual service chain can be provided by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
Description
- The present technology pertains in general to network virtualization and in particular to providing throughput assurance for a service chain of virtualized network functions.
- Network virtualization abstracts networking connectivity and services that have traditionally been delivered via hardware into a logical virtual network that runs on top of a physical network in a hypervisor. Network virtualization can be implemented through virtual network functions (VNFs) running on virtual machines (VMs). These VNFs can handle or otherwise perform specific network functions like firewall functions or load balancing functions. Within network virtualization, multiple VNFs on one or more hypervisor platforms can be stitched together to create virtualized service chains in a network environment. For example, a service chain can be used to implement various network functions in connecting consumers to one or more cloud service providers (e.g. Amazon Web Services®, Microsoft Azure®, etc.). A typical service chain may consist of a router, a load balancer, and a firewall in a virtual form factor. In operation, network traffic can pass through the various VNF branches of a virtual service chain between a cloud service provider and a client.
- Users typically expect a specific throughput for a service chain. Specifically, users expect that the service chain is configured correctly on the hypervisor platform and that a specific throughput is achievable through the individual VNFs, and the corresponding service chain as a whole. Typically, an infrastructure provider/service provider for the service chain is responsible for assuring an expected throughput for the chain. However, it is currently difficult for service providers to diagnose and resolve issues in service chains due to a lack of visibility in virtual networks. In particular, as multiple VNFs are used in a virtual service chain and as a result of poor visibility in virtual networks, it is difficult for service providers to identify which link or VNF is behaving as an anomaly in the service chain, e.g. as part of providing throughput assurance for the service chain to a customer.
-
FIG. 1A illustrates an example cloud computing architecture; -
FIG. 1B illustrates an example fog computing architecture; -
FIG. 2A illustrates a diagram of an example network environment, such as a data center; -
FIG. 2B illustrates another example of a network environment; -
FIG. 3 illustrates a schematic diagram of an example virtual machine (VM) deployment; -
FIG. 4 illustrates an example virtualized network environment with a network throughput assurance agent, in accordance with various aspects of the subject technology; -
FIG. 5 illustrates an example computing system; and -
FIG. 6 illustrates an example network device. - Various embodiments of the disclosure are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the disclosure. Thus, the following description and drawings are illustrative and are not to be construed as limiting. Numerous specific details are described to provide a thorough understanding of the disclosure. However, in certain instances, well-known or conventional details are not described in order to avoid obscuring the description.
- As used herein, “one embodiment” or “an embodiment” can refer to the same embodiment or any embodiment(s). Moreover, reference to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Features described herein with reference to one embodiment can be combined with features described with reference to any embodiment.
- The terms used in this specification generally have their ordinary meanings in the art, within the context of the disclosure and the specific context where each term is used. Alternative language and synonyms may be used for any one or more of the terms discussed herein, and no special significance should be placed upon whether or not a term is elaborated or discussed herein. In some cases, synonyms for certain terms are provided. A recital of one or more synonyms does not exclude the use of other synonyms. The use of examples anywhere in this specification, including examples of any terms discussed herein, is illustrative and not intended to limit the scope and meaning of the disclosure or any example term. Likewise, the disclosure is not limited to the specific embodiments or examples described in this disclosure.
- Without intent to limit the scope of the disclosure, examples of instruments, apparatus, methods and their related functionalities are provided below. Titles or subtitles may be used in the examples for convenience of a reader, and in no way should limit the scope of the disclosure. Unless otherwise defined, technical and scientific terms used herein have the meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. In the case of a conflict, the present document and included definitions will control.
- Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be recognized from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out herein. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.
- Disclosed herein are systems, methods and computer-readable storage media for monitoring virtualized network functions in a virtual service chain.
- A method can include monitoring a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes. An inline statistics agent can generate inline statistics of the operation of the virtual service chain. Further, an actual throughput of the virtual service chain can be identified from the inline statistics. As follows, throughput assurance for the virtual service chain can be provided by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- The inline statistic agent can be implemented in a hypervisor layer under the plurality of virtual nodes. Further, the virtualized network functions can be stitched together at least in part, through the hypervisor layer. Accordingly, data passing between the virtualized network functions can be monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain.
- Data passing between the virtualized network functions can be analyzed on a per-virtual node basis of the plurality of virtual nodes to generate inline statistics for each of the virtualized network functions in the virtual service chain as part of generating the inline statistics for the virtual service chain. The inline statistics for each of the virtualized network functions can be generated by comparing ingress data throughput at each of the virtualized network functions to corresponding egress data throughput at each of the virtualized network functions.
- The inline statistics for each of the virtualized network functions can be compared with the inline statistics of one or more adjacent virtualized network functions in the virtual service chain. As follows, the throughput assurance for the virtual service chain can be provided based on comparisons of the inline statistics of each of the virtualized functions with the inline statistics of the one or more adjacent virtualized network functions in the virtual service chain. Adjacent virtualized network functions can share a virtual link point in the virtual service chain to allow the data to pass directly between the adjacent virtualized network functions as the data passes through the virtual service chain.
- Corresponding egress data throughput at each of the virtualized network functions, as included as part of the inline statistics for each of the virtualized network functions, can be compared with the expected throughput of the virtual service chain. As follows, the throughput assurance for the virtual service chain can be provided based on comparisons of the corresponding egress data throughput at each of the virtualized network functions with the expected throughput of the virtual service chain. Further, a virtualized network function in the virtual service chain can be recognized as behaving as an anomaly in the virtual service chain based on a comparison with an egress data throughput at the virtualized network function with the expected throughput of the virtual service chain. As follows, the virtualized network function can be reported as the anomaly as part of providing the throughput assurance for the virtual service chain. The virtualized network function can be identified as the anomaly in response to the egress data throughput at the virtualized network function being below the expected throughput of the virtual service chain.
- Throughput of a first virtualized network function of the virtual service chain can be compared to the expected throughput for the virtual service chain. In turn, the throughput assurance for the virtual service chain can be provided based on a comparison of the entering throughput to the expected throughput of the virtual service chain. Specifically, if the entering throughput is less than the expected throughput, then the data passing between the virtualized network functions can be analyzed on a per-virtual node basis to provide the throughput assurance for the virtual service chain.
- The virtual service chain can be formed between a customer and a provider. Further, the throughput assurance for the virtual service chain is provided in either or both a direction from the consumer to the provider and from the provider to the consumer. Additionally, an infrastructure provider of the plurality of virtual nodes can be different from a network service provider of the virtual service chain.
- A system can include one or more processors and at least one computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the one or more processors to monitor a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes. The instructions can also cause the one or more processors to generate, by an inline statistics agent, inline statistics of the operation of the virtual service chain. The inline statistics agent can be implemented in a hypervisor layer under the plurality of virtual nodes. Further, the instructions can cause the one or more processors to identify an actual throughput of the virtual service chain from the inline statistics. Additionally, the instructions can cause the one or more processors to provide throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to monitor a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes. The instructions can also cause the processor to generate, by an inline statistics agent, inline statistics of the operation of the virtual service chain. The virtualized network functions can be stitched together, at least in part, through a hypervisor layer and the data passing between the virtualized network functions can be monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain. Further, the instructions can cause the processor to identify an actual throughput of the virtual service chain from the inline statistics. Additionally, the instructions can cause the processor to provide throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
- The foregoing, together with other features and embodiments, will become more apparent upon referring to the following specification, claims, and accompanying drawings.
- The disclosed technology addresses the need in the art for providing throughput assurance in virtualized network service chains. In particular, the disclosed technology address the need in the art for monitoring virtualized network functions on a per-network function basis to effectively detect and mitigate an impact of anomalies in a service chain. The present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection and anomaly mitigation in a virtualized network service chain. In particular, the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection, and anomaly mitigation in a virtualized network service chain on a per-network function basis.
- A description of network environments and architectures for network data access and services, as illustrated in
FIGS. 1A, 1B, 2A, 2B is first disclosed herein. A discussion of systems, methods, and computer-readable media for implementing virtual machine network deployments and providing throughput assurance for virtualized network service chains in the deployments, as shown inFIGS. 3-4 , will then follow. The discussion then concludes with a brief description of example devices, as illustrated inFIGS. 5 and 6 . These variations shall be described herein as the various embodiments are set forth. The disclosure now turns toFIG. 1A . -
FIG. 1A illustrates a diagram of an examplecloud computing architecture 100. The architecture can include acloud 102. Thecloud 102 can include one or more private clouds, public clouds, and/or hybrid clouds. Moreover, thecloud 102 can include cloud elements 104-114. The cloud elements 104-114 can include, for example,servers 104, virtual machines (VMs) 106, one ormore software platforms 108, applications orservices 110,software containers 112, andinfrastructure nodes 114. Theinfrastructure nodes 114 can include various types of nodes, such as compute nodes, storage nodes, network nodes, management systems, etc. - The
cloud 102 can provide various cloud computing services via the cloud elements 104-114, such as software as a service (SaaS) (e.g., collaboration services, email services, enterprise resource planning services, content services, communication services, etc.), infrastructure as a service (IaaS) (e.g., security services, networking services, systems management services, etc.), platform as a service (PaaS) (e.g., web services, streaming services, application development services, etc.), and other types of services such as desktop as a service (DaaS), information technology management as a service (ITaaS), managed software as a service (MSaaS), mobile backend as a service (MBaaS), etc. - The
client endpoints 116 can connect with thecloud 102 to obtain one or more specific services from thecloud 102. Theclient endpoints 116 can communicate with elements 104-114 via one or more public networks (e.g., Internet), private networks, and/or hybrid networks (e.g., virtual private network). Theclient endpoints 116 can include any device with networking capabilities, such as a laptop computer, a tablet computer, a server, a desktop computer, a smartphone, a network device (e.g., an access point, a router, a switch, etc.), a smart television, a smart car, a sensor, a GPS device, a game system, a smart wearable object (e.g., smartwatch, etc.), a consumer object (e.g., Internet refrigerator, smart lighting system, etc.), a city or transportation system (e.g., traffic control, toll collection system, etc.), an internet of things (IoT) device, a camera, a network printer, a transportation system (e.g., airplane, train, motorcycle, boat, etc.), or any smart or connected object (e.g., smart home, smart building, smart retail, smart glasses, etc.), and so forth. -
FIG. 1B illustrates a diagram of an examplefog computing architecture 150. Thefog computing architecture 150 can include thecloud layer 154, which includes thecloud 102 and any other cloud system or environment, and thefog layer 156, which includesfog nodes 162. Theclient endpoints 116 can communicate with thecloud layer 154 and/or thefog layer 156. Thearchitecture 150 can include one ormore communication links 152 between thecloud layer 154, thefog layer 156, and theclient endpoints 116. Communications can flow up to thecloud layer 154 and/or down to theclient endpoints 116. - The
fog layer 156 or “the fog” provides the computation, storage and networking capabilities of traditional cloud networks, but closer to the endpoints. The fog can thus extend thecloud 102 to be closer to theclient endpoints 116. Thefog nodes 162 can be the physical implementation of fog networks. Moreover, thefog nodes 162 can provide local or regional services and/or connectivity to theclient endpoints 116. As a result, traffic and/or data can be offloaded from thecloud 102 to the fog layer 156 (e.g., via fog nodes 162). Thefog layer 156 can thus provide faster services and/or connectivity to theclient endpoints 116, with lower latency, as well as other advantages such as security benefits from keeping the data inside the local or regional network(s). - The
fog nodes 162 can include any networked computing devices, such as servers, switches, routers, controllers, cameras, access points, gateways, etc. Moreover, thefog nodes 162 can be deployed anywhere with a network connection, such as a factory floor, a power pole, alongside a railway track, in a vehicle, on an oil rig, in an airport, on an aircraft, in a shopping center, in a hospital, in a park, in a parking garage, in a library, etc. - In some configurations, one or
more fog nodes 162 can be deployed withinfog instances fog instances fog instances fog nodes 162, etc. In some configurations, one ormore fog nodes 162 can be deployed within a network, or as standalone or individual nodes, for example. Moreover, one or more of thefog nodes 162 can be interconnected with each other vialinks 164 in various topologies, including star, ring, mesh or hierarchical arrangements, for example. - In some cases, one or
more fog nodes 162 can be mobile fog nodes. The mobile fog nodes can move to different geographical locations, logical locations or networks, and/or fog instances while maintaining connectivity with thecloud layer 154 and/or theendpoints 116. For example, a particular fog node can be placed in a vehicle, such as an aircraft or train, which can travel from one geographical location and/or logical location to a different geographical location and/or logical location. In this example, the particular fog node may connect to a particular physical and/or logical connection point with thecloud 154 while located at the starting location and switch to a different physical and/or logical connection point with thecloud 154 while located at the destination location. The particular fog node can thus move within particular clouds and/or fog instances and, therefore, serve endpoints from different locations at different times. -
FIG. 2A illustrates a diagram of anexample Network Environment 200, such as a data center. In some cases, theNetwork Environment 200 can include a data center, which can support and/or host thecloud 102. TheNetwork Environment 200 can include aFabric 220 which can represent the physical layer or infrastructure (e.g., underlay) of theNetwork Environment 200.Fabric 220 can include Spines 202 (e.g., spine routers or switches) and Leafs 204 (e.g., leaf routers or switches) which can be interconnected for routing or switching traffic in theFabric 220.Spines 202 can interconnectLeafs 204 in theFabric 220, andLeafs 204 can connect theFabric 220 to an overlay or logical portion of theNetwork Environment 200, which can include application services, servers, virtual machines, containers, endpoints, etc. Thus, network connectivity in theFabric 220 can flow fromSpines 202 toLeafs 204, and vice versa. The interconnections betweenLeafs 204 andSpines 202 can be redundant (e.g., multiple interconnections) to avoid a failure in routing. In some embodiments,Leafs 204 andSpines 202 can be fully connected, such that any given Leaf is connected to each of theSpines 202, and any given Spine is connected to each of theLeafs 204.Leafs 204 can be, for example, top-of-rack (“ToR”) switches, aggregation switches, gateways, ingress and/or egress switches, provider edge devices, and/or any other type of routing or switching device. -
Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one ormore Controllers 216, and/or implemented or enforced by one or more devices, such asLeafs 204.Leafs 204 can connect other elements to theFabric 220. For example,Leafs 204 can connectServers 206,Hypervisors 208, Virtual Machines (VMs) 210,Applications 212,Network Device 214, etc., withFabric 220. Such elements can reside in one or more logical or virtual layers or networks, such as an overlay network. In some cases,Leafs 204 can encapsulate and decapsulate packets to and from such elements (e.g., Servers 206) in order to enable communications throughoutNetwork Environment 200 andFabric 220.Leafs 204 can also provide any other devices, services, tenants, or workloads with access toFabric 220. In some cases,Servers 206 connected toLeafs 204 can similarly encapsulate and decapsulate packets to and fromLeafs 204. For example,Servers 206 can include one or more virtual switches or routers or tunnel endpoints for tunneling packets between an overlay or logical layer hosted by, or connected to,Servers 206 and an underlay layer represented byFabric 220 and accessed viaLeafs 204. -
Applications 212 can include software applications, services, containers, appliances, functions, service chains, etc. For example,Applications 212 can include a firewall, a database, a CDN server, an IDS/IPS, a deep packet inspection service, a message router, a virtual switch, etc. An application fromApplications 212 can be distributed, chained, or hosted by multiple endpoints (e.g.,Servers 206,VMs 210, etc.), or may run or execute entirely from a single endpoint. -
VMs 210 can be virtual machines hosted byHypervisors 208 or virtual machine managers running onServers 206.VMs 210 can include workloads running on a guest operating system on a respective server.Hypervisors 208 can provide a layer of software, firmware, and/or hardware that creates, manages, and/or runs theVMs 210.Hypervisors 208 can allowVMs 210 to share hardware resources onServers 206, and the hardware resources onServers 206 to appear as multiple, separate hardware platforms. Moreover,Hypervisors 208 onServers 206 can host one ormore VMs 210. - In some cases,
VMs 210 can be migrated toother Servers 206.Servers 206 can similarly be migrated to other physical locations inNetwork Environment 200. For example, a server connected to a specific leaf can be changed to connect to a different or additional leaf. Such configuration or deployment changes can involve modifications to settings, configurations and policies that are applied to the resources being migrated as well as other network components. - In some cases, one or
more Servers 206,Hypervisors 208, and/orVMs 210 can represent or reside in a tenant or customer space. Tenant space can include workloads, services, applications, devices, networks, and/or resources that are associated with one or more clients or subscribers. Accordingly, traffic inNetwork Environment 200 can be routed based on specific tenant policies, spaces, agreements, configurations, etc. Moreover, addressing can vary between one or more tenants. In some configurations, tenant spaces can be divided into logical segments and/or networks and separated from logical segments and/or networks associated with other tenants. Addressing, policy, security and configuration information between tenants can be managed byControllers 216,Servers 206,Leafs 204, etc. - Configurations in
Network Environment 200 can be implemented at a logical level, a hardware level (e.g., physical), and/or both. For example, configurations can be implemented at a logical and/or hardware level based on endpoint or resource attributes, such as endpoint types and/or application groups or profiles, through a software-defined networking (SDN) framework (e.g., Application-Centric Infrastructure (ACI) or VMWARE NSX). To illustrate, one or more administrators can define configurations at a logical level (e.g., application or software level) throughControllers 216, which can implement or propagate such configurations throughNetwork Environment 200. In some examples,Controllers 216 can be Application Policy Infrastructure Controllers (APICs) in an ACI framework. In other examples,Controllers 216 can be one or more management components for associated with other SDN solutions, such as NSX Managers. - Such configurations can define rules, policies, priorities, protocols, attributes, objects, etc., for routing and/or classifying traffic in
Network Environment 200. For example, such configurations can define attributes and objects for classifying and processing traffic based on Endpoint Groups, Security Groups (SGs), VM types, bridge domains (BDs), virtual routing and forwarding instances (VRFs), tenants, priorities, firewall rules, etc. Other example network objects and configurations are further described below. Traffic policies and rules can be enforced based on tags, attributes, or other characteristics of the traffic, such as protocols associated with the traffic, EPGs associated with the traffic, SGs associated with the traffic, network address information associated with the traffic, etc. Such policies and rules can be enforced by one or more elements inNetwork Environment 200, such asLeafs 204,Servers 206,Hypervisors 208,Controllers 216, etc. As previously explained,Network Environment 200 can be configured according to one or more particular SDN solutions, such as CISCO ACI or VMWARE NSX. These example SDN solutions are briefly described below. - ACI can provide an application-centric or policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to
Network Environment 200. Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc. Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts.Leafs 204 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc. - In some cases, classification in the ACI infrastructure can be implemented by ACI virtual edge (AVE), which can run on a host, such as a server, e.g. a vSwitch running on a server. For example, the AVE can classify traffic based on specified attributes, and tag packets of different attribute EPGs with different identifiers, such as network segment identifiers (e.g., VLAN ID). Finally,
Leafs 204 can tie packets with their attribute EPGs based on their identifiers and enforce policies, which can be implemented and/or managed by one ormore Controllers 216.Leaf 204 can classify to which EPG the traffic from a host belongs and enforce policies accordingly. - Another example SDN solution is based on VMWARE NSX. With VMWARE NSX, hosts can run a distributed firewall (DFW) which can classify and process traffic. Consider a case where three types of VMs, namely, application, database and web VMs, are put into a single layer-2 network segment. Traffic protection can be provided within the network segment based on the VM type. For example, HTTP traffic can be allowed among web VMs, and disallowed between a web VM and an application or database VM. To classify traffic and implement policies, VMWARE NSX can implement security groups, which can be used to group the specific VMs (e.g., web VMs, application VMs, database VMs). DFW rules can be configured to implement policies for the specific security groups. To illustrate, in the context of the previous example, DFW rules can be configured to block HTTP traffic between web, application, and database security groups.
- Returning now to
FIG. 2A ,Network Environment 200 can deploy different hosts viaLeafs 204,Servers 206,Hypervisors 208,VMs 210,Applications 212, andControllers 216, such as VMWARE ESXi hosts, WINDOWS HYPER-V hosts, bare metal physical hosts, etc.Network Environment 200 may interoperate with a variety ofHypervisors 208, Servers 206 (e.g., physical and/or virtual servers), SDN orchestration platforms, etc.Network Environment 200 may implement a declarative model to allow its integration with application design and holistic network policy. -
Controllers 216 can provide centralized access to fabric information, application configuration, resource configuration, application-level configuration modeling for a SDN infrastructure, integration with management systems or servers, etc.Controllers 216 can form a control plane that interfaces with an application plane via northbound APIs and a data plane via southbound APIs. - As previously noted,
Controllers 216 can define and manage application-level model(s) for configurations inNetwork Environment 200. In some cases, application or device configurations can also be managed and/or defined by other components in the network. For example, a hypervisor or virtual appliance, such as a VM or container, can run a server or management tool to manage software and services inNetwork Environment 200, including configurations and settings for virtual appliances. - As illustrated above,
Network Environment 200 can include one or more different types of SDN solutions, hosts, etc. For the sake of clarity and explanation purposes, various examples in the disclosure will be described with reference to an ACI framework, andControllers 216 may be interchangeably referenced as controllers, APICs, or APIC controllers. However, it should be noted that the technologies and concepts herein are not limited to ACI solutions and may be implemented in other architectures and scenarios, including other SDN solutions as well as other types of networks which may not deploy an SDN solution. - Further, as referenced herein, the term “hosts” can refer to Servers 206 (e.g., physical or logical),
Hypervisors 208,VMs 210, containers (e.g., Applications 212), etc., and can run or include any type of server or application solution. Non-limiting examples of “hosts” can include virtual switches or routers, such as distributed virtual switches (DVS), AVE nodes, vector packet processing (VPP) switches; VCENTER and NSX MANAGERS; bare metal physical hosts; HYPER-V hosts; VMs; DOCKER Containers; etc. -
FIG. 2B illustrates another example ofNetwork Environment 200. In this example,Network Environment 200 includesEndpoints 222 connected toLeafs 204 inFabric 220.Endpoints 222 can be physical and/or logical or virtual entities, such as servers, clients, VMs, hypervisors, software containers, applications, resources, network devices, workloads, etc. For example, anEndpoint 222 can be an object that represents a physical device (e.g., server, client, switch, etc.), an application (e.g., web application, database application, etc.), a logical or virtual resource (e.g., a virtual switch, a virtual service appliance, a virtualized network function (VNF), a VM, a service chain, etc.), a container running a software resource (e.g., an application, an appliance, a VNF, a service chain, etc.), storage, a workload or workload engine, etc. Endpoints 122 can have an address (e.g., an identity), a location (e.g., host, network segment, virtual routing and forwarding (VRF) instance, domain, etc.), one or more attributes (e.g., name, type, version, patch level, OS name, OS type, etc.), a tag (e.g., security tag), a profile, etc. -
Endpoints 222 can be associated with respectiveLogical Groups 218.Logical Groups 218 can be logical entities containing endpoints (physical and/or logical or virtual) grouped together according to one or more attributes, such as endpoint type (e.g., VM type, workload type, application type, etc.), one or more requirements (e.g., policy requirements, security requirements, QoS requirements, customer requirements, resource requirements, etc.), a resource name (e.g., VM name, application name, etc.), a profile, platform or operating system (OS) characteristics (e.g., OS type or name including guest and/or host OS, etc.), an associated network or tenant, one or more policies, a tag, etc. For example, a logical group can be an object representing a collection of endpoints grouped together. To illustrate,Logical Group 1 can contain client endpoints,Logical Group 2 can contain web server endpoints,Logical Group 3 can contain application server endpoints, Logical Group N can contain database server endpoints, etc. In some examples,Logical Groups 218 are EPGs in an ACI environment and/or other logical groups (e.g., SGs) in another SDN environment. - Traffic to and/or from
Endpoints 222 can be classified, processed, managed, etc., basedLogical Groups 218. For example,Logical Groups 218 can be used to classify traffic to or fromEndpoints 222, apply policies to traffic to or fromEndpoints 222, define relationships betweenEndpoints 222, define roles of Endpoints 222 (e.g., whether an endpoint consumes or provides a service, etc.), apply rules to traffic to or fromEndpoints 222, apply filters or access control lists (ACLs) to traffic to or fromEndpoints 222, define communication paths for traffic to or fromEndpoints 222, enforce requirements associated withEndpoints 222, implement security and other configurations associated withEndpoints 222, etc. - In an ACI environment,
Logical Groups 218 can be EPGs used to define contracts in the ACI. Contracts can include rules specifying what and how communications between EPGs take place. For example, a contract can define what provides a service, what consumes a service, and what policy objects are related to that consumption relationship. A contract can include a policy that defines the communication path and all related elements of a communication or relationship between EPs or EPGs. For example, a Web EPG can provide a service that a Client EPG consumes, and that consumption can be subject to a filter (ACL) and a service graph that includes one or more services, such as firewall inspection services and server load balancing. -
FIG. 3 illustrates a schematic diagram of an example virtual machine (VM)deployment 310. In this example, thehost 302 can include one ormore VMs 316. TheVMs 316 can be configured to run workloads like VNFs based onhardware resources 312 on thehost 302. TheVMs 316 can run onguest operating systems 314 on a virtual operating platform provided by ahypervisor 318. Each VM can run a respective guest operating system which can be the same or different as other guest operating systems associated with other VMs on thehost 302. Moreover, each VM can have one or more network addresses, such as an internet protocol (IP) address. TheVMs 316 can communicate withhypervisors 318 and/or any remote devices or networks using the one or more network addresses. -
Hypervisors 318 can be a layer of software, firmware, and/or hardware that creates and runsVMs 316. For example, thehypervisors 318 can be virtual machine managers (VMM) for hosting and managing theVMs 316. The guest operating systems running onVMs 316 can share virtualized hardware resources created by thehypervisors 318. The virtualized hardware resources can provide the illusion of separate hardware components. Moreover, the virtualized hardware resources can perform as physical hardware components (e.g., memory, storage, processor, network interface, etc.), and can be driven by thehardware resources 312 on thehost 302.Hypervisors 318 can have one or more network addresses, such as an internet protocol (IP) address, to communicate with other devices, components, or networks. For example, thehypervisors 318 can have a dedicated IP address which they can use to communicate withVMs 316 and/or any remote devices or networks. -
Hardware resources 312 can provide the underlying physical hardware driving operations and functionalities provided by thehost 302,hypervisors 318, andVMs 316.Hardware resources 312 can include, for example, one or more memory resources, one or more storage resources, one or more communication interfaces, one or more processors, one or more circuit boards, one or more extension cards, one or more power supplies, one or more antennas, one or more peripheral components, etc. - The
host 302 can also include one or more host operating systems (not shown). The number of host operating system can vary by configuration. For example, some configurations can include a dual boot configuration that allows thehost 302 to boot into one of multiple host operating systems. In other configurations, thehost 302 may run a single host operating system. Host operating systems can run onhardware resources 312. In some cases, ahypervisor 318 can run on, or utilize, a host operating system on thehost 302. - The
host 302 can also have one or more network addresses, such as an internet protocol (IP) address, to communicate with other devices, components, or networks. For example, thehost 302 can have an IP address assigned to a communications interface fromhardware resources 312, which it can use to communicate withVMs 316,hypervisor 318, switches, and/or any remote devices or networks. - In some examples, the
host 302 can run a distributed function router. For example,VMs 316 onhost 302 can host and execute one or more functionalities of the distributed function router. In some cases, host 302 can also host multiple distributed function routers viaVMs 316. For example,VM 1 can host and run a first distributed function router andVM 2 can host and run a second distributed function router. The first and second distributed function routers can be different function routers or may be instances of a same function router which can be configured for load balancing, failover, auto-scaling, etc. - As discussed previously, users typically expect a specific throughput for a virtualized service chain in a virtualized network environment. Specifically, users expect that the service chain is configured correctly on the hypervisor platform and that a specific throughput is achievable through the individual VNFs, and the corresponding service chain as a whole. Typically, an infrastructure provider/service provider for the service chain is responsible for assuring an expected throughput for the chain. However, it is currently difficult for service providers to diagnose and resolve issues in service chains due to a lack of visibility in virtual networks. In particular, as multiple VNFs are used in a virtual service chain and as a result of poor visibility in virtual networks, it is difficult for service providers to identify which link or VNF is behaving as an anomaly in the service chain, e.g. as part of providing throughput assurance for the service chain to a customer.
- The present includes systems, methods, and computer-readable media for solving these problems/discrepancies. Specifically, the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection and anomaly mitigation in a virtualized network service chain. More specifically, the present technology involves systems, methods, and computer-readable media for providing throughput assurance, anomaly detection, and anomaly mitigation in a virtualized network service chain on a per-network function basis.
-
FIG. 4 illustrates an examplevirtualized network environment 400 with a networkthroughput assurance agent 401 in accordance with various aspects of the subject technology. Thevirtualized network environment 400 can be implemented according to an applicable network architecture, such as thecloud computing architecture 100 orfog computing architecture 150 shown inFIGS. 1A and 1B . Further, thevirtualized network environment 400 can be implemented in an applicable network environment, such as theexample network environment 200 shown inFIGS. 2A and 2B . - The
virtualized network environment 400 can be formed, at least in part, according to an applicable virtual machine deployment, such as the virtual machine (VM)deployment 310 shown inFIG. 3 . Specifically, thevirtualized network environment 400 includes a switchingfabric 402. The switchingfabric 402 can include physical hardware implementing one or more virtual machines and virtual functions. Specifically, the switchingfabric 402 can function as a host and support ahypervisor 404 running on top of the switchingfabric 402. Thehypervisor 404 and the switchingfabric 402 may be connected using network interface cards (not shown). For example, thehypervisor 404 can be connected to the switchingfabric 402 using physical network interface cards (pNICs). - The hypervisor 404 functions according to an applicable layer for providing a virtual operating platform upon which one or more VNFs can run, such as the
hypervisor 318 shown inFIG. 3 . Specifically, thehypervisor 404 can function to create a virtual operating platform supporting a first VNF 406-1, a second VNF 406-2, and a third VNF 406-3 (collectively referred to as “VNFs 406”). While only three VNFs 406 are shown inFIG. 4 , thevirtualized network environment 400 can include more VNFs or less VNFs. - The VNFs 406 can form all or part of a virtual service chain. Specifically, the VNFs 406 can be stitched together, e.g. through the
hypervisor 404, to form, at least part of, a virtual service chain of VNFs. A virtual service chain, as used herein, is a grouping of VNFs that are stitched together such that the VNFs apply operations to network traffic passing through the virtual service chain based on the arrangement of, e.g. in the order of, the VNFs in the virtual service chain. For example, traffic entering the virtual service chain atpoint 408, as ingress traffic for the virtual service chain, can be directed to the first VNF 406-1 atpoint 412 as ingress traffic to the first VNF 406-1. In turn, the first VNF 406-1 can perform one or more operations on the traffic. As follows, the traffic can pass out of the first VNF 406-1 atpoint 414 as egress traffic to the first VNF 406-1 after the first VNF 406-1 performs one or more operations on the traffic. - As the first VNF 406-1 is adjacent to the second VNF 406-2 in the virtual service chain, the egress traffic of the first VNF 406-1 that exits the first VNF 406-1 at
point 414 can serve as ingress traffic to the second VNF 406-2. Specifically, the traffic can enter the second VNF 406-2 atpoint 416 as ingress traffic. In turn, the second VNF 406-2 can perform one or more operations on the traffic. As follows, the traffic can pass out of the second VNF 406-2 atpoint 418 as egress traffic to the second VNF 406-2 after the second VNF 406-2 performs one or more operations on the traffic. Similarly, the traffic can pass into the third VNF 406-3 atpoint 420 as ingress traffic to the third VNF 406-3 and pass out of the third VNF 406-3 atpoint 422 as egress traffic to the third VNF 406-3. As the third VNF 406-3 is the last VNF in the virtual service chain, the traffic exiting the third VNF 406-3 is the egress traffic for the virtual service chain and exits the virtual service chain atpoint 410. - The VNFs 406 can be stitched together through the
hypervisor 404 to form the virtual service chain. Specifically, traffic passing between the VNFs 406 can pass through thehypervisor 404. For example, traffic passing out of the first VNF 406-1 atpoint 414 can pass into thehypervisor 404 and then into the second VNF 406-2 atpoint 416. Accordingly, adjacent VNFs in the virtual service chain can be linked together/stitched together through one or more link points formed in thehypervisor 404. More specifically, traffic can directly pass between adjacent VNFs through the one or more link points in thehypervisor 404 that link the adjacent VNFs to each other. By stitching together the VNFs 406 through thehypervisor 404 to form the virtual service chain, the functionality of the VNFs 406 may be combined, e.g. in a building block-style fashion, to provide various networking communication services. - Adjacent VNFs in a service chain, as used herein, include VNFs that are logically next to each other in the service chain, e.g. from a traffic processing perspective, in the order in which the VNFs operate on data passing through the service chain. For example, in the
environment 400 show inFIG. 4 , the first and second VNFs 406-1 and 406-2 are adjacent to each other. Further, the second VNF 406-2 and the third VNF 406-3 are adjacent to each other. A VNF can have only one adjacent VNF based on the position of the VNF in a virtual service chain. For example, the first VNF 406-1 has only one adjacent VNF, the second VNF 406-2, as the first VNF 406-1 is the first VNF in the virtual service chain. Similarly, the third VNF 406-3 has only one adjacent VNF, the second VNF 406-2, as the third VNF 406-3 is the last VNF in the virtual service chain. Further, a VNF can have a plurality of adjacent VNFs based on the position of the VNF in the virtual service chain. For example, the second VNF 406-2 has two adjacent VNFs, the first VNF 406-1 and the third VNF 406-3. - The virtual service chain in the
example environment 400 shown inFIG. 4 can be formed between a consumer and a provider of network services. For example, the virtual service chain can be formed between a client and a cloud-based service provider. Further, while the traffic shown inFIG. 4 is shown as unidirectional, e.g. frompoint 408 to 410, the virtual service chain can also perform operations on traffic passing in the opposite direction, e.g. frompoint 410 to 408. Accordingly, the techniques for providing assurance that are discussed herein, can be applied to bidirectional traffic passing through the virtual service chain. For example, the technique described herein can be applied to traffic passing from a consumer to a provider through a virtual service chain and traffic passing from the provider to the consumer through the virtual service chain. - The provider of the VNFs 406 can be different from a provider of the switching
fabric 402. For example, the VNFs 406 can be provided and maintained by a network service provider that is different from a provider of the actual infrastructure/hardware, e.g. switchingfabric 402, over which the VNFs 406 are run through one or more VMs. - The
throughput assurance agent 401 can provide assurance for the virtual service chain. Specifically, thethroughput assurance agent 401 can provide throughput assurance for the virtual service chain. Throughput assurance for a virtual service chain, as used herein, can include applicable information related to network assurance and throughput in the virtual service chain. For example, throughput assurance can include an information related to a virtual service chain operation at or beneath an expected throughput for the virtual service chain, information related to a VNF behaving as an anomaly in the virtual service chain, and other applicable information related to VNFs operating, e.g. together, in the virtual service chain. For example, throughput assurance can include an indication of throughput correlated across VNFs in a service chain. In another example, throughput assurance can include which link, e.g. VNF, in a service chain dropped traffic and a location of the link in the service chain. A VNF behaving as an anomaly can include a VNF behaving differently from an expected behavior of the VNF. For example, a VNF behaving as an anomaly can include that an actual throughput at the VNF has dropped below an expected throughput at the VNF. In another example, a VNF behaving as an anomaly can include a VNF that drops traffic. - In the
example environment 400 shown inFIG. 4 , thethroughput assurance agent 401 is shown connected to thehypervisor 404. In being connected to thehypervisor 404, thethroughput assurance agent 401 can be implemented, at least in part, in thehypervisor 404. Specifically, thethroughput assurance agent 401 can include an inline statistics agent that is implemented in thehypervisor 404. - The inline statistics agent functions to generate inline statistics for the virtual service chain. Specifically, the inline statistics agent can monitor traffic passing through the virtual service chain to generate inline statistics for the virtual service chain. More specifically, when the inline statistics agent is implemented in the
hypervisor 404 the inline statistics agent can monitor traffic passing to and from the VNFs 406 through the hypervisor layer to generate inline statistics for the virtual service chain. Inline statistics can include applicable information related to the operation of the VNFs 406 in the virtual service chain. For example, inline statistics can include an actual throughput of traffic passing into and out of the virtual service chain. - The inline statistics agent can generate inline statistics on a per-VNF basis. Specifically, as the inline statistics agent can generate inline statistics by monitoring traffic through the
hypervisor 404, the inline statistics agent can generate inline statistics for each of the VNFs 406 on a per-VNF basis. More specifically, the inline statistics agent can analyze data passing into, out of, and/or between the VNFs 406 through thehypervisor 404 to generate inline statistics for each of the VNFs 406 on a per-VNF basis. For example, the inline statistics agent can generate inline statistics for the second VNF 406-2 that includes ingress traffic throughput at the second VNF 406-2, corresponding to point 416 in the traffic flow. Further in the example, the inline statistics agent can generate inline statistics for the second VNF 406-2 that includes egress traffic throughput at the second VNF 406-2, corresponding to point 418 in the traffic flow. In another example, the inline statistics agent can generate inline statistics for the first VNF 406-1 that includes an ingress traffic throughput for the first VNF 406-1, which is the ingress traffic throughput for the entire virtual service chain as a whole. In yet another example, the inline statistics agent can generate inline statistics for the third VNF 406-3 that includes an egress traffic throughput for the third VNF 406-3, which is the egress traffic throughput for the entire virtual service chain as a whole. Ingress and egress traffic throughput at each of the VNFs 406 can be included as part of an actual throughput for the virtual service chain. - In generating inline statistics on a per-VNF basis, the inline statistics agent can generate inline statistics based on ingress traffic throughput and egress traffic throughput at each of the VNFs 406. Specifically, the inline statistics agent can compare an ingress traffic throughput at each of the VNFs 406 with an output traffic throughput at each of the VNFs 406 to generate corresponding inline statistics for each of the VNFs 406. For example, if the throughput between ingress and egress traffic passing through the first VNF 406-1 is different, then the inline statistics agent can generate inline statistics indicating that traffic is being dropped at the first VNF 406-1.
- The inline statistics agent can generate inline statistics for the virtual service chain based on user/administrator input. For example, a provider of the VNFs can provide input which can be used to generate the inline statistics for the virtual service chain. Specifically, the statistics agent generate inline statistics from a user-input graph indicating the VNFs 406 and the corresponding virtual links, e.g. formed at
point 412, formed betweenpoints points point 422 of the corresponding traffic flow of the service chain. Further, the inline statistics agent can generate inline statistics from a configuration file describing the topological configuration of the VNFs 406 within the virtual service chain. - Further, the inline statistics agent can generate the inline statistics based on an expected throughput of the virtual service chain and/or an expected throughput of one or more of the VNFs 406. Specifically, the inline statistics agent can generate inline statistics based on an expected ingress traffic throughput of the virtual service chain and/or an expected ingress traffic throughput of one or more of the VNFs 406. Further, the inline statistics agent can generate inline statistics based on an expected egress traffic throughput of the virtual service chain and/or an expected egress traffic throughput of one or more of the VNFs 406. The inline statistics agent can identify expected throughput, e.g. egress and ingress traffic throughput, using an applicable technique. Specifically, the inline statistics agent can identify expected throughput based on applicable information, e.g. as part of an input graph or a topological configuration file received from a user/administrator.
- The inline statistics agent can collect the statistics periodically or otherwise at set times. In one example, the inline statistics agent can use the most recently collected statistical data point as a reference point in gathering inline statistics. In another example, the inline statistics agent can use a moving average of a set of the most recently collected statistical data points to gather inline statistics.
- The
throughput assurance agent 401 can provide throughput assurance for the virtual service chain based on the inline statistics generated by the inline statistics agent. In particular, thethroughput assurance agent 401 can provide throughput assurance for the service chain for network traffic from a consumer to a network service provider. Additionally, thethroughput assurance agent 401 can provide throughput assurance for the service chain for traffic from the service provider to the consumer. Further, thethroughput assurance agent 401 may provide throughput assurance for the service chain for bidirectional traffic between the service provider and the consumer. - In providing throughput assurance, the
throughput assurance agent 401 can provide end-to-end throughput assurance for the virtual service chain. Specifically, thethroughput assurance agent 401 can compare an entering throughput of the virtual service chain to an exit throughput off the virtual service chain to provide end-to-end throughput assurance. More specifically, thethroughput assurance agent 401 can provide end-to-end throughput assurance by comparing the throughput atpoint 408 to the first VNF 406-1 and the throughput atpoint 410 out of the third VNF 406-3. If the throughput atinput point 408 equals or is within a threshold range of the throughput atoutput point 410, then thethroughput assurance agent 401 agent can report that there is no throughput anomaly in the service chain. The threshold range can be a user-defined threshold. - Further, the
throughput assurance agent 401 can provide throughput assurance by comparing inline statistics for each of the VNFs 406 with an expected traffic throughput of the service chain. An expected throughput can include an expected throughput or a range of expected throughput that either or both a consumer desires or a provider of the VNFs 406 has assured. In comparing inline statistics for each of the VNFs 406 with an expected traffic throughput, thethroughput assurance agent 401 can directly compare the egress data throughput at each of the VNFs 406, e.g. corresponding topoints - The
throughput assurance agent 401 can provide throughput assurance for the virtual service chain by comparing the inline statistics for two or more of the VNFs 406. In particular, thethroughput assurance agent 401 can provide throughput assurance for the virtual service chain by comparing inline statistics for a VNF to inline statistics of one or more adjacent VNFs. Specifically, thethroughput assurance agent 401 can compare the inline statistics of the first VFR 406-1 with the inline statistics of the second VRF 406-2. Further, thethroughput assurance agent 401 can compare the inline statistics of the second VRF 406-2 with the inline statistics of both the first VNF 406-1 and the third VNF 406-3. Additionally, thethroughput assurance agent 401 can compare the inline statistics of the third VRF 406-3 with the inline statistics of the second VRF 406-2. Referring toFIG. 4 , thethroughput assurance agent 401 can verify that VNFs 406-1, 406-2, and 406-3 do not cause a drop in network throughput by checking that the throughput of the ingress and egress nodes of each of the VNFs 406 are equal or within a threshold range of each other. Specifically, thethroughput assurance agent 401 can check that the throughput atingress point 412 is equal to the throughput ategress point 414; the throughput atingress point 416 is equal to the throughput ategress point 414 andegress point 418; and the throughput atingress point 420 is equal to the throughput ategress point 418 andegress point 422. If one or more of the equalities do not hold, the statistics agent may report the specific VNF of the VNFs 406 involved in the inequality as the VNF causing the throughput anomaly. While reference is made in to comparing the throughput between the VNFs as being equal or not, the techniques described with respect to comparing ingress and egress throughput across the VNFs 406 can be compared based on thresholds. For example, if the throughput ategress point 414 is falls outside of a threshold when compared to the throughput atingress point 412, then thethroughput assurance agent 401 can identify the first VNG 406-1 as an anomaly. Applicable thresholds, as described herein, can be user-defined, e.g. user-defined ranges. - In various embodiments, the expected data throughput for the service chain may be higher than the actual traffic throughput at the
input point 408, corresponding to the entering throughput for the virtual service chain. Specifically, the entering throughput for the service chain at the first VNF 406 can be lower than the expected throughput for the virtual service chain. In turn, thethroughput assurance agent 401 can provide throughput assurance based on the entering throughput being lower than the expected throughput for the virtual service chain. Specifically, if the entering throughput is lower than the expected throughput for the virtual service chain, then the corresponding throughput, e.g. ingress and egress throughput, at each of the VNFs can be less than the expected throughput for the virtual service chain. As a result, the throughput assurance agent can refrain from flagging the VNFs 406 as anomalies even though the throughput of one or more of the VNFs 406 drops below a threshold of the expected throughput of the virtual service chain. - Conversely, the expected data throughput for the service chain may be lower than the actual traffic throughput at the
input point 408, corresponding to the entering throughput for the virtual service chain. Specifically, the entering throughput for the service chain at the first VNF 406 can be higher than the expected data throughput for the virtual service chain. In turn, thethroughput assurance agent 401 can provide throughput assurance based on the entering throughput being higher than the expected throughput for the virtual service chain. Specifically, if the entering throughput is higher than the expected throughput for the virtual service chain, then the corresponding throughput can ensure that the throughput at each of the VNFs 406 does not drop below the expected throughput or a threshold range of the expected throughput of the virtual service chain. - Further, if the entering throughput is lower or higher than the expected throughput for the virtual service chain, then the
throughput assurance agent 401 can be configured to automatically analyze inline statistics for each of the VNFs 406 andcorresponding points throughput assurance agent 401 can compare ingress and egress traffic throughput at each of the VNFs 406 on a per-VNF basis to identify any potential drops in throughput across the VNFs 406 in response to the entering throughput being lower or higher than the expected throughput. In turn, thethroughput assurance agent 401 can mark a VNF as an anomaly if a drop in throughput is observed across the VNF. For example, if the entering throughput is higher than the expected throughput, then thethroughput assurance agent 401 can analyze inline statistics for each of the VNFs 406 to ensure that the throughput across each of the VNFs 406 does not drop below the expected throughput or a threshold range of the expected throughput of the virtual service chain. - In providing throughput assurance based on identified drops in traffic throughput in the service chain, the
throughput assurance agent 401 can determine a point of traffic drop in the service chain. Specifically, thethroughput assurance agent 401 can collect the statistics of the virtual links in the service chain. The virtual links may include the link between the consumer's incoming traffic and the first VNF of the service chain, the link between consecutive VNFs, e.g. corresponding to adjacent VNFs, in the service chain, and/or the link between the last VNF of the service chain and the outgoing traffic to the service provider. Specifically, thethroughput assurance agent 401 can collect the ingress and egress traffic statistics of each VNF, as included as part of the generated inline statistics, to determine the point of traffic anomaly. - An identified traffic anomaly point can then be used to deduce the exact cause of failure. Example causes of failure in a service chain include sub-optimal placement algorithms, network I/O bottle necks, CPU profiling, user misconfigurations, and memory trashing. Specifically, if the
throughput assurance agent 401 detects one or more anomalies, e.g. a drop in traffic across a VNF, in the service chain, then thethroughput assurance agent 401 can feed the anomaly information to a deduction agent, e.g. as included as part of thethroughput assurance agent 401. The deduction agent can then run deductions based on theenvironment 400. For example, the deduction agent can make deductions based on the VNF placement, VNF licensing, CPU pinning, or NUMA node balancing, e.g. as indicated by user-provided information. Deduction made by the deduction agent can include applicable deductions related to providing throughput assurance. For example, deductions can include that a VNF is improperly configured in theenvironment 400. - In turn, the deduction agent can deduce possible causes of the network throughput anomaly to the user. For example, possible can include CPU usage, firewall, and traffic being dropped in the service chain.
- In some examples, the deduction output from the deduction agent would be used to alert the user. The user alert may include the deduction, as well as specific throughput information for each of the nodes in the service chain as collected by the statistic agent.
- In some examples, the output from the deduction agent can be used to trigger an auto-correct feature to mitigate anomalies in the service chain. The auto-correct feature may be implemented as policies where each type of anomaly triggers a specific mitigation action to be taken on the service chain.
-
FIG. 5 illustrates acomputing system architecture 500 wherein the components of the system are in electrical communication with each other using aconnection 505, such as a bus.Exemplary system 500 includes a processing unit (CPU or processor) 510 and asystem connection 505 that couples various system components including thesystem memory 515, such as read only memory (ROM) 520 and random access memory (RAM) 525, to theprocessor 510. Thesystem 500 can include acache 512 of high-speed memory connected directly with, in close proximity to, or integrated as part of theprocessor 510. Thesystem 500 can copy data from thememory 515 and/or thestorage device 530 to thecache 512 for quick access by theprocessor 510. In this way, thecache 512 can provide a performance boost that avoidsprocessor 510 delays while waiting for data. These and other modules can control or be configured to control theprocessor 510 to perform various actions.Other system memory 515 may be available for use as well. Thememory 515 can include multiple different types of memory with different performance characteristics. Theprocessor 510 can include any general purpose processor and a hardware or software service, such asservice 1 532,service 2 534, andservice 3 536 stored instorage device 530, configured to control theprocessor 510 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Theprocessor 510 may be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric. - To enable user interaction with the
computing device 500, aninput device 545 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. Anoutput device 535 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with thecomputing device 500. Thecommunications interface 540 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed. -
Storage device 530 is a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 525, read only memory (ROM) 520, and hybrids thereof. - The
storage device 530 can includeservices processor 510. Other hardware or software modules are contemplated. Thestorage device 530 can be connected to thesystem connection 505. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as theprocessor 510,connection 505,output device 535, and so forth, to carry out the function. -
FIG. 6 illustrates anexample network device 600 suitable for performing switching, routing, load balancing, and other networking operations.Network device 600 includes a central processing unit (CPU) 604,interfaces 602, and a bus 610 (e.g., a PCI bus). When acting under the control of appropriate software or firmware, theCPU 604 is responsible for executing packet management, error detection, and/or routing functions. TheCPU 604 preferably accomplishes all these functions under the control of software including an operating system and any appropriate applications software.CPU 604 may include one ormore processors 608, such as a processor from the INTEL X86 family of microprocessors. In some cases,processor 608 can be specially designed hardware for controlling the operations ofnetwork device 600. In some cases, a memory 606 (e.g., non-volatile RAM, ROM, etc.) also forms part ofCPU 604. However, there are many different ways in which memory could be coupled to the system. - The
interfaces 602 are typically provided as modular interface cards (sometimes referred to as “line cards”). Generally, they control the sending and receiving of data packets over the network and sometimes support other peripherals used with thenetwork device 600. Among the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like. In addition, various very high-speed interfaces may be provided such as fast token ring interfaces, wireless interfaces, Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, WIFI interfaces, 3G/4G/5G cellular interfaces, CAN BUS, LoRA, and the like. Generally, these interfaces may include ports appropriate for communication with the appropriate media. In some cases, they may also include an independent processor and, in some instances, volatile RAM. The independent processors may control such communications intensive tasks as packet switching, media control, signal processing, crypto processing, and management. By providing separate processors for the communications intensive tasks, these interfaces allow themaster CPU 604 to efficiently perform routing computations, network diagnostics, security functions, etc. - Although the system shown in
FIG. 6 is one specific network device of the present technology, it is by no means the only network device architecture on which the present technology can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc., is often used. Further, other types of interfaces and media could also be used with thenetwork device 600. - Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 606) configured to store program instructions for the general-purpose network operations and mechanisms for roaming, route optimization and routing functions described herein. The program instructions may control the operation of an operating system and/or one or more applications, for example. The memory or memories may also be configured to store tables such as mobility binding, registration, and association tables, etc.
Memory 606 could also hold various software containers and virtualized execution environments and data. - The
network device 600 can also include an application-specific integrated circuit (ASIC), which can be configured to perform routing and/or switching operations. The ASIC can communicate with other components in thenetwork device 600 via thebus 610, to exchange data and signals and coordinate various types of operations by thenetwork device 600, such as routing, switching, and/or data storage operations, for example. - For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.
- In some embodiments the computer-readable storage devices, media, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.
- Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.
- Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.
- The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.
- Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.
- Claim language reciting “at least one of” refers to at least one of a set and indicates that one member of the set or multiple members of the set satisfy the claim. For example, claim language reciting “at least one of A and B” means A, B, or A and B.
Claims (20)
1. A method comprising:
monitoring a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes;
generating, by an inline statics agent, inline statistics of the operation of the virtual service chain;
identifying an actual throughput of the virtual service chain from the inline statistics; and
providing throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
2. The method of claim 1 , wherein the inline statics agent is implemented in a hypervisor layer under the plurality of virtual nodes.
3. The method of claim 2 , wherein the virtualized network functions are stitched together, at least in part, through the hypervisor layer and data passing between the virtualized network functions is monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain.
4. The method of claim 1 , further comprising analyzing data passing between the virtualized network functions on a per-virtual node basis of the plurality of virtual nodes to generate inline statistics for each of the virtualized network functions in the virtual service chain as part of generating the inline statistics for the virtual service chain.
5. The method of claim 4 , wherein the inline statistics for each of the virtualized network functions is generated by comparing ingress data throughput at each of the virtualized network functions to corresponding egress data throughput at each of the virtualized network functions.
6. The method of claim 4 , further comprising:
comparing the inline statistics for each of the virtualized network functions with the inline statistics of one or more adjacent virtualized network functions in the virtual service chain; and
providing the throughput assurance for the virtual service chain based on comparisons of the inline statistics of each of the virtualized functions with the inline statistics of the one or more adjacent virtualized network functions in the virtual service chain.
7. The method of claim 6 , wherein adjacent virtualized network functions share a virtual link point in the virtual service chain to allow the data to pass directly between the adjacent virtualized network functions as the data passes through the virtual service chain.
8. The method of claim 4 , further comprising:
comparing corresponding egress data throughput at each of the virtualized network functions, as included as part of the inline statistics for each of the virtualized network functions, with the expected throughput of the virtual service chain; and
providing the throughput assurance for the virtual service chain based on comparisons of the corresponding egress data throughput at each of the virtualized network functions with the expected throughput of the virtual service chain.
9. The method of claim 8 , further comprising:
determining that a virtualized network function in the virtual service chain is behaving as an anomaly in the virtual service chain based on a comparison with an egress data throughput at the virtualized network function with the expected throughput of the virtual service chain; and
reporting the virtualized network function as the anomaly as part of providing the throughput assurance for the virtual service chain.
10. The method of claim 9 , wherein the virtualized network function is identified as the anomaly in response to the egress data throughput at the virtualized network function being below the expected throughput of the virtual service chain.
11. The method of claim 4 , further comprising:
comparing entering throughput of a first virtualized network function of the virtual service chain to the expected throughput; and
providing the throughput assurance for the virtual service chain based on a comparison of the entering throughput to the expected throughput.
12. The method of claim 11 , further comprising analyzing the data passing between the virtualized network function on the per-virtual node basis if the entering throughput is less than the expected throughput.
13. The method of claim 1 , wherein the virtual service chain is formed between a consumer and a provider and the throughput assurance for the virtual service chain is provided in either or both a direction from the consumer to the provider and from the provider to the consumer.
14. The method of claim 1 , wherein an infrastructure provider of the plurality of virtual nodes is different from a network service provider of the virtual service chain.
15. A system comprising:
one or more processors; and
at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
monitoring a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes;
generating, by an inline statics agent, inline statistics of the operation of the virtual service chain, wherein the inline statistics is implemented in a hypervisor layer under the plurality of virtual nodes;
identifying an actual throughput of the virtual service chain from the inline statistics; and
providing throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
16. The system of claim 15 , wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising analyzing data passing between the virtualized network functions on a per-virtual node basis of the plurality of virtual nodes to generate inline statistics for each of the virtualized network functions in the virtual service chain as part of generating the inline statistics for the virtual service chain.
17. The system of claim 16 , wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
comparing the inline statistics for each of the virtualized network functions with the inline statistics of one or more adjacent virtualized network functions in the virtual service chain; and
providing the throughput assurance for the virtual service chain based on comparisons of the inline statistics of each of the virtualized functions with the inline statistics of the one or more adjacent virtualized network functions in the virtual service chain.
18. The system of claim 16 , wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
comparing corresponding egress data throughput at each of the virtualized network functions, as included as part of the inline statistics for each of the virtualized network functions, with the expected throughput of the virtual service chain; and
providing the throughput assurance for the virtual service chain based on comparisons of the corresponding egress data throughput at each of the virtualized network functions with the expected throughput of the virtual service chain.
19. The system of claim 18 , wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
determining that a virtualized network function in the virtual service chain is behaving as an anomaly in the virtual service chain based on a comparison with an egress data throughput at the virtualized network function with the expected throughput of the virtual service chain; and
reporting the virtualized network function as the anomaly as part of providing the throughput assurance for the virtual service chain.
20. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations comprising:
monitoring a virtual service chain formed by a plurality of stitched virtualized network functions running on a plurality of virtual nodes;
generating, by an inline statics agent, inline statistics of the operation of the virtual service chain, wherein the virtualized network functions are stitched together, at least in part, through a hypervisor layer and the data passing between the virtualized network functions is monitored by the inline statistics agent in the hypervisor layer to generate the inline statistics for the virtual service chain;
identifying an actual throughput of the virtual service chain from the inline statistics; and
providing throughput assurance for the virtual service chain by comparing the actual throughput of the virtual service chain with an expected throughput of the virtual service chain.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/713,569 US11050640B1 (en) | 2019-12-13 | 2019-12-13 | Network throughput assurance, anomaly detection and mitigation in service chain |
CN202080086348.0A CN114902623B (en) | 2019-12-13 | 2020-11-30 | Network throughput guarantees, anomaly detection and mitigation in a service chain |
PCT/US2020/062587 WO2021118821A1 (en) | 2019-12-13 | 2020-11-30 | Network throughput assurance, anomaly detection and mitigation in service chain |
EP20828212.9A EP4073980B1 (en) | 2019-12-13 | 2020-11-30 | Network throughput assurance, anomaly detection and mitigation in service chain |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/713,569 US11050640B1 (en) | 2019-12-13 | 2019-12-13 | Network throughput assurance, anomaly detection and mitigation in service chain |
Publications (2)
Publication Number | Publication Date |
---|---|
US20210184945A1 true US20210184945A1 (en) | 2021-06-17 |
US11050640B1 US11050640B1 (en) | 2021-06-29 |
Family
ID=73855571
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/713,569 Active US11050640B1 (en) | 2019-12-13 | 2019-12-13 | Network throughput assurance, anomaly detection and mitigation in service chain |
Country Status (4)
Country | Link |
---|---|
US (1) | US11050640B1 (en) |
EP (1) | EP4073980B1 (en) |
CN (1) | CN114902623B (en) |
WO (1) | WO2021118821A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114024867A (en) * | 2021-11-10 | 2022-02-08 | 中国建设银行股份有限公司 | Network anomaly detection method and device |
US20230004412A1 (en) * | 2021-06-30 | 2023-01-05 | International Business Machines Corporation | Quantifying service chain functions of virtual machines for cross interferences |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140344439A1 (en) * | 2013-05-15 | 2014-11-20 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for providing network services orchestration |
US20150365324A1 (en) * | 2013-04-26 | 2015-12-17 | Cisco Technology, Inc. | High-efficiency service chaining with agentless service nodes |
US20160149784A1 (en) * | 2014-11-20 | 2016-05-26 | Telefonaktiebolaget L M Ericsson (Publ) | Passive Performance Measurement for Inline Service Chaining |
US20170250892A1 (en) * | 2016-02-29 | 2017-08-31 | Intel Corporation | Technologies for independent service level agreement monitoring |
US20170310611A1 (en) * | 2016-04-26 | 2017-10-26 | Cisco Technology, Inc. | System and method for automated rendering of service chaining |
US20170371692A1 (en) * | 2016-06-22 | 2017-12-28 | Ciena Corporation | Optimized virtual network function service chaining with hardware acceleration |
US20180063018A1 (en) * | 2016-08-30 | 2018-03-01 | Cisco Technology, Inc. | System and method for managing chained services in a network environment |
US20180083847A1 (en) * | 2015-03-24 | 2018-03-22 | Nec Corporation | Network system, network control method, and control apparatus |
US9929945B2 (en) * | 2015-07-14 | 2018-03-27 | Microsoft Technology Licensing, Llc | Highly available service chains for network services |
US20180091395A1 (en) * | 2015-03-31 | 2018-03-29 | Nec Corporation | Network system, network control method and control apparatus |
US20180225139A1 (en) * | 2015-08-03 | 2018-08-09 | Nokia Solutions And Networks Oy | Load and software configuration control among composite service function chains |
US20190104022A1 (en) * | 2017-09-29 | 2019-04-04 | Intel Corporation | Policy-based network service fingerprinting |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10203972B2 (en) * | 2012-08-27 | 2019-02-12 | Vmware, Inc. | Framework for networking and security services in virtual networks |
US20160179582A1 (en) * | 2014-12-23 | 2016-06-23 | Intel Corporation | Techniques to dynamically allocate resources for local service chains of configurable computing resources |
KR101608818B1 (en) * | 2015-01-15 | 2016-04-21 | 경기대학교 산학협력단 | Network system and computer program for virtual service chaining |
US10135702B2 (en) * | 2015-11-12 | 2018-11-20 | Keysight Technologies Singapore (Holdings) Pte. Ltd. | Methods, systems, and computer readable media for testing network function virtualization (NFV) |
US10397108B2 (en) * | 2016-01-25 | 2019-08-27 | Futurewei Technologies, Inc. | Service function chaining across multiple subnetworks |
US20180034703A1 (en) * | 2016-07-26 | 2018-02-01 | Cisco Technology, Inc. | System and method for providing transmission of compliance requirements for cloud-based applications |
US10142356B2 (en) | 2016-07-29 | 2018-11-27 | ShieldX Networks, Inc. | Channel data encapsulation system and method for use with client-server data channels |
-
2019
- 2019-12-13 US US16/713,569 patent/US11050640B1/en active Active
-
2020
- 2020-11-30 WO PCT/US2020/062587 patent/WO2021118821A1/en unknown
- 2020-11-30 CN CN202080086348.0A patent/CN114902623B/en active Active
- 2020-11-30 EP EP20828212.9A patent/EP4073980B1/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150365324A1 (en) * | 2013-04-26 | 2015-12-17 | Cisco Technology, Inc. | High-efficiency service chaining with agentless service nodes |
US20140344439A1 (en) * | 2013-05-15 | 2014-11-20 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for providing network services orchestration |
US20160149784A1 (en) * | 2014-11-20 | 2016-05-26 | Telefonaktiebolaget L M Ericsson (Publ) | Passive Performance Measurement for Inline Service Chaining |
US20180083847A1 (en) * | 2015-03-24 | 2018-03-22 | Nec Corporation | Network system, network control method, and control apparatus |
US20180091395A1 (en) * | 2015-03-31 | 2018-03-29 | Nec Corporation | Network system, network control method and control apparatus |
US9929945B2 (en) * | 2015-07-14 | 2018-03-27 | Microsoft Technology Licensing, Llc | Highly available service chains for network services |
US20180225139A1 (en) * | 2015-08-03 | 2018-08-09 | Nokia Solutions And Networks Oy | Load and software configuration control among composite service function chains |
US20170250892A1 (en) * | 2016-02-29 | 2017-08-31 | Intel Corporation | Technologies for independent service level agreement monitoring |
US20170310611A1 (en) * | 2016-04-26 | 2017-10-26 | Cisco Technology, Inc. | System and method for automated rendering of service chaining |
US20170371692A1 (en) * | 2016-06-22 | 2017-12-28 | Ciena Corporation | Optimized virtual network function service chaining with hardware acceleration |
US20180063018A1 (en) * | 2016-08-30 | 2018-03-01 | Cisco Technology, Inc. | System and method for managing chained services in a network environment |
US20190104022A1 (en) * | 2017-09-29 | 2019-04-04 | Intel Corporation | Policy-based network service fingerprinting |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230004412A1 (en) * | 2021-06-30 | 2023-01-05 | International Business Machines Corporation | Quantifying service chain functions of virtual machines for cross interferences |
CN114024867A (en) * | 2021-11-10 | 2022-02-08 | 中国建设银行股份有限公司 | Network anomaly detection method and device |
Also Published As
Publication number | Publication date |
---|---|
EP4073980B1 (en) | 2024-07-03 |
EP4073980A1 (en) | 2022-10-19 |
CN114902623A (en) | 2022-08-12 |
WO2021118821A1 (en) | 2021-06-17 |
CN114902623B (en) | 2024-09-03 |
US11050640B1 (en) | 2021-06-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11562176B2 (en) | IoT fog as distributed machine learning structure search platform | |
US10742516B1 (en) | Knowledge aggregation for GAN-based anomaly detectors | |
US20190081850A1 (en) | Network assurance event aggregator | |
US20200328977A1 (en) | Reactive approach to resource allocation for micro-services based infrastructure | |
US11799972B2 (en) | Session management in a forwarding plane | |
US11888876B2 (en) | Intelligent quarantine on switch fabric for physical and virtualized infrastructure | |
US20200379548A1 (en) | Cloud-managed allocation of a network's power use to control runtime on backup battery | |
US11150973B2 (en) | Self diagnosing distributed appliance | |
US11750463B2 (en) | Automatically determining an optimal amount of time for analyzing a distributed network environment | |
US11653220B2 (en) | Cloud-based deployment service in low-power and lossy network | |
EP4073980B1 (en) | Network throughput assurance, anomaly detection and mitigation in service chain | |
US11088915B1 (en) | Live network sandboxing on a centralized management system | |
US10437641B2 (en) | On-demand processing pipeline interleaved with temporal processing pipeline | |
US10691671B2 (en) | Using persistent memory to enable consistent data for batch processing and streaming processing | |
US11469986B2 (en) | Controlled micro fault injection on a distributed appliance |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: CISCO TECHNOLOGY, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RANJIT, DINESH;SUBRAMANYASETTY, PRADEEP KANAVIHALLI;RAO, SHIVA PRASAD;AND OTHERS;SIGNING DATES FROM 20191213 TO 20200401;REEL/FRAME:052295/0311 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |