Automated tenant provisioning

By employing VRF technology in large multi-tenant clusters and dynamically associating VRF references with tenant requests, the complex tenant allocation process and difficult security management in existing technologies are resolved. This achieves efficient tenant isolation and resource management, improving the utilization efficiency and security of network resources.

CN122247647A · Pending · Publication Date: 2026-06-19 · MELLANOX TECHNOLOGIES LTD (IL)

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
MELLANOX TECHNOLOGIES LTD(IL)
Filing Date
2025-12-15
Publication Date
2026-06-19

Smart Images

  • Figure CN122247647A_ABST (abstract drawing)

Abstract

This application discloses automated tenant provisioning. The systems and methods disclosed herein are used for tenant provisioning in a network using Virtual Routing and Forwarding (VRF). The network may include network devices and authentication servers or services. The network devices may provide authentication requests and VRF requests to the authentication servers or services. The authentication servers or services may return VRF references to the network devices. The network devices may also use the VRF associated with the VRF references to place tenants, which is done on behalf of the tenants and as part of resource provisioning for the tenants.

Description

[0001] Cross-reference to related applications

[0002] This is a non-provisional patent application that relates to and claims priority to U.S. Provisional Patent Application 63/735,240 entitled "Automated Tenant Provisioning", filed on December 17, 2024, the entire contents of which are incorporated herein by reference for all purposes.

Technical Field

[0003] This disclosure generally relates to tenant assignment in large multi-tenant clusters, and specifically to tenant assignment using Virtual Routing and Forwarding (VRF).

Background Technology

[0004] Tenant provisioning can include creating and configuring a multi-tenant environment, and specifically provisioning a particular tenant or customer within the shared infrastructure of that environment. Creation and configuration can include allocating resources, assigning permissions, and setting configurations to ensure isolation and security for each tenant or customer. Tenant provisioning can rely on certain standards that apply to at least some aspects of the process. For example, the IEEE 802.1X standard defines port-based access control and authentication protocols for various aspects of the tenant provisioning process. Access control and authentication protocols can be used to prevent unauthorized clients from connecting in a multi-tenant environment. For example, once authentication has succeeded, the standard can also be used to assign user VLANs (Virtual Local Area Networks). As used, the 802.1X standard may suffer from a layer mismatch: it operates at Layer 2 (L2, as indicated by its VLAN assignments) of the OSI (Open Systems Interconnection) model, whereas artificial intelligence (AI) clusters operate at Layer 3 (L3, IP). Tenant provisioning can therefore be cumbersome, because it may require complex and potentially unnecessary L2 configuration on switches.

Attached Figure Description

[0005] Figure 1 illustrates a network according to an embodiment of tenant provisioning using Virtual Routing and Forwarding (VRF);

[0006] Figure 2 illustrates a network aspect used for tenant provisioning with VRF in one example;

[0007] Figure 3 illustrates a module used in an example to support an authentication server for tenant provisioning using VRF;

[0008] Figure 4 illustrates the computer and processor aspects of a system used for tenant provisioning using VRF in one example;

[0009] Figure 5 illustrates a process flow in a system for tenant provisioning using VRF in one example;

[0010] Figure 6 illustrates yet another process flow for supporting tenant provisioning on an authentication server, in one example; and

[0011] Figure 7 illustrates another process flow for switch-supported tenant provisioning in one example.

Detailed Implementation

[0012] Figure 1 depicts a network 100 according to an embodiment of tenant provisioning using Virtual Routing and Forwarding (VRF). Network 100 uses switches to support a dynamic association between tenants and their associated VRF information. Layer 2 (L2) based signaling may not apply naturally to Layer 3 (L3) networking and may impose limitations on Internet Protocol (IP) addressing. The dynamic association can instead be made via signaling or using VRF references (such as VRF names) that are associated with tenant provisioning requests and that can be carried as L3 constructs within the 802.1X authentication process. In one example, a VRF reference is bound to an L3 entity in place of L2 attributes such as Virtual Local Area Network (VLAN) identifiers (IDs). VRF references can be used to place tenants using the VRFs (such as VRF instances) associated with the VRF reference, which is performed on behalf of the tenant and as part of resource provisioning for the tenant. A VRF can include a logical instance of a routing table that allows multiple independent routing tables to coexist on a single physical device, thereby providing isolation and security between the service flows of different tenants. Therefore, references to VRFs in this document can be used interchangeably with VRF instances. Using VRFs to house tenants allows the isolation and security of tenant service flows without VLAN IDs or the creation of switch virtual interfaces (SVIs) for VLAN IDs to manage IP addressing and routing for tenant-specific VLANs. In one example, using VRFs to house tenants, partly based on requests for VRF references, also represents automatic tenant aggregation in large multi-tenant clusters because it eliminates the need to update switches when SVIs are created.

[0013] In one example, network 100 may include at least one circuit, which may be an execution unit of a processor within switches 106, 114, any one of the different interconnect devices 120, or an authentication server or service 118. The interconnect devices may allow communication across wider network groups and may include different switches 106 and / or gateways 108, while communication within or in narrower network groups may be implemented by at least one switch 106, 114. Switches may communicate with each other independently of nodes to share configuration information for various routes in network 100. Switches may also communicate independently with the authentication server or service 118 to perform authentication or to perform resource provisioning for tenants.

[0014] As illustrated, switches 106, 114 may each be associated with a corresponding rack, chassis, or other physical grouping of network groups 102 (group 2) and 110 (group 1), illustrated with nodes or other endpoints 104A-N and 112A-N (nodes 1-N of each group). Tenant provisioning using VRF and authentication server or service 118 may be performed on one or more network devices, referenced generally by numerals 106, 108, 114, 120. Authentication server or service 118 may be a Remote Authentication Dial-In User Service (RADIUS) server. Authentication server or service 118 may include or support network protocols used for authenticating and authorizing users, and may centralize authentication, authorization, and accounting functions for network 100.

[0015] Network 100 may include at least a switch or gateway 108 as part of one or more interconnect devices 120 to provide communication 116 between multiple switches 106, 114, thus providing communication 116 across a wider network group between first or second group nodes 1-N 104A-N, 1-N 112A-N. Tenant provisioning using VRF can be performed within or between network groups. Therefore, the description of interconnect devices 120 herein can be understood as applicable to any of the illustrated switches 106, 114, or gateway 108. Any communication network supporting Transmission Control Protocol/Internet Protocol (TCP/IP) can be used with the tenant provisioning using VRF described herein. In some examples, network 100 is part of or supports large multi-tenant clusters provided by host nodes 112A-112N and 104A-104N. Thus, network 100 can be part of a multi-tenant environment, where host nodes 112A-112N and 104A-104N allow or support tenant leasing within the multi-tenant environment. In some examples, each network group 102, 110 can represent a cluster within the multi-tenant cluster described herein.

[0016] Figure 2 depicts a network aspect 200 for tenant provisioning using VRF in one example. The illustrated host nodes 1-N 112A-112N may include physical servers that form part of the underlying infrastructure of the virtualization environment and may be relied on for provisioning one or more tenants 202. Provisioning the infrastructure that includes at least one of host nodes 112A-112N may include physical setup to acquire and configure the host nodes, which may include installing operating systems, network interfaces, and storage devices. The provisioning process may include resource allocation at the underlying infrastructure level, such as assigning central processing units (CPUs), memory, and storage to the nodes. The provisioning process may include network configuration of settings including IP addresses, VLANs, and routing protocols. The provisioning process may include virtualization via installation of a hypervisor or other supporting agents and drivers. The provisioning process may include security configuration, including firewall rules, intrusion detection systems, and access controls.

[0017] Once the infrastructure is provided, tenant provisioning can include: using the infrastructure to create and configure virtual environments for individual tenants or customers. This process may include: allocating resources to tenant 202 using one or more virtual resources (CPU, memory, storage devices, and network bandwidth); creating virtual machines (VMs) with specified resources and configured operating systems (OS); configuring network routing for virtual networks, IP addresses, and VMs; provisioning storage devices by allocating storage space for tenant data; and configuring security within the virtualized space.

[0018] Tenant 202 can connect to interconnect device 120, such as switch or gateway 108. Although referred to as switch or gateway 108, the discussion in this document applies to each of the network devices labeled 106, 108, 114, and 120 in Figure 1. Tenant 202 may issue request 204 to be placed in a VRF (associated with an L3 Virtual Routing and Forwarding context). In at least one example, request 204 may be a request for provisioning, and placement using a VRF may occur as part of provisioning. Placement 212 is performed on behalf of tenant 202 and as part of resource provisioning for tenant 202. As illustrated, placement 212 may take the form of a mapping or table 210. Placing a tenant using a VRF then isolates and secures that tenant's service flows within the specific VRF.

[0019] Switch 108 supports VRF provisioning. In one example, a tenant's request 204 can trigger switch 108 to request authentication and to provide a VRF request 206 to authentication server or service 118. Authentication server or service 118 can receive and retain VRF information from one or more switches 108 in network 100. Authentication server or service 118 can return a VRF reference to switch 108. The VRF reference can be the tenant's VRF name. Switch 108 can obtain VRF reference 208 and can use VRF reference 208 to place the tenant in the VRF associated with VRF reference 208. Since VRF reference 208 is natively an L3 construct, nothing beyond the configuration within switch 108 that identifies VRF reference 208 and the configuration within authentication server or service 118 that provides VRF reference 208 is required.

[0020] Figure 3 shows module 300 of an authentication server used in an example to support tenant provisioning using VRF. Authentication server or service 118 may include or be associated with authentication module 302, which can be used to ensure that only authorized users (such as tenants) access the network resources of host nodes 112A-112N by enforcing authentication and authorization policies. Authentication module 302 can process authentication requests from a network access server (NAS) or from host nodes 112A-112N. Authentication module 302 can verify user credentials against a configured authentication source (such as LDAP (Lightweight Directory Access Protocol) or another database). Authentication module 302 can send an authentication response to the NAS and can indicate authentication result 304 to VRF attribute module 306. VRF attributes may include VRF references (such as name 306A and ID 306B) and the IP address range 306C of the VRF.

[0021] The authentication server or service 118 may include a configuration module 310 for allowing the management and configuration of the authentication server or service 118. Management and configuration may be performed according to authentication methods, authorization policies, and accounting parameters within the authentication server or service 118. A VRF request 206B may be matched with a VRF reference (such as a VRF name 306A or its identifier 306B).

[0022] In at least one example, a VRF is an L3 construct and can represent one independent routing instance among multiple routing instances on a shared infrastructure. VRFs can isolate different routing domains and enable security and flexibility within network 100. This represents a departure from L2 SVIs, which rely more heavily on switch-based IP routing. While SVIs can create virtual interfaces representing VLANs, doing so may require updating the switch each time, so that multiple VLANs can coexist on a single physical switch for inter-VLAN routing. Mapping or tabulating (or otherwise placing) tenants into VRFs allows provisioning to proceed with flows routed by IP-based instances rather than by VLANs.

[0023] Figures 1-3 illustrate that network 100 may include network devices 106, 108, 114, 120 and authentication server or service 118. Any of the network devices can provide authentication requests and VRF requests to authentication server or service 118. Authentication server or service 118 can return a VRF reference to the network device. The network device can then use the VRF instance associated with the VRF reference to house tenant 202, which is done on behalf of tenant 202 and as part of resource provisioning for tenant 202, as further described in conjunction with one or more of Figures 2 and 3.

[0024] In some examples, network 100 may allow each network device performing an authentication request or VRF request to be a single physical device. The VRF instance identified by VRF reference 208 returned from authentication server or service 118 may include, or allow, a logical instance of a routing table coexisting on that network device with multiple other independent routing tables. In some examples, these multiple independent routing tables allow or provide isolation and security between the service flows of different tenants within network 100 and through network devices 106, 108, 114, and 120.

[0025] In some examples, placement 212 of tenant 202 using a VRF instance allows isolation and security of tenant service flows without a VLAN ID and without an SVI for the VLAN ID to manage IP addressing and routing for tenant-specific VLANs. In some examples, placement 212 using a VRF instance can be based in part on the request for a VRF reference, which can be part of automatic tenant aggregation in large multi-tenant clusters.

[0026] In some examples, placement 212 of tenant 202 using a VRF instance can be based in part on a dynamic association between the tenant and the VRF instance. This dynamic association can include the association of a VRF reference with the tenant as part of a placement performed in response to the tenant's request 204. The VRF reference can be VRF name 306A or VRF ID 306B, which can be reserved together with the IP address range 306C used for the VRF reference or VRF. Reservations can be held in authentication server or service 118, as shown and described in conjunction with one or more of Figures 1-3.

[0027] Figure 4 The illustration shows a computer and processor aspect 400 of a system for tenant provisioning using VRF, according to at least one embodiment. According to at least one embodiment, the computer and processor aspect 400 may be executed by one or more processors, including a system-on-a-chip (SoC) or some combination thereof formed with a processor, the processor including an execution unit for executing instructions. Such one or more processors may include a CPU, a data processing unit (DPU), and a graphics processing unit (GPU), and may be located within any of the interconnect devices in switches 106, 114, different interconnect devices 120, or the first or second set of nodes 1-N 104A-N, 1-N 112A-N, as described throughout this document.

[0028] In at least one embodiment, according to embodiments of this disclosure (such as those described herein), the computer and processor aspect 400 may include, but is not limited to, components such as processor 402 that employ an execution unit including logic for performing algorithms for processing data. In at least one embodiment, the computer and processor aspect 400 may include processors available from Intel Corporation, Santa Clara, California, such as the … processor series, Xeon™, XScale™ and/or StrongARM™, Core™ or Nervana™ microprocessors, although other systems (including PCs with other microprocessors, engineering workstations, set-top boxes, etc.) may also be used. In at least one embodiment, the computer and processor aspect 400 can execute a version of an operating system available from Microsoft Corporation of Redmond, Washington, although other operating systems, embedded software and/or graphical user interfaces may also be used.

[0029] These embodiments can be used in other devices, such as handheld devices and embedded applications. Some examples of handheld devices include cellular phones, Internet Protocol devices, digital cameras, personal digital assistants (“PDAs”), and handheld PCs. In at least one embodiment, the embedded application may include a microcontroller, a digital signal processor (“DSP”), a system-on-a-chip, a network computer (“NetPC”), a set-top box, a network hub, a wide area network (“WAN”) switch, or any other system that can execute one or more instructions according to at least one embodiment.

[0030] In at least one embodiment, the computer and processor aspect 400 may include, but is not limited to, a processor 402, which may include, but is not limited to, one or more execution units 408 for performing aspects of the techniques described herein with reference to Figures 1-3 and Figures 5-7. In at least one embodiment, the computer and processor aspect 400 is a single-processor desktop or server system, but in another embodiment, the computer and processor aspect 400 may be a multiprocessor system.

[0031] In at least one embodiment, processor 402 may include, but is not limited to, a Complex Instruction Set Computer (“CISC”) microprocessor, a Reduced Instruction Set Computing (“RISC”) microprocessor, a Very Long Instruction Word (“VLIW”) microprocessor, a processor implementing instruction set combinations, or any other processor device (e.g., a digital signal processor). In at least one embodiment, processor 402 may be coupled to processor bus 410, which can transmit data signals between processor 402 and other components in the computer and processor aspect 400.

[0032] In at least one embodiment, processor 402 may include, but is not limited to, a Level 1 (“L1”) internal cache memory (“cache”) 404. In at least one embodiment, processor 402 may have a single internal cache or multiple levels of internal caches. In at least one embodiment, cache 404 may be located external to processor 402. Depending on the specific implementation and requirements, other embodiments may also include a combination of both internal and external caches. In at least one embodiment, register file 406 may store different types of data in various registers, including but not limited to integer registers, floating-point registers, status registers, and instruction pointer registers.

[0033] In at least one embodiment, an execution unit 408, including but not limited to logic for performing integer and floating-point operations, is also located in the processor 402. In at least one embodiment, the processor 402 may further include a microcode ("ucode") read-only memory ("ROM") storing microcode for certain macro instructions. In at least one embodiment, the execution unit 408 may include logic for processing a packed instruction set 409.

[0034] In at least one embodiment, by including a packed instruction set 409 in the instruction set of a general-purpose processor, along with the associated circuitry for executing the instructions, operations used by many multimedia applications can be performed using packed data in processor 402. In at least one embodiment, by using the full width of the processor's data bus to perform operations on packed data, many multimedia applications can be accelerated and executed more efficiently, eliminating the need to transfer smaller units of data across the processor's data bus to perform one or more operations on one data element at a time.

[0035] In at least one embodiment, execution unit 408 may also be used as a microcontroller, embedded processor, graphics device, DSP, and other types of logic circuitry. In at least one embodiment, computer and processor aspect 400 may include, but is not limited to, memory 420. In at least one embodiment, memory 420 may be a dynamic random access memory (“DRAM”) device, a static random access memory (“SRAM”) device, a flash memory device, or other memory device. In at least one embodiment, memory 420 may store one or more instructions 419 and / or data 421 represented by data signals that can be executed by processor 402.

[0036] In at least one embodiment, the system logic chip may be coupled to the processor bus 410 and the memory 420. In at least one embodiment, the system logic chip may include, but is not limited to, a memory controller hub (“MCH”) 416, and the processor 402 may communicate with the MCH 416 via the processor bus 410. In at least one embodiment, the MCH 416 may provide a high-bandwidth memory path 418 to the memory 420 for storing instructions and data, and for storing graphics commands, data, and textures. In at least one embodiment, the MCH 416 may direct data signals between the processor 402, the memory 420, and other components in the computer and processor aspect 400, and bridge data signals between the processor bus 410, the memory 420, and the system I / O interface 422. In at least one embodiment, the system logic chip may provide a graphics port for coupling to a graphics controller. In at least one embodiment, the MCH 416 may be coupled to the memory 420 via the high-bandwidth memory path 418, and the graphics / video card 412 may be coupled to the MCH 416 via an Accelerated Graphics Port (“AGP”) interconnect 414.

[0037] In at least one embodiment, the computer and processor aspect 400 may use a system I / O interface 422, which serves as a proprietary hub interface bus, to couple the MCH 416 to an I / O controller hub (“ICH”) 430. In at least one embodiment, the ICH 430 may provide direct connectivity to some I / O devices via a local I / O bus. In at least one embodiment, the local I / O bus may include, but is not limited to, a high-speed I / O bus for connecting peripheral devices to the memory 420, chipset, and processor 402. Examples may include, but are not limited to, an audio controller 429, a firmware hub (“flash BIOS”) 428, a wireless transceiver 426, a data storage device 424, a conventional I / O controller 423 including a user input and keyboard interface 425, a serial expansion port 427 (such as a Universal Serial Bus (“USB”) port), and a network controller 434. In at least one embodiment, the data storage device 424 may include a hard disk drive, a floppy disk drive, a CD-ROM device, a flash memory device, or other mass storage device.

[0038] In at least one embodiment, Figure 4 illustrates a computer and processor aspect 400 that includes interconnected hardware devices or "chips," while in other embodiments Figure 4 may illustrate an exemplary SoC. In at least one embodiment, the devices illustrated in Figure 4 may be interconnected using proprietary interconnects, standardized interconnects, or some combination thereof. In at least one embodiment, one or more components of the computer and processor aspect 400 are interconnected using a Compute Express Link (CXL) interconnect.

[0039] Therefore, in at least one embodiment, the system of Figures 1-4 includes one or more execution units 408 within switches 106, 114, any of the interconnect devices 120, or the first or second group of nodes 1-N 104A-N, 1-N 112A-N, for supporting tenant provisioning using VRF. For example, at least one execution unit 408 supports tenant provisioning using VRF in other processing units of other host machines (or nodes). At least one execution unit 408 is part of one or more circuits to be associated as nodes in the network. For example, at least one execution unit 408 of a processor may be a circuit associated, as part of a node, with another circuit of another processor in a different node.

[0040] Thus, at least one or more circuits of execution unit 408 are capable of providing authentication requests and VRF requests for authentication and VRF references. At least one or more circuits of execution unit 408 can receive VRF references. One or more circuits are also capable of placing tenants using the VRF instance associated with the VRF reference, which is done on behalf of the tenant and as part of resource provisioning for the tenant.

[0041] At least one execution unit 408 may have one or more circuits that are part of a single physical device, such as a network device. A VRF instance may include a logical instance of a routing table, along with multiple independent routing tables that coexist on a single physical device. Multiple independent routing tables may exist to allow or provide isolation and security between different service flows for different tenants within the network and through a single physical device. In some examples, using a VRF instance to house tenants allows for the isolation and security of tenant service flows without VLAN IDs and without an SVI for VLAN IDs, to manage IP addressing and routing for tenant-specific VLANs. In some examples, using a VRF instance to house tenants may be based in part on requests for VRF references as part of automatic tenant aggregation in a large multi-tenant cluster. In some examples, using a VRF instance to house tenants may be based in part on dynamic associations between tenants and VRF instances. Dynamic associations may include the association of VRF references with tenants as part of dispatching performed in response to tenant requests. In some examples, a VRF reference is a VRF name or VRF ID, which, along with the IP address range used for the VRF reference, is retained by an authentication server or service that performs authentication for the authentication request.

[0042] Figure 5 depicts a process flow or method 500 in an example system for tenant provisioning using VRF. Method 500 may include a step 502 of receiving a provisioning request from a tenant. Method 500 may include a step 504 of generating an authentication request and a VRF request, performed in response to the request received in step 502. Method 500 may include a step 506 of providing the authentication request and VRF request to an authentication server. Method 500 may include a step 508 of receiving a VRF reference and a step 510 of placing the tenant using the VRF associated with the VRF reference.

[0043] Figure 6 shows another process flow or method 600 for supporting tenant provisioning on an authentication server in one example. Method 600 can support method 500 of Figure 5. For example, method 600 may include a step 602 of configuring the authentication server to include an authentication module and a VRF module. Method 600 may include a step 604 of allowing network devices to report VRF attributes to the VRF module. Method 600 may include a step 606 of retaining the VRF attributes. Method 600 may include a step 608 of providing VRF references in response to VRF requests after authentication.

[0044] Figure 7 illustrates another process flow, method 700, for switch-supported tenant provisioning in one example. Method 700 can support method 500 of Figure 5 or method 600 of Figure 6. For example, method 700 may include a step 702 of configuring a switch to provide an authentication request together with a VRF request to an authentication server. Method 700 may include a step 704 of configuring the switch to receive VRF references. Method 700 may include a step 706 of allowing the switch to use that configuration, supporting step 510, to place tenants using the VRF associated with the VRF reference.

[0045] In some examples, one or more of methods 500, 600, and 700 may include steps or sub-steps for allowing multiple independent routing tables to coexist on a single physical device as logical instances. The multiple independent routing tables may include the routing tables of VRF instances. One or more of methods 500, 600, and 700 may include steps or sub-steps for using the multiple independent routing tables to allow or provide isolation and security between the service flows of different tenants within the network and through a single physical device. One or more of methods 500, 600, and 700 may include steps or sub-steps for using a VRF instance to house tenants so that tenant service flows are isolated and secured without VLAN IDs and without an SVI for the VLAN ID to manage IP addressing and routing for tenant-specific VLANs.

[0046] One or more of methods 500, 600, and 700 may include steps or sub-steps for allowing or inducing automatic tenant aggregation in a large multi-tenant cluster by using a VRF instance to accommodate tenants. This may be based in part on a request for accommodation from a tenant. One or more of methods 500, 600, and 700 may include steps or sub-steps for performing a dynamic association between a tenant and a VRF instance as part of accommodating the tenant using the VRF instance. The dynamic association may include the association of a VRF reference with a tenant as part of accommodation performed in response to the tenant's request. One or more of methods 500, 600, and 700 may include steps or sub-steps for using a VRF name or VRF ID as a VRF reference, the VRF name and VRF ID, together with the IP address range used for the VRF reference, being reserved by an authentication server or service.
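The exchange of paragraphs [0019]-[0021] and the steps of methods 500, 600 and 700, as an added worked example that is not code from the patent or from Mellanox. It models the switch (network device 108), the authentication server or service 118 with its authentication module 302 and VRF attribute module 306, the reservation of VRF name, VRF ID and IP address range, and placement into table 210. The message field names (User-Name, X-VRF-Request, X-VRF-Name and so on) are assumptions standing in for RADIUS attributes, since the disclosure fixes no wire format; the Linux `ip link ... type vrf` rendering assumes a Linux-based switch; tenants, passwords and prefixes are constructed. Beyond what the paragraphs state, the example adds three checks a practitioner would want: the server fails closed when an authenticated tenant has no reserved VRF, it refuses a duplicate VRF ID or an overlapping prefix at reservation time, and the switch only honours a VRF reference that its own configuration identifies, so a bad or spoofed reply cannot move a tenant into an arbitrary VRF.

```python
"""Added example, not from the patent or Mellanox: a model of the switch /
authentication-server exchange in [0019]-[0021] and of methods 500, 600, 700.
Field names (User-Name, X-VRF-Request, X-VRF-Name, ...) are assumptions standing
in for RADIUS attributes; the page fixes no wire format. All data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
import hashlib, hmac, ipaddress


@dataclass(frozen=True)
class VrfAttributes:
    """VRF attribute module 306: name 306A, ID 306B, IP address range 306C."""
    name: str
    vrf_id: int
    prefix: ipaddress.IPv4Network


class AuthenticationServer:
    """Server 118 (RADIUS-like): authentication module 302 + VRF attribute module 306."""
    def __init__(self, credential_digests: dict[str, str]):
        self._digests = credential_digests   # tenant -> sha256 hex; stand-in for LDAP
        self._vrf_by_tenant: dict[str, VrfAttributes] = {}

    def report_vrf_attributes(self, tenant: str, attrs: VrfAttributes) -> None:
        """Method 600, steps 604/606: retain reported VRF attributes, refusing a
        duplicate VRF ID or a prefix that overlaps an existing reservation."""
        if any(a.vrf_id == attrs.vrf_id or a.prefix.overlaps(attrs.prefix)
               for a in self._vrf_by_tenant.values()):
            raise ValueError(f"VRF ID {attrs.vrf_id} or prefix {attrs.prefix} collides")
        self._vrf_by_tenant[tenant] = attrs

    def access_request(self, req: dict) -> dict:
        """Method 600, step 608: authenticate first, then answer the VRF request."""
        digest = hashlib.sha256(req.get("User-Password", "").encode()).hexdigest()
        expected = self._digests.get(req.get("User-Name", ""), "0" * 64)
        if not hmac.compare_digest(digest, expected):  # constant time; unknown user == bad password
            return {"Code": "Access-Reject"}
        attrs = self._vrf_by_tenant.get(req["User-Name"])
        if not req.get("X-VRF-Request") or attrs is None:
            return {"Code": "Access-Reject"}  # fail closed: no reserved VRF, no placement
        return {"Code": "Access-Accept", "X-VRF-Name": attrs.name,
                "X-VRF-Id": attrs.vrf_id, "X-VRF-Prefix": str(attrs.prefix)}


class Switch:
    """Network device 108: request 204 -> auth + VRF request 206 -> reference 208 -> table 210."""
    def __init__(self, server: AuthenticationServer, known_vrfs: set[str]):
        self._server = server
        self._known_vrfs = known_vrfs  # VRF instances this switch is configured with
        self.table: dict[str, VrfAttributes] = {}

    def provision(self, tenant: str, password: str) -> VrfAttributes | None:
        """Methods 500/700, steps 502-510; None when placement is refused."""
        reply = self._server.access_request(
            {"User-Name": tenant, "User-Password": password, "X-VRF-Request": True})
        if reply.get("Code") != "Access-Accept":
            return None
        attrs = VrfAttributes(reply["X-VRF-Name"], int(reply["X-VRF-Id"]),
                              ipaddress.IPv4Network(reply["X-VRF-Prefix"]))
        if attrs.name not in self._known_vrfs:  # a bad reply cannot pick, say, the management VRF
            return None
        self.table[tenant] = attrs
        return attrs

    def reachable(self, tenant: str, dst: str) -> bool:
        """Per-VRF table holds only the tenant's own prefix: other tenants are unroutable."""
        attrs = self.table.get(tenant)
        return attrs is not None and ipaddress.ip_address(dst) in attrs.prefix

    def linux_vrf_commands(self, tenant: str, port: str) -> list[str]:
        """Placement as Linux VRF-device commands (assumed Linux switch): no VLAN ID, no SVI."""
        a = self.table[tenant]
        return [f"ip link add {a.name} type vrf table {a.vrf_id}",
                f"ip link set dev {a.name} up",
                f"ip link set dev {port} master {a.name}"]


def demo() -> dict:
    """Constructed scenario: good/bad credentials, unknown VRF reference, overlap, cross-tenant probe."""
    net = ipaddress.IPv4Network
    server = AuthenticationServer({t: hashlib.sha256(f"{t}-secret".encode()).hexdigest()
                                   for t in ("tenant-a", "tenant-b", "tenant-x")})
    server.report_vrf_attributes("tenant-a", VrfAttributes("vrf-a", 101, net("10.1.0.0/16")))
    server.report_vrf_attributes("tenant-b", VrfAttributes("vrf-b", 102, net("10.2.0.0/16")))
    server.report_vrf_attributes("tenant-x", VrfAttributes("mgmt", 1, net("10.0.0.0/24")))
    try:
        server.report_vrf_attributes("tenant-c", VrfAttributes("vrf-c", 103, net("10.2.128.0/17")))
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    switch = Switch(server, known_vrfs={"vrf-a", "vrf-b"})
    return {"a": switch.provision("tenant-a", "tenant-a-secret"),
            "a_bad_pw": switch.provision("tenant-a", "wrong"),
            "b": switch.provision("tenant-b", "tenant-b-secret"),
            "x_unknown_vrf": switch.provision("tenant-x", "tenant-x-secret"),
            "overlap_rejected": overlap_rejected,
            "a_reaches_own": switch.reachable("tenant-a", "10.1.4.7"),
            "a_reaches_b": switch.reachable("tenant-a", "10.2.4.7"),
            "a_cmds": switch.linux_vrf_commands("tenant-a", "swp1")}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the scenario's results: tenant-a and tenant-b are placed into vrf-a and vrf-b, the wrong password and the reference to a VRF the switch does not know both yield no placement, the overlapping reservation is refused, and tenant-a can reach an address in its own prefix but not one in tenant-b's. The credential check is a plain digest comparison only to keep the model self-contained; a deployed server 118 would verify against the LDAP or other source the disclosure names, and the VRF reference would travel in a RADIUS attribute rather than the dictionary fields assumed here.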

[0047] Other variations are within the spirit of this disclosure. Therefore, while the disclosed technology is susceptible to various modifications and alternative constructions, certain illustrated embodiments are shown in the accompanying drawings and have been described in detail above. However, it should be understood that this disclosure is not intended to be limited to one or more specific forms disclosed, but rather is intended to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of this disclosure as defined by the appended claims.

[0048] In the context of describing the disclosed embodiments (especially in the context of the following claims), the terms “a” and “an”, as well as “the” and similar designations, should be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context, and not as definitions of those terms. Unless otherwise indicated, the terms “comprising,” “having,” “including,” and “containing” are to be interpreted as open-ended terms (meaning “including, but not limited to”). When unmodified and referring to a physical connection, “connected” is to be interpreted as partially or completely contained in, attached to, or joined together, even with intervening elements. Unless otherwise indicated herein, statements of value ranges herein are intended only as a shorthand for each individual value falling within that range, and each individual value is incorporated into the specification as if it were separately stated herein. In at least one embodiment, unless otherwise indicated or contradicted by context, the use of the term “set” (e.g., “set of items”) or “subset” is to be interpreted as a non-empty collection comprising one or more members. Furthermore, unless otherwise indicated or contradicted by context, the term "subset" of a corresponding set does not necessarily refer to a proper subset of the corresponding set; the subset and the corresponding set may be equal.

[0049] Unless explicitly stated otherwise or clearly contradicted by context, conjunctive language (such as phrases of the form "at least one of A, B, and C" or "at least one of A, B or C") is otherwise understood, in conjunction with the context, to generally present that an item, term, etc. may be any non-empty subset of the set of A or B or C, or A and B and C. For example, in the illustrative example of a set having three members, the conjunctive phrases "at least one of A, B, and C" and "at least one of A, B or C" refer to any one of the following sets: {A}, {B}, {C}, {A, B}, {A, C}, {B, C}, {A, B, C}. Therefore, such conjunctive language is generally not intended to imply that certain embodiments require at least one of A, at least one of B, and at least one of C each to be present. Additionally, unless otherwise indicated or contradicted by context, the term "plurality" indicates a state of being plural (e.g., "a plurality of items" indicates multiple items). In at least one embodiment, the number of items in a plurality is at least two, but may be more when so indicated either explicitly or by context. Furthermore, unless otherwise stated or clear from context, the phrase “based on” means “based at least in part on” rather than “based solely on”.

[0050] Unless otherwise indicated herein or clearly contradicted by context, the operations of the processes described herein may be performed in any suitable order. In at least one embodiment, processes such as those described herein (or variations and / or combinations thereof) are performed under the control of one or more computer systems configured with executable instructions and are implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) executing collectively on one or more processors, by hardware, or by combinations thereof. In at least one embodiment, the code is stored, for example, on a computer-readable storage medium in the form of a computer program comprising a plurality of instructions executable by one or more processors.

[0051] In at least one embodiment, the computer-readable storage medium is a non-transitory computer-readable storage medium that excludes transitory signals (e.g., propagating transient electrical or electromagnetic transmissions) but includes non-transitory data storage circuitry (e.g., buffers, caches, and queues) within transceivers of transitory signals. In at least one embodiment, code (e.g., executable code or source code) is stored on a set of one or more non-transitory computer-readable storage media (or other memory for storing executable instructions) having stored thereon executable instructions that, when executed by one or more processors of a computer system (i.e., as a result of being executed), cause the computer system to perform the operations described herein. In at least one embodiment, the set of non-transitory computer-readable storage media comprises multiple non-transitory computer-readable storage media, and individual media among them lack all of the code while the multiple media collectively store all of the code. In at least one embodiment, executable instructions are executed such that different instructions are executed by different processors; for example, the instructions are stored on a non-transitory computer-readable storage medium, a main central processing unit (“CPU”) executes some of the instructions, and a graphics processing unit (“GPU”) executes the others. In at least one embodiment, different components of the computer system have separate processors, and different processors execute different subsets of the instructions.

[0052] In at least one embodiment, an arithmetic logic unit is a system of combinational logic circuits that accepts one or more inputs to produce a result. In at least one embodiment, a processor uses an arithmetic logic unit to implement mathematical operations such as addition, subtraction, or multiplication. In at least one embodiment, an arithmetic logic unit is used to implement logical operations such as logical AND / OR or XOR. In at least one embodiment, an arithmetic logic unit is stateless and is made of physical switching components such as semiconductor transistors arranged to form logic gates. In at least one embodiment, an arithmetic logic unit may operate internally as a stateful logic circuit with an associated clock. In at least one embodiment, an arithmetic logic unit may be configured as an asynchronous logic circuit whose internal state is not maintained in an associated register set. In at least one embodiment, an arithmetic logic unit is used by a processor to combine operands stored in one or more registers of the processor and produce an output that can be stored by the processor in another register or memory location.

[0053] In at least one embodiment, as a result of processing instructions retrieved by the processor, the processor provides one or more inputs or operands to the arithmetic logic unit (ALU), such that the ALU produces a result at least in part based on instruction codes provided to the ALU of the inputs. In at least one embodiment, the instruction codes provided by the processor to the ALU are at least in part based on instructions executed by the processor. In at least one embodiment, combinational logic in the ALU processes the inputs and produces an output, which is placed on a bus within the processor. In at least one embodiment, the processor selects a destination register, memory location, output device, or output storage location on the output bus so that timing by the processor causes the result produced by the ALU to be sent to the desired location.

[0054] Therefore, in at least one embodiment, the computer system is configured to implement one or more services that individually or collectively perform the processes described herein, and such a computer system is configured to have suitable hardware and / or software that allows the performance of the operations. Further, the computer system implementing at least one embodiment of this disclosure is a single device, and in another embodiment, it is a distributed computer system comprising multiple devices that operate in different ways such that the distributed computer system performs the operations described herein and that a single device does not perform all the operations.

[0055] Unless otherwise required, the use of any and all examples or exemplary language (e.g., “such as”) provided herein is intended only to better illustrate embodiments of this disclosure and does not limit the scope of the disclosure. The language in the specification should not be construed as indicating that any unclaimed element is essential to the practice of this disclosure.

[0056] In the specification and claims, the terms “coupled” and “connected” together with their derivatives may be used. It should be understood that these terms are not intended to be synonyms with each other. Rather, in specific examples, “connected” or “coupled” can be used to indicate that two or more elements are in direct or indirect physical or electrical contact with each other. “Coupled” can also mean that two or more elements are not in direct contact with each other, but still cooperate or interact with each other.

[0057] Unless otherwise specified, it should be understood that throughout this specification, terms such as “processing,” “operation,” “calculation,” “determine,” etc., refer to the actions and / or processes of a computer or computing system or similar electronic computing device that manipulate and / or transform data representing physical (such as electronic) quantities in the registers and / or memory of the computing system into other data representing physical quantities in the memory, registers, or other such information storage, transmission, or display devices of the computing system.

[0058] Similarly, the term "processor" can refer to any device or part of a device that processes electronic data from registers and / or memory, and can transform that electronic data into other electronic data that can be stored in registers and / or memory. As a non-limiting example, a "processor" can be a CPU or a GPU. A "computing platform" can include one or more processors. As used herein, a "software" process can include, for example, software and / or hardware entities that perform work over time, such as tasks, threads, and intelligent agents. Furthermore, each process can refer to multiple processes for executing instructions sequentially or in parallel, continuously or intermittently. In at least one embodiment, the terms "system" and "method" are used interchangeably herein, provided that the system can embody one or more methods and those methods can be considered a system.

[0059] In this document, reference may be made to obtaining, acquiring, receiving, or inputting analog or digital data into a subsystem, computer system, or computer-implemented machine. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog or digital data can be implemented in various ways, such as by receiving data as a parameter of a function call or a call to an application programming interface. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog or digital data can be implemented by transmitting data via a serial or parallel interface. In at least one embodiment, the process of obtaining, acquiring, receiving, or inputting analog or digital data can be implemented by transmitting data from a providing entity to an acquiring entity via a computer network. Reference may also be made to providing, outputting, transmitting, sending, or presenting analog or digital data. In at least one embodiment, the process of providing, outputting, transmitting, sending, or presenting analog or digital data can be implemented by transmitting data as an input or output parameter of a function call, a parameter of an application programming interface, or an inter-process communication mechanism.

[0060] While the description herein illustrates example implementations of the described techniques, other architectures may also be used to implement the described functionality and are intended to fall within the scope of this disclosure. Furthermore, although the specific allocation of responsibilities has been defined above for illustrative purposes, various functions and responsibilities may be allocated and divided in different ways depending on the circumstances.

[0061] Furthermore, although the subject matter has been described in language specific to structural features and / or methodological actions, it should be understood that the subject matter claimed in the appended claims is not necessarily limited to the specific features or actions described. Rather, the specific features and actions are disclosed as exemplary forms for implementing the claims.

Claims

1. A network comprising a network device and an authentication server or service, the network device being configured to provide authentication requests and Virtual Routing and Forwarding (VRF) requests to the authentication server or service, the authentication server or service being configured to return VRF references to the network device, wherein the network device is further configured to place tenants using VRF instances associated with the VRF references, which is performed on behalf of the tenants and as part of resource provisioning for the tenants.

2. The network of claim 1, wherein the network device is a single physical device, and wherein the VRF instance includes or allows logical instances of routing tables to coexist on the network device along with multiple independent routing tables.

3. The network of claim 2, wherein the plurality of independent routing tables allow or provide isolation and security between different service flows for different tenants within the network and through the network devices.

4. The network of claim 1, wherein the VRF instance is used to house the tenant to enable isolation and security of the tenant’s service flows without a Virtual LAN identifier (VLAN ID) and without a Switch Virtual Interface (SVI) for the VLAN ID, in order to manage Internet Protocol (IP) addressing and routing for the tenant-specific VLAN.

5. The network of claim 1, wherein the tenant is placed using the VRF instance in part based on a request for a reference to the VRF as part of automatic tenant aggregation in a large multi-tenant cluster.

6. The network of claim 1, wherein the tenant is placed using the VRF instance in part based on a dynamic association between the tenant and the VRF instance, wherein the dynamic association includes the association between the VRF reference and the tenant as part of a dispatch performed in response to a request from the tenant.

7. The network of claim 1, wherein the VRF reference is a VRF name or VRF identifier (VRF ID), the VRF name or VRF ID together with the Internet Protocol (IP) address range used for the VRF reference being retained by the authentication server or service.

8. One or more circuits for providing authentication requests and VRF requests for authentication and VRF references, and for receiving the VRF references, wherein the one or more circuits are further configured to place a tenant using a VRF instance associated with the VRF reference, which is performed on behalf of the tenant and as part of resource provisioning for the tenant.

9. The one or more circuits of claim 8, wherein the one or more circuits are part of a single physical device, and wherein the VRF instance includes or allows logical instances of routing tables to coexist with multiple independent routing tables on the single physical device.

10. The one or more circuits of claim 9, wherein the plurality of independent routing tables allow or provide isolation and security between different service flows for different tenants within the network and through the single physical device.

11. The one or more circuits of claim 8, wherein the VRF instance is used to house the tenant to enable isolation and security of the tenant's service flows in the absence of a Virtual LAN identifier (VLAN ID) and a Switch Virtual Interface (SVI) for the VLAN ID, in order to manage IP addressing and routing for VLANs specific to the tenant.

12. The one or more circuits of claim 8, wherein the tenant is placed using the VRF instance in part based on a request for a reference to the VRF as part of automatic tenant aggregation in a large multi-tenant cluster.

13. The one or more circuits of claim 8, wherein the tenant is placed using the VRF instance in part based on a dynamic association between the tenant and the VRF instance, wherein the dynamic association includes the association between the VRF reference and the tenant as part of a dispatch performed in response to a request from the tenant.

14. The one or more circuits of claim 8, wherein the VRF reference is a VRF name or VRF identifier (VRF ID), the VRF name or VRF ID together with the Internet Protocol (IP) address range used for the VRF reference being retained by an authentication server or service for performing authentication in response to the authentication request.

15. A method for a network, comprising: receiving a placement request from a tenant; generating an authentication request and a VRF request; providing the authentication request and the VRF request to an authentication server or service; receiving a VRF reference; and housing the tenant using a VRF instance associated with the VRF reference.

16. The method of claim 15, further comprising: allowing multiple independent routing tables, including the routing table of the VRF instance, to coexist on a single physical device as logical instances.

17. The method of claim 16, further comprising: using the multiple independent routing tables to allow or provide isolation and security between different service flows for different tenants within the network and through the single physical device.

18. The method of claim 15, further comprising: using the VRF instance to house the tenant so that isolation and security of the tenant's service flows are achieved without a Virtual LAN identifier (VLAN ID) and without a Switch Virtual Interface (SVI) for the VLAN ID, in order to manage IP addressing and routing for VLANs specific to the tenant.

19. The method of claim 15, further comprising: allowing or causing automatic tenant aggregation in a large multi-tenant cluster by using the VRF instance to house the tenant, in part based on the placement request from the tenant.

20. The method of claim 15, further comprising one or more of the following: performing a dynamic association between the tenant and the VRF instance as part of housing the tenant using the VRF instance, wherein the dynamic association includes an association between the VRF reference and the tenant as part of a dispatch performed in response to a request from the tenant; or providing the VRF reference as a VRF name or VRF identifier (VRF ID), which, together with the IP address range used for the VRF reference, is reserved by the authentication server or service.