Summary of the invention
To address problems such as the inflexibility of physical network devices, software-defined networking (SDN) and network function virtualization (NFV) have flourished in recent years. NFV implements the forwarding and control functions of network packets on the x86 platforms that are now in wide use. SDN is one way of realizing network virtualization: its core technique is to separate the control plane of network devices from the data plane through protocols such as OpenFlow, and it is an important direction for the development of future networks. The present invention proposes an overall network solution for a cloud computing multi-tenant scenario, realized on the basis of SDN.
In a first aspect of the present invention, a host in a cloud platform architecture is proposed, comprising:
at least one cloud host, configured to: if the cloud host does not have the destination media access control (MAC) address of a data packet, send an ARP broadcast through an internal switch to an Address Resolution Protocol (ARP) response agent, receive through the internal switch from the ARP response agent the destination MAC address that matches the destination Internet Protocol (IP) address of the data packet, encapsulate the data packet with the received destination MAC address, and send the data packet to the internal switch;
the ARP response agent, configured to: when receiving the ARP broadcast from the cloud host via the internal switch, send the destination IP address of the data packet contained in the received ARP broadcast to a management server, receive from the management server the destination MAC address that matches the destination IP address of the data packet, and send the destination MAC address to the cloud host through the internal switch;
the internal switch, configured to: receive the data packet from the cloud host; if the destination MAC address of the data packet received from the cloud host is not the MAC address of a first gateway of a virtual router, send the source MAC address and the destination MAC address of the received data packet to a software-defined network (SDN) controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host; and when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are not on the same host, send the data packet to an external switch;
the virtual router, which has the first gateway and a second gateway; and
the external switch, configured to: when receiving the data packet from the internal switch, send the data packet to another host through a network tunnel.
Preferably, the cloud host is further configured to: if the destination MAC address of the data packet is not received from the ARP response agent, not send the data packet.
Preferably, the internal switch is further configured to: if the destination MAC address of the data packet received from the cloud host is the MAC address of the first gateway of the virtual router, forward the data packet directly to the virtual router through the first gateway;
wherein the virtual router is configured to: receive the data packet from the internal switch through the first gateway, look up in a routing table the second gateway that matches the destination IP address of the data packet, change the destination MAC address of the data packet to the destination MAC address corresponding to the destination IP address, change the source MAC address of the data packet to the MAC address of the second gateway, and send the data packet to the internal switch through the second gateway; and
the internal switch is further configured to: receive the data packet from the virtual router, send the source MAC address and the destination MAC address of the received data packet to the SDN controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host, and when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are not on the same host, send the data packet to the external switch.
Preferably, the virtual router is further configured to: if no second gateway matching the destination IP address of the data packet is found in the routing table, not send the data packet.
Preferably, the internal switch is further configured to: if, after receiving the data packet from the virtual router, it does not receive from the SDN controller a forwarding instruction indicating the source MAC address and the destination MAC address, or it receives a message instructing it to drop the packet, not send the data packet.
Preferably, the internal switch is further configured to: when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are on the same host, send the data packet to a second cloud host that matches the destination MAC address.
Preferably, the internal switch is further configured to: when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address do not have communication authority, not forward the data packet.
Preferably, the virtual router is established by means of the Linux namespaces mechanism.
Preferably, firewall protection is implemented in the virtual router.
Preferably, a network address translation (NAT) function is implemented in the virtual router.
In a second aspect of the present invention, a method by which a host in a cloud platform architecture routes a data packet is proposed, comprising:
if a cloud host among at least one cloud host does not have the destination MAC address of a data packet, the cloud host sends an ARP broadcast through an internal switch to an Address Resolution Protocol (ARP) response agent;
when the ARP response agent receives the ARP broadcast from the cloud host via the internal switch, it sends the destination IP address of the data packet contained in the received ARP broadcast to a management server, receives from the management server the destination MAC address that matches the destination Internet Protocol (IP) address of the data packet, and sends the destination MAC address to the cloud host through the internal switch;
the cloud host receives through the internal switch from the ARP response agent the destination MAC address that matches the IP address of the data packet, encapsulates the data packet with the received destination MAC address, and sends the data packet to the internal switch;
the internal switch receives the data packet from the cloud host; if the destination MAC address of the data packet received from the cloud host is not the MAC address of a first gateway of a virtual router, it sends the source MAC address and the destination MAC address of the received data packet to a software-defined network (SDN) controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host, and when it receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are not on the same host, it sends the data packet to an external switch; and
the external switch receives the data packet from the internal switch and sends the data packet to another host through a network tunnel.
Preferably, the method further comprises: if the cloud host does not receive the destination MAC address of the data packet from the ARP response agent, the cloud host does not send the data packet.
Preferably, the method further comprises:
if the destination MAC address of the data packet received by the internal switch from the cloud host is the MAC address of the first gateway of the virtual router, the data packet is forwarded directly to the virtual router through the first gateway;
the virtual router receives the data packet from the internal switch through the first gateway, looks up in a routing table the second gateway that matches the destination IP address of the data packet, changes the destination MAC address of the data packet to the destination MAC address corresponding to the destination IP address, changes the source MAC address of the data packet to the MAC address of the second gateway, and sends the data packet to the internal switch through the second gateway;
the internal switch receives the data packet from the virtual router, sends the source MAC address and the destination MAC address of the received data packet to the SDN controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host, and when it receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are not on the same host, sends the data packet to the external switch; and
the external switch receives the data packet from the internal switch and sends the data packet to another host through a network tunnel.
Preferably, the method further comprises: if the virtual router does not find in the routing table a second gateway matching the destination IP address of the data packet, the virtual router does not send the data packet.
Preferably, the method further comprises: if, after receiving the data packet from the virtual router, the internal switch does not receive from the SDN controller a forwarding instruction indicating the source MAC address and the destination MAC address, or it receives a message instructing it to drop the packet, the internal switch does not send the data packet.
Preferably, the method further comprises: when the internal switch receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and that the source MAC address and the destination MAC address are on the same host, it sends the data packet, according to the destination MAC address, to the second cloud host that matches the destination MAC address.
Preferably, the method further comprises: when the internal switch receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address do not have communication authority, the data packet is not forwarded.
Preferably, the virtual router is established by means of the Linux namespaces mechanism.
Preferably, firewall protection is implemented in the virtual router.
Preferably, a network address translation (NAT) function is implemented in the virtual router.
In a third aspect of the present invention, a host in a cloud platform architecture is proposed, comprising:
an external switch, configured to receive a data packet through a network tunnel and forward the data packet to an internal switch;
the internal switch, configured to: send the source media access control (MAC) address, the destination MAC address, the source Internet Protocol (IP) address and the destination IP address of the received data packet to a software-defined network (SDN) controller to request that the SDN controller determine the port of the internal switch through which the data packet is to be sent, receive from the SDN controller a message indicating the port of the internal switch through which the data packet is to be sent, and send the data packet through that port to the recipient cloud host that matches the destination MAC address; and
the recipient cloud host, configured to receive the data packet from the internal switch through that port.
In a fourth aspect of the present invention, a method by which a host in a cloud platform architecture routes a data packet is proposed, comprising:
receiving a data packet through a network tunnel at an external switch and forwarding the data packet to an internal switch;
at the internal switch, sending the source media access control (MAC) address, the destination MAC address, the source Internet Protocol (IP) address and the destination IP address of the received data packet to a software-defined network (SDN) controller to request that the SDN controller determine the port of the internal switch through which the data packet is to be sent, receiving from the SDN controller a message indicating the port of the internal switch through which the data packet is to be sent, and sending the data packet through that port to the recipient cloud host that matches the destination MAC address; and
the recipient cloud host receiving the data packet from the internal switch through that port.
In a fifth aspect of the present invention, a cloud platform architecture is proposed, comprising a plurality of hosts according to either of the first and third aspects above, a management server and a software-defined network (SDN) controller, wherein
the management server is configured to receive the ARP broadcast from the ARP response agent, look up a local pool according to the ARP broadcast and the identifier of the host on which the ARP response agent is located so as to obtain the destination MAC address of the data packet, and send the destination MAC address to the ARP response agent; and
the SDN controller is configured to receive from the internal switch the request to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host, and to send to the internal switch a message indicating whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host.
In a sixth aspect of the present invention, a method in a cloud platform architecture is proposed, comprising the method according to either of the second and fourth aspects above, and further comprising:
the management server receives the ARP broadcast from the ARP response agent, looks up a local pool according to the ARP broadcast and the identifier of the host on which the ARP response agent is located so as to obtain the destination MAC address of the data packet, and sends the destination MAC address to the ARP response agent; and
the SDN controller receives from the internal switch the request to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host, and sends to the internal switch a message indicating whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host.
By means of the widely available x86 platforms and SDN technology, the present invention provides a highly flexible, deployable solution for network virtualization and network isolation in a multi-tenant cloud computing data center. Mechanisms such as virtual subnets, virtual routers and network tunnels decouple the network formed among a tenant's cloud hosts from the data center's physical network, so that all cloud hosts operate on a fully software-defined network and the flexibility of management is greatly improved.
Detailed description of the embodiments
First, the functions of subnets and virtual routers in the multi-tenant cloud platform architecture are described with reference to Fig. 1. In the multi-tenant cloud platform architecture, a user's cloud host resources are managed through logical subnets (hereinafter "subnets"), and the communication boundaries between cloud hosts are set on the basis of subnets (as shown in Fig. 1). A cloud host is the cloud hosting service that a cloud computing vendor provides to users; it is an IaaS-level service. When creating a subnet, the user must specify the subnet's Classless Inter-Domain Routing (CIDR) block, from which IP addresses are assigned to the cloud hosts in that subnet. A virtual router provides cross-subnet communication, network address translation (NAT) and firewall functions. To enable communication among several subnets of the same user, the gateways of those subnets need only be attached to the same virtual router (vRouter). Data packets between cloud hosts on different hosts are encapsulated in network tunnels, so that the upper-layer physical network devices never perceive or learn the cloud host information beneath them, which logically guarantees the independence of the cloud host network from the physical network. The SDN controller precisely controls the communication permissions and data flows between cloud hosts.
The functions of the components of the cloud platform architecture are described with reference to Fig. 2. The cloud platform architecture comprises a management server 210, an SDN controller 220, a host agent 230, virtual switches, virtual routers and ARP response agents.
The management server 210 centrally manages all relevant hosts and cloud host information. Its main functions are: issuing action commands to the host agents 230, thereby controlling each host and the cloud hosts on it; and exposing a RESTful-style control application programming interface (API) for applications (APPs) to integrate with.
The SDN controller 220 is responsible for issuing control instructions to the virtual switches. Its main functions are: judging communication permission between cloud hosts on the basis of tenant subnets; and dynamically specifying the peer IP address for cross-host network tunnels.
The host agent 230 is an agent program running on the host. Its main functions are: receiving and acting on the instructions issued by the management server; establishing and maintaining the virtual network environment on the host, which comprises the virtual network interface cards of the cloud hosts, the virtual switches and the virtual router; and collecting resource metrics of the host and of each cloud host, reporting them promptly and raising early warnings.
A virtual switch is a switch implemented in software; the most widely used virtual switch software at present is OpenvSwitch. The main functions of a virtual switch are: obtaining data packet forwarding policies from the SDN controller and providing data exchange for the associated cloud hosts accordingly; and providing network tunnels to support cross-host communication.
The virtual router is a virtual router established by means of the Linux namespace mechanism. Its main functions are: providing gateways and layer-3 routing services for the cloud hosts of each subnet; providing NAT so that cloud hosts can reach the external network; and providing firewall services for each associated container according to the security policy specified by the user.
The ARP response agent is responsible for responding to broadcasts from local cloud hosts. Its main functions are: responding to the ARP broadcasts sent by the cloud hosts inside this host; and obtaining the ARP response data from the management server.
The cloud platform architecture is mainly established as follows. First, the management server is established. The management server is the control brain of the whole data center network architecture; its back end stores the information on each tenant, subnet, cloud host and related network in a database. The management server sends the corresponding instructions to the hosts according to API calls and thereby configures the host cluster.
Next, the virtual switches on the hosts are set up by the host agent. To ensure communication efficiency between the cloud hosts on the same host, and to ease debugging of east-west and north-south traffic, two virtual switches are established on every host: an internal switch (switch_inner) and an external switch (switch_outer), as shown in Fig. 3. The switch_inner switch is mainly used for network communication between the local cloud hosts, while switch_outer is mainly used to send and receive cross-host network traffic. Traffic between switch_outer and other hosts must be encapsulated in a network tunnel. The reason is that different tenants may create subnets with the same private IP range; although these duplicated IP addresses are invisible to each tenant, they would cause route flapping on the data center network equipment. To hide the logical subnets of the cloud hosts from the upper-layer devices, cross-host traffic therefore has to be carried in a tunnel such as VXLAN.
Next, the virtual router on the host is set up by the host agent. A gateway for each associated subnet needs to be established inside the virtual router; if two subnets of the same tenant are associated with the same virtual router, cross-subnet communication is realized through that virtual router. For example, if a virtual router is associated with three subnets A, B and C, one gateway must be established inside the virtual router for each of the three subnets so that they can intercommunicate. In addition, since the IP addresses allocated to cloud hosts come from private ranges and cannot reach the external network directly, this scheme implements NAT in the virtual router to ensure that cloud hosts can access the external network. The firewall protection provided to cloud hosts is also implemented in the virtual router.
Next, the ARP response agent on the host is established. Although different tenants may use subnets with identical IP ranges, for a given tenant the MAC address corresponding to each of its IP addresses must be fixed, so the ARP broadcast of each tenant's cloud host must be answered with the correct MAC address; the ARP response agent is set up precisely to meet this requirement. In addition, to guarantee the authority of the ARP proxy response, when a cloud host sends an ARP broadcast the virtual switch delivers the broadcast packet only to the port of the ARP response agent; this also greatly reduces the number of broadcasts at the data center level and lowers the risk of broadcast storms.
Finally, the SDN controller is set up. A main purpose of an SDN network is to control network devices flexibly and effectively through software. The virtual switch on each host must be associated with an SDN controller after start-up, and the forwarding path of every packet forwarded by the virtual switch is first judged by the controller. The controller mainly makes three judgements: whether a reported packet is allowed to be forwarded; which switch port it is forwarded through; and, for cross-host forwarding, which IP address the peer host has.
To ensure high performance and high availability of the whole system, the management server and the SDN controller provide their services externally in the form of clusters.
The structure of host 1 in the cloud platform architecture is described below with reference to Fig. 3 and Fig. 4. The host comprises at least one cloud host, an internal switch (switch_inner), a virtual router (vRouter), an external switch (switch_outer) and an ARP response agent. The at least one cloud host includes a first cloud host (cloud host 1 as shown in Fig. 4).
When a data packet is sent by host 1, the first cloud host is configured so that, if it does not have the destination MAC address of the data packet, it sends an ARP broadcast to the ARP response agent through the internal switch, receives through the internal switch from the ARP response agent the destination MAC address that matches the destination IP address of the data packet, encapsulates the data packet with the received destination MAC address, and sends the data packet to the internal switch. Optionally, the first cloud host is further configured to: if the destination MAC address of the data packet is not received from the ARP response agent, not send the data packet.
The ARP response agent is configured to, when receiving the ARP broadcast from the cloud host via the internal switch, send the destination IP address of the data packet contained in the received ARP broadcast to the management server, receive from the management server the destination MAC address that matches the destination IP address of the data packet, and send the destination MAC address to the first cloud host through the internal switch.
The internal switch is configured to receive the data packet from the first cloud host. If the destination MAC address of the data packet received from the first cloud host is not the MAC address of the first gateway of the virtual router (the same-subnet case), it sends the source MAC address and the destination MAC address of the received data packet to the SDN controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host; when it receives from the SDN controller a message indicating that the two cloud hosts have communication authority and that the source and destination MAC addresses are not on the same host, it sends the data packet to the external switch (same subnet, different hosts, as shown in Fig. 4C). Optionally, the internal switch is further configured to send the data packet to the second cloud host that matches the destination MAC address when it receives from the SDN controller a message indicating that the two cloud hosts have communication authority and that the source and destination MAC addresses are on the same host (same subnet, same host, as shown in Fig. 4A). Optionally, the internal switch is further configured not to forward the data packet when it receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address do not have communication authority. The virtual router has the first gateway and the second gateway.
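The same-subnet forwarding decision of switch_inner and the SDN controller's two judgements (communication authority, and whether the two cloud hosts are on the same host), as an added example rather than the patent's own code; it serves the first-aspect description above as well as this embodiment. The permission policy (same tenant, and either the same subnet or subnets attached to one vRouter) is an assumption, as are the class names, port names, gateway MAC and the constructed inventory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VmInfo:
    mac: str
    tenant: str
    subnet: str    # CIDR of the logical subnet the cloud host belongs to
    host_id: str   # physical host running the cloud host


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes = b""


class SdnController:
    """Answers the internal switch's query with (verdict, same_host).
    Policy (assumption): two cloud hosts have communication authority when they belong to
    the same tenant and either share a subnet or sit on subnets attached to a common vRouter."""

    def __init__(self, vms, vrouter_subnets):
        self.by_mac = {v.mac: v for v in vms}
        self.vrouter_subnets = vrouter_subnets   # vRouter name -> set of CIDRs it has gateways on

    def query(self, src_mac, dst_mac):
        src, dst = self.by_mac.get(src_mac), self.by_mac.get(dst_mac)
        if src is None or dst is None:
            return "drop", None                   # unknown endpoint: no forwarding instruction
        if src.tenant != dst.tenant:
            return "deny", None                   # tenants are isolated from each other
        linked = src.subnet == dst.subnet or any(
            src.subnet in subs and dst.subnet in subs for subs in self.vrouter_subnets.values())
        if not linked:
            return "deny", None
        return "allow", src.host_id == dst.host_id


class InternalSwitch:
    """switch_inner on one host: decides per frame after consulting the controller."""

    def __init__(self, host_id, controller, gateway_mac, ports):
        self.host_id = host_id
        self.controller = controller
        self.gateway_mac = gateway_mac   # MAC of the vRouter's first gateway on this host
        self.ports = dict(ports)         # local cloud-host MAC -> switch port

    def on_frame_from_cloud_host(self, frame):
        if frame.dst_mac == self.gateway_mac:
            return "to_vrouter", None            # different subnet: hand straight to the vRouter
        verdict, same_host = self.controller.query(frame.src_mac, frame.dst_mac)
        if verdict != "allow":
            return "drop", None                  # denied, or no forwarding instruction received
        if same_host:
            port = self.ports.get(frame.dst_mac)
            return ("deliver", port) if port else ("drop", None)
        return "to_external_switch", None        # same subnet, other host: goes into the tunnel


def build_demo():
    # Constructed inventory; tenants A and B both reuse 10.0.0.0/24.
    vms = [
        VmInfo("02:00:00:00:00:a1", "tenant-A", "10.0.0.0/24", "host1"),
        VmInfo("02:00:00:00:00:a2", "tenant-A", "10.0.0.0/24", "host1"),
        VmInfo("02:00:00:00:00:a3", "tenant-A", "10.0.0.0/24", "host2"),
        VmInfo("02:00:00:00:00:a4", "tenant-A", "10.0.1.0/24", "host1"),
        VmInfo("02:00:00:00:00:b1", "tenant-B", "10.0.0.0/24", "host1"),
    ]
    controller = SdnController(vms, {"vrouter-A": {"10.0.0.0/24", "10.0.1.0/24"}})
    return InternalSwitch("host1", controller, "02:00:00:00:00:ff",
                          {"02:00:00:00:00:a1": "port-1", "02:00:00:00:00:a2": "port-2",
                           "02:00:00:00:00:a4": "port-3", "02:00:00:00:00:b1": "port-4"})


if __name__ == "__main__":
    sw = build_demo()
    for dst in ("02:00:00:00:00:a2", "02:00:00:00:00:a3", "02:00:00:00:00:b1",
                "02:00:00:00:00:ff", "02:00:00:00:00:99"):
        print(dst, sw.on_frame_from_cloud_host(Frame("02:00:00:00:00:a1", dst)))
```

The four outcomes map onto the cases in the text: local delivery (Fig. 4A), hand-off to switch_outer (Fig. 4C), a drop for a denied or unknown pair, and the direct hand-off to the vRouter when the frame is addressed to the first gateway's MAC.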
The external switch is configured to, when receiving the data packet from the internal switch, send the data packet to another host through a network tunnel.
Optionally, the internal switch is further configured to: if the destination MAC address of the data packet received from the first cloud host is the MAC address of the first gateway of the virtual router (the different-subnet case), forward the data packet directly to the virtual router through the first gateway.
The virtual router is configured to receive the data packet from the internal switch through the first gateway, look up in the routing table the second gateway that matches the destination IP address of the data packet, change the destination MAC address of the data packet to the destination MAC address corresponding to the destination IP address, change the source MAC address of the data packet to the MAC address of the second gateway, and send the data packet to the internal switch through the second gateway. Optionally, the virtual router is further configured to: if no second gateway matching the destination IP address of the data packet is found in the routing table, not send the data packet.
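The cross-subnet path through the virtual router (routing-table lookup of the second gateway, rewrite of both MAC addresses, and the drop when no route matches), as an added example that is not the patent's code; it also illustrates the corresponding first-aspect claims. Gateway names, addresses, the neighbour table and its assumed population from the management server's records are all assumptions. Re-submission of the rewritten packet to the SDN controller is the switch_inner step described in the text and lies outside this block.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Gateway:
    name: str
    cidr: str    # subnet this gateway serves
    ip: str
    mac: str


class VirtualRouter:
    """One tenant's vRouter: a gateway per attached subnet and a routing table built from them."""

    def __init__(self, gateways, neighbors):
        # Routing table: (network, gateway) entries, longest prefix first.
        self.routes = sorted(((ipaddress.ip_network(g.cidr), g) for g in gateways),
                             key=lambda entry: entry[0].prefixlen, reverse=True)
        self.gateway_macs = {g.mac for g in gateways}
        # Destination IP -> cloud-host MAC (assumption: filled from the management server).
        self.neighbors = dict(neighbors)

    def lookup_gateway(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return next((g for net, g in self.routes if addr in net), None)

    def forward(self, pkt):
        """Returns (rewritten packet, egress gateway), or None when the packet is not sent."""
        if pkt.dst_mac not in self.gateway_macs:
            return None                      # not addressed to one of our gateways
        egress = self.lookup_gateway(pkt.dst_ip)
        if egress is None:
            return None                      # no matching route in the table: drop
        dst_mac = self.neighbors.get(pkt.dst_ip)
        if dst_mac is None:
            return None                      # destination IP unknown within this tenant
        # Destination MAC becomes the target cloud host's MAC, source MAC the egress gateway's.
        rewritten = replace(pkt, src_mac=egress.mac, dst_mac=dst_mac)
        return rewritten, egress             # handed back to switch_inner via the egress gateway


def build_demo():
    # Constructed tenant with subnets A, B and C attached to one vRouter.
    gateways = [
        Gateway("gw-A", "10.0.1.0/24", "10.0.1.1", "02:00:00:00:01:01"),
        Gateway("gw-B", "10.0.2.0/24", "10.0.2.1", "02:00:00:00:02:01"),
        Gateway("gw-C", "10.0.3.0/24", "10.0.3.1", "02:00:00:00:03:01"),
    ]
    neighbors = {"10.0.1.5": "02:00:00:00:01:05", "10.0.2.7": "02:00:00:00:02:07"}
    return VirtualRouter(gateways, neighbors)


if __name__ == "__main__":
    vr = build_demo()
    pkt = Packet("02:00:00:00:01:05", "02:00:00:00:01:01", "10.0.1.5", "10.0.2.7")
    print(vr.forward(pkt))                                   # rewritten packet via gw-B
    print(vr.forward(replace(pkt, dst_ip="192.168.9.9")))    # no route: None
```

A packet from subnet A to 10.0.2.7 enters on gateway A's MAC and leaves with gateway B's MAC as source and the target cloud host's MAC as destination; an address outside every attached subnet, or a frame not addressed to a gateway, is simply not sent.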
The internal switch is further configured to receive the data packet from the virtual router and send the source MAC address and the destination MAC address of the received data packet to the SDN controller to request that the SDN controller determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication authority and whether the source MAC address and the destination MAC address are on the same host; when it receives from the SDN controller a message indicating that the two cloud hosts have communication authority and that the source and destination MAC addresses are not on the same host, it sends the data packet to the external switch (different subnets, different hosts, as shown in Fig. 4D). Optionally, the internal switch is further configured to send the data packet to the second cloud host that matches the destination MAC address when it receives from the SDN controller a message indicating that the two cloud hosts have communication authority and that the source and destination MAC addresses are on the same host (different subnets, same host, as shown in Fig. 4B). Optionally, the internal switch is further configured not to forward the data packet when it receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address do not have communication authority. Optionally, the internal switch is further configured to: if, after receiving the data packet from the virtual router, it does not receive from the SDN controller a forwarding instruction indicating the source MAC address and the destination MAC address, or it receives a message instructing it to drop the packet, not send the data packet.
In the present embodiment, the virtual router is established by the Linux namespaces mechanism. Firewall protection and/or a NAT function is implemented in the virtual router.
When a packet is received by host 2, the external switch is configured to receive the packet through the network tunnel and forward the packet to the internal switch;
the internal switch is configured to send the source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address and destination IP address of the received packet to the software defined network (SDN) controller, so as to ask the SDN controller to determine the port of the internal switch used to send the packet, to receive from the SDN controller a message indicating the port of the internal switch used to send the packet, and to send the packet through that port to the recipient cloud host matching the destination MAC address; and
the recipient cloud host is configured to receive the packet from the internal switch through that port.
The method by which host 1 in the cloud platform architecture routes a packet is described below with reference to Fig. 3 and Fig. 4.
When a packet is sent by host 1, if a first cloud host among the at least one cloud host does not have the destination MAC address of the packet, the first cloud host sends an ARP broadcast to the ARP response agent through the internal switch; when the ARP response agent receives the ARP broadcast from the cloud host through the internal switch, it sends the destination IP address of the packet in the received ARP broadcast to the management server, receives from the management server the destination MAC address matching the destination IP address of the packet, and sends the destination MAC address to the first cloud host through the internal switch; the first cloud host receives, from the ARP response agent through the internal switch, the destination MAC address matching the destination IP address of the packet, encapsulates the packet with the received destination MAC address, and sends the packet to the internal switch; the internal switch receives the packet from the first cloud host and, if the destination MAC address of the packet received from the first cloud host is not the MAC address of the first gateway of the virtual router, sends the source MAC address and destination MAC address of the received packet to the SDN controller so as to ask the SDN controller to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host, and, when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and that the source MAC address and the destination MAC address are not on the same host, sends the packet to the external switch; and the external switch receives the packet from the internal switch and sends the packet to another host through the network tunnel.
If the first cloud host does not receive the destination MAC address of the packet from the ARP response agent, the first cloud host does not send the packet.
If the destination MAC address of the packet received by the internal switch from the first cloud host is the MAC address of the first gateway of the virtual router, the packet is sent directly to the virtual router through the first gateway; the virtual router receives the packet from the internal switch through the first gateway, finds according to the routing table the second gateway matching the destination IP address of the packet, changes the destination MAC address of the packet to the destination MAC address corresponding to the destination IP address, changes the source MAC address of the packet to the MAC address of the second gateway, and sends the packet to the internal switch through the second gateway; the internal switch receives the packet from the virtual router and sends the source MAC address and destination MAC address of the received packet to the SDN controller so as to ask the SDN controller to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host, and, when a message is received from the SDN controller indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and that the source MAC address and the destination MAC address are not on the same host, sends the packet to the external switch; and the external switch receives the packet from the internal switch and sends the packet to another host through the network tunnel.
If the virtual router does not find, according to the routing table, a second gateway matching the destination IP address of the packet, the virtual router does not send the packet.
If, after receiving the packet from the virtual router, the internal switch receives from the SDN controller no forwarding instruction for the source MAC address and destination MAC address, or receives a packet drop instruction, the internal switch does not send the packet.
When the internal switch receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and that the source MAC address and the destination MAC address are on the same host, it sends the packet, according to the destination MAC address, to the second cloud host matching the destination MAC address.
When the internal switch receives from the SDN controller a message indicating that the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address do not have communication permission, it does not forward the packet.
In the present embodiment, the virtual router is established by the Linux namespaces mechanism. Firewall protection and/or a NAT function is implemented in the virtual router.
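As an added illustration (not code from the patent), the sending-side decision flow at host 1 described above, modelled in Python: the internal switch's first-gateway check, the virtual router's MAC rewrite against its routing table, and the SDN controller's answer on communication permission and same-host placement. The tenant policy, MAC addresses, subnets, address pool and endpoint placement are constructed assumptions.

```python
import ipaddress
# Constructed topology (assumed values, not from the patent).
FIRST_GATEWAY_MAC = "02:00:00:00:ff:01"   # virtual router's first gateway
SECOND_GATEWAY_MAC = "02:00:00:00:ff:02"  # virtual router's second gateway
ROUTING_TABLE = {"10.0.2.0/24": SECOND_GATEWAY_MAC}  # dst subnet -> second gateway
ADDRESS_POOL = {"10.0.2.3": "02:00:00:00:00:03"}     # management server: IP -> MAC
# SDN controller's view: MAC -> (tenant, physical host the endpoint lives on).
ENDPOINTS = {
    "02:00:00:00:00:01": ("tenantA", "host1"),
    "02:00:00:00:00:02": ("tenantA", "host1"),
    "02:00:00:00:00:03": ("tenantA", "host2"),
    "02:00:00:00:00:04": ("tenantB", "host1"),
    SECOND_GATEWAY_MAC: ("tenantA", "host1"),  # tenant A's distributed router
}

def virtual_router(packet):
    """Find the second gateway for dst_ip and rewrite both MACs; None = not sent."""
    dst = ipaddress.ip_address(packet["dst_ip"])
    for subnet, gw_mac in ROUTING_TABLE.items():
        if dst in ipaddress.ip_network(subnet) and packet["dst_ip"] in ADDRESS_POOL:
            return {**packet, "src_mac": gw_mac, "dst_mac": ADDRESS_POOL[packet["dst_ip"]]}
    return None  # no matching second gateway: the router does not send the packet

def sdn_controller(src_mac, dst_mac):
    """Answer (has_permission, same_host); None models 'no instruction sent'."""
    if src_mac not in ENDPOINTS or dst_mac not in ENDPOINTS:
        return None
    (src_tenant, src_host), (dst_tenant, dst_host) = ENDPOINTS[src_mac], ENDPOINTS[dst_mac]
    # Assumed policy: only endpoints of the same tenant may communicate.
    return (src_tenant == dst_tenant, src_host == dst_host)

def internal_switch(packet):
    """Next hop: 'virtual_router', 'external_switch', 'cloud_host:<mac>' or 'drop'."""
    if packet["dst_mac"] == FIRST_GATEWAY_MAC:
        return "virtual_router"  # routed traffic goes straight to the router
    reply = sdn_controller(packet["src_mac"], packet["dst_mac"])
    if reply is None:
        return "drop"  # no forwarding instruction from the controller: do not send
    has_permission, same_host = reply
    if not has_permission:
        return "drop"  # cross-tenant traffic is isolated
    return f"cloud_host:{packet['dst_mac']}" if same_host else "external_switch"

def send_from_host1(packet):
    """Drive one packet along the sending-side path at host 1 (Fig. 3/4 flow)."""
    hop = internal_switch(packet)
    if hop != "virtual_router":
        return hop
    routed = virtual_router(packet)
    return "drop" if routed is None else internal_switch(routed)
```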
When a packet is received by host 2, the packet is received at the external switch through the network tunnel and forwarded to the internal switch;
at the internal switch, the source media access control (MAC) address, destination MAC address, source Internet Protocol (IP) address and destination IP address of the received packet are sent to the software defined network (SDN) controller so as to ask the SDN controller to determine the port of the internal switch used to send the packet, a message indicating the port of the internal switch used to send the packet is received from the SDN controller, and the packet is sent through that port to the recipient cloud host matching the destination MAC address; and
the recipient cloud host receives the packet from the internal switch through that port.
Turning to Fig. 2, the cloud platform architecture will be described in detail with reference to Fig. 2. In addition to the host structure described above with reference to Fig. 3 and Fig. 4, in the cloud platform architecture the management server is configured to receive the ARP broadcast from the ARP response agent, look up the local address pool according to the ARP broadcast and the identifier of the host where the ARP response agent is located to obtain the destination MAC address of the packet, and send the destination MAC address to the ARP response agent; and the SDN controller is configured to receive from the internal switch a request to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host, and to send to the internal switch a message indicating whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host.
Next, the method in the cloud platform architecture is described in detail with reference to Fig. 2. In addition to the method by which the host routes a packet, described above with reference to Fig. 3 and Fig. 4, the method of routing a packet in the cloud platform architecture further includes: the management server receives the ARP broadcast from the ARP response agent, looks up the local address pool according to the ARP broadcast and the identifier of the host where the ARP response agent is located to obtain the destination MAC address of the packet, and sends the destination MAC address to the ARP response agent; and the SDN controller receives from the internal switch a request to determine whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host, and sends to the internal switch a message indicating whether the cloud host corresponding to the source MAC address and the cloud host corresponding to the destination MAC address have communication permission and whether the source MAC address and the destination MAC address are on the same host.
The present invention has the following advantages: the utilization of inexpensive x86 resources is improved through NFV and SDN; direct dependence on the physical network facilities of the machine room is reduced, which facilitates flexible control of network data; through logical subnets and the SDN network, access isolation between tenants' cloud hosts is realized at low cost; through the distributed virtual router, communication between cloud hosts of the same tenant is dynamically controlled and the security guarantee for each cloud host is strengthened; and broadcasts in the machine room network are effectively reduced by the ARP response agent, which reduces the risk of broadcast storms and the possibility of tenants probing each other.
The above detailed description has set forth numerous embodiments of the inspection method and system by using schematic diagrams, flow charts and/or examples. Where such schematic diagrams, flow charts and/or examples include one or more functions and/or operations, those skilled in the art will understand that each function and/or operation in such schematic diagrams, flow charts or examples can be implemented individually and/or jointly by a wide variety of structures, hardware, software, firmware or substantially any combination thereof. In one embodiment, several portions of the subject matter described in the embodiments of the present invention can be implemented by an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP) or other integrated formats. However, those skilled in the art will recognize that some aspects of the embodiments disclosed herein can equally be implemented, in whole or in part, in integrated circuits, as one or more computer programs running on one or more computers (for example, as one or more programs running on one or more computer systems), as one or more programs running on one or more processors (for example, as one or more programs running on one or more microprocessors), as firmware, or substantially as any combination of the foregoing, and that, in light of this disclosure, those skilled in the art will be capable of designing the circuits and/or writing the software and/or firmware code. In addition, those skilled in the art will recognize that the mechanisms of the subject matter described in this disclosure can be distributed as a program product in a variety of forms, and that the exemplary embodiments of the subject matter described in this disclosure apply regardless of the particular type of signal bearing medium actually used to carry out the distribution. Examples of signal bearing media include, but are not limited to: recordable-type media such as floppy disks, hard disk drives, compact discs (CD), digital versatile discs (DVD), digital tape and computer memory; and transmission-type media such as digital and/or analogue communication media (for example, fibre optic cables, waveguides, wired communication links, wireless communication links, etc.).
Although the present invention has been described with reference to several exemplary embodiments, it is to be understood that the terms used are illustrative and exemplary, not restrictive. Since the present invention can be embodied in a variety of forms without departing from the spirit or substance of the invention, it should be appreciated that the above-described embodiments are not limited to any of the details described above and should be interpreted broadly within the spirit and scope defined by the appended claims; therefore all variations and modifications falling within the claims or their equivalent scope are intended to be covered by the appended claims.