CN107204896A - Method, apparatus and VTEP device for processing VXLAN messages - Google Patents

Info

Publication number
CN107204896A
Authority
CN
China
Prior art keywords
vxlan
local
vxlan messages
messages
vtep equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710364478.6A
Other languages
Chinese (zh)
Inventor
左义建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201710364478.6A
Publication of CN107204896A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

This application discloses a method, an apparatus and a VTEP device for processing VXLAN messages. It relates to the technical field of communication networks and addresses the low normal operating efficiency of a VTEP device when a VXLAN network is attacked with counterfeit VXLAN messages. The method includes: receiving VXLAN messages, where VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI; counting the non-local VXLAN messages within a first preset time; and, when the count of non-local VXLAN messages is greater than or equal to a first threshold, discarding the non-local VXLAN messages received. The embodiments of this application apply to the processing of VXLAN messages.

Description

Method, apparatus and VTEP device for processing VXLAN messages
Technical field
This application relates to the field of communication technology, and in particular to a method, an apparatus and a VTEP device for processing VXLAN messages.
Background
With the rapid development of cloud computing, data centers are increasingly virtualized and place ever higher demands on the physical network. For example, the top-of-rack (Top Of Rack, TOR) switches deployed in a data center network must maintain large Media Access Control (MAC) address tables. As another example, existing Virtual Local Area Network (VLAN) technology supports at most 4094 independent, layer-2-isolated forwarding domains and cannot isolate the networks of a massive number of virtual machines. As a further example, multi-tenant environments urgently need effective network isolation technology to guarantee the security of user data.
Existing Virtual Extensible LAN (VXLAN) technology can solve the above problems. In practice, however, VXLAN is vulnerable to attacks with counterfeit VXLAN messages. For example, when an attacker sends a large number of counterfeit VXLAN messages to a VXLAN tunnel endpoint (VXLAN Tunneling End Point, VTEP) device, the VTEP device has to spend a large amount of processor resources on the counterfeit VXLAN messages, leaving it without enough remaining processor resources to handle non-VXLAN messages, which reduces the normal operating efficiency of the VTEP device.
Summary of the invention
This application provides a method and an apparatus for processing VXLAN messages, to solve the problem that the normal operating efficiency of a VTEP device is low when VXLAN is attacked with counterfeit VXLAN messages.
To achieve the above purpose, this application adopts the following technical solutions:
This application provides a method for processing VXLAN messages. The method is applied to a destination VTEP device of a virtual extensible LAN tunnel, where the VTEP device and the other VTEP devices in the virtual extensible LAN (VXLAN) in which it resides act as source and destination of VXLAN tunnels for one another. The method includes:
receiving VXLAN messages, where VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
counting the non-local VXLAN messages within a first preset time;
when the count of non-local VXLAN messages is greater than or equal to a first threshold, discarding the non-local VXLAN messages received.
This application also provides an apparatus for processing VXLAN messages. The apparatus is applied to a destination VTEP device of a virtual extensible LAN tunnel, where the VTEP device and the other VTEP devices in the virtual extensible LAN (VXLAN) in which it resides act as source and destination of VXLAN tunnels for one another. The apparatus includes:
a receiving unit, for receiving VXLAN messages, where VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
a statistics unit, for counting the non-local VXLAN messages within a first preset time;
a decision unit, for discarding the non-local VXLAN messages received when the count of non-local VXLAN messages is greater than or equal to a first threshold.
This application also provides a VTEP device. The VTEP device and the other VTEP devices in the virtual extensible LAN (VXLAN) in which it resides act as source and destination of VXLAN tunnels for one another. The VTEP device includes a processor, and the processor is used to implement the following steps:
receiving VXLAN messages through a receiving unit, where VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
counting the non-local VXLAN messages within a first preset time;
when the count of non-local VXLAN messages is greater than or equal to a first threshold, discarding the non-local VXLAN messages received.
The method, apparatus and VTEP device for processing VXLAN messages provided by this application count the non-local VXLAN messages received within the first preset time and, when the count of non-local VXLAN messages is greater than or equal to the first threshold, discard the non-local VXLAN messages received. This prevents the processing of counterfeit VXLAN messages from non-local VXLAN networks from occupying a large amount of the VTEP device's processor resources, so that the VTEP device can retain enough processor resources to handle local VXLAN messages and non-VXLAN messages, which improves the normal operating efficiency of the VTEP device.
Brief description of the drawings
To explain the technical solutions of the embodiments of this application or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of this application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for processing VXLAN messages provided by an embodiment of this application;
Fig. 2 is a flowchart of another method for processing VXLAN messages provided by an embodiment of this application;
Fig. 3 is a flowchart of another method for processing VXLAN messages provided by an embodiment of this application;
Fig. 4 is a flowchart of another method for processing VXLAN messages provided by an embodiment of this application;
Fig. 5 is a flowchart of another method for processing VXLAN messages provided by an embodiment of this application;
Fig. 6 is a schematic structural diagram of an apparatus for processing VXLAN messages provided by an embodiment of this application;
Fig. 7 is a schematic structural diagram of another apparatus for processing VXLAN messages provided by an embodiment of this application;
Fig. 8 is a schematic structural diagram of another apparatus for processing VXLAN messages provided by an embodiment of this application;
Fig. 9 is a schematic structural diagram of a VTEP device provided by an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments of this application. The described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application without creative effort fall within the scope of protection of this application.
VXLAN networks generally use the User Datagram Protocol (UDP), encapsulating ordinary Ethernet messages in UDP messages for transmission. A VXLAN network uses a 24-bit VXLAN Network Identifier (VNI) and can support at most 16777215 independent, layer-2-isolated forwarding domains, far more than the 4094 independent, layer-2-isolated forwarding domains that a VLAN network can support. VXLAN can therefore better meet the need to isolate a massive number of tenant networks in larger-scale networks such as data centers and cloud processors, and is widely used.
In practice, encapsulation and decapsulation of VXLAN messages are generally performed by the VTEP devices at the two ends of a VXLAN tunnel. For example, the VTEP device at one end of the VXLAN tunnel sends the encapsulated VXLAN message to the VTEP device at the other end of the tunnel, and the VTEP device at the other end decapsulates the VXLAN message after receiving it.
It should be noted that the messages transmitted in a VXLAN network include non-VXLAN messages in addition to the VXLAN messages above. After a VTEP device receives a message, it therefore first needs to determine whether the message is a VXLAN message, as follows: the VTEP device checks whether the UDP destination port number in the message header is the same as the VXLAN dedicated port number configured locally on the VTEP device. If the two port numbers are the same, the message is a VXLAN message; otherwise it is a non-VXLAN message.
As shown in Fig. 1, an embodiment of this application provides a method for processing VXLAN messages. The method can be applied to a VTEP device, where the VTEP device and the other VTEP devices in the VXLAN network in which it resides act as source and destination of VXLAN tunnels for one another.
The VTEP device can support at least one VXLAN network and encapsulates and decapsulates messages from the at least one VXLAN network.
It should be noted that the VTEP device that sends a VXLAN message is the tunnel source VTEP device, and the VTEP device that receives the VXLAN message is the destination VTEP device. In practice, however, VXLAN message transmission between VTEP devices is usually bidirectional, so the VTEP devices taking part in bidirectional VXLAN message transmission can be source and destination for one another.
As shown in Fig. 1, the above method for processing VXLAN messages specifically includes:
Step 101: receive VXLAN messages.
VXLAN messages include local VXLAN messages and non-local VXLAN messages.
It should be noted that a local VXLAN message is a VXLAN message whose header carries a local VNI. The local VNIs are the VNIs of all VXLAN networks that the VTEP device supports, and carrying a local VNI means that the VNI carried in the VXLAN message header is equal to one of the VNIs of all VXLAN networks that the VTEP device supports. Correspondingly, a non-local VXLAN message is a VXLAN message whose header does not carry a local VNI; not carrying a local VNI means that the VNI carried in the VXLAN message header is the VNI of a VXLAN network other than the VXLAN networks that the VTEP device supports.
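The port check and the local/non-local split described above can be sketched as follows. This is an added example, not code from the patent: the 8-byte VXLAN header layout and the "I" flag come from RFC 7348, port 4789 stands in for the "locally configured" VXLAN port, and the `MALFORMED` class, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import struct
from enum import Enum
from typing import Optional, Set, Tuple

VXLAN_UDP_PORT = 4789      # assumption: IANA default; the page only says "locally configured"
UDP_HEADER_LEN = 8
VXLAN_HEADER_LEN = 8       # RFC 7348: flags(8) | reserved(24) | VNI(24) | reserved(8)
FLAG_VNI_VALID = 0x08      # RFC 7348 "I" flag: the VNI field is valid


class Kind(Enum):
    NON_VXLAN = "non-VXLAN"
    LOCAL = "local VXLAN"
    NON_LOCAL = "non-local VXLAN"
    MALFORMED = "malformed"  # assumption: the page does not define this case


def parse_vni(vxlan: bytes) -> Optional[int]:
    """Return the 24-bit VNI, or None if the header is truncated or the I flag is clear."""
    if len(vxlan) < VXLAN_HEADER_LEN or not vxlan[0] & FLAG_VNI_VALID:
        return None
    return int.from_bytes(vxlan[4:7], "big")


def classify(udp_datagram: bytes, local_vnis: Set[int],
             vxlan_port: int = VXLAN_UDP_PORT) -> Tuple[Kind, Optional[int]]:
    """Classify one UDP datagram (UDP header + payload) the way the VTEP does."""
    if len(udp_datagram) < UDP_HEADER_LEN:
        return Kind.MALFORMED, None
    _src, dst, _length, _csum = struct.unpack("!HHHH", udp_datagram[:UDP_HEADER_LEN])
    if dst != vxlan_port:                  # destination port check from the text
        return Kind.NON_VXLAN, None
    vni = parse_vni(udp_datagram[UDP_HEADER_LEN:])
    if vni is None:
        return Kind.MALFORMED, None
    # "Carries a local VNI" = the VNI equals one of the VNIs this VTEP supports.
    return (Kind.LOCAL if vni in local_vnis else Kind.NON_LOCAL), vni


def build_vxlan_datagram(vni: int, dst_port: int = VXLAN_UDP_PORT,
                         inner: bytes = b"\x00" * 14) -> bytes:
    """Constructed sample input: UDP header + VXLAN header + dummy inner frame."""
    vxlan = bytes([FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner
    udp = struct.pack("!HHHH", 49152, dst_port, UDP_HEADER_LEN + len(vxlan), 0)
    return udp + vxlan


if __name__ == "__main__":
    local = {100, 200}                     # constructed set of local VNIs
    for vni, port in [(100, 4789), (0xABCDEF, 4789), (100, 53)]:
        print(vni, port, classify(build_vxlan_datagram(vni, port), local))
```

The VNI is taken from the received header as-is, so a sender can also put a local VNI in a forged message; the page covers that case with the second threshold for local VXLAN messages.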
Step 102: within the first preset time, count the non-local VXLAN messages.
The first preset time is the preset period over which the VTEP device counts non-local VXLAN messages, and it can be set according to the specific application environment. For example, if the number of non-local VXLAN messages the VTEP device receives varies widely between time periods, the first preset time can be set to a smaller value, such as 1 second, to improve the accuracy of the count of non-local VXLAN messages. As another example, if the number of non-local VXLAN messages the VTEP device receives stays small over a long time, the first preset time can be set to a larger value, such as 1 hour.
Step 103: when the count of non-local VXLAN messages is greater than or equal to the first threshold, discard the non-local VXLAN messages received.
It should be noted that the first threshold can be set according to the specific application environment, which includes the maximum number of messages the VTEP device can process per unit time. In practice, in addition to counting non-local VXLAN messages, the numbers of local VXLAN messages and of non-VXLAN messages can also be counted. When local VXLAN messages and non-VXLAN messages account for a high proportion of all messages received (for example 80%), and the ratio of the total number of messages received per unit time to the maximum number of messages the VTEP device can process per unit time is large (for example 0.9), the first threshold can be set to a smaller value. Here, the total number of messages the VTEP device receives per unit time is the sum of the numbers of non-local VXLAN messages, local VXLAN messages and non-VXLAN messages that the VTEP device receives in the unit time.
In addition, if the count of non-local VXLAN messages is less than the first threshold, the VTEP device has enough remaining processor resources to handle the non-local VXLAN messages, local VXLAN messages and non-VXLAN messages it receives, so the VTEP device can decapsulate the non-local VXLAN messages, local VXLAN messages and non-VXLAN messages received.
In the method for processing VXLAN messages provided by this embodiment of the application, the non-local VXLAN messages received within the first preset time are counted and, when the count of non-local VXLAN messages is greater than or equal to the first threshold, the non-local VXLAN messages received are discarded. This prevents the processing of counterfeit VXLAN messages from non-local VXLAN networks from occupying a large amount of the VTEP device's processor resources, so that the VTEP device can retain enough processor resources to handle local VXLAN messages and non-VXLAN messages, which improves the normal operating efficiency of the VTEP device.
On the basis of the implementation shown in Fig. 1, the method can also be implemented as shown in Fig. 2. After step 103 (when the count of non-local VXLAN messages is greater than or equal to the first threshold, discard the non-local VXLAN messages received) is performed, steps 201 and 202 can also be performed:
Step 201: within the second preset time, count the local VXLAN messages.
The second preset time is the preset period over which the VTEP device counts local VXLAN messages, and it can be set according to the specific application environment. For example, if the number of local VXLAN messages the VTEP device receives varies widely between time periods, the second preset time can be set to a smaller value, such as 1 second, to improve the accuracy of the count of local VXLAN messages. As another example, if the number of local VXLAN messages the VTEP device receives stays small over a long time, the second preset time can be set to a larger value, such as 1 hour. In embodiments of the present invention, a corresponding second threshold can be set independently for each VXLAN network on the VTEP device, that is, the corresponding second threshold is set when the VXLAN network is configured on the VTEP device. The second thresholds set for different VXLAN networks can be the same or different.
Step 202: when the count of local VXLAN messages is greater than or equal to the second threshold, discard the local VXLAN messages received.
It should be noted that the second threshold can be set according to the specific application environment, which includes the maximum number of messages the VTEP device can process per unit time. In practice, in addition to counting non-local VXLAN messages and local VXLAN messages, the number of non-VXLAN messages can also be counted. When non-VXLAN messages account for a high proportion of all messages received (for example 70%), and the ratio of the total number of messages the VTEP device receives per unit time to the maximum number of messages the VTEP device can process per unit time is large (for example 0.9), the first threshold and the second threshold can both be set to a smaller value.
In addition, if the count of local VXLAN messages is less than the second threshold, the VTEP device has enough remaining processor resources to handle the local VXLAN messages and non-VXLAN messages it receives, so the VTEP device can decapsulate the local VXLAN messages and non-VXLAN messages received.
It is worth noting that, in this embodiment, to ensure that there are enough processor resources to handle local VXLAN messages and that fewer non-local VXLAN messages are processed, the first threshold can be set lower than the second threshold. Steps 201 and 202 in this example can also be performed at the same time as steps 102 and 103 respectively; this application does not limit this.
In the other method for processing VXLAN messages provided by this embodiment of the application, the non-local VXLAN messages received within the first preset time and the local VXLAN messages received within the second preset time are counted. When the count of non-local VXLAN messages is greater than or equal to the first threshold and the count of local VXLAN messages is greater than or equal to the second threshold, the non-local VXLAN messages and local VXLAN messages received are discarded. This prevents the processing of counterfeit VXLAN messages from non-local VXLAN networks and of counterfeit VXLAN messages from local VXLAN networks from occupying a large amount of the VTEP device's processor resources, so that the VTEP device can retain enough processor resources to handle non-VXLAN messages, which further improves the normal operating efficiency of the VTEP device.
On the basis of the implementation shown in Fig. 1 or Fig. 2, step 301 can also be performed after step 103 (when the count of non-local VXLAN messages is greater than or equal to the first threshold, discard the non-local VXLAN messages received), or after step 202 (when the count of local VXLAN messages is greater than or equal to the second threshold, discard the local VXLAN messages received). For example, performing step 301 on the basis of Fig. 1 gives the implementation shown in Fig. 3.
As shown in Fig. 3, after step 103 is performed, step 301 is performed:
Step 301: send an alarm indication.
The alarm indication is sent to a user device and prompts the user who is logged in to the VXLAN network through that user device to investigate the attack source of the counterfeit VXLAN messages. The alarm indication can be at least one of an alarm sound, a voice prompt, an indicator light, a paper document, and text, images or video that can be played back. User devices include mobile phones, personal computers (PC), tablet computers and all other devices that can be used to access the VXLAN network.
On the basis of the implementation shown in Fig. 3, the method can also be implemented as shown in Fig. 4. After step 301 (send an alarm indication) is performed, step 302 can also be performed:
Step 302: within the alarm preset period, when the number of alarm indications sent is greater than or equal to the alarm quantity threshold, stop sending alarm indications.
The alarm preset period is usually set to a larger value. For example, the alarm preset period is set to M times one of the first preset time and the second preset time, or to N times the least common multiple of the first preset time and the second preset time, where M and N are natural numbers greater than or equal to 1.
The purpose of the alarm indication is to notify the user who is logged in to the VXLAN network through the user device to investigate the attack source. It only needs to be guaranteed that the user is notified; there is no need to send too many alarm indications within a short time. This avoids disturbing the user unnecessarily and avoids excessive alarm indications occupying too many VXLAN network resources. In practice, the alarm quantity threshold is therefore usually set to a smaller value, such as 5. Within the alarm preset period, when the number of alarm indications sent is greater than or equal to 5, sending of the same alarm indication stops.
On the basis of the implementation shown in Fig. 2, the method can also be implemented as shown in Fig. 5. As shown in Fig. 5, before step 101 (receive VXLAN messages) is performed, the method also includes step 401:
Step 401: when each VXLAN network is configured on the VTEP device, set the corresponding second preset time and second threshold for that VXLAN network.
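Steps 102 and 103, 201 and 202, 301 and 302, and 401 combine into one admission decision per message, sketched below as an added example that is not code from the patent. It assumes fixed (non-sliding) counting windows, that the message which brings the count up to the threshold is itself discarded, and that one alarm is attempted each time a window first reaches its threshold; the class names, parameter values and the traffic trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class WindowCounter:
    """One 'preset time' and its threshold, as a fixed-window counter."""
    period: float                     # preset time, in seconds
    threshold: int                    # discard once the count reaches this value
    start: Optional[float] = None
    count: int = 0

    def hit(self, now: float) -> Tuple[bool, bool]:
        """Count one message. Returns (discard, threshold_just_reached)."""
        if self.start is None or now - self.start >= self.period:
            self.start, self.count = now, 0       # a new counting window begins
        self.count += 1
        return self.count >= self.threshold, self.count == self.threshold


@dataclass
class AlarmLimiter:
    """Step 302: stop sending once max_alarms were sent in the alarm preset period."""
    period: float
    max_alarms: int
    start: Optional[float] = None
    sent: int = 0

    def try_send(self, now: float) -> bool:
        if self.start is None or now - self.start >= self.period:
            self.start, self.sent = now, 0
        if self.sent >= self.max_alarms:
            return False                           # suppressed
        self.sent += 1
        return True


class VtepGuard:
    def __init__(self, first_period: float, first_threshold: int,
                 alarm_period: float, alarm_max: int):
        self.non_local = WindowCounter(first_period, first_threshold)  # steps 102/103
        self.local: Dict[int, WindowCounter] = {}                      # steps 201/202
        self.alarms = AlarmLimiter(alarm_period, alarm_max)
        self.alarm_log: List[Tuple[float, str]] = []

    def add_vxlan(self, vni: int, second_period: float, second_threshold: int) -> None:
        """Step 401: per-network second preset time and second threshold."""
        self.local[vni] = WindowCounter(second_period, second_threshold)

    def admit(self, vni: Optional[int], now: float) -> bool:
        """vni=None is a non-VXLAN message. True = process, False = discard."""
        if vni is None:
            return True
        counter = self.local.get(vni, self.non_local)  # unknown VNI -> non-local
        discard, just_reached = counter.hit(now)
        if just_reached and self.alarms.try_send(now):  # step 301, capped by 302
            label = f"local VNI {vni}" if vni in self.local else "non-local VNI"
            self.alarm_log.append((now, label))
        return not discard


def run_constructed_trace():
    """Constructed traffic: a burst with non-local VNI 999 in three windows."""
    guard = VtepGuard(first_period=1.0, first_threshold=3,
                      alarm_period=10.0, alarm_max=2)
    guard.add_vxlan(100, second_period=1.0, second_threshold=5)
    trace = [(0.0, 999), (0.1, 999), (0.2, 999), (0.25, 100), (0.3, 999),
             (0.4, None), (1.0, 999), (1.1, 999), (1.2, 999),
             (2.0, 999), (2.1, 999), (2.2, 999)]
    return [guard.admit(vni, t) for t, vni in trace], guard.alarm_log


if __name__ == "__main__":
    decisions, alarms = run_constructed_trace()
    print(decisions)
    print(alarms)
```

In the trace, local VNI 100 and the non-VXLAN message are still processed while non-local messages are being discarded, and the third window reaches the threshold without a third alarm because the alarm quantity threshold of 2 was already met.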
It is worth noting that, in practice, the first preset time, first threshold, second preset time, second threshold, alarm preset period and alarm quantity threshold mentioned in the embodiments of this application can be set automatically by the VXLAN network, or set manually by the user who is logged in to the VXLAN network through a user device; this application does not limit this.
It should also be noted that, in practice, targeted technical measures can be taken according to statistics on the sources of the counterfeit VXLAN messages received in the past; this application does not limit this. For example, if counterfeit VXLAN messages from non-local VXLAN networks account for a large proportion, such as 90%, and the VTEP device still has enough remaining processor resources to handle local VXLAN messages and non-VXLAN messages, steps 102 and 103 can be applied to the non-local VXLAN messages received only.
As another example, if counterfeit VXLAN messages from local VXLAN networks account for a large proportion, such as 90%, and the VTEP device still has enough remaining processor resources to handle non-local VXLAN messages and non-VXLAN messages, steps 201 and 202 can be applied to the local VXLAN messages received only.
As a further example, if the numbers of counterfeit VXLAN messages from local VXLAN networks and from non-local VXLAN networks are close, for example 50% each, and the VTEP device does not have enough remaining processor resources to handle non-VXLAN messages, steps 102 and 103 are applied to the non-local VXLAN messages received and, at the same time, steps 201 and 202 are applied to the local VXLAN messages received.
As shown in Fig. 5, this application also provides an apparatus 30 for processing VXLAN messages. The apparatus 30 is applied to a destination VTEP device of a virtual extensible LAN tunnel, where the VTEP device and the other VTEP devices in the virtual extensible LAN (VXLAN) in which it resides act as source and destination of VXLAN tunnels for one another.
The apparatus 30 includes:
a receiving unit 31, for receiving VXLAN messages, where VXLAN messages include local VXLAN messages and non-local VXLAN messages;
a statistics unit 32, for counting the non-local VXLAN messages within the first preset time;
a decision unit 33, for discarding the non-local VXLAN messages received when the count of non-local VXLAN messages is greater than or equal to the first threshold.
In the apparatus 30 for processing VXLAN messages provided by this embodiment of the application, the statistics unit 32 counts the non-local VXLAN messages received by the receiving unit 31 within the first preset time and, when the count of non-local VXLAN messages is greater than or equal to the first threshold, the decision unit 33 discards the non-local VXLAN messages received. This prevents the processing of counterfeit VXLAN messages from non-local VXLAN networks from occupying a large amount of the VTEP device's processor resources, so that the VTEP device can retain enough processor resources to handle local VXLAN messages and non-VXLAN messages, which improves the normal operating efficiency of the VTEP device.
In another apparatus 30 for processing VXLAN messages provided by an embodiment of this application, as shown in Fig. 6:
the statistics unit 32 is also used to count the local VXLAN messages within the second preset time;
the decision unit 33 is also used to discard the local VXLAN messages received when the count of local VXLAN messages is greater than or equal to the second threshold.
In the other apparatus 30 for processing VXLAN messages provided by this embodiment of the application, the statistics unit 32 counts the non-local VXLAN messages received by the receiving unit 31 within the first preset time and the local VXLAN messages received by the receiving unit 31 within the second preset time. When the count of non-local VXLAN messages is greater than or equal to the first threshold and the count of local VXLAN messages is greater than or equal to the second threshold, the decision unit 33 discards the non-local VXLAN messages and local VXLAN messages received. This prevents the processing of counterfeit VXLAN messages from non-local VXLAN networks and of counterfeit VXLAN messages from local VXLAN networks from occupying a large amount of the VTEP device's processor resources, so that the VTEP device can retain enough processor resources to handle non-VXLAN messages, which further improves the normal operating efficiency of the VTEP device.
On the basis of the device 30 of above two processing VXLAN messages as shown in Figure 5, it is also implemented as such as Fig. 6 The device 30 of shown another processing VXLAN messages, wherein
Decision package 33, is additionally operable to send alarm instruction by transmitting element 34.
Indicate to take substantial amounts of resource in order to avoid being transmitted across many alarms, in a kind of processing VXLAN reports as shown in Figure 6 On the basis of the device 30 of text, another implementation is also implemented as.As shown in fig. 6, wherein
Decision package 33, is additionally operable in alarm predetermined period, when the statistical value that alarm is indicated is more than or equal to alarm number When measuring threshold value, stop sending alarm instruction.
On the basis of the device 30 of any one processing VXLAN message as shown in Figure 5 or Figure 6, it is also implemented as Another device 30 of processing VXLAN messages.A kind of device 30 of processing VXLAN messages shown in Fig. 7, is on Fig. 5 basis The device 30 of another processing VXLAN messages of upper realization.As shown in fig. 7, the device 30 also includes:
Processing unit 35, for when the statistical value of non-local VXLAN messages is less than first threshold, to non-received Ground VXLAN messages, local VXLAN messages and non-VXLAN messages make decapsulation processing;
Processing unit 35, is additionally operable to when the statistical value of local VXLAN messages is less than Second Threshold, local to what is received VXLAN messages and non-VXLAN messages make decapsulation processing.
It should be noted that the statistical value of non-local VXLAN messages is less than first threshold, show that processing unit 35 also has foot Non-local VXLAN messages, local VXLAN messages and non-VXLAN messages that enough remaining processor resource processing are received, therefore Processing unit 35 also can make decapsulation processing to the non-local VXLAN messages received.That is, when non-local VXLAN reports When the statistical value of text is less than first threshold, processing unit 35 can make decapsulation processing to all messages received.
Another point is it should be noted that locally the statistical value of VXLAN messages shows processing unit 35 also less than Second Threshold There are local VXLAN messages and non-VXLAN messages that enough remaining processor resource processing are received, therefore the meeting of processing unit 35 Decapsulation processing is made to the local VXLAN messages and non-VXLAN messages received.
On the basis of a kind of device 30 of processing VXLAN messages as shown in Figure 6, it is also implemented as shown in Figure 6 Another processing VXLAN messages device 30.As shown in fig. 6, decision package 33, is additionally operable to before VXLAN messages are received, When each VXLAN networks are configured in VTEP equipment, for corresponding second preset time of the VXLAN network settings and the second threshold Value.
As shown in Figure 8, the embodiment of the present application further provides VTEP equipment 40. The VTEP equipment 40 and the other VTEP equipment in the virtual extensible LAN (VXLAN) where it resides are source and destination of VXLAN tunnels to each other. The VTEP equipment includes processor 41, and processor 41 can be used to implement the following steps:
Receive VXLAN messages through receiving unit 31, where the VXLAN messages include local VXLAN messages and non-local VXLAN messages;
Within the first preset time, count the number of non-local VXLAN messages;
When the count of non-local VXLAN messages is greater than or equal to the first threshold, discard the received non-local VXLAN messages.
On the basis of the VTEP equipment 40 shown in Figure 8, the embodiment of the present application further provides another VTEP equipment 40. As shown in Figure 8, after the received non-local VXLAN messages are discarded, processor 41 is further configured to perform the following steps:
Within the second preset time, count the number of local VXLAN messages;
When the count of local VXLAN messages is greater than or equal to the second threshold, discard the received local VXLAN messages.
On the basis of either of the above two VTEP equipment shown in Figure 8, the embodiment of the present application further provides another VTEP equipment 40. As shown in Figure 8, processor 41 is further configured to perform the following step:
Send an alarm indication through transmitting unit 34.
To avoid sending so many alarm indications that they occupy a large amount of resources, in another implementation of the embodiment of the present application, processor 41 is further configured to perform the following step:
Within the preset alarm period, when the number of alarm indications sent is greater than or equal to the alarm quantity threshold, stop sending alarm indications.
On the basis of any of the VTEP equipment 40 shown in Figure 8, another VTEP equipment 40 can also be implemented. As shown in Figure 8, wherein
Processor 41 is further configured to decapsulate the received non-local VXLAN messages, local VXLAN messages and non-VXLAN messages when the count of non-local VXLAN messages is less than the first threshold;
Processor 41 is further configured to decapsulate the received local VXLAN messages and non-VXLAN messages when the count of local VXLAN messages is less than the second threshold.
It should be noted that a count of non-local VXLAN messages below the first threshold indicates that processor 41 still has enough remaining processor resources to handle the received non-local VXLAN messages, local VXLAN messages and non-VXLAN messages, so processor 41 also decapsulates the received non-local VXLAN messages. That is, when the count of non-local VXLAN messages is less than the first threshold, processor 41 decapsulates all received messages.
It should also be noted that a count of local VXLAN messages below the second threshold indicates that processor 41 still has enough remaining processor resources to handle the received local VXLAN messages and non-VXLAN messages, so processor 41 decapsulates the received local VXLAN messages and non-VXLAN messages.
On the basis of the implementation shown in Figure 9, another implementation, also shown in Figure 9, can be realized. As shown in Figure 9, processor 41 is further configured to, before VXLAN messages are received, set the corresponding second preset time and second threshold for each VXLAN network when that VXLAN network is configured on the VTEP equipment.
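The processor steps described above, as an added Python sketch that is not part of the patent text. The names `Window`, `VtepGuard`, `parse_vni` and `vxlan` are hypothetical; the sketch assumes fixed counting windows, identifies VXLAN by UDP destination port 4789, treats a malformed VXLAN header as non-local, and counts local messages only while the first threshold is exceeded (one reading of "after the received non-local VXLAN messages are discarded").

```python
from dataclasses import dataclass

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP destination port (RFC 7348)

def parse_vni(udp_payload: bytes):
    """Return the 24-bit VNI of a VXLAN header, or None if the header is malformed."""
    if len(udp_payload) < 8 or not udp_payload[0] & 0x08:  # I flag must be set
        return None
    return int.from_bytes(udp_payload[4:7], "big")

@dataclass
class Window:
    period: float      # preset time in seconds
    threshold: int
    start: float = 0.0
    count: int = 0

    def hit(self, now: float) -> bool:
        """Count one event; True once the count reaches the threshold in this window."""
        if now - self.start >= self.period:
            self.start, self.count = now, 0
        self.count += 1
        return self.count >= self.threshold

    def tripped(self, now: float) -> bool:
        return now - self.start < self.period and self.count >= self.threshold

class VtepGuard:
    def __init__(self, first: Window, second_by_vni: dict, alarm: Window):
        self.first, self.second_by_vni, self.alarm = first, second_by_vni, alarm
        self.alarms_sent = 0

    def _drop(self, now: float) -> str:
        if not self.alarm.tripped(now):  # stop alarming once the alarm quota is used
            self.alarm.hit(now)
            self.alarms_sent += 1
        return "drop"

    def handle(self, dport: int, udp_payload: bytes, now: float) -> str:
        if dport != VXLAN_PORT:
            return "process"                  # non-VXLAN messages are never limited
        vni = parse_vni(udp_payload)
        if vni not in self.second_by_vni:     # non-local (or malformed) VXLAN
            return self._drop(now) if self.first.hit(now) else "process"
        # Local VNIs are counted only while the non-local threshold is exceeded.
        if self.first.tripped(now) and self.second_by_vni[vni].hit(now):
            return self._drop(now)
        return "process"

def vxlan(vni: int) -> bytes:
    """Constructed sample: 8-byte VXLAN header followed by a dummy inner frame."""
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + b"inner"

def demo():
    guard = VtepGuard(Window(1.0, 3), {100: Window(1.0, 2)}, Window(10.0, 2))
    trace = [(4789, vxlan(999), 0.0), (4789, vxlan(999), 0.1), (4789, vxlan(100), 0.2),
             (4789, vxlan(999), 0.3), (4789, vxlan(999), 0.4), (4789, vxlan(100), 0.5),
             (4789, vxlan(100), 0.6), (53, b"dns", 0.7), (4789, vxlan(999), 1.5)]
    return [guard.handle(*pkt) for pkt in trace], guard.alarms_sent
```

In the constructed trace, VNI 100 is the only local VNI; the third drop raises no alarm because the alarm quantity threshold of 2 has already been reached within the alarm period.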
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by software plus the necessary general-purpose hardware, and of course can also be implemented by hardware, but in many cases the former is the preferred implementation.
The above is only a specific embodiment of the application, but the protection scope of the application is not limited to it. Any change or replacement that a person familiar with the technical field can readily conceive within the technical scope disclosed by the application shall be covered by the protection scope of the application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.

Claims (12)

1. A method of processing VXLAN messages, characterized in that it is applied to virtual extensible LAN tunnel endpoint (VTEP) equipment, wherein the VTEP equipment and the other VTEP equipment in the virtual extensible LAN (VXLAN) where it resides are source and destination of VXLAN tunnels to each other, the method comprising:
Receiving VXLAN messages, wherein the VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI, and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
Within the first preset time, counting the number of non-local VXLAN messages;
When the count of non-local VXLAN messages is greater than or equal to the first threshold, discarding the received non-local VXLAN messages.
2. The method according to claim 1, characterized in that, after the received non-local VXLAN messages are discarded, the method further comprises:
Within the second preset time, counting the number of local VXLAN messages;
When the number of local VXLAN messages is greater than or equal to the second threshold, discarding the received local VXLAN messages.
3. The method according to claim 1 or 2, characterized in that, after the received non-local VXLAN messages are discarded, or after the received local VXLAN messages are discarded, the method further comprises:
Sending an alarm indication.
4. The method according to claim 2, characterized in that, before VXLAN messages are received, the method further comprises: when each VXLAN network is configured on the VTEP equipment, setting the corresponding second threshold for that VXLAN network.
5. A device for processing VXLAN messages, characterized in that it is applied to virtual extensible LAN tunnel endpoint (VTEP) equipment, wherein the VTEP equipment and the other VTEP equipment in the virtual extensible LAN (VXLAN) where it resides are source and destination of VXLAN tunnels to each other, the device comprising:
A receiving unit, configured to receive VXLAN messages, wherein the VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI, and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
A statistics unit, configured to count the number of non-local VXLAN messages within the first preset time;
A decision unit, configured to discard the received non-local VXLAN messages when the count of non-local VXLAN messages is greater than or equal to the first threshold.
6. The device according to claim 5, characterized in that the statistics unit is further configured to count the number of local VXLAN messages within the second preset time;
The decision unit is further configured to discard the received local VXLAN messages when the number of local VXLAN messages is greater than or equal to the second threshold.
7. The device according to claim 5 or 6, characterized in that the decision unit is further configured to send an alarm indication through a transmitting unit.
8. The device according to claim 6, characterized in that the decision unit is further configured to, before VXLAN messages are received, set the corresponding second preset time and second threshold for each VXLAN network when that VXLAN network is configured on the VTEP equipment.
9. VTEP equipment, characterized in that it and the other VTEP equipment in the virtual extensible LAN (VXLAN) where it resides are source and destination of VXLAN tunnels to each other, the VTEP equipment includes a processor, and the processor is configured to implement the following steps:
Receiving VXLAN messages through a receiving unit, wherein the VXLAN messages include local VXLAN messages and non-local VXLAN messages, a local VXLAN message being a VXLAN message whose header carries a local VNI, and a non-local VXLAN message being a VXLAN message whose header does not carry a local VNI;
Within the first preset time, counting the number of non-local VXLAN messages;
When the count of non-local VXLAN messages is greater than or equal to the first threshold, discarding the received non-local VXLAN messages.
10. The VTEP equipment according to claim 9, characterized in that the processor is further configured to perform the following steps:
Within the second preset time, counting the number of local VXLAN messages;
When the count of local VXLAN messages is greater than or equal to the second threshold, discarding the received local VXLAN messages.
11. The VTEP equipment according to claim 9 or 10, characterized in that the processor is further configured to send an alarm indication through a transmitting unit.
12. The VTEP equipment according to claim 10, characterized in that the processor is further configured to, before VXLAN messages are received, set the corresponding second preset time and second threshold for each VXLAN network when that VXLAN network is configured on the VTEP equipment.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710364478.6A CN107204896A (en) 2017-05-22 2017-05-22 Handle method, device and the VTEP equipment of VXLAN messages

Publications (1)

Publication Number Publication Date
CN107204896A (en) 2017-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170926

RJ01 Rejection of invention patent application after publication