JP2016149701A - Network system and packet transfer method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network system which improves fault resistance or operability, and a packet transfer method.SOLUTION: A network system 100 comprises: a router 20 that is mounted at a node of an L3 wide-area NW 3 and an L2NW of a user terminal 1; a router 140 that is mounted at a node of a server 150 within a DC 110 and an L3DCNW 130; and a DC-GW 120 that is disposed at a node of the L3 wide-area NW 3 and the DC 110. In the router 20, a destination of a virtual L2 tunnel is capsulated as for the DC-GW 120.The DC-GW 120 includes: a tunnel identifier setting part 120a that uniquely adds a tunnel identifier VNI for each pair of outgoing-side and incoming-side VTEP; a storage part 120b for storing a management table; and a processing part 120c by which if a packet addressed to the DC-GW itself arrives, while referring to the management table, the packet is transferred by rewiring the destination of the packet that is capsulated by the virtual L2 tunnel, into the incoming-side VTEP.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a network system and a packet transfer method.

  Conventional network control is mainly performed by IP (Internet Protocol) address routing. A flow control network has been proposed to ensure quality and improve network utilization. The flow control network includes a flow switch that transmits and receives packets and a control server that controls the flow switch. The flow switch includes a flow table that holds a flow entry given by the control server. In the flow entry, input physical port for identifying the type of the received packet, L2 (layer 2: data link layer), L3 (layer 3: network layer) and L4 (layer 4: transport layer) information, A process (action) for the packet of the type is described. The processing here includes, for example, transmitting a packet of the type from a specified physical port, attaching a VLAN (Virtual Local Area Network) tag to the packet of the type, and a destination MAC (Media Access Control) address. Is to change. This flow control network is a network that realizes path control in units of flows defined by combinations of MAC addresses, IP addresses, port numbers, and the like. An example of such a flow control network is an OpenFlow network (see Non-Patent Document 1). In this OpenFlow network, an OpenFlow switch is used as a flow switch and a controller is used as a control server.

In recent years, in order to dynamically use various NW services in a wide area network (hereinafter referred to as NW as appropriate), virtualization of NW services by NFV (Network Function Virtualization) has been studied. In NFV, it is known that there is also a service that needs to connect user services with an L2NW (layer 2 network) for only Ethernet (registered trademark) transfer.
On the other hand, a large-scale wide-area NW is often constructed with an L3NW (layer 3 network) using IP routing from the viewpoint of scaleability and fault tolerance. Therefore, NVO3 (Network Virtualization Over L3) that realizes L2 transfer by constructing a virtual L2 tunnel on L3NW in NFV has been studied (see Non-Patent Document 2).
As NVO3, various technologies such as VXLAN (Virtual eXtensible Local Area Network) (see Non-Patent Document 3) and NVGRE (Network Virtualization Generic Routing Encapsulation) have been studied (see Non-Patent Document 4).

The VXLAN extends the L2 communication (broadcast domain) via the L3 by tunneling the L2 communication with the L3 by using a 24-bit VXLAN ID called “VXLAN Network Identifier (VNI)”. In VXLAN, a VTEP (Virtual Tunnel End Point) is installed for each virtual switch or physical server of the hypervisor. VTEP is implemented at the connection point of physical L3NW and L2NW. VTEP manages the correspondence between the MAC address of each virtual machine and the VNI of that virtual machine in a table.
In NVO3, destination resolution is required at a router (VTEP) corresponding to a tunnel end point. In VXLAN, as a destination resolution method, there are (1) a method in which traffic of unknown destination is once flooded to all end point routers and learned by D-Plane, and (2) a method of learning by C-Plane in advance (E- VPN) (see Non-Patent Document 5).

FIG. 8 is a diagram illustrating a configuration of a network system according to NVO3.
As shown in FIG. 8A, in the network system according to NVO3, user terminals 1 ₁ and 1 ₂ are L3s that are relay NWs via routers 2 ₁ , 2 ₂ and 2 ₃ (here, router 2 ₂ ). It is connected to the wide area NW3. Servers 5 _{1 to} 5 ₆ that provide services via routers 4 ₁ , 4 ₂ , and 4 ₃ are connected to the L3 wide area NW ₃ . The user terminals 1 ₁ and 1 ₂ receive various services A to F such as applications from the servers 5 _{1 to} 5 ₆ via the router 2 ₂ , the L3 wide area NW 3, and the router 4. When the routers 2 ₁ , 2 ₂ , and 2 ₃ are collectively referred to as the router 2, the routers 4 ₁ , 4 ₂ , and 4 ₃ are collectively referred to as the router 4, and the servers 5 _{1 to} 5 ₆ are collectively referred to. When it does, it calls the server 5. When the user terminals 1 ₁ and 1 ₂ are not particularly distinguished, they are represented as user terminals 1.

The user terminal 1 is a general L2 service providing terminal that transmits requests for providing various services A to F to the server 5 and acquires information from the server 5 via the L3 wide area NW3. The user terminal 1 is composed of, for example, a general personal computer or a portable information terminal.
In this specification, a service refers to an application (application) having various transfer functions or a service provided by an application.
The router 2 is an end router that becomes a final multicast point during multicast distribution, for example.
L3 Wide area NW3 is L3NW.
The server 5 is a distribution server that provides various services A to F.

The transfer of the network system related to NVO3 will be described.
For example, if a virtual machine belongs to the same segment as a virtual machine on another server via VXLAN and starts L2 communication, VTEP determines that the destination MAC address is not local. The source VTEP adds an appropriate virtual L2 tunnel identifier (hereinafter referred to as tunnel identifier) VNI (ID of the VXLAN segment to which the source virtual machine belongs) in front of the MAC frame. The VTEP further adds its own IP address and MAC address, and starts communication with the IP address of the destination VTEP. The destination VTEP confirms by looking at the tunnel identifier VNI, deletes all the information attached by the source VTEP, and sends this MAC frame to the destination virtual machine.

Before making a transfer, it must resolve to which VTEP a user service with an arbitrary MAC address exists. As the method, NVO3 has proposed the following two MAC acquisition methods.
(1) A method of transferring to all preset VTEPs.
For example, the user terminal 1 ₁ attempts to connect to the server 5 ₆ that provides services F. In this case, the VTEP learns the MAC address by looking at the reply packet, and learns a table as shown in FIG. FIG. 8B is a table showing a correspondence relationship between the MAC address of each virtual machine managed by VTEP and the tunnel identifier VNI of the virtual machine.
In the example of FIG. 8 (b), the router _{2 2} the user terminal 1 is connected, MAC address of the server _{5 6} to provide a corresponding service F (L2 (MAC)) and the router _{4 3} IP address (L3 (RemoteVTEP )) Learn the table.
(2) A method of advertising a MAC address directly connected to VTEP in advance on a control plane such as E-VPN.
The advertised VTEP learns a table as shown in FIG.

Next, the flow of transfer will be described with reference to FIG.
_First, when the user terminal ₁₁ uses the service F, the user terminal 11 sends out a packet addressed to the MAC address of the service F. Then, the router 2 as the originating side VTEP holds the table as shown in FIG. 8B, so that it is encapsulated by a header defined by each NVO3 such as a VXLAN / GRE (Generic Routing Encapsulation) header, and the router 4 ₃ Forward to. In router 4 ₃ a callee VTEP, forwards the packet to the MAC address of the service F by decapsulating the header. With this series of operations, it can be seen that L2 transfer is performed from the viewpoint of the user service.

FIG. 9 is a diagram showing a frame format after the encapsulation of FIG. FIG. 9 shows VXLAN as an example.
As shown in FIG. 9, the frame format 10 after encapsulation in FIG. 8 is Outer Dst. MAC, Outer Src. MAC, Outer Dst. IP (router 2), Outer Src. IP (router 2 ₁ ), Outer Src. VXLAN frame 11 consisting of UDP, Outer Dst. UDP (VXLAN port) and VXLAN ID (id = 1), and the original consisting of Inner Dst. MAC (service A), Inner Src. MAC (user (1 ₁ )) and Payload Frame 12.
In the L3 network (wide area NW) other than VTEP, the data is transferred only by looking at the header (VXLAN frame 11 portion) shown in FIG. For this reason, it is only necessary to perform simple L3 transfer (IP transfer).

FIG. 10 is a diagram showing the configuration of a network system and DC related to NVO3.
As shown in FIG. 10, the server 5 equipped with the service function is accommodated in a DC (Data Center) 20. The DC 20 is connected to the wide area NW 3 via the L3 DC NW 21 constructed in the DC 20. In the example of FIG. 10, the routers 4 ₁ and 4 ₂ in the DC 20 are called arrival side VTEPs (also referred to as opposite VTEPs), and the router 4 ₁ (destination side VTEP) is connected to the server 5 ₁ having the application A function (service A). Connected. Server 5 ₁ is assumed to be in an active system running. The router _{4 2} (called side VTEP) and the server _{5. 2} is a standby system.
Router 2 (originating VTEP) performs encapsulation for router 4 (destination VTEP). Specifically, the router 2 (originating side VTEP) adds an appropriate tunnel identifier VNI (ID of the VXLAN segment to which the transmission source virtual machine belongs), the IP address and the MAC address of itself and the opposite router, in front of the MAC frame, Communication is started at the IP address of the router 4 ₁ (destination VTEP). Router _{4 1} (callee VTEP), after confirming watches tunnel identifier VNI, delete all the information routers 2 is (originating VTEP) attached, and sends this MAC frame to the destination server _{5 1} (See broken line arrows in FIG. 10).

  In the DC 20, a physical server (physical machine) is a virtual machine. As an advantage of virtual machine conversion, portability can be ensured and flexible operation can be performed by a migration technique for moving a virtual machine VM between different physical servers. In order to realize the migration, it is necessary to follow the network information (VLAN (Virtual Local Area Network) information, routing information) for accessing the virtual machine VM when the virtual machine VM is switched.

As shown in FIG. 10, the DC20, when migrating the server _{5 1} of the primary system to the server _{5 2} of the standby system, the router _{4 2} (called side VTEP), compared originating VTEP (in FIG. 10 Router 2) An instruction to update the MAC table is issued. Then, the router 2 (originating side VTEP) attaches an appropriate tunnel identifier VNI, its own IP address and MAC address in front of the MAC frame, and starts communication with the IP address of the router 4 ₂ (incoming side VTEP). Router _{4 2} (called side VTEP), after confirming watches tunnel identifier VNI, delete all the information routers 2 is (originating VTEP) attached, and sends this MAC frame to the destination server _{5 2} (See solid line arrow in FIG. 10).

OpenFlow, [online], [Search November 25, 2014], Internet, <URL: https: //www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow- switch-v1.3.4.pdf> NVO3, IETF RFC7365, [online], [Search February 1, 2015], Internet, <URL: https://www.tools.ietf.org/html/rfc7365> VXLAN, IETF RFC7348, [online], [Search February 1, 2015], Internet, <URL: http://www.tools.ietf.org/html/rfc7348> NVGRE, IETF Draft, [online], [Search February 1, 2015], Internet, <URL: https://www.tools.ietf.org/html/draft-sridharan-virtualization-nvgre-07> E-VPN, IETF Draft, [online], [Search February 1, 2015], Internet, <URL: https://www.tools.ietf.org/html/draft-boutros-l2vpn-vxlan-evpn -04>

  However, in the prior art, when the virtual machine VM in the DC 20 is migrated, the setting is spread to the WAN (the wide area NW 3 and the router 2 in FIG. 10), and there is a problem that it takes time for path switching.

This will be described in more detail with reference to FIG.
If a failure occurs in the DC20, it is necessary to migrate the server 5 ₁ of the primary system to the server 5 ₂ of the standby system. In particular, when a failure occurs in the DC 20 when using the virtual L2 tunnel, it takes a lot of time to switch the route to the standby system at the originating VTEP (router 2 in FIG. 10). That is, for this switching, the router 4 ₂ (destination VTEP) must issue an instruction to update the MAC table to the originating VTEP (router 2 in FIG. 10).
For example, if the MAC acquiring method (1), the packet is sent towards the server _{5 1} side service A to DC20 outside of all VTEP, all VTEP learns by the received packet.
In the case of the MAC acquisition method of (2) above, the MAC address is advertised on the control plane to all VTEPs outside the DC 20, and all VTEPs are learned based on the received results.
In any case, it is necessary to notify all the VTEPs on the wide area NW3 (L3) side in response to a failure on the DC20 side. As shown by reference symbol a in FIG. 10, for this switching, the router 4 ₂ (destination VTEP) immediately sends ARP (E-VPN) to all the originating VTEPs (router 4 in FIG. 10). Notification is required. As indicated by reference numeral b in FIG. 10, when the number of VTEPs on the wide area NW3 (L3) side is large, the load on the NW is large and switching takes time.
Thus, in the prior art, the DC 20 that accommodates the server 5 and the wide area NW are the same L2 NW, and thus there is a problem in terms of fault tolerance and operability.

  The present invention has been made in view of such a background, and an object of the present invention is to provide a network system and a packet transfer method that improve fault tolerance and operability.

  In order to solve the above-described problem, the invention according to claim 1 is an L2 service providing terminal connected to the L3 network by constructing a virtual L2 (Layer 2) tunnel on the L3 (Layer 3) network. A network system for transmitting and receiving packets to and from a terminal connected to a DC network in a DC (Data Center) connected to the L3 network, the connection point between the L3 network and the L2 service providing terminal L2 network A tunnel end point that is installed at the connection point between the terminal in the DC and the DC network, and a gateway that is disposed at the connection point between the L3 network and the DC. And the originating tunnel termination point precedes the destination of the virtual L2 tunnel. A packet is encapsulated as addressed to a gateway device, and the gateway device uniquely assigns a tunnel identifier for identifying the virtual L2 tunnel for each set of arrival and departure side tunnel termination points, the tunnel identifier and the arrival and departure A storage unit for storing correspondence information of the IP address of the side tunnel termination point, and when the packet addressed to itself is received, the destination of the packet encapsulated in the virtual L2 tunnel is referred to by referring to the correspondence information And a processing unit for rewriting and transferring the data.

  The invention described in claim 2 is also directed to a calling-side tunnel termination point implemented at a connection point between an L3 (Layer 3) network and an L2 (Layer 2) terminal, and a connection between a terminal in the DC and the DC network. A destination tunnel termination point implemented at a point, and a gateway device arranged at a connection point between the L3 network and the DC, constructing a virtual L2 tunnel on the L3 network, and A packet transfer method for a network system for transmitting and receiving packets between a connected L2 service providing terminal and the terminal connected to a DC network in a DC (Data Center) connected to the L3 network, At the side tunnel termination point, the virtual L2 tunnel destination is set as the gateway device. A tunnel identifier setting step for uniquely assigning a tunnel identifier for identifying the virtual L2 tunnel for each set of arrival and departure side tunnel termination points in the gateway device, the tunnel identifier and the arrival and departure side A storage step of storing correspondence information of the IP address of the tunnel termination point, and when the packet addressed to itself is received, the destination of the packet encapsulated in the virtual L2 tunnel is referred to as the destination tunnel termination point with reference to the correspondence information And a processing step of rewriting and transferring.

  By doing in this way, at the time of migration of the virtual machine in the DC, the influence of the migration can be completed in the DC without spreading outside the DC. In addition, the route can be quickly switched by controlling only the gateway device. As a result, the DC side standby system switching can be realized without being aware of the originating tunnel termination point, and fault tolerance and operability can be improved.

  According to the present invention, it is possible to provide a network system and a packet transfer method that improve fault tolerance and operability.

It is a figure which shows the structure of the network system and DC which concern on embodiment of this invention. It is a figure which shows the frame format of the network system which concerns on embodiment of this invention. It is a figure which compares and shows the virtual L2 tunnel management method of the network system which concerns on this embodiment, and the virtual L2 tunnel management method of a prior art. 4 is a management table showing the correspondence between a tunnel identifier VNI and a calling / receiving side VTEP IP address of the network system according to the present embodiment. It is a figure which shows the structure of the network system which concerns on embodiment of this invention. It is a figure which shows typically the VXLAN frame format of the network system which concerns on embodiment of this invention. It is a figure explaining the migration in DC of the network system which concerns on embodiment of this invention. It is a figure which shows the structure of the network system which concerns on NVO3. It is a figure which shows the frame format after the encapsulation of FIG. It is a figure which shows the network system which concerns on NVO3, and the structure of DC.

A network system and the like in a mode for carrying out the present invention (hereinafter referred to as “the present embodiment”) will be described below with reference to the drawings.
The present embodiment is an example applied to a transfer method in a relay section and a network system that realizes it when a virtual path is generated on a large-scale physical network. A technique for constructing a virtual L2NW on the NVO3 required in the NFV environment, that is, the L3NW will be described.

FIG. 1 is a diagram illustrating a configuration of a network system and a DC according to an embodiment of the present invention. The same components as those in FIG. 10 are denoted by the same reference numerals.
As shown in FIG. 1, the network system 100 is a gateway device of a DC 110 in which user terminals 1 ₁ and 1 ₂ (L2 service providing terminals) are connected to an L3 wide area NW3 via a router 20 (originating VTEP). It is connected to the L3 DC NW 130 via a DC-GW (Gate Way) 120. In the DC 110, the servers 150 ₁ and 150 ₂ having the service A and B functions are connected via the routers 140 ₁ and 140 ₂ (called side VTEP) connected to the L3 DC NW 130. 1, server 150 ₁ transfer function for the service A, the server 150 ₂ is an example having a transfer function for the service B. As will be described later (see FIG. 7), the servers 150 ₁ and 150 ₂ may both have a transfer function for the service A, and the server 150 ₁ may be an active system and the server 150 ₂ may be a standby system. The routers 140 ₁ and 140 ₂ are collectively referred to as the router 140, and the servers 150 ₁ and 150 ₂ are collectively referred to as the server 150. When the user terminals 1 ₁ and 1 ₂ are not particularly distinguished, they are represented as user terminals 1.

  The network system 100 constructs a virtual L2 tunnel on the L3 wide area NW3, and a user terminal 1 connected on the L3 wide area NW3 and a server 150 connected to the L3 DC NW 130 in the DC 110 connected to the L3 wide area NW3. Packets are transmitted and received between the two.

  The user terminal 1 is an L2 service providing terminal composed of, for example, a general personal computer or a portable information terminal. The user terminal 1 is connected to the router 20 (originating side VTEP) by L2NW.

The router 20 (originating side VTEP) is mounted at a connection point between the L3 wide area NW3 and the L2NW of the user terminal 1. The router 20 (originating side VTEP) transmits requests for providing various services A and B to the server 150 in the DC 110 via the L3 wide area NW3, and acquires information from the server 150 (here, 150 ₁ ). .
The router 20 (originating side VTEP) encapsulates the packet with the destination of the virtual L2 tunnel as the destination of the DC-GW 120. The router 20 (originating side VTEP) transfers a packet to the DC-GW 120 when performing encapsulation.

The DC 110 is connected to the L3 wide area NW 3 via the DC-GW 120. The DC 110 efficiently accommodates the L3 DC NW 130, the router 140 (destination VTEP), and the virtual server on a large scale. The DC 110 is a generic name for facilities and buildings where IT (Information Technology) devices such as servers and network devices are installed and operated, and any name may be used as long as it operates a plurality of routers 140 (destination VTEPs). Absent.
In the DC 110, a network is constructed by the L3 DC NW 130, and the server 150 is connected via the router 140 (destination VTEP).

The DC-GW 120 is arranged at a connection point between the L3 wide area NW3 and the DC 110, and relays between the L3 wide area NW3 and the DC 110.
The DC-GW 120 includes a tunnel identifier setting unit 120a that uniquely assigns a tunnel identifier VNI for identifying a virtual L2 tunnel for each pair of arrival and departure side VTEPs, and a management table 160 (corresponding to the tunnel identifier VNI and the IP address of the arrival and departure side VTEPs) Information) (refer to FIG. 4), and when the packet addressed to itself arrives, the management table 160 is referred to, and the destination of the packet encapsulated in the virtual L2 tunnel is rewritten to the destination VTEP and transferred. Part 120c. The DC-GW 120 manages the management table 160 of the tunnel identifier VNI and the IP address of the calling / receiving side VTEP, and rewrites the destination IP address appropriately.
There is a one-to-one correspondence between the tunnel identifier VNI and the arrival / departure side VTEP.
Note that the DC-GW 120 may include a normal gateway function and a firewall function.

The router 140 (destination VTEP) is mounted at the connection point between the server 150 in the DC 110 and the L3 DC NW 130.
The server 150 is a server that provides services A and B.

  As described above, the L3 wide area NW3 to which the router 20 (originating side VTEP) is connected is an L3NW, and the DC 110 is also an L3NW. For this reason, L2 over L3 connection for securing L2 connection from the user terminal 1 to the server 150 in the DC 110 is required. In this embodiment, VXLAN is taken as an example of the L2 over L3 connection technology, but NVGRE (Network Virtualization using Generic Routing Encapsulation) or the like may be used.

Hereinafter, a packet transfer method of the network system 100 configured as described above will be described.
In this embodiment, path switching is performed in the DC-GW 120. In the following, the operation in VTEP, the virtual L2 tunnel management method, and the operation in DC-GW 120 will be described separately.

<Operation at the calling side VTEP> (Packet transfer to DC-GW120)
In this embodiment, in the L2 extension between the carrier network (L3 wide area NW3) and the DC network (L3 DC NW130), the tunnel destination is set to DC-GW120. The frame format shown in FIG. 2 is used to set the tunnel destination to DC-GW 120.
FIG. 2 is a diagram illustrating a frame format of the network system 100. FIG. 2A shows a frame format when the router 20 (originating side VTEP) performs VXLAN encapsulation by the encapsulation operation addressed to the DC-GW 120.

As shown in FIG. 2A, the encapsulated frame format 210 in FIG. 1 includes Outer Dst. MAC, Outer Src. MAC, Outer Dst. IP (DC-GW), Outer Src. IP (router 20), Outer Src. UDP, Outer Dst. VXLAN frame 211 consisting of UDP (VXLAN port) and VXLAN ID (id = 1), Inner Dst. MAC (service A), Inner Src. MAC (user 1)) and Payload And an original frame 212.
As indicated by the symbol a in FIG. 2A, the destination of the tunnel is “Outer Dst. IP (DC-GW)”. As a result, the router 20 (originating side VTEP) performs encapsulation for the DC-GW 120.

<Virtual L2 tunnel management method> (Tunnel identifier and arrival / departure side VTEP is 1: 1)
In the prior art, as shown in FIG. 3B, the virtual L2 tunnel realizes MP2MP (Multi-Point to Multi-Point) connection using one tunnel identifier VNI. On the other hand, in the present embodiment, as shown in FIG. 3A, a tunnel identifier VNI is independently assigned to each set of a calling side VTEP and a called side VTEP (hereinafter referred to as a calling side VTEP). Specifically, as shown in FIG. 1, a tunnel identifier (VNI) = 10000 is assigned to a set of a router 20 (originating VTEP) and a router 140 ₁ (destination VTEP), and independently of this, the router 20 A tunnel identifier VNI = 20000 is assigned to a set of (originating VTEP) and router 140 ₂ (destination VTEP) (see FIG. 1). As a result, the DC-GW 120 can determine which VTEP should be forwarded only by referring to the assigned tunnel identifier VNI.

<Operation of DC-GW 120> (Part 1) (Tunnel identifier and IP address table of VTEP on arrival and arrival side)
In the present embodiment, the DC-GW 120 does not perform decapsulation and does not have an original frame MAC table. Therefore, as described above, in the DC-GW 120, the tunnel identifier setting unit 120a sets the tunnel identifier VNI to be unique for each set of tunnel end points.
The router 20 (originating side VTEP) transfers the packet encapsulated by the virtual L2 tunnel to the DC-GW 120. The DC-GW 120 transfers the original frame 212 including the Inner MAC without looking at all. Further, the DC-GW 120 performs processing without performing decapsulation of the virtual L2 tunnel.

<Operation of DC-GW 120> (Part 2) (Transfer from DC-GW to called side VTEP)
The DC-GW 120 deletes all the VXLAN frames 211 (see FIG. 2B) attached by the router 20 (originating side VTEP) after the processing unit 120c confirms by looking at the tunnel identifier VNI, and the router 140 (incoming side) Original frame 212 is sent to VTEP). In this case, in the DC-GW 120, the processing unit 120c refers to the management table 160 (see FIG. 4) indicating the correspondence between the tunnel identifier VNI and the calling side VTEP IP address, and receives the destination of the packet encapsulated in the virtual L2 tunnel. A process of rewriting and transferring to VTEP (destination router 140 in FIG. 1) is performed.

FIG. 4 is a management table 160 showing the correspondence between the tunnel identifier VNI and the arrival / departure side VTEP IP address.
In the network system 100, since the tunnel identifier VNI has a one-to-one correspondence with the arrival / departure side VTEP, the DC-GW 120 holds a management table 160 (see FIG. 4) for managing them.
When a server failure occurs, the DC-GW 120 can rewrite the server-side standby VTEP on the management table 160, thereby realizing path switching without affecting the user-side router 20 (originating-side VTEP).

An implementation example of the DC-GW 120 can be realized using OpenFlow. The entry table at that time is shown below.
Match condition: Destination UDP (User Datagram Protocol) port: Port number defined by encapsulation technology
Source IP address: IP address of the originating VTEP
Destination IP address: IP address of DC-GW 120 itself
Encapsulation ID: Tunnel identifier (VNI) of virtual L2 tunnel
Action: Source IP address: Rewrite to DC-GW120's own IP address
Destination IP address: Rewritten to the IP address of the destination VTEP
Output port: Output from the port that can transfer to the destination VTEP

FIG. 2B is a diagram showing a frame format when transferring from the DC-GW 120 to the router 140 (destination VTEP).
As shown in FIG. 2B, the frame format 210 from the DC-GW 120 includes Outer Dst. MAC, Outer Src. MAC, Outer Dst. IP (destination VTEP), Outer Src. IP (router 20), Outer Src. UDP, Outer Dst. VXLAN frame 211 consisting of UDP (VXLAN port) and VXLAN ID (id = 1), and Original frame consisting of Inner Dst. MAC (service A), Inner Src. MAC (user 1) and Payload 212.
As indicated by reference symbol a in FIG. 2B, the tunnel destination is rewritten as “Outer Dst. IP (destination VTEP)”. As a result, the DC-GW 120 transfers to the router 140 (destination VTEP).

  In this way, the DC-GW 120 refers to the set of the tunnel identifier VNI set in advance (or advertised by the E-VPN) and the IP address of the calling / receiving VTEP with respect to the L2 stretched packet addressed to itself, to the appropriate destination. Forward. In this embodiment, the DC-GW 120 manages the tunnel identifier VNI and the IP address management table 160 (see FIG. 4) of the arrival and departure side VTEP, and appropriately rewrites the destination IP address, thereby decapsulating the virtual L2 tunnel. Transfer correctly without doing. In this case, the DC-GW 120 transfers the original frame including the Inner MAC without looking at all.

The management of the tunnel identifier VNI will be described in more detail.
FIG. 5 is a diagram showing a configuration of a network system according to the embodiment of the present invention. The same components as those in FIG. 1 are denoted by the same reference numerals.
As shown in FIG. 5, in the network system 100, routers 20 _{1 to} 20 ₃ (originating side VTEP) are connected to the DC-GW 120 via the L3 wide area NW3. The DC-GW 120 is connected to the routers 140 ₁ and 140 ₂ (destination VTEP) via the L3 DC NW 130 using the DC-GW 120 as a connection point. The routers 20 _{1 to} 20 ₃ are collectively referred to as the router 20, and the routers 140 ₁ and 140 ₂ are collectively referred to as the router 140. The numbers in the blocks of the routers 20 _{1 to} 20 ₃ , 140 ₁ and 140 ₂ and “.” Are their own IP addresses.
The DC-GW 120 has a management table 160 (corresponding information) of the tunnel identifier VNI and the IP address of the calling / receiving VTEP shown in FIG.

FIG. 6 is a diagram schematically showing a VXLAN frame format of the network system 100 of FIG.
As indicated by reference symbol a in FIG. 6, in the prior art VTEP, the next transfer destination is determined with reference to the Inner MAC, so that a plurality of grounds (see the router 2 and the routers 4 ₁ and 4 _{2 in} FIG. 3B). ) Can be made one tunnel identifier (VXLAN ID). On the other hand, the DC-GW 120 of this embodiment can refer only to the VXLAN frame. Therefore, in the present embodiment, the next transfer destination is determined using the tunnel identifier VNI as shown by the symbol b in FIG. Specifically, the DC-GW 120 provides the management table 160 shown in FIG. 4 and manages the VTEP corresponding to the tunnel identifier VNI. Therefore, in order to uniquely determine the transfer destination VTEP, another tunnel identifier VNI is used when connecting to multiple grounds.

FIG. 7 is a diagram for explaining migration in the DC 110 of the network system according to the embodiment of the present invention.
As shown in FIG. 7, a router 140 ₁ (destination VTEP) in the DC 110 is connected to a server 150 ₁ having an application A function. Server 150 ₁ is assumed to be in an active system running. Router 140 ₂ (destination VTEP) and server 150 ₂ are standby systems.
The router 20 (originating side VTEP) attaches an appropriate VNI, its own IP address and MAC address to the front of the MAC frame, and starts communication with the IP address addressed to the DC-GW 120. As shown in the L2 tunnel in FIG. 7, the router 20 (originating side VTEP) transfers the packet encapsulated in the virtual L2 tunnel to the DC-GW 120. The DC-GW 120 does not perform decapsulation and does not have a MAC table. Therefore, the tunnel identifier VNI is unique for each set of tunnel end points. The DC-GW 120 performs a process of rewriting and transferring the destination of the packet encapsulated by the virtual L2 tunnel to the destination VTEP (the destination router 140 in FIG. 1) (see the broken line arrow in FIG. 7).

Assume that have migrated to the server 150 ₁ of the primary system to the server 150 ₂ of the standby system in DC 110. In the present embodiment, the router 20 (originating side VTEP) encapsulates a packet addressed to the DC-GW 120. The DC-GW 120 rewrites the destination of the encapsulated packet in the DC 110 to the router 140 (destination VTEP) and transfers it (see solid line arrow in FIG. 7). Therefore, since the influence at the time of migration is completed within the DC 110, setting such as advertising the MAC address on the control plane or the like for all VTEPs outside the DC 110 (in this case, the router 20) is not necessary, and the ripple is transmitted to the L3 wide area NW3 side. Never do.
For this reason, as shown by the symbol a in FIG. 7, the standby system switching can be realized without any awareness from the router 20 (originating side VTEP) side. Further, as indicated by reference sign b in FIG. 7, since switching can be performed only by control of the DC-GW 120, high-speed switching can be realized.

  As described above, the network system 100 includes the router 20 (originating VTEP) installed at the connection point between the L3 wide area NW3 and the L2NW of the user terminal 1 (L2 service providing terminal), the server 150 in the DC 110, and the L3 DC. A router 140 (destination VTEP) mounted at a connection point of the NW 130 and a DC-GW 120 disposed at a connection point between the L3 wide area NW3 and the DC 110 are provided. The router 20 (originating side VTEP) encapsulates the packet with the destination of the virtual L2 tunnel as the destination for the DC-GW 120. The DC-GW 120 stores a tunnel identifier setting unit 120a that uniquely assigns a tunnel identifier VNI for identifying a virtual L2 tunnel for each set of arrival and departure side VTEPs, and a management table 160 of the tunnel identifier VNI and the IP address of the arrival and departure side VTEPs And a processing unit 120c that refers to the management table 160 and rewrites and transfers the destination of the packet encapsulated by the virtual L2 tunnel to the destination VTEP when the packet addressed to itself is received.

This has the following effects.
(1) Switching time when a server failure occurs in an NFV environment is shortened. In particular, the environment becomes more prominent as the number of VTEPs on the user side increases. In general, in the NFV, the user side VTEP is overwhelmingly more than the DC side VTEP, and therefore, the fault tolerance improvement by the network system 100 is important.
(2) The influence of DC failure does not spread to wide area NW.
As a result, fault tolerance and operability are improved.
Further, in this embodiment, it is only necessary to set the destination of the tunnel in the VXLAN frame format to the DC-GW 120. Therefore, the existing device can be diverted or highly compatible with the existing device, and can be easily implemented and is a versatile system. Can be built.

In addition, among the processes described in the above embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.
Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or a part of the distribution / integration may be functionally or physically distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Further, each of the above-described configurations, functions, and the like may be realized by software for interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function is stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), an IC (Integrated Circuit) card, an SD (Secure Digital) card, an optical disk, etc. It can be held on a recording medium.

1,1 ₁ , 1 ₂ user terminal (L2 service providing terminal)
3 L3 Wide Area NW
20 router (source VTEP) (source tunnel termination point)
100 network system 110 DC
120 DC-GW
120a Tunnel identifier setting unit 120b Storage unit 120c Processing unit 130 L3 DC NW
140, 140 ₁ , 140 ₂ Router (Destination VTEP) (Destination Tunnel Termination Point)
150, 150 ₁ , 150 ₂ server 160 management table (corresponding information)
VNI tunnel identifier

Claims (2)

By constructing a virtual L2 (layer 2) tunnel on the L3 (layer 3) network, an L2 service providing terminal connected on the L3 network and a DC network in a DC (Data Center) connected to the L3 network A network system for transmitting and receiving packets to and from a connected terminal,
An originating tunnel termination point implemented at a connection point between the L3 network and the L2 service providing terminal L2 network;
A terminating tunnel termination point implemented at a connection point between the terminal in the DC and the DC network;
A gateway device arranged at a connection point between the L3 network and the DC,
The originating tunnel termination point is
Encapsulating a packet with the destination of the virtual L2 tunnel destined for the gateway device;
The gateway device is
A tunnel identifier setting unit that uniquely assigns a tunnel identifier for identifying the virtual L2 tunnel for each set of arrival and departure side tunnel termination points;
A storage unit for storing correspondence information between the tunnel identifier and the IP address of the destination tunnel termination point;
And a processing unit that, upon arrival of a packet addressed to itself, refers to the correspondence information and rewrites and forwards the destination of the packet encapsulated in the virtual L2 tunnel to the destination tunnel termination point. . An originating tunnel termination point implemented at the connection point between the L3 (Layer 3) network and the L2 (Layer 2) terminal, and a destination tunnel termination point implemented at the connection point between the terminal in the DC and the DC network; And an L2 service providing terminal connected to the L3 network by constructing a virtual L2 tunnel on the L3 network and having a gateway device arranged at a connection point between the L3 network and the DC A packet transfer method for a network system for transmitting and receiving packets to and from the terminal connected to a DC network in a DC (Data Center) connected to
At the originating tunnel termination point,
Encapsulating a packet with the destination of the virtual L2 tunnel destined for the gateway device;
In the gateway device,
A tunnel identifier setting step for uniquely assigning a tunnel identifier for identifying the virtual L2 tunnel for each set of arrival and departure side tunnel termination points;
A storage step of storing correspondence information between the tunnel identifier and the IP address of the calling and terminating tunnel termination point;
A packet forwarding process comprising: a step of rewriting a destination of a packet encapsulated in the virtual L2 tunnel to a destination tunnel termination point when the packet addressed to the destination arrives, and referring to the correspondence information Method.

Images